How to issue a wildcard SSL certificate with Certbot DNS challenge
Obtain a wildcard SSL certificate from Let's Encrypt using Certbot's DNS-01 challenge for *.example.com domains.
Obtain a wildcard SSL certificate (*.example.com) from Let's Encrypt using Certbot's DNS-01 challenge, which validates domain ownership through a DNS TXT record.
Prerequisites
- Certbot installed
- Administrative access to the domain's DNS records
- For automated renewal: a DNS provider plugin for Certbot (e.g., certbot-dns-cloudflare, certbot-dns-route53)
Step-by-Step: Issue a Wildcard Certificate with Certbot
1. Request the Wildcard Certificate with DNS Challenge
sudo certbot certonly --manual --preferred-challenges dns -d "*.example.com" -d "example.com"

Certbot prompts you to create a DNS TXT record at _acme-challenge.example.com with a specific value. Because the request covers both *.example.com and example.com, Certbot prompts twice, each time with a different value at the same name; leave the first record in place when you add the second.
2. Create the DNS TXT Record
Add the TXT record through your DNS provider's control panel or API. Verify the record propagated:
dig TXT _acme-challenge.example.com +short

Wait until the dig command returns the expected value, then press Enter in the Certbot prompt to complete validation.
3. Automate DNS Challenges with a Provider Plugin (Recommended)
For automatic renewal, install a DNS provider plugin. For Cloudflare:
sudo snap install certbot-dns-cloudflare
sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/cloudflare.ini -d "*.example.com" -d "example.com"

The plugin creates and removes the DNS TXT record automatically during renewal. The credentials file holds an API token that can modify your DNS zone, so restrict it to the owner (chmod 600 ~/.secrets/cloudflare.ini); Certbot warns when the file is readable by other users.
Common Issues
DNS TXT record not found during validation: DNS propagation takes time. Wait 2–5 minutes after creating the record and verify with dig before pressing Enter. Some DNS providers have propagation delays up to 30 minutes.
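A propagation check for the TXT record from step 2 and the "record not found" issue above, added here as an example that is not part of the original guide and not Certbot's own code. It polls the zone's authoritative nameserver with dig rather than the local resolver, so a cached answer cannot make the record look present or absent; the script name wait-txt.sh, the 600-second default timeout and the 10-second poll interval are assumptions. When used as a Certbot --manual-auth-hook it assumes the record has already been created through your provider's API, which is not shown.

```shell
#!/bin/sh
# Wait until the _acme-challenge TXT record carries the value Certbot asked for.
# Queries the zone's authoritative nameserver directly, so a cached answer in
# the local resolver cannot hide (or fake) the record.
# Manual mode:  sh wait-txt.sh example.com <validation-value> [timeout-seconds]
# Hook mode:    certbot ... --manual-auth-hook /path/to/wait-txt.sh
#   (Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION; creating the record
#    via your DNS provider's API is assumed to happen before this check.)

# Print the TXT values that the first authoritative NS of ZONE serves for NAME.
lookup_txt() {
    name="$1"; zone="$2"
    ns="$(dig +short NS "$zone" | head -n 1)"
    [ -n "$ns" ] || return 1
    dig +short TXT "$name" "@$ns"
}

# Return 0 if OUTPUT (one quoted TXT value per line, as dig +short prints it)
# contains exactly "EXPECTED". Several records may coexist at the same name:
# a request for *.example.com plus example.com needs two values there.
txt_matches() {
    expected="$1"; output="$2"
    printf '%s\n' "$output" | grep -qxF "\"$expected\""
}

# Poll every INTERVAL seconds for up to TIMEOUT seconds. 0 = live, 1 = timed out.
wait_for_txt() {
    zone="${1#\*.}"; expected="$2"; timeout="${3:-600}"; interval="${4:-10}"
    name="_acme-challenge.$zone"; elapsed=0
    while :; do
        if txt_matches "$expected" "$(lookup_txt "$name" "$zone" 2>/dev/null)"; then
            echo "TXT record at $name is live after ${elapsed}s"
            return 0
        fi
        if [ "$elapsed" -ge "$timeout" ]; then
            echo "timed out after ${elapsed}s waiting for $name" >&2
            return 1
        fi
        sleep "$interval"; elapsed=$((elapsed + interval))
    done
}

# Hook mode if Certbot's variables are set, manual mode if arguments were given.
if [ -n "${CERTBOT_VALIDATION:-}" ]; then
    wait_for_txt "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
elif [ "$#" -ge 2 ]; then
    wait_for_txt "$1" "$2" "${3:-600}"
fi
```

In hook mode the script exits non-zero on timeout, which makes Certbot abort that authorization instead of asking Let's Encrypt to validate a record that is not yet visible.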