Wildcard SSL Certificates with Let's Encrypt
What Are Wildcard Certificates?
A wildcard SSL certificate covers a domain and all its direct subdomains:
- *.tuodominio.com — covers api.tuodominio.com, mail.tuodominio.com, app.tuodominio.com, etc.
- Does NOT cover sub.api.tuodominio.com (nested subdomains)
- Single certificate for unlimited direct subdomains
When to use:
- Multiple subdomains on the same physical server
- Simplifies certificate management (one renewal instead of many)
- Reduces certificate chain overhead
When NOT to use:
- Different teams managing different subdomains (use SAN certificates instead)
- Nested subdomains (sub.api.tuodominio.com requires *.api.tuodominio.com)
Why DNS Challenge Is Required
Let's Encrypt uses two validation methods:
- HTTP challenge — places a file in .well-known/acme-challenge/
  - Only proves control of the domain itself
  - Cannot verify *.tuodominio.com (the wildcard name)
- DNS challenge — adds a TXT record to DNS
  - Proves control of the DNS zone
  - Required for wildcard certificates
Therefore, wildcard certificates require DNS validation.
Install Certbot and DNS Plugins
Base installation:
sudo apt update
sudo apt install certbot python3-certbot-nginx
For Cloudflare DNS
If your domain uses Cloudflare, install the Cloudflare plugin:
sudo apt install python3-certbot-dns-cloudflare
For Other DNS Providers
Install the appropriate plugin:
- Route53 (AWS): python3-certbot-dns-route53
- DigitalOcean: python3-certbot-dns-digitalocean
- Hetzner: python3-certbot-dns-hetzner
- Generic/manual: use --manual flag (see below)
View all available plugins:
certbot plugins
Method 1: Manual DNS Challenge
Use this for any DNS provider or one-off testing:
sudo certbot certonly --manual --preferred-challenges dns \
-d "tuodominio.com" \
-d "*.tuodominio.com"
Certbot will prompt you:
Please deploy a DNS TXT record under the name:
_acme-challenge.tuodominio.com
with the following value:
eG9zdGluZ19jaGFsbGVuZ2VfdmFsdWU=
Before continuing, verify the record is deployed
Press Enter to continue
Steps:
- Add the TXT record in your DNS provider's control panel
  - Name: _acme-challenge.tuodominio.com
  - Type: TXT
  - Value: (the value provided by Certbot)
  - TTL: 300 seconds
- Verify propagation:
  dig _acme-challenge.tuodominio.com TXT
  # or
  nslookup -type=TXT _acme-challenge.tuodominio.com
- Press Enter in Certbot to continue validation
Certificate will be saved to /etc/letsencrypt/live/tuodominio.com/
Manual DNS challenge does NOT auto-renew. For production, use a DNS plugin (Method 2) so renewals happen automatically every 60 days.
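The propagation check above is easy to get wrong by eye: dig prints TXT data in quotes, splits long values into several quoted strings, and a stale record from a previous run may still be answered alongside the new one. The following script, added here as an example and not part of the original article or of Certbot, compares the dig output with the value Certbot printed and only reports success on an exact match. The record name and the expected value are placeholders; take both from Certbot's prompt.

```shell
#!/bin/sh
# Added example (not from the original article or from Certbot): confirm that
# the _acme-challenge TXT record carries exactly the value Certbot printed
# before pressing Enter. Record name and value below are placeholders.

# dig +short prints TXT data quoted and splits values longer than 255 bytes
# into several quoted strings: "part one" "part two". Strip the quotes and
# join the pieces so the comparison is exact.
normalize_txt() {
  printf '%s' "$1" | sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# txt_matches DIG_OUTPUT EXPECTED
# Returns 0 when any line of the dig output equals EXPECTED. Every line is
# checked because a stale record from an earlier run may still be present.
txt_matches() {
  printf '%s\n' "$1" | {
    while IFS= read -r line; do
      [ "$(normalize_txt "$line")" = "$2" ] && exit 0
    done
    exit 1
  }
}

# challenge_deployed NAME EXPECTED
# Queries DNS (network access required) and reports whether the record is
# visible yet with the expected value.
challenge_deployed() {
  txt_matches "$(dig +short "$1" TXT)" "$2"
}

# Usage (placeholders): poll until the record is visible, then press Enter in Certbot.
# until challenge_deployed _acme-challenge.tuodominio.com 'VALUE_FROM_CERTBOT'; do
#   echo "record not visible yet, retrying in 10s"; sleep 10
# done
```

Query the zone's authoritative nameserver (dig @ns1.your-provider.example ...) rather than your local resolver while you wait: a resolver asked before the record exists caches the negative answer for the zone's negative TTL, which makes propagation look slower than it is.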
Method 2: Automatic Renewal with Cloudflare
If using Cloudflare, this method auto-renews without manual intervention.
Step 1: Create Cloudflare Credentials File
Create /root/.secrets/certbot/cloudflare.ini (owner must be root):
# Cloudflare API token credentials
dns_cloudflare_api_token = your_cloudflare_api_token_here
Get your API token:
- Log in to Cloudflare Dashboard
- Go to Account Settings → API Tokens
- Create a token with "Zone DNS" permissions
- Copy the token
Set secure permissions:
sudo mkdir -p /root/.secrets/certbot
sudo nano /root/.secrets/certbot/cloudflare.ini
# Paste credentials, save and exit
sudo chmod 600 /root/.secrets/certbot/cloudflare.ini
Step 2: Run Certbot with Cloudflare Plugin
sudo certbot certonly --dns-cloudflare \
--dns-cloudflare-credentials /root/.secrets/certbot/cloudflare.ini \
-d "tuodominio.com" \
-d "*.tuodominio.com"
Certbot will:
- Connect to Cloudflare API
- Add TXT records automatically
- Wait for DNS propagation
- Validate and issue the certificate
Step 3: Verify Auto-Renewal
Check the renewal configuration:
sudo certbot renew --dry-run
This simulates a renewal without actually requesting a new certificate. Output should show success:
Processing /etc/letsencrypt/renewal/tuodominio.com.conf
Cert not yet due for renewal
All simulations succeeded. You may want to run Certbot again when
certificates are due for renewal.
The renewal daemon (certbot.timer for systemd) runs automatically.
Using the Wildcard Certificate in Nginx
Configuration is identical to regular certificates:
server {
listen 443 ssl http2;
server_name tuodominio.com *.tuodominio.com;
ssl_certificate /etc/letsencrypt/live/tuodominio.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/tuodominio.com/privkey.pem;
# ... rest of SSL configuration
}
Reload Nginx:
sudo nginx -t # Test syntax
sudo systemctl reload nginx
All subdomains are now served with the same certificate:
- https://tuodominio.com
- https://api.tuodominio.com
- https://mail.tuodominio.com
- https://cdn.tuodominio.com
Auto-Renewal Strategy
DNS Plugin Renewals (Automatic)
When using --dns-cloudflare or similar:
- Certbot daemon checks daily
- Renews automatically 30 days before expiry
- No manual action required
- Safe for production
Manual DNS Challenge (Not Recommended)
If you used --manual:
- Manual renewal required every 90 days
- Set a calendar reminder
- Run the same certbot command again
- Certificate will not renew automatically
Always use a DNS plugin for production environments. The manual method is suitable only for testing or rare one-off certificates.
Verification
Check that your wildcard certificate covers all subdomains:
# View certificate details
echo | openssl s_client -connect tuodominio.com:443 2>/dev/null | openssl x509 -noout -text | grep -A1 "Subject Alternative Name"
Expected output:
X509v3 Subject Alternative Name:
DNS:tuodominio.com, DNS:*.tuodominio.com
Test a subdomain:
echo | openssl s_client -connect api.tuodominio.com:443 2>/dev/null | openssl x509 -noout -subject
Output:
subject=CN=tuodominio.com
Check certificate expiry:
sudo certbot certificates
Output example:
Found the following certs:
Certificate Name: tuodominio.com
Domains: tuodominio.com, *.tuodominio.com
Expiry Date: 2026-06-26
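Reading the SAN line and the expiry date by hand works for one host, but the wildcard rule from the first section (one label only, apex not included) is exactly the kind of thing that gets misjudged when a list of subdomains has to be checked. The script below, added here as an example and not part of the original article, applies that rule to each hostname against the certificate's SAN list and also checks that the certificate stays valid beyond the 30-day renewal window. It covers both the "What Are Wildcard Certificates?" rules and this Verification section. Hostnames, paths and the day threshold are placeholders; openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original article): check which hostnames a
# certificate's SAN list covers under the wildcard matching rule, and check
# how long the certificate remains valid. Hostnames/paths are placeholders.

# host_covered HOST NAME...
# Returns 0 when HOST is matched by one of the DNS names NAME... .
# A wildcard "*.example.com" matches exactly one label: api.example.com yes,
# sub.api.example.com no, and the apex example.com only when it is listed
# explicitly (which is why the article passes both -d values to Certbot).
host_covered() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
  for name in "$@"; do
    name=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
    case "$name" in
      \*.*)
        rest="${host#*.}"   # host with its first label removed
        [ "$rest" != "$host" ] && [ "$rest" = "${name#\*.}" ] && return 0
        ;;
      *)
        [ "$name" = "$host" ] && return 0
        ;;
    esac
  done
  return 1
}

# san_names PEM_FILE
# Prints the DNS names from the Subject Alternative Name extension, one per line.
san_names() {
  openssl x509 -in "$1" -noout -ext subjectAltName | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# live_cert HOST OUTFILE
# Saves the certificate the server presents for HOST. -servername sends SNI,
# so a server with several server blocks returns the right certificate.
live_cert() {
  echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
    | openssl x509 -outform PEM > "$2"
}

# check_cert PEM_FILE DAYS HOST...
# Returns non-zero if any HOST is not covered or the certificate expires
# within DAYS days (30 matches the renewal window described in the article).
check_cert() {
  pem="$1"; days="$2"; shift 2
  status=0
  for h in "$@"; do
    # word-splitting of the san_names output into arguments is intended
    if host_covered "$h" $(san_names "$pem"); then
      echo "covered:     $h"
    else
      echo "NOT covered: $h"; status=1
    fi
  done
  if openssl x509 -in "$pem" -noout -checkend $((days * 86400)); then
    echo "valid for more than $days days"
  else
    echo "expires within $days days"; status=1
  fi
  return $status
}

# Usage (placeholders):
# live_cert tuodominio.com /tmp/live.pem
# check_cert /tmp/live.pem 30 tuodominio.com api.tuodominio.com sub.api.tuodominio.com
```

Running it with sub.api.tuodominio.com in the list reports "NOT covered" even though the wildcard certificate is installed, which is the nested-subdomain case from the first section; check_cert can also be pointed at /etc/letsencrypt/live/tuodominio.com/fullchain.pem from a cron job as the expiry monitor the checklist mentions.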
Troubleshooting
DNS propagation is slow:
# Monitor TXT record propagation
watch -n 2 'dig _acme-challenge.tuodominio.com TXT +short'
Certificate renewal is failing:
# Check renewal logs
sudo journalctl -u certbot.service -n 50   # the timer only triggers certbot.service; the renewal run logs there
sudo tail -f /var/log/letsencrypt/letsencrypt.log
Cloudflare API token issues:
- Verify token has "Zone DNS" permissions
- Check that the domain is active on Cloudflare
- Confirm credentials file permissions: chmod 600
Checklist
- [ ] Install Certbot and DNS plugin
- [ ] Configure DNS credentials (for automatic renewal)
- [ ] Issue wildcard certificate with DNS challenge
- [ ] Verify TXT record deployment
- [ ] Test certificate with openssl s_client
- [ ] Configure Nginx/Apache to use the certificate
- [ ] Test all subdomains with HTTPS
- [ ] Run certbot renew --dry-run to verify auto-renewal
- [ ] Set up monitoring/alerts for certificate expiry (optional)
