Wildcard SSL Certificates with Let’s Encrypt and Namecheap

June 24, 2026 | By Jack Harner

If you’re running multiple subdomains, issuing a separate SSL cert for each one is a pain. Wildcard certs fix that. One cert covers everything under *.yourdomain.com, and Let’s Encrypt will issue one for free.

The trade-off is that wildcard certs can’t use the standard HTTP challenge. You have to verify domain ownership through DNS instead, which means adding a TXT record to your DNS provider before Let’s Encrypt will issue the cert. If your DNS is through Namecheap, here’s how that looks.


Install Certbot

On Ubuntu/Debian:

sudo apt update
sudo apt install certbot

You need version 0.22.0 or higher. Check with:

certbot --version

Request the Certificate

sudo certbot certonly \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --manual \
  --preferred-challenges dns \
  -d "*.yourdomain.com"

What those flags do:

  • certonly — generate the cert without touching your web server config
  • --server — ACME v2 endpoint, required for wildcard certs
  • --manual — you handle the verification step yourself
  • --preferred-challenges dns — use DNS-01 instead of HTTP-01

Certbot will ask if you’re okay with your IP being logged, then output something like:

Please deploy a DNS TXT record under the name
_acme-challenge.yourdomain.com with the following value:

yB0AXXXXXXORZXTwzeXXXXXXXXXXXXXXXXmOoA1-XXX

Before continuing, verify the record is deployed.

Leave the terminal open and don’t press Enter yet.


Add the TXT Record in Namecheap

  1. Go to Domain List and click Manage on your domain
  2. Open the Advanced DNS tab
  3. Add a new record:
    • Type: TXT Record
    • Host: _acme-challenge
    • Value: the string certbot gave you
    • TTL: 1 min if available, otherwise Automatic

Save it and give it a minute or two to propagate.


Verify the Record

nslookup -type=TXT _acme-challenge.yourdomain.com

If it hasn’t propagated yet you’ll get an NXDOMAIN error. Run it again until you see your value come back:

Non-authoritative answer:
_acme-challenge.yourdomain.com text = "yB0AXXXXXXORZXTwzeXXXXXXXXXXXXXXXXmOoA1-XXX"

Once it shows up, go back to your terminal and press Enter.


Finish Up

Certbot checks the record against Let’s Encrypt and issues the cert. You’ll see:

Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/yourdomain.com/fullchain.pem

Your cert files:

  • /etc/letsencrypt/live/yourdomain.com/fullchain.pem
  • /etc/letsencrypt/live/yourdomain.com/privkey.pem

Point your nginx or Apache config at those and you’re done.


Renewal

Manual DNS challenge means auto-renewal won’t work out of the box. Certbot can’t add DNS records on its own unless you set up a DNS API plugin. Namecheap has an API but it requires some configuration and IP whitelisting. If you don’t want to deal with that, a calendar reminder every 60 days to re-run the process works fine. If you want fully automated renewal and you’re managing a lot of certs, moving DNS to Cloudflare is worth considering since the certbot plugin support there is solid.