If you’re running multiple subdomains, issuing a separate SSL cert for each one is a pain. Wildcard certs fix that. One cert covers everything under *.yourdomain.com, and Let’s Encrypt will issue one for free.
The trade-off is that wildcard certs can’t use the standard HTTP challenge. You have to verify domain ownership through DNS instead, which means adding a TXT record to your DNS provider before Let’s Encrypt will issue the cert. If your DNS is through Namecheap, here’s how that looks.
Install Certbot
On Ubuntu/Debian:
sudo apt update
sudo apt install certbot
You need version 0.22.0 or higher. Check with:
certbot --version
Request the Certificate
sudo certbot certonly \
--server https://acme-v02.api.letsencrypt.org/directory \
--manual \
--preferred-challenges dns \
-d "*.yourdomain.com"
What those flags do:
certonly— generate the cert without touching your web server config--server— ACME v2 endpoint, required for wildcard certs--manual— you handle the verification step yourself--preferred-challenges dns— use DNS-01 instead of HTTP-01
Certbot will ask if you’re okay with your IP being logged, then output something like:
Please deploy a DNS TXT record under the name
_acme-challenge.yourdomain.com with the following value:
yB0AXXXXXXORZXTwzeXXXXXXXXXXXXXXXXmOoA1-XXX
Before continuing, verify the record is deployed.
Leave the terminal open and don’t press Enter yet.
Add the TXT Record in Namecheap
- Go to Domain List and click Manage on your domain
- Open the Advanced DNS tab
- Add a new record:
- Type: TXT Record
- Host:
_acme-challenge - Value: the string certbot gave you
- TTL: 1 min if available, otherwise Automatic
Save it and give it a minute or two to propagate.
Verify the Record
nslookup -type=TXT _acme-challenge.yourdomain.com
If it hasn’t propagated yet you’ll get an NXDOMAIN error. Run it again until you see your value come back:
Non-authoritative answer:
_acme-challenge.yourdomain.com text = "yB0AXXXXXXORZXTwzeXXXXXXXXXXXXXXXXmOoA1-XXX"
Once it shows up, go back to your terminal and press Enter.
Finish Up
Certbot checks the record against Let’s Encrypt and issues the cert. You’ll see:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/yourdomain.com/fullchain.pem
Your cert files:
/etc/letsencrypt/live/yourdomain.com/fullchain.pem/etc/letsencrypt/live/yourdomain.com/privkey.pem
Point your nginx or Apache config at those and you’re done.
Renewal
Manual DNS challenge means auto-renewal won’t work out of the box. Certbot can’t add DNS records on its own unless you set up a DNS API plugin. Namecheap has an API but it requires some configuration and IP whitelisting. If you don’t want to deal with that, a calendar reminder every 60 days to re-run the process works fine. If you want fully automated renewal and you’re managing a lot of certs, moving DNS to Cloudflare is worth considering since the certbot plugin support there is solid.
