How to Generate And Renew Wildcard SSL Certificate With Letsencrypt

Generating Certificates

In this post we will generate a wildcard SSL certificate. This SSL certificate is for domain.

Make Sure locale is set.
export LC_ALL=”en_US.UTF-8″

export LC_CTYPE=”en_US.UTF-8″
Install Certibot

chmod a+x ./certbot-auto
sudo ./certbot-auto
Obtaining Certificates Using Manual Mode

Manual mode means that you need to complete the DNS challenge by doing a DNS TXT record entry manually to prove that you own the domain. Run the following command to obtain the SSL certificate. Here we are generating for nginx so put “-i nginx”, if you want to use it for apache, replace “nginx“ with apache.

./certbot-auto -i nginx --server --manual --preferred-challenges dns -d * -d --no-bootstrap

The certbot client will walk you through the process of registering an account, and it will instruct you on what to do to complete the challenges. You should see something like:

Please deploy a DNS TXT record under the 

name with the following value:
Before continuing, verify the record is deployed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

Press Enter to Continue

You can deploy this DNS TXT record using your domain control panel (Route53 in this case). Once you have completed the TXT record deployment, you need to verify that it is working using nslookup:



Server: 192.XXX.XXX.XXX 

Address: 192.XXX.XXX.XXX#XX 

Non-authoritative answer: text = 


When you have verified that the TXT record is properly deployed and accessible using nslookup command then proceed to the next challenge. It will ask again to deploy another DNS TXT record, so repeat the same again and move ahead.

If you’ve multiple site-enabled in your nginx server, you need to manually select the site. In my case, I want to update both site configuration file. You can leave this step as you need to carefully modify the nginx config file manually instead of certbot modifying it for you.

When the certificate will be issued and you should see something like:

IMPORTANT NOTES:  - Congratulations! Your certificate and chain have been saved at:    /etc/letsencrypt/live/    Your key file has been saved at:    /etc/letsencrypt/live/    Your cert will expire on 2018-12-09. To obtain a new or tweaked    version of this certificate in the future, simply run certbot-auto    again. To non-interactively renew *all* of your certificates, run    "certbot-auto renew"  - Your account credentials have been saved in your Certbot    configuration directory at /etc/letsencrypt. You should make a    secure backup of this folder now. This configuration directory will    also contain certificates and private keys obtained by Certbot so    making regular backups of this folder is ideal.  - If you like Certbot, please consider supporting our work by:    Donating to ISRG / Let's Encrypt:    
 Donating to EFF:          

The certificates obtained can be seen by the following commands:

cd /etc/letsencrypt/live/ 

cat fullchain.pem 

cat privkey.pem
Renewing The Certificates

Since we have created the wildcard certificate using Manual Mode, then we need to repeat the above steps every time we want to renew your wildcard certificate.