Great news: Let’s Encrypt now supports wildcard certificates. The procedure is very similar to the one described in a previous post, with only a couple of differences.
First, wildcards are only issued through ACME v2 and can only be validated with the dns-01 challenge, so we pass the ACME v2 directory URL to certbot with --server and ask for the DNS challenge:
sudo certbot certonly --manual --preferred-challenges=dns --server https://acme-v02.api.letsencrypt.org/directory
Then follow the certbot prompts as usual; for the domain names I used catelin.net and *.catelin.net:
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel): catelin.net, *.catelin.net
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for catelin.net
dns-01 challenge for catelin.net
Then, instead of serving a file over HTTP for authentication, we need to publish a DNS TXT record with the value certbot prints (the two dns-01 lines above for the same name are the two authorizations: one for the base domain, one for the wildcard):
Please deploy a DNS TXT record under the name _acme-challenge.catelin.net with the following value: BTZ5cofq_SuperLongCode_doUh6Wc9QxM
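Pressing Enter in certbot before the record is visible fails the dns-01 validation and burns a validation attempt, so the check worth running at this step is whether the token is actually being served. Below is an added example, not part of the original post and not certbot code: a small Python script that shells out to `dig +short` against a public resolver (dig is assumed to be installed) and reports when the exact token certbot printed is among the published TXT values. The hostname and tokens in the script are constructed placeholders.

```python
"""Verify that the _acme-challenge TXT record is live before continuing certbot.

Added example, not part of the original post and not certbot code. It runs
`dig +short` against a public resolver (dig is assumed to be installed) and
checks that the token certbot printed is among the published TXT values.
The hostname and tokens used below are constructed placeholders.
"""
import shlex
import subprocess
import sys
import time
from typing import List

# Constructed sample of `dig +short TXT` output: a stale token left over from
# an earlier issuance plus the one certbot just asked for. Tokens are made up.
SAMPLE_DIG_OUTPUT = '''"OLDtoken_from_last_time_ignore_me_0123456789"
"NEWtoken_printed_by_certbot_abcdefghijklmnop"
'''
EXPECTED_TOKEN = "NEWtoken_printed_by_certbot_abcdefghijklmnop"


def parse_dig_short_txt(output: str) -> List[str]:
    """Turn `dig +short TXT name` output into a list of TXT record values.

    dig prints one record per line as quoted strings. A value longer than 255
    bytes is shown as several quoted chunks on one line; the record value is
    their concatenation, which shlex.split reassembles for us.
    """
    values = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # blank line or dig comment
            continue
        values.append("".join(shlex.split(line)))
    return values


def token_published(values: List[str], expected: str) -> bool:
    """True when the exact token is present.

    The CA compares the whole string byte for byte, so leftover records from
    earlier runs are harmless, but a truncated or whitespace-padded paste
    fails the dns-01 validation.
    """
    return expected in values


def query_txt(name: str, resolver: str = "1.1.1.1") -> List[str]:
    """Ask a public resolver rather than the local cache; the CA resolves
    from its own vantage point, so a locally cached answer proves nothing."""
    proc = subprocess.run(
        ["dig", "+short", "TXT", name, "@" + resolver],
        capture_output=True, text=True, check=True,
    )
    return parse_dig_short_txt(proc.stdout)


def wait_for_token(name: str, expected: str, timeout: int = 300, interval: int = 15) -> bool:
    """Poll until the token is visible or the timeout expires."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if token_published(query_txt(name), expected):
            return True
        time.sleep(interval)
    return False


if __name__ == "__main__":
    # usage: python check_txt.py _acme-challenge.catelin.net <token from certbot>
    host, token = sys.argv[1], sys.argv[2]
    ok = wait_for_token(host, token)
    print("record visible, safe to continue in certbot" if ok else "record still not visible")
    sys.exit(0 if ok else 1)
```

Run it in a second terminal with the name and value certbot printed, and only press Enter in certbot once it exits 0. Old _acme-challenge records from previous issuances can stay; the CA only needs one of the published values to match.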
If you request only *.example.com you need a single DNS TXT entry; if you request example.com and *.example.com you need two DNS TXT entries (Edit APR2020: only one DNS entry is now required, probably for a while already, but I only realised that today). Note that you cannot add a third domain such as www.example.com, as it would be redundant with the wildcard. As explained on https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578:
Orders that contain both a base domain and its wildcard equivalent (e.g. *.example.com and example.com) are valid. In that case, there will be two authorization objects in the order for “example.com”, one of which represents the wildcard validation and one of which represents the base domain validation. Redundant entries will produce an error. For instance, an order containing both *.example.com and www.example.com would produce an error since the wildcard entry makes the latter redundant.
However, you can still request separate certificates for subdomains such as www.example.com; they just cannot be in the same order as your wildcard.
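As an added example (not Boulder's or certbot's code), the following Python pre-flight check applies the rule quoted above to an identifier list before you start certbot: it accepts a base domain together with its wildcard, rejects a name the wildcard already covers, and lists which _acme-challenge name each authorization's token goes under. The domain names are constructed. One caveat on the count: a base domain plus its wildcard gives two authorizations, each with its own token, but Let's Encrypt reuses an authorization that is still valid from a recent order, so certbot can prompt for fewer records than the plan shows.

```python
"""Pre-flight check of the identifier list for a Let's Encrypt wildcard order.

Added example, not Boulder's or certbot's code. It encodes the rule quoted
from the Let's Encrypt community post: a base domain and its wildcard may
share an order (two authorizations for the base name), while a name the
wildcard already covers is redundant and the order is rejected. The domain
names below are constructed examples.
"""
from typing import Dict, List


def wildcard_covers(wildcard: str, name: str) -> bool:
    """A wildcard stands for exactly one extra label: *.example.com covers
    www.example.com but neither example.com nor a.b.example.com."""
    if not wildcard.startswith("*."):
        return False
    suffix = wildcard[2:]
    if not name.endswith("." + suffix):
        return False
    label = name[: -(len(suffix) + 1)]
    return label != "" and "." not in label


def plan_dns01_order(identifiers: List[str]) -> Dict[str, List[str]]:
    """Map each _acme-challenge TXT record name to the identifiers whose
    authorization token is published there, or raise ValueError if the
    identifier set is one the CA would reject."""
    names: List[str] = []
    for ident in identifiers:
        n = ident.strip().lower().rstrip(".")
        if not n:
            raise ValueError("empty identifier")
        # Only a single leading "*." label is a valid wildcard.
        if "*" in n and (not n.startswith("*.") or "*" in n[2:]):
            raise ValueError(f"{n}: only a single leading '*.' label is allowed")
        if n in names:
            raise ValueError(f"{n}: listed twice")
        names.append(n)

    # Redundancy check: any name already covered by a wildcard in the same
    # order makes the whole order invalid.
    for w in (n for n in names if n.startswith("*.")):
        for n in names:
            if n != w and wildcard_covers(w, n):
                raise ValueError(f"{n} is redundant: {w} already covers it")

    # Base domain and its wildcard are validated under the same TXT name,
    # but as two separate authorizations, each with its own token.
    plan: Dict[str, List[str]] = {}
    for n in names:
        base = n[2:] if n.startswith("*.") else n
        plan.setdefault("_acme-challenge." + base, []).append(n)
    return plan


def order_is_valid(identifiers: List[str]) -> bool:
    """Convenience wrapper: True if the CA would accept the identifier set."""
    try:
        plan_dns01_order(identifiers)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for req in (["catelin.net", "*.catelin.net"], ["*.example.com", "www.example.com"]):
        try:
            for record, idents in plan_dns01_order(req).items():
                print(f"{record}: {len(idents)} authorization(s) for {', '.join(idents)}")
        except ValueError as e:
            print(f"{req}: rejected, {e}")
```

For catelin.net plus *.catelin.net the plan is a single record name, _acme-challenge.catelin.net, carrying two authorizations; for *.example.com plus www.example.com it raises, which is the error the forum post describes.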
Then you can install the certificate on Arvixe through the cPanel SSL/TLS interface. certbot writes the files under /etc/letsencrypt/live/catelin.net/ (cert.pem, privkey.pem, chain.pem and fullchain.pem, all PEM-encoded): paste cert.pem into the certificate (CRT) field, privkey.pem into the private key field and chain.pem into the CA bundle field. You will have to install the same wildcard certificate for each of the subdomains you use with Arvixe, since cPanel installs certificates per (sub)domain.