Letsencrypt Wildcard Certificates on Debian

PUBLISHED ON 22/03/2018 — EDITED ON 08/10/2019 — SYSOPS

Pin the packages from unstable

Early adopters will need to add the unstable repo to their APT sources and pin the packages (the deb lines go in your sources list, the Package/Pin stanzas in an APT preferences file):

# Unstable repo main, contrib and non-free branches, no security updates here
# Packages without bug reports go to stable after 10 days.
deb unstable main contrib non-free
deb-src unstable main contrib non-free

Package: certbot
Pin: release a=unstable
Pin-Priority: 900

Package: python3-certbot
Pin: release a=unstable
Pin-Priority: 900

Package: python3-acme
Pin: release a=unstable
Pin-Priority: 900

After 10 days with no bug reports the package will be in stable, so you can skip this.

Request the certificate

certbot certonly --server --manual --preferred-challenges dns -d \* -d

In zsh you need to escape the “*” (as in the command above), otherwise the shell tries to expand it as a glob and the command fails.

Edit the DNS records

Add the TXT record that certbot provides to your DNS zone.

Check the propagation of the records:

nslookup -type=TXT
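
Certbot waits for you to press Enter after adding the record, and the validation fails if the record is not yet visible to Let's Encrypt's resolvers. The script below is an added example (not code from the original post): it runs the same nslookup query as above in a loop and only returns once the expected TXT value is present. The domain `example.com`, the token value and the resolver address are constructed placeholders; use the record name and value certbot prints for your own domain.

```shell
#!/bin/sh
# Added example, not code from the original post: poll DNS until the TXT
# record certbot asked for is visible, so the interactive "Press Enter"
# step is only answered once the challenge can actually be validated.
# example.com, the token value and the resolver address are constructed
# placeholders; replace them with what certbot prints for your domain.

# has_txt_value OUTPUT EXPECTED
# OUTPUT is the text nslookup printed for a TXT query. Succeeds (exit 0)
# only if EXPECTED appears as a complete quoted TXT value, so a partial
# or stale value does not count as a match.
has_txt_value() {
  printf '%s\n' "$1" | grep -Fq "\"$2\""
}

# lookup_txt NAME [RESOLVER]
# Runs the same query as the post (nslookup -type=TXT) against RESOLVER,
# or the system resolver if none is given. nslookup exits non-zero on
# NXDOMAIN, which is normal before the record propagates, so the exit
# status is swallowed and only the output is returned.
lookup_txt() {
  nslookup -type=TXT "$1" ${2:+"$2"} 2>&1 || true
}

# wait_for_txt NAME EXPECTED [RESOLVER] [ATTEMPTS] [INTERVAL]
# Polls until the record is seen or ATTEMPTS (default 20, 30 s apart)
# are exhausted. Returns 0 when found, 1 on timeout.
wait_for_txt() {
  name=$1; expected=$2; resolver=${3:-}
  attempts=${4:-20}; interval=${5:-30}
  i=1
  while [ "$i" -le "$attempts" ]; do
    out=$(lookup_txt "$name" "$resolver")
    if has_txt_value "$out" "$expected"; then
      echo "found $name = \"$expected\" (attempt $i)"
      return 0
    fi
    echo "attempt $i/$attempts: $name not yet visible, sleeping ${interval}s"
    sleep "$interval"
    i=$((i + 1))
  done
  echo "gave up after $attempts attempts" >&2
  return 1
}

# Usage (run in a second terminal while certbot is waiting for Enter):
#   sh acme-txt-wait.sh _acme-challenge.example.com 'value-certbot-printed' 1.1.1.1
if [ "$#" -ge 2 ]; then
  wait_for_txt "$@"
fi
```

Querying a public resolver rather than your own caching resolver avoids being fooled by a stale negative cache on the local box; the record name certbot asks for is `_acme-challenge.` followed by the domain, and each `-d` name (the apex and the wildcard) gets its own value, so run the check once per value.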

Reload webserver

Nginx users can run:

nginx -t && nginx -s reload

For Apache, use:

apache2ctl -t && apache2ctl graceful
