Letsencrypt - Certificate Authority
Get Letsencrypt WILDCARD Certificate?
Anton Putra
March 30, 2021
1 min


  • AWS account (AWS Free Tier Sign Up)


  • Intro
  • Create EC2 Instance
  • Install acme-dns Server
  • Install acme-dns-client
  • Install certbot
  • Get Letsencrypt Wildcard Certificate


Today, I’m going to show you how to obtain a Letsencrypt wildcard certificate and automate the renewal process. The challenge here is that only DNS verification is supported for wildcard certificates. You have to request and verify ownership of your domain by updating DNS TXT records every 60 days or so. Certbot has few DNS plugins for specific providers but in this video, I’ll show you an approach that will work with all DNS providers.

Create EC2 Instance

  • Create devops Key Pair

  • Create web Security Group with the following inbound ports:

    • SSH
    • DNS (UDP - is used to exchange small information)
    • DNS (TCP - is used when the response data size exceeds 512 bytes)
  • Create EC2 Ubuntu 20.04 server

  • Allocate public Elastic IP address and associate it with our EC2 instance

Install acme-dns Server

  • Create folder for acme-dns and change directory
  • Download and extract tar with acme-dns from GitHub
  • Create soft link
  • Create a minimal acme-dns user
  • Update default acme-dns config
  • Move the systemd service and reload
  • Start and enable acme-dns server
  • Check acme-dns for posible errors
  • Use journalctl to debug in case of errors
  • Create A record for your domain
  • Create NS record for auth.devopsbyexample.io pointing to auth.devopsbyexample.io. This means, that auth.example.org is responsible for any *.auth.devopsbyexample.io records

Install acme-dns-client

Install certbot

Get Letsencrypt Wildcard Certificate

  • Create a new ACME account
  • Create a new acme-dns account for your domain and set it up
  • Get wildcard certificate
  • Check txt records
  • Print out certificate
  • Decode certificate online

  • Renew certificate (test)

  • Setup cronjob

if you’re setting up a cron or systemd job, we recommend running it twice per day (it won’t do anything until your certificates are due for renewal or revoked, but running it regularly would give your site a chance of staying online in case a Let’s Encrypt-initiated revocation happened for some reason). Please select a random minute within the hour for your renewal tasks.

Let’s Encrypt will send a message to the email you specified, warning you when your certificate is about to expire.

Clean Up

  • Terminate EC2 Instance
  • Delete web Security Group
  • Release Elastic IP Address
  • Delete devops Key Pair and local devops.pem file
  • Delete DNS records



Anton Putra

DevOps Engineer

Big Data | DevOps engineer with hands-on experience in building large, scalable batch and real-time applications with Apache Spark, Hive, Flink on top of Kubernetes; designing and developing CI/CD pipelines.



Social Media


Related Posts

Wildcard Certificate
Letsencrypt Wildcard Certificate
November 16, 2020
1 min
© 2021, All Rights Reserved.

Quick Links

About UsContact Us

Social Media