How to Generate a Free Wildcard SSL Certificate on Ubuntu VPS using Certbot (Manual DNS)
Securing your domain with SSL is essential, and wildcard certificates let you cover all subdomains (*.yourdomain.com) under a single certificate. In this guide, we’ll walk you through generating a wildcard SSL certificate on an Ubuntu VPS using Certbot without using any third-party DNS plugin like Cloudflare or DigitalOcean.
✅ What You’ll Need
- A domain name (e.g., yourdomain.com)
- Access to your domain’s DNS panel (to add TXT records)
- Ubuntu VPS with sudo access
- A web server like Nginx or Apache (for using the certificate after issuance)
⚙️ Step 1: Install Certbot
First, install Certbot:
sudo apt update
sudo apt install certbot
You don’t need any special plugin for the manual DNS method.
🌐 Step 2: Request a Wildcard Certificate
Use this command to start the manual certificate issuance process:
sudo certbot certonly --manual \
--preferred-challenges=dns \
-d yourdomain.com -d "*.yourdomain.com"
Certbot will ask you to verify domain ownership by adding a DNS TXT record.
Example:
Please deploy a DNS TXT record under the name
_acme-challenge.yourdomain.com with the following value:
8UoYYJZyZ8OwYyN87kM8yTqlZdl8UvZtLmLjgSpkP4M
🧾 Step 3: Add the DNS TXT Record
- Log in to your domain DNS provider (e.g., Namecheap, GoDaddy, etc.)
- Create a new TXT record:
  - Host/Name: _acme-challenge
  - Value: 8UoYYJZyZ8OwYyN87kM8yTqlZdl8UvZtLmLjgSpkP4M
⚠️ Do not include the domain name in the host field unless your provider requires it.
Wait a couple of minutes for DNS to propagate, then return to the terminal and press Enter.
Certbot will validate the TXT record and generate your wildcard certificate.
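Before you press Enter, it is worth confirming that the record is actually visible from the domain’s own authoritative name servers: Certbot validates against live DNS, a stale or missing record makes the attempt fail, and repeated failures count against Let’s Encrypt’s rate limits. Note also that when you request both yourdomain.com and *.yourdomain.com in one command, Certbot prompts twice, with two different values under the same _acme-challenge name; add both TXT records and keep both until issuance completes. The script below is an added example, not part of Certbot or of this guide. It assumes dig is installed (package dnsutils on Ubuntu) and takes the domain and the value Certbot printed as its two arguments.

```shell
#!/bin/sh
# Check that the _acme-challenge TXT value Certbot asked for is visible in DNS
# before pressing Enter in the Certbot prompt.
# Added example; not part of Certbot or of the original guide.

# acme_txt_published EXPECTED VALUE... -> exit 0 if EXPECTED is among VALUE...
# Pure comparison; VALUE... are TXT strings as printed by dig, with their
# surrounding double quotes already stripped.
acme_txt_published() {
    expected="$1"; shift
    for v in "$@"; do
        [ "$v" = "$expected" ] && return 0
    done
    return 1
}

# lookup_acme_txt DOMAIN -> prints each TXT string under _acme-challenge.DOMAIN,
# one per line, asked of the domain's own authoritative name server so that a
# cached answer at a recursive resolver cannot hide a freshly added record.
lookup_acme_txt() {
    domain="$1"
    ns=$(dig +short NS "$domain" | head -n 1)
    [ -n "$ns" ] || { echo "no NS record found for $domain" >&2; return 2; }
    dig +short TXT "_acme-challenge.$domain" @"$ns" | sed 's/^"//; s/"$//'
}

# wait_for_acme_txt DOMAIN EXPECTED [TRIES] -> polls every 15 s until the value
# is published (exit 0) or TRIES polls have passed (exit 1). ACME challenge
# values contain no whitespace, so word splitting of the lookup output is safe.
wait_for_acme_txt() {
    domain="$1"; expected="$2"; tries="${3:-20}"
    i=0
    while [ "$i" -lt "$tries" ]; do
        if acme_txt_published "$expected" $(lookup_acme_txt "$domain"); then
            echo "TXT record for _acme-challenge.$domain is live; press Enter in Certbot."
            return 0
        fi
        i=$((i + 1))
        sleep 15
    done
    echo "TXT record still not visible after $tries polls" >&2
    return 1
}

# When run as a script: sh check-acme-txt.sh yourdomain.com <value from Certbot>
if [ "$#" -ge 2 ]; then
    wait_for_acme_txt "$@"
fi
```

Run it in a second terminal while Certbot is waiting; once it reports the record as live, go back and press Enter. If you are issuing for both the bare domain and the wildcard, run it once per value Certbot prints.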
📁 Step 4: Where Are the SSL Files?
Your certificate and private key will be stored in:
/etc/letsencrypt/live/yourdomain.com/
Files include:
- fullchain.pem: The full certificate chain (the file your web server serves)
- privkey.pem: The private key
- cert.pem: Your domain certificate
- chain.pem: Let’s Encrypt’s chain
🌐 Step 5: Configure Your Web Server (Example: Nginx)
Open your Nginx config:
sudo nano /etc/nginx/sites-available/default
Add inside your server block:
listen 443 ssl;
server_name yourdomain.com *.yourdomain.com;
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
Then restart Nginx:
sudo systemctl reload nginx
🔁 How to Renew Manually (Every 60–90 Days)
Wildcard certificates using manual DNS cannot auto-renew. You’ll need to re-run the manual command and add a new TXT record again.
Renewal Steps:
- Re-run the same command:
sudo certbot certonly --manual \
--preferred-challenges=dns \
-d yourdomain.com -d "*.yourdomain.com"
- Add the new TXT record as prompted.
- Restart your web server after success:
sudo systemctl reload nginx
💡 Tip: Set a calendar reminder every 60 days so you don’t forget.
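A calendar reminder is easy to miss, so a small check that reads the certificate itself is a useful backstop: it tells you whether renewal is due and, after you have renewed, reloads Nginx only once nginx -t has confirmed the configuration is valid. This script is an added example, not part of Certbot or of this guide; it assumes openssl and GNU date are available (both are on Ubuntu) and the /etc/letsencrypt/live/yourdomain.com/ layout from Step 4.

```shell
#!/bin/sh
# Report whether the wildcard certificate is due for manual renewal, and reload
# Nginx only after a configuration syntax check.
# Added example; not part of Certbot or of the original guide.

# cert_expires_within CERT_FILE DAYS -> exit 0 if the certificate's notAfter
# falls within the next DAYS days (renewal is due), 1 otherwise.
cert_expires_within() {
    cert="$1"; days="$2"
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 2; }
    # openssl exits 0 when the certificate is still valid after the window
    # and 1 when it will expire inside it.
    if openssl x509 -noout -checkend $((days * 86400)) -in "$cert" >/dev/null; then
        return 1
    fi
    return 0
}

# cert_days_left CERT_FILE -> prints the whole number of days until notAfter
# (uses GNU date to parse the timestamp openssl prints).
cert_days_left() {
    end=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    end_s=$(date -d "$end" +%s)
    now_s=$(date +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

# safe_reload_nginx -> validates the configuration first so that a typo in the
# server block cannot take the site down on reload.
safe_reload_nginx() {
    sudo nginx -t && sudo systemctl reload nginx
}

# renewal_check DOMAIN [DAYS] -> exit 0 and print a reminder when the
# certificate for DOMAIN expires within DAYS days (default 30), 1 otherwise.
renewal_check() {
    domain="$1"; days="${2:-30}"
    cert="/etc/letsencrypt/live/$domain/fullchain.pem"
    if cert_expires_within "$cert" "$days"; then
        echo "$domain: expires in $(cert_days_left "$cert") days; re-run certbot certonly --manual now"
        return 0
    fi
    echo "$domain: $(cert_days_left "$cert") days left; nothing to do"
    return 1
}

# When run as a script: sh renew-check.sh yourdomain.com 30
if [ "$#" -ge 1 ]; then
    renewal_check "$@"
fi
```

Run it by hand or from a daily cron entry that mails you its output; after a successful manual renewal, call safe_reload_nginx instead of reloading blindly.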
🎯 Final Tips
- Always test your certificate with: https://www.ssllabs.com/ssltest/analyze.html?d=yourdomain.com
- For staging/testing before expiry, use the --dry-run flag.
✅ Summary
| Task | Command |
|---|---|
| Install Certbot | sudo apt install certbot |
| Request wildcard SSL | sudo certbot certonly --manual --preferred-challenges=dns -d yourdomain.com -d "*.yourdomain.com" |
| Manual renewal | Run the same command again and update TXT |
| Web server reload | sudo systemctl reload nginx |
Wildcard SSL gives you flexibility and coverage for all your subdomains. Even without using DNS APIs like Cloudflare, you can manage it manually and securely on your Ubuntu VPS.