Wildcard certificates using Let’s Encrypt/Certbot - canonical domain and subdomains

Web · 1 min read

Certificates for the canonical domain, combined with CNAME flattening, are a great way to make it possible to drop the www. from your website address. You may also need to extend the certificate to subdomains, for example to cover subsections of your website structure. To issue a wildcard certificate that also covers the canonical form, you need to pass each name as a separate -d argument to certbot. The following commands are for Debian-based Linux distros (like Ubuntu).

To install certbot, if you don’t have it already:

sudo apt-get install certbot

Now issue the certificate; just replace example.domain with your own domain. The wildcard is quoted so the shell does not expand it as a file glob:

sudo certbot certonly --manual --preferred-challenges=dns -d example.domain -d '*.example.domain'

Follow the on-screen instructions and be sure to add a TXT record named _acme-challenge.example.domain in your domain’s DNS with the value certbot displays. Wait a bit before hitting enter to allow your DNS to propagate. If you are too quick, the challenge may fail. Just repeat the process; a new challenge will be issued.
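A check worth running before pressing enter at the certbot prompt: the shell helper below (an added example, not part of the original post) polls a public resolver until the TXT value certbot printed is actually visible. It assumes dig is installed (package bind9-dnsutils on Debian/Ubuntu) and that you paste in the exact value from the certbot prompt.

```shell
#!/bin/sh
# Added example: confirm the _acme-challenge TXT record has propagated
# before telling certbot to continue with the DNS-01 challenge.

# lookup_txt NAME: print the TXT strings published for NAME, one per line,
# with the surrounding quotes stripped. A public resolver is queried so a
# stale local cache cannot give a false "ready" answer.
lookup_txt() {
    dig +short TXT "$1" @1.1.1.1 | tr -d '"'
}

# txt_present NAME VALUE: succeed if VALUE is one of the TXT records at NAME.
# With two -d names, certbot asks for two records under the same name, so the
# comparison is on whole lines, not substrings.
txt_present() {
    lookup_txt "$1" | grep -Fxq -- "$2"
}

# wait_for_txt NAME VALUE [ATTEMPTS] [DELAY_SECONDS]: retry the lookup until
# the value shows up or the attempts are exhausted (default 30 x 10 s).
wait_for_txt() {
    name=$1; value=$2; attempts=${3:-30}; delay=${4:-10}
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if txt_present "$name" "$value"; then
            echo "TXT record for $name is visible; safe to continue in certbot."
            return 0
        fi
        i=$((i + 1))
        echo "Not visible yet (attempt $i/$attempts); retrying in ${delay}s..."
        sleep "$delay"
    done
    echo "Gave up: $name does not show the expected value." >&2
    return 1
}

# Usage (replace the placeholder with the value certbot printed):
# wait_for_txt _acme-challenge.example.domain '<value certbot printed>'
```

Run it once per value certbot asks for, in a second terminal, and only press enter in certbot once it reports the record as visible.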

The full certificate chain and the private key will be located at the paths below:

/etc/letsencrypt/live/example.domain/fullchain.pem
/etc/letsencrypt/live/example.domain/privkey.pem
