Use “Let’s Encrypt Wildcard SSL Certificate” via Nginx and Apache


What is an SSL certificate? SSL stands for Secure Sockets Layer. It is a standard, globally used technology that encrypts data between the web server and the web client, thereby minimizing the risk of websites and web applications being hacked. The SSL certificate installed on the web server makes this secure connection possible. The certificate contains the website's public key, the website's identity and other relevant information, and is hosted on the website's origin server. Any client that wants to communicate with the origin server refers to this certificate to obtain the website's public key and identity.

Let's Encrypt is a certificate authority that provides an easy way to obtain and install free SSL/TLS certificates, thereby enabling encrypted HTTP traffic (HTTPS) on web servers. It provides a software client called certbot, which simplifies SSL installation by automating most of the installation steps. For Apache and Nginx web servers, SSL installation is fully automated. In this guide, we will look at how to use a Let's Encrypt wildcard SSL certificate with Nginx and Apache on Ubuntu/CentOS.

Install Certbot on Ubuntu and CentOS

To install certbot on Ubuntu and CentOS, we will run the commands shown below according to the web server used.

For Nginx web server

To install Certbot for Nginx, use the following command:

--- Ubuntu  ---
sudo apt install certbot python3-certbot-nginx

--- CentOS 8 ---
sudo yum -y install
sudo dnf config-manager --set-enabled PowerTools
sudo yum -y install certbot python3-certbot-nginx nginx

--- CentOS 7 ---
sudo yum -y install
sudo yum -y install certbot python2-certbot-nginx nginx

For Apache web server

For Apache web server, run the following command to install certbot.

--- Ubuntu  ---
sudo apt install certbot python3-certbot-apache

--- CentOS 8 ---
sudo yum -y install
sudo dnf config-manager --set-enabled PowerTools
sudo yum -y install certbot python3-certbot-apache httpd

--- CentOS 7 ---
sudo yum -y install
sudo yum -y install certbot python2-certbot-apache httpd

Check Nginx and Apache web server configuration

We need to make sure that a virtual host is configured for the web server you have chosen. The virtual host file should contain the server name and alias as shown below.

For Apache, check the file as follows:

--- Ubuntu ---
sudo vim /etc/apache2/sites-available/

--- CentOS ---
sudo vim /etc/httpd/conf.d/

You should have the server name and alias as shown below:


For Nginx, the situation is the same, please check the configuration as follows:

sudo vim /etc/nginx/conf.d/

You should also have the server name and alias here.


How to use Certbot to issue Let’s Encrypt Wildcard SSL

After confirming the web server virtual host, it is time to request the Let's Encrypt wildcard SSL certificate. Wildcard SSL is a type of SSL that covers the main domain and all its subdomains. E.g,*. The wildcard ssl of should also protect,, etc.

Secure Nginx/Apache with Let's Encrypt wildcard SSL

Run the command shown below to request SSL for *

sudo certbot certonly \
  --agree-tos \
  --email [email protected] \
  --manual \
  --preferred-challenges dns \
  -d *

The following is a description of the various parameters used in the above command:

  • certonly: Tells Certbot to only issue the SSL certificate. If you remove "certonly" from the command, Certbot will issue an SSL certificate and will also update your virtual host file to apply it.
  • --agree-tos: Agrees to the Let's Encrypt Terms of Service.
  • --email: The email address registered with the Let's Encrypt account for this certificate. It is used to notify us when the certificate is about to expire.
  • --manual: Issues the certificate interactively, prompting for more information when needed.
  • --preferred-challenges: Specifies the method of domain validation. The domain name must be verified before the certificate is issued. In this case, we choose DNS.
  • -d: Specifies the domain the certificate is issued for.
  • --server: Specifies the API endpoint used to issue the SSL certificate.

After executing the command, you will receive the TXT record that needs to be added to the DNS server. The record will look like this:

Please deploy a DNS TXT record under the name with the following value: 

Before continuing, verify the record is deployed. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Press Enter to Continue

Add the record to the DNS server of the web server domain.

Confirm that the record is available in your DNS server.
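One way to do this confirmation from the shell before pressing Enter, shown as an added example that is not part of the original article. It assumes dig is installed; the function names are hypothetical, and the domain and token used in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example: check that the DNS-01 TXT record certbot asked for is
# actually being served before continuing the certbot prompt.

# challenge_name DOMAIN -> name of the TXT record for that domain.
# For a wildcard request (*.domain) the record sits under the base domain.
challenge_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# txt_has_token EXPECTED DIG_OUTPUT -> status 0 if one TXT value equals
# EXPECTED exactly. `dig +short TXT` prints one quoted value per line, and
# several values can share the name, so each line is compared in full.
# `--` matters: validation values may begin with "-".
txt_has_token() {
    expected=$1
    printf '%s\n' "$2" | tr -d '"' | grep -Fxq -- "$expected"
}

# check_record DOMAIN TOKEN [RESOLVER] -> performs the live lookup.
# RESOLVER is optional, e.g. one of the zone's own nameservers, which
# avoids a stale answer from a caching resolver.
check_record() {
    name=$(challenge_name "$1")
    answer=$(dig +short TXT "$name" ${3:+@"$3"})
    if txt_has_token "$2" "$answer"; then
        echo "OK: $name returns the expected value"
    else
        echo "NOT YET: $name does not return the expected value" >&2
        return 1
    fi
}

# Usage (constructed values):
#   check_record '*.example.test' 'value-printed-by-certbot'
```

If the check reports NOT YET, wait for the record to propagate and run it again; pressing Enter too early makes the validation fail.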


After the verification record has been deployed, press Enter to obtain the SSL certificate. You should get the following feedback:

- Congratulations! Your certificate and chain have been saved at: 
  Your key file has been saved at: 
  Your cert will expire on 2020-10-28. To obtain a new or tweaked 
  version of this certificate in the future, simply run certbot 
  again. To non-interactively renew *all* of your certificates, run 
  "certbot renew" 
- If you like Certbot, please consider supporting our work by: 

  Donating to ISRG / Let's Encrypt: 
  Donating to EFF:          

Configure Nginx web server to use Let's Encrypt wildcard SSL

Now configure the Nginx web server to use the Let's Encrypt wildcard SSL certificate.

We need to edit the Nginx virtual host configuration file and enable HTTPS as shown below:

sudo vim /etc/nginx/conf.d/

Your content should now look like this:

server {
 listen 80;
 listen [::]:80;
 server_name *;
 return 301 https://$host$request_uri;
}

server {
 listen 443 ssl;
 server_name *;
 ssl_certificate /etc/letsencrypt/live/;
 ssl_certificate_key /etc/letsencrypt/live/;
 include /etc/letsencrypt/options-ssl-nginx.conf;
 ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 root /var/www/;
 index index.html;
 location / {
   try_files $uri $uri/ =404;
 }
}

Enable the file by creating a symbolic link to it in the sites-enabled directory, which Nginx reads during startup.

sudo ln -s /etc/nginx/sites-available/ /etc/nginx/sites-enabled/

Now test your Nginx configuration to make sure all settings are OK.

sudo nginx -t

If the Nginx configuration is valid, you should get the following output.

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok 
nginx: configuration file /etc/nginx/nginx.conf test is successful

After that, restart Nginx.

sudo systemctl restart nginx

Configure Apache web server to use Let's Encrypt wildcard SSL

For the Apache web server, repeat the same process as for Nginx. Edit the Apache configuration file:

sudo vim /etc/apache2/sites-available/

Make sure it contains the SSL directives shown below.

SSLCertificateFile      /etc/letsencrypt/live/
SSLCertificateKeyFile   /etc/letsencrypt/live/
SSLCertificateChainFile /etc/letsencrypt/live/

When finished, restart Apache:

sudo systemctl restart apache2

That's it. Your web server is now set up to serve wildcard subdomains over SSL. You can test SSL from your browser, and you should be able to see the Let's Encrypt SSL information as shown below:
