Generating letsencrypt wildcard certificate with certbot

Vyacheslav Voronenko
2 min readMar 21, 2018

As you might know, letsencrypt ssl certificates officially reached production state, see .

It is time to give it a try. I have two DNS providers in use: Godaddy and Cloudflare, thus I had to use to different methods to make things happen. At a moment of article writing, certbot was not supporting latest features, thus I had to install latest certbot from sources:

Wildcard certificates require dns validation. Thus, once you installed certbot, look for plugins that support your DNS provider.

In my case there was cloudflare plugin, thus for that domain I was able to achieve fully automatic generation/renewal

Steps to install cloud flare plugin from source follow. Also you might use pip3 manager to do the same.

Clould flare installation

To use the authenticator plugin with CloudFlare, you need to provide CloudFlare api key to the bot so it can edit the domain entries to add validation TXT entry to verify you control the domain. This of course means, that you should take care on configuration files with key.

You need to obtain the Global API key on a CloudFlare website from your user profile, than put those keys into a configuration file. Certbot uses a default directory/etc/letsencrypt. We need to create file /etc/letsencrypt/dnscloudflare.ini to store credentials from CloudFlare.

Ensure file is readable only by allowed persons, saying root.

Certbot Configuration Settings

Wildcard certificates are only available via the v2 API, which I haven’t found in certbot installed from packages, so I had to amend configuration to tell certbot server parameter. Certbot uses the /etc/letsencrypt/cli.ini

Generating certificate in automatic mode with ClouldFlare pluging

Case 2: not supported DNS provider

I have also another domain, used for open source activities. For that domain I had to add validation entry manually. Command is slightly different, note that most of — parameters might go to config files. If you have improvements, comments are welcomed.

During the command run you are asked to put TXT entry into DNS records, and wait for change to propagate


We’ve successfully used new letsencrypt API go generate wildcard certificate in fully automated mode as well as in manual mode.



Vyacheslav Voronenko

Software engineer, with project management background. Founder @ — cool automation for the people :) — have a problem that needs to be solved?