Add wildcard Let’s Encrypt certifications with Namecheap

Let’s Encrypt recently added wildcard certifications but it involves a little more steps than a normal certification process. First you must make sure you have certbot version 0.22.0 or above. You can get the latest version from the certbot site. As of now, you can’t get a high enough version using apt-get

wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
sudo ./certbot-auto

Once the latest version is installed we need to get a TXT DNS record value to add to Namecheap. This allows Let’s Encrypt to verify with your domain name provider rather than the server on a per subdomain basis. We can request a vlue for the TXT record from Let’s Encrypt with:

sudo certbot-auto certonly \
--server https://acme-v02.api.letsencrypt.org/directory \
--manual --preferred-challenges dns -d *.lmerza.com

Just replace lmerza.com with the name of your domain. Let’s Encrypt will ask you about exposing your server IP address to log the verification, select Yes then it will give you the host and value for the new TXT record you need to create:

Please deploy a DNS TXT record under the name                                                                          
 _acme-challenge.lmerza.com with the following value:                                                                   
                                                                                                                        
 yB0AXXXXXXORZXTwzeXXXXXXXXXXXXXXXXmOoA1-XXX                                                                            
                                                                                                                        
 Before continuing, verify the record is deployed.

In the advanced DNS panel for your domain in Namecheap we need to create a new TXT Record and add _acme-challengeas the host and yB0AXXXXXXORZXTwzeXXXXXXXXXXXXXXXXmOoA1-XXX as the value:

Namecheap might take a while to sync the new record but you can test to see if the record has been synced by running the command (again replacing the domain name):

nslookup -type=TXT _acme-challenge.lmerza.com

You’ll get a server can’t find _acme-challenge.lmerza.com: NXDOMAIN error if the record hasn’t synced and a success answer like this if it has:

Server:         192.XXX.XXX.XXX
Address:        192.XXX.XXX.XXX#XX
Non-authoritative answer:
_acme-challenge.lmerza.com text = "5GFgXXWfT5V-XXXXXWfT5XXXX"

Once the record is synced continue the certbot process by pressing enter and you will see the usual Congratulations! Your certificate and chain have been saved at message. You can now use these new certification files to add to your web server.