
What is an SSL Certificate?

SSL stands for Secure Sockets Layer. It is a standard global technology which ensures data encryption between a web server and a web client, minimizing the risks of websites and web applications being hacked. An SSL certificate installed on a web server ensures this secure connection. An SSL certificate contains the website's public key, the website's identity and other related information, and is hosted on the website's origin server. Any client trying to communicate with the origin server needs to reference the certificate to obtain the website's public key and identity.

Let’s Encrypt is a Certificate Authority providing an easy way to acquire and install free SSL/TLS certificates, enabling encrypted HTTP traffic on web servers. It provides a software client called certbot that makes SSL installation easy by automating most of the installation steps. For Apache and Nginx web servers, SSL installation is fully automated. In this guide, we are going to look at how to use a Let’s Encrypt Wildcard SSL Certificate with Nginx and Apache on Ubuntu / CentOS.

Install Certbot on Ubuntu | CentOS

To install certbot on Ubuntu and CentOS we are going to run the command as shown below depending on the web server we are using.

For Nginx Web Server

To install Certbot for Nginx, use the following command:

--- Ubuntu  ---
sudo apt install certbot python3-certbot-nginx

--- CentOS 8 ---
sudo yum -y install
sudo dnf config-manager --set-enabled PowerTools
sudo yum -y install certbot python3-certbot-nginx nginx

--- CentOS 7 ---
sudo yum -y install
sudo yum -y install certbot python2-certbot-nginx nginx

For Apache Web Server

For Apache web server, run the below command to install certbot.

--- Ubuntu  ---
sudo apt install certbot python3-certbot-apache

--- CentOS 8 ---
sudo yum -y install
sudo dnf config-manager --set-enabled PowerTools
sudo yum -y install certbot python3-certbot-apache httpd

--- CentOS 7 ---
sudo yum -y install
sudo yum -y install certbot python2-certbot-apache httpd

Check Nginx and Apache web server configurations

We need to ensure that a virtual host is configured for our preferred web server. The file should contain the web server name and alias as shown.

For Apache, check the file as shown:

--- Ubuntu ---
sudo vim /etc/apache2/sites-available/

--- CentOS ---
sudo vim /etc/httpd/conf.d/

You should have your server name and alias name as shown:


The same case for Nginx, check the configuration as shown:

sudo vim /etc/nginx/conf.d/

You should have the server name and alias here as well.


How To Issue Let’s Encrypt Wildcard SSL using Certbot

Having confirmed the web server virtual hosts, it is time to request a Let’s Encrypt wildcard SSL certificate. A wildcard SSL is a type of SSL that covers the main domain and all its subdomains. For example, a wildcard SSL for * should also protect, and so on.

Securing Nginx/ Apache with Let’s Encrypt Wildcard SSL

Run the command as shown below to request SSL for *

sudo certbot certonly \
  --agree-tos \
  --email [email protected] \
  --manual \
  --preferred-challenges=dns \
  -d * \

Below is a description of the various parameters used in the above command:

  • certonly: The certonly subcommand in our command tells Certbot that we only want to issue the SSL certificate. If you remove certonly from the command, Certbot will issue the SSL certificate and it will also update your virtual host file to apply the SSL certificate.
  • --agree-tos: Used to agree to the Let’s Encrypt terms of service.
  • --email: The email is provided for storing the SSL in the Let’s Encrypt account. It will be used to notify us when the SSL is about to expire.
  • --manual: This brings an interactive way of issuing the SSL where we are prompted for more information.
  • --preferred-challenges: Specifies the method of SSL verification. The domain name has to be verified before issuing SSL. In this case we are selecting DNS.
  • -d: Used to specify the domains to issue the SSL certificate for.
  • --server: Used to specify the API endpoint to issue the SSL certificate.

Once you execute the command, you will receive a TXT record which you need to add to your DNS server. The records will look as below:

Please deploy a DNS TXT record under the name with the following value: 

Before continuing, verify the record is deployed. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Press Enter to Continue

Add the records to your DNS server for the webserver domain.

Confirm the record is available in your DNS server.
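One way to confirm the record from the shell before pressing Enter, as an added example that is not part of the original guide: it derives the `_acme-challenge` record name for a domain or wildcard and asks every authoritative nameserver of the zone for the TXT value using dig. The function names are made up for this example, and example.com and the TXT value in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names are illustrative.

# DNS-01 record name: drop a leading "*." label, then prefix "_acme-challenge."
# (RFC 8555), so "*.example.com" and "example.com" share one record name.
challenge_name() {
  local domain="$1"
  case "$domain" in
    '*.'*) domain="${domain#??}" ;;   # strip the wildcard label
  esac
  printf '_acme-challenge.%s\n' "${domain%.}"
}

# Return 0 if the expected value is one of the TXT strings in `dig +short` output.
# dig prints each TXT string in double quotes, one per line; several values may
# coexist under the same name, so every line is compared as a whole.
txt_value_present() {
  [ -n "$1" ] || return 1
  printf '%s\n' "$2" | tr -d '"' | grep -Fxq -- "$1"
}

# Query each authoritative nameserver of the zone; fail if any lacks the value.
check_challenge() {
  local zone="$1" name expected="$3" ns seen=0 rc=0
  name="$(challenge_name "$2")"
  for ns in $(dig +short NS "$zone"); do
    seen=1
    if txt_value_present "$expected" "$(dig +short TXT "$name" "@$ns")"; then
      echo "ok       $ns"
    else
      echo "missing  $ns"; rc=1
    fi
  done
  [ "$seen" -eq 1 ] || { echo "no nameservers found for $zone" >&2; return 2; }
  return "$rc"
}

# Usage (needs network access and dig):
#   check_challenge example.com '*.example.com' 'PLACEHOLDER_TXT_VALUE'
```

A non-zero exit status means at least one nameserver does not yet serve the value, so validation may still fail if you continue.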

Once you have verified that the record has been deployed, press Enter to obtain the SSL. You should get feedback as below:

- Congratulations! Your certificate and chain have been saved at: 
  Your key file has been saved at: 
  Your cert will expire on 2020-10-28. To obtain a new or tweaked 
  version of this certificate in the future, simply run certbot 
  again. To non-interactively renew *all* of your certificates, run 
  "certbot renew" 
- If you like Certbot, please consider supporting our work by: 

  Donating to ISRG / Let's Encrypt: 
  Donating to EFF:          

Configuring Nginx web server to use Let’s Encrypt Wildcard SSL

Now configure the Nginx web server to use the Let’s Encrypt wildcard SSL. We need to edit the Nginx virtual host configuration file and enable HTTPS as below:

sudo vim /etc/nginx/conf.d/

Your content should now appear as below:

# Redirect all plain HTTP requests to HTTPS
server {
 listen 80;
 listen [::]:80;
 server_name *;
 return 301 https://$host$request_uri;
}

# HTTPS virtual host using the Let's Encrypt certificate and key
server {
 listen 443 ssl;
 server_name *;
 ssl_certificate /etc/letsencrypt/live/;
 ssl_certificate_key /etc/letsencrypt/live/;
 include /etc/letsencrypt/options-ssl-nginx.conf;
 ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 root /var/www/;
 index index.html;
 location / {
   try_files $uri $uri/ =404;
 }
}

Let us enable the file by creating a symbolic link in sites-enabled, which Nginx reads from during startup.

sudo ln -s /etc/nginx/sites-available/ /etc/nginx/sites-enabled/

Now test your Nginx configuration to ensure that all settings are okay.

sudo nginx -t

You should get an output as below if nginx configuration is ok.

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok 
nginx: configuration file /etc/nginx/nginx.conf test is successful

After that reload Nginx.

sudo systemctl restart nginx

Configuring Apache web server to use Let’s Encrypt wildcard SSL

For Apache webserver, repeat the same procedure as for Nginx. The config file edit for Apache is:

sudo vim /etc/apache2/sites-available/

Add the SSL lines as shown below.

SSLCertificateFile      /etc/letsencrypt/live/
SSLCertificateKeyFile   /etc/letsencrypt/live/
SSLCertificateChainFile /etc/letsencrypt/live/

When done, reload Apache

sudo systemctl restart apache2

That’s it. Your web server is now set up to serve wildcard subdomains. You can test SSL from the browser and you should be able to get Let’s Encrypt SSL information as below:
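The installed certificate can also be checked from the shell. This is an added example, not part of the original guide: it confirms that the certificate file lists the expected wildcard name and warns when expiry is near, which matters here because a certificate issued interactively with --manual needs the DNS step repeated at renewal. The function names and the path in the usage line are placeholders, and OpenSSL 1.1.1 or newer is assumed.

```shell
#!/bin/sh
# Added example, not from the original guide. Requires OpenSSL 1.1.1 or newer.

# Print the DNS names in the certificate's Subject Alternative Name, one per line.
cert_dns_names() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Return 0 if the exact name (for example "*.example.com") is listed in the
# certificate. This compares the listed names literally; it does not expand
# the wildcard.
cert_lists_name() {
  cert_dns_names "$1" | grep -Fxq -- "$2"
}

# Return 0 if the certificate is still valid $2 days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Exit status: 0 = fine, 1 = name not listed, 2 = expiring within the window.
check_cert() {
  local cert="$1" name="$2" days="$3"
  if ! cert_lists_name "$cert" "$name"; then
    echo "FAIL: $name is not in the certificate's SAN list"; return 1
  fi
  if ! cert_valid_for_days "$cert" "$days"; then
    echo "WARN: certificate expires within $days days"; return 2
  fi
  echo "OK: $name listed, valid for more than $days days"
}

# Usage (path and domain are placeholders):
#   check_cert /path/to/certificate.pem '*.example.com' 30
```

Run from cron or a systemd timer, the non-zero exit status can drive an alert well before the expiry date.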
