# Certbot DNS mode (wildcard)

Obtain a Let's Encrypt wildcard certificate (`*.domain`) via the DNS-01 challenge and Certbot on a HolyCloud VPS.

The HTTP-01 challenge cannot issue wildcard certificates (`*.example.com`). On a HolyCloud Linux VPS, use DNS-01 instead: Certbot asks you to publish a TXT record named `_acme-challenge` under the domain, which you create either in your registrar's panel or through your DNS provider's API (Cloudflare, OVH, etc.).

## Prerequisites

- HolyCloud VPS with Certbot installed
- DNS control for the domain (API token or manual panel access)
- Matching DNS plugin (e.g. `python3-certbot-dns-cloudflare`)
- Port 80 is not required for validation (useful behind a CDN or with multiple servers)

## Step 1: install Certbot and the DNS plugin

Cloudflare example:

```bash
sudo apt update
sudo apt install -y certbot python3-certbot-dns-cloudflare
```

Other common plugins:

```bash
# OVH (if available as a package, otherwise via pip)
sudo apt install -y python3-certbot-dns-ovh
```

List installed plugins:

```bash
certbot plugins
```

## Step 2: API credentials (Cloudflare)

Create a Cloudflare API token with the `Zone:DNS:Edit` permission, scoped to the target zone only.

Store it in a file readable only by root:

```bash
sudo mkdir -p /root/.secrets
sudo nano /root/.secrets/cloudflare.ini
```

Content:

```ini
dns_cloudflare_api_token = VOTRE_TOKEN_API
```

```bash
sudo chmod 600 /root/.secrets/cloudflare.ini
```

## Step 3: request the wildcard certificate

```bash
sudo certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials /root/.secrets/cloudflare.ini \
  -d example.com \
  -d '*.example.com' \
  --agree-tos \
  -m admin@example.com
```

Without a plugin (manual validation):

```bash
sudo certbot certonly --manual --preferred-challenges dns \
  -d example.com -d '*.example.com'
```

Certbot shows a TXT record to create:

```
_acme-challenge.example.com. TXT "valeur_fournie"
```

Wait for DNS propagation (check with `dig TXT _acme-challenge.example.com`) before confirming the prompt; validation fails if the record is not yet visible. Because both the apex and the wildcard are requested, Certbot prompts for two different values at the same record name: add the second TXT record alongside the first rather than replacing it.
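Checking only your local resolver can give a false positive from cache, so before confirming Certbot's manual prompt it is safer to ask each authoritative nameserver of the zone directly. The script below is an added example, not part of the original guide or of Certbot; the function names `txt_present`, `authoritative_ns` and `wait_for_txt` are chosen here, and it assumes `dig` is installed on the VPS.

```shell
#!/bin/sh
# Poll every authoritative nameserver of a zone until all of them serve the
# _acme-challenge TXT value that Certbot asked for (manual DNS-01 mode).
# Added example; function names are chosen here and `dig` must be installed.
set -eu

# txt_present OUTPUT EXPECTED
# OUTPUT is what `dig +short TXT` printed (one double-quoted string per line).
# Returns 0 if EXPECTED is one of those strings, 1 otherwise.
txt_present() {
  output="$1"; expected="$2"
  while IFS= read -r line; do
    # dig prints TXT data double-quoted; strip the quotes before comparing.
    line="${line%\"}"; line="${line#\"}"
    [ "$line" = "$expected" ] && return 0
  done <<EOF
$output
EOF
  return 1
}

# authoritative_ns ZONE: the zone's NS hostnames, one per line.
authoritative_ns() {
  dig +short NS "$1"
}

# wait_for_txt ZONE EXPECTED [TIMEOUT_SECONDS]
# Queries _acme-challenge.ZONE directly at each authoritative server, so the
# result does not depend on a cached answer from the local resolver.
wait_for_txt() {
  zone="$1"; expected="$2"; timeout="${3:-300}"
  deadline=$(( $(date +%s) + timeout ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    all_ok=1
    for ns in $(authoritative_ns "$zone"); do
      answer="$(dig +short TXT "_acme-challenge.$zone" "@$ns" || true)"
      if ! txt_present "$answer" "$expected"; then
        echo "waiting: $ns does not serve the record yet" >&2
        all_ok=0
      fi
    done
    [ "$all_ok" -eq 1 ] && return 0
    sleep 10
  done
  echo "timed out after ${timeout}s" >&2
  return 1
}

# Usage (replace the value with the one shown by Certbot), e.g.:
#   wait_for_txt example.com 'valeur_fournie' 300 && echo "ready to confirm"
```

Run it in a second terminal while Certbot waits at its prompt, once per value when both the apex and the wildcard are requested.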
## Step 4: use the certificate with Nginx

Generated files:

```
/etc/letsencrypt/live/example.com/fullchain.pem
/etc/letsencrypt/live/example.com/privkey.pem
```

Example server block:

```nginx
server {
    listen 443 ssl http2;
    server_name example.com *.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    root  /var/www/html;
    index index.html;
}
```

Test and reload:

```bash
sudo nginx -t
sudo systemctl reload nginx
```

## Step 5: automatic renewal

With a DNS plugin, renewal re-runs the API calls unattended:

```bash
sudo certbot renew --dry-run
```

Verify the timer is active:

```bash
sudo systemctl status certbot.timer
```

Manual mode cannot renew unattended without a hook that publishes the TXT record; migrate to a DNS plugin.

## Step 6: multi-service deployment (HolyCloud)

A wildcard covers all subdomains that point to the same VPS or reverse proxy:

- `app.example.com` → HolyCloud VPS IP
- `api.example.com` → same IP, separate Nginx virtual hosts

A single certificate simplifies TLS management for multiple apps on one HolyCloud VPS.

## Verification

```bash
sudo certbot certificates
echo | openssl s_client -connect example.com:443 -servername app.example.com 2>/dev/null \
  | openssl x509 -noout -subject -dates
dig TXT _acme-challenge.example.com +short
```

## Need help?

- NXDOMAIN or TXT not found: DNS propagation still in progress (TTL), or the record was created in the wrong zone
- API error: token with insufficient permissions, or `.ini` file permissions too open
- When contacting HolyCloud support, provide the plugin used, the `certbot certonly` output (without secrets), and the output of `dig TXT _acme-challenge.<domain>`