How to change existing certbot/nginx to wildcard domain?

Posted on February 18, 2026

I have a multi-tenant app, and each sub-domain is a tenant. I want to change my existing certbot/nginx configuration from multiple domains to a wildcard domain so I don’t need to add a domain every time I add a client. How do I do that?

Heya, @edwardsitarski

To use a wildcard cert (*.example.com) with Let’s Encrypt, you must switch from the HTTP challenge to the DNS-01 challenge (wildcards can’t be issued via HTTP-01), so you’ll be proving domain control by creating a TXT record in DNS.

1. Issue the wildcard cert (includes apex too):

```bash
sudo certbot certonly --manual --preferred-challenges dns \
  -d example.com -d '*.example.com'
```

Certbot will print a `_acme-challenge.example.com` TXT value to add in your DNS. Create it, wait for DNS to propagate, then continue.

If your DNS provider is supported, use a DNS plugin instead (recommended) so renewals are automatic, e.g. Cloudflare:

```bash
sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/cf.ini \
  -d example.com -d '*.example.com'
```

2. Point Nginx at the new cert (usually under `/etc/letsencrypt/live/example.com/`):

```nginx
ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
```

Then:

```bash
sudo nginx -t && sudo systemctl reload nginx
```

3. Renewal: wildcard renewals also require DNS-01. If you used `--manual`, renewals won’t be hands-off. Use a DNS plugin (or something like acme.sh with DNS API) if you want “set and forget”.

Note: wildcard covers tenant.example.com, but not deeper like a.b.example.com (you’d need *.b.example.com for that).

Hope that this helps!
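To make the depth rule in the note above concrete, here is an added shell example (it is not part of the answer and not Certbot's own code) that implements the one-label wildcard matching check, so you can verify whether a given tenant hostname would be covered by the SAN set the command above produces (`example.com` and `*.example.com`) before pointing DNS at it. The hostnames in the loop at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example: does a certificate issued for APEX and *.APEX cover a given
# tenant hostname? Implements the one-label wildcard rule (RFC 6125 s.6.4.3):
# *.example.com covers tenant.example.com, but not example.com and not
# a.b.example.com (that needs *.b.example.com as a separate SAN).

# san_matches HOST PATTERN -> exit 0 if PATTERN (one SAN entry) covers HOST
san_matches() {
  h=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # DNS names compare case-insensitively
  p=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$p" in
    \*.*)
      suffix=${p#\*.}                      # "*.example.com" -> "example.com"
      case "$h" in
        *."$suffix") ;;                    # host ends in ".example.com"
        *) return 1 ;;
      esac
      label=${h%."$suffix"}                # the part the wildcard stands for
      [ -n "$label" ] || return 1          # must be non-empty ...
      case "$label" in
        *.*) return 1 ;;                   # ... and exactly one label deep
      esac
      return 0
      ;;
    *)
      [ "$h" = "$p" ]                      # plain SAN: exact match only
      ;;
  esac
}

# cert_covers HOST SAN... -> exit 0 if any SAN in the list covers HOST
cert_covers() {
  target=$1
  shift
  for san in "$@"; do
    if san_matches "$target" "$san"; then
      return 0
    fi
  done
  return 1
}

# Constructed check against the SAN set from the certbot command in the answer
for host in example.com tenant.example.com a.b.example.com other.com; do
  if cert_covers "$host" example.com '*.example.com'; then
    echo "$host: covered"
  else
    echo "$host: NOT covered"
  fi
done
```

The same function works for checking a real certificate: feed it the SAN list printed by `openssl x509 -noout -ext subjectAltName -in fullchain.pem` and the tenant hostnames you plan to create.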

Heya,

You can’t convert an existing HTTP-based Certbot cert into a wildcard. You issue a new wildcard certificate, switch Nginx to it, and you’re done.

1. Issue a new wildcard cert
   - Use Certbot with `--dns-*` (depends on your DNS provider).
   - Example intent (not exact command): “Give me a cert for example.com and *.example.com using DNS validation.”

2. Verify via DNS
   - Certbot will either:
     - Automatically add/remove DNS records (best case), or
     - Ask you to manually add a TXT record once (still fine).

3. Update Nginx
   - Point your `ssl_certificate` and `ssl_certificate_key` to the new wildcard cert.
   - Reload Nginx.

4. Stop caring about subdomains
   - New tenant? Just add DNS → done. No more Certbot runs per client.

Renewal

- If DNS is automated → renewals are automatic.
- If DNS is manual → you’ll need to repeat the TXT step on renewal (every ~90 days).
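An added example for step 3 (not from either answer, and not Certbot's or Nginx's documentation): a shell function that renders a tenant-agnostic Nginx server block reading the wildcard cert from `/etc/letsencrypt/live/<apex>/`, plus a deploy hook for Certbot's `renewal-hooks/deploy/` directory so a renewed cert is picked up without a manual reload. The upstream address `127.0.0.1:8080` and the `X-Tenant` header are assumptions about the app; the `server_name` regex accepts exactly one tenant label, which is also exactly what the wildcard cert covers.

```shell
#!/bin/sh
# Added example: render an Nginx vhost that serves every tenant from one
# wildcard cert, and a Certbot deploy hook that reloads Nginx after renewal.
# Assumptions (not from the thread): the app listens on 127.0.0.1:8080 and
# wants the tenant label in an X-Tenant header.

# render_tenant_vhost APEX -> prints server blocks for APEX and *.APEX
render_tenant_vhost() {
  apex=$1
  apex_re=$(printf '%s' "$apex" | sed 's/\./\\./g')   # example.com -> example\.com
  cat <<EOF
# Redirect plain HTTP for the apex and every tenant to HTTPS
server {
    listen 80;
    server_name ${apex} *.${apex};
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    # Apex plus exactly one tenant label; the label is captured as \$tenant.
    # The wildcard cert covers tenant.${apex} but not a.b.${apex}, and this
    # regex accepts only one label, so cert and vhost stay in sync.
    server_name ${apex} ~^(?<tenant>[a-z0-9-]+)\\.${apex_re}\$;

    # Certbot writes the cert here when issued with -d ${apex} -d '*.${apex}'
    ssl_certificate     /etc/letsencrypt/live/${apex}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${apex}/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:8080;         # assumed app address
        proxy_set_header Host \$host;
        proxy_set_header X-Tenant \$tenant;       # empty on the apex host
    }
}
EOF
}

# render_deploy_hook -> prints a script for /etc/letsencrypt/renewal-hooks/deploy/
# Certbot runs every executable in that directory after a successful renewal,
# so the wildcard renewal (DNS plugin) and the Nginx reload become hands-off.
render_deploy_hook() {
  cat <<'EOF'
#!/bin/sh
# Reload Nginx only if the config and the renewed cert pass the syntax check
nginx -t && systemctl reload nginx
EOF
}

# Usage: sh this_script.sh example.com > /etc/nginx/sites-available/tenants.conf
if [ $# -gt 0 ]; then
  render_tenant_vhost "$1"
fi
```

After writing the vhost, install the hook with `render_deploy_hook > /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh && chmod +x` on that file, then `sudo certbot renew --dry-run` to confirm the DNS challenge and the hook both run.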
