In today’s digital landscape, website security is paramount. Securing your website with SSL (Secure Sockets Layer) encryption not only protects your users’ sensitive information but also improves your site’s SEO ranking. However, obtaining and managing SSL certificates can be costly and complex. Fortunately, Let’s Encrypt offers a free and easy solution to this problem. In this article, we’ll guide you through the process of obtaining a free wildcard SSL certificate for your Nginx server and integrating it seamlessly into your configuration files.
What is a Wildcard SSL Certificate?
A wildcard SSL certificate is a type of SSL certificate that secures a domain and all its subdomains. For example, if your main domain is example.com, a wildcard certificate will secure *.example.com, including shop.example.com, app.example.com, and so on.
If you also have hosts like api.shop.example.com, you need to add a second wildcard name such as *.shop.example.com: a wildcard matches exactly one DNS label, so *.example.com does not cover api.shop.example.com. With *.shop.example.com added, the certificate covers all the subdomains of shop.example.com.
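The one-label rule above is easy to get wrong when a certificate carries several wildcard names. The script below is an added example (not part of the original article) that implements the matching rule in POSIX sh and checks a hostname against a list of certificate names; by default it assumes the three names requested later in the article (example.com, *.example.com, *.shop.example.com). The optional `cert_sans` helper reads the DNS names out of a PEM file and assumes OpenSSL 1.1.1 or newer for the `-ext` option.

```shell
#!/bin/sh
# Added example: does a wildcard certificate name cover a given hostname?
# A wildcard label matches exactly one DNS label, so "*.example.com" covers
# "shop.example.com" but neither "example.com" nor "api.shop.example.com".

# wildcard_matches PATTERN HOST -> 0 if PATTERN covers HOST, 1 otherwise.
# Both inputs are lowercased first; DNS names compare case-insensitively.
wildcard_matches() {
  wm_pattern=$(printf %s "$1" | tr 'A-Z' 'a-z')
  wm_host=$(printf %s "$2" | tr 'A-Z' 'a-z')
  case $wm_pattern in
    \*.*) wm_suffix=${wm_pattern#\*} ;;   # "*.example.com" -> ".example.com"
    *)    [ "$wm_pattern" = "$wm_host" ]; return ;;   # plain name: exact match only
  esac
  case $wm_host in
    *"$wm_suffix") wm_label=${wm_host%"$wm_suffix"} ;;
    *) return 1 ;;                         # different parent domain
  esac
  [ -n "$wm_label" ] || return 1           # "*.example.com" never covers "example.com"
  case $wm_label in
    *.*) return 1 ;;                       # more than one label left: not covered
  esac
  return 0
}

# cert_covers HOST NAME... -> 0 if any of the certificate NAMEs covers HOST.
cert_covers() {
  cc_host=$1
  shift
  for cc_name in "$@"; do
    if wildcard_matches "$cc_name" "$cc_host"; then
      return 0
    fi
  done
  return 1
}

# cert_sans PEMFILE -> prints the DNS subjectAltName entries, one per line.
# Assumes OpenSSL >= 1.1.1 (the -ext option).
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName |
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Usage: ./wildcard-check.sh HOST [PEMFILE]
# With a PEM file the names come from the certificate; otherwise the three
# names from the article's certbot command are assumed.
if [ "$#" -ge 1 ]; then
  host=$1
  if [ "$#" -ge 2 ]; then
    set -f                                 # SAN entries contain "*": no globbing
    set -- $(cert_sans "$2")
    set +f
  else
    set -- example.com '*.example.com' '*.shop.example.com'
  fi
  if cert_covers "$host" "$@"; then
    echo "$host: covered"
  else
    echo "$host: NOT covered by: $*"
    exit 1
  fi
fi
```

Running it against the live certificate (`./wildcard-check.sh api.shop.example.com /etc/letsencrypt/live/example.com/fullchain.pem`) is a quick way to confirm, before touching Nginx, that every server_name you intend to serve is actually on the certificate.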
Step 1: Installing Certbot
Before we can obtain our wildcard SSL certificate, we need to install Certbot, a free and open-source software tool for automatically using Let’s Encrypt certificates. Installation instructions for various platforms can be found on the Certbot website.
Step 2: Generating the Wildcard SSL Certificate
sudo certbot certonly --manual --preferred-challenges=dns --email "your-email@example.com" -d example.com -d '*.example.com' -d '*.shop.example.com'
Replace your-email@example.com with your email address and example.com with your main domain. Follow the prompts to complete the DNS challenge, which verifies your ownership of the domain.
Step 3: Installing the Certificate
After you complete the DNS challenge, Certbot generates the wildcard SSL certificate. The certificate files are stored in /etc/letsencrypt/live/example.com/; the two that Nginx needs are fullchain.pem and privkey.pem.
Next, update your Nginx configuration file for each subdomain to use the SSL certificate:
server {
    listen 443 ssl;
    server_name shop.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    # Other SSL configurations...
    # Other site configurations...
}
Replace example.com with your main domain.
Step 4: Automating Certificate Renewal (Manual DNS Limitations)
If you’re using the manual DNS method above, automatic renewal isn’t possible without re-doing the TXT records every 90 days.
To fully automate renewal, Certbot (or acme.sh) needs API access to your DNS provider so it can create the TXT records itself. Two automation methods follow, depending on where your DNS is hosted.
Step 5: Fully Automating SSL with Cloudflare DNS (Recommended)
If you move your domain’s DNS to Cloudflare (free), you can fully automate wildcard SSL issuance and renewal with Certbot.
Install the Certbot Cloudflare plugin
sudo apt install python3-certbot-dns-cloudflare
Set up your Cloudflare credentials
Create the directory and the credentials file:
sudo mkdir -p /root/.secrets
sudo nano /root/.secrets/cloudflare.ini
Add your Cloudflare global API key and email:
dns_cloudflare_email = your-email@example.com
dns_cloudflare_api_key = YOUR_API_KEY
Secure the file:
sudo chmod 600 /root/.secrets/cloudflare.ini
Request your certificate automatically
sudo certbot certonly \
    --dns-cloudflare \
    --dns-cloudflare-credentials /root/.secrets/cloudflare.ini \
    -d example.com \
    -d '*.example.com' \
    -d '*.shop.example.com' \
    --agree-tos \
    --non-interactive \
    --email your-email@example.com
Automate renewal and reload Nginx
Edit your crontab:
sudo crontab -e
Add:
0 2 * * * certbot renew --quiet --deploy-hook "systemctl reload nginx"
This fully automates SSL renewals and Nginx reloads.
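Reloading Nginx straight after every renewal means a configuration that has drifted since the last reload (or a key file Nginx can no longer read) takes the site down unattended at 02:00. The script below is an added example (not from the original article) of a deploy hook that tests the configuration first and only then reloads. Certbot sets RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory) and RENEWED_DOMAINS for deploy hooks; the NGINX_TEST_CMD and NGINX_RELOAD_CMD variables are assumptions added so the logic can be exercised on a machine without Nginx.

```shell
#!/bin/sh
# Added example: certbot deploy hook that validates the Nginx configuration
# before reloading.  Defaults are the commands the article uses; both can be
# overridden through the environment (an assumption of this example).

NGINX_TEST_CMD=${NGINX_TEST_CMD:-"nginx -t"}
NGINX_RELOAD_CMD=${NGINX_RELOAD_CMD:-"systemctl reload nginx"}

# lineage_ok DIR -> 0 if DIR holds readable fullchain.pem and privkey.pem.
lineage_ok() {
  [ -r "$1/fullchain.pem" ] && [ -r "$1/privkey.pem" ]
}

# reload_if_valid -> 0 if the config test passed and the reload succeeded,
# 1 if the config test failed (no reload attempted), 2 if the reload failed.
reload_if_valid() {
  if ! $NGINX_TEST_CMD >/dev/null 2>&1; then
    echo "deploy-hook: nginx config test failed, not reloading" >&2
    return 1
  fi
  if ! $NGINX_RELOAD_CMD; then
    echo "deploy-hook: nginx reload failed" >&2
    return 2
  fi
  return 0
}

# deploy LINEAGE_DIR DOMAINS -> checks the renewed files, then reloads.
deploy() {
  if ! lineage_ok "$1"; then
    echo "deploy-hook: renewed lineage $1 is missing fullchain.pem or privkey.pem" >&2
    return 1
  fi
  echo "deploy-hook: renewed $2 in $1"
  reload_if_valid
}

# certbot runs the hook with no arguments and the RENEWED_* variables set.
if [ -n "$RENEWED_LINEAGE" ]; then
  deploy "$RENEWED_LINEAGE" "$RENEWED_DOMAINS"
fi
```

Install it somewhere root-owned and executable (for example /usr/local/sbin/reload-nginx.sh, an assumed path) and point the cron entry at it: `certbot renew --quiet --deploy-hook /usr/local/sbin/reload-nginx.sh`. A failed config test then leaves the old, still-valid certificate serving and shows up as a non-zero exit in the renewal log instead of an outage.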
Step 6: Alternative – Automate SSL for GoDaddy Domains Using acme.sh
If you’re using GoDaddy and prefer not to move to Cloudflare, acme.sh supports GoDaddy’s API for full automation.
Install acme.sh
curl https://get.acme.sh | sh
source ~/.bashrc
Set GoDaddy API credentials
export GD_Key="your_godaddy_api_key"
export GD_Secret="your_godaddy_api_secret"
You can get your GoDaddy API keys at https://developer.godaddy.com/keys
Request wildcard certificate
acme.sh --issue --dns dns_gd -d example.com -d '*.example.com' -d '*.shop.example.com'
Install the certificate for Nginx
acme.sh --install-cert -d example.com \
    --key-file /etc/ssl/private/example.com.key \
    --fullchain-file /etc/ssl/certs/example.com.pem \
    --reloadcmd "systemctl reload nginx"
acme.sh installs its own cron job, renews the certificate automatically every 60 days, and runs the reload command afterwards so Nginx picks up the new files.
Final Thoughts
Securing your Nginx server with a wildcard SSL certificate has never been easier or more affordable. Whether you choose Certbot with Cloudflare DNS or acme.sh with GoDaddy’s API, you now have a fully automated and secure setup to protect your main domain and all its subdomains.
No more manual renewal headaches — just peace of mind.