Let's Encrypt supports wildcard certificates (e.g. *.example.com) with their ACMEv2 infrastructure. A wildcard certificate will work for any hostname inside a given domain, which helps with handling certificates for multiple hostnames in that domain.
Unrelated to ACME, but a note on wildcard certificates in general: a wildcard only covers one level of subdomains. For example, *.example.com will work for host.example.com but will NOT work for host.sub.example.com. If hosts are structured in this way, a separate wildcard certificate is required for each sub zone, e.g.
Wildcard validation requires a DNS-based method and works similarly to validating a regular domain. For example, to get a certificate for *.example.com, the package updates a TXT record in DNS the same as it would for example.com, which means the DNS record (and potentially the key name) would
To obtain a wildcard certificate, follow the same procedures as other DNS validation methods, with the following differences:
- The Account Key must be registered with an ACME v2 server (staging for testing, or production).
- The Domain SAN list should contain entries for the base domain (e.g. example.com) and the wildcard version of the same domain (e.g. *.example.com). The settings will be the same for both entries.
- For DNS-NSupdate / RFC 2136: Set the Key Name to the base domain (e.g. example.com) for both entries.
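The following added example (not code from the ACME package or from Let's Encrypt) shows why the base domain and the wildcard share one DNS-01 TXT record, how the RFC 8555 TXT value is derived, and why *.example.com does not cover host.sub.example.com. The nsupdate batch layout, the server name ns1.example.com and the use of the base domain as the TSIG key name are assumptions for illustration.

```python
import base64
import hashlib

ACME_CHALLENGE_LABEL = "_acme-challenge"


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Single-label wildcard: '*.example.com' covers 'host.example.com'
    but neither 'example.com' itself nor 'host.sub.example.com'."""
    if not pattern.startswith("*."):
        return pattern.lower() == hostname.lower()
    suffix = pattern[1:].lower()          # ".example.com"
    host = hostname.lower()
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]       # the label replacing '*'
    return leftmost != "" and "." not in leftmost


def challenge_record_name(san: str) -> str:
    """DNS-01 TXT owner name for a SAN; the leading '*.' is dropped, so the
    wildcard and its base domain map to the same record (RFC 8555 s8.4)."""
    base = san[2:] if san.startswith("*.") else san
    return f"{ACME_CHALLENGE_LABEL}.{base}"


def challenge_txt_value(token: str, account_thumbprint: str) -> str:
    """TXT value = base64url(SHA-256(token '.' thumbprint)), no padding.
    The thumbprint (RFC 7638) of the account key is passed in precomputed."""
    key_authorization = f"{token}.{account_thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def nsupdate_commands(san: str, token: str, thumbprint: str,
                      tsig_secret: str, server: str = "ns1.example.com") -> str:
    """Constructed nsupdate batch (assumed layout): the TSIG key name is the
    base domain, matching the Key Name setting described above."""
    base = san[2:] if san.startswith("*.") else san
    name = challenge_record_name(san)
    value = challenge_txt_value(token, thumbprint)
    return "\n".join([
        f"server {server}",
        f"key hmac-sha256:{base} {tsig_secret}",
        f"update delete {name}. TXT",
        f"update add {name}. 60 TXT \"{value}\"",
        "send",
    ])
```

Running nsupdate_commands for both "example.com" and "*.example.com" yields the same owner name and key name, differing only in the token the CA issues per authorization.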