DNS Challenge for SSL: Getting a Wildcard Let's Encrypt Certificate

Domains · 19.04.2026

The standard HTTP-01 challenge cannot issue wildcard certificates. For *.example.com you need the DNS-01 challenge, in which the CA verifies control of the domain by looking up a TXT record at _acme-challenge.example.com rather than by fetching a file over HTTP.

Manual via certbot

certbot certonly --manual --preferred-challenges dns -d "*.example.com" -d "example.com"
# Add the TXT record(s) certbot shows to DNS, wait until they resolve, then press Enter

Automated via acme.sh + Cloudflare API

# Use a scoped API token (Zone → DNS → Edit on this zone only), not the global API key
export CF_Token="YOUR_CLOUDFLARE_API_TOKEN"
~/.acme.sh/acme.sh --issue --dns dns_cf -d "*.example.com" -d "example.com"
💡 Auto-renewal: acme.sh installs a cron job that renews automatically. Let's Encrypt certificates are valid for 90 days; acme.sh renews them every 60 days by default.
⚠️ Manual DNS challenge: with --manual there is nothing to automate, so you would repeat the interactive process every 90 days. Use an API integration for renewal.
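The TXT value certbot or acme.sh asks you to publish is not arbitrary: per RFC 8555 §8.4 it is base64url(SHA-256(token "." thumbprint)), where the thumbprint is the RFC 7638 hash of your ACME account key. The following added example (not code from this article, certbot or acme.sh) reproduces that computation and adds the pre-check a practitioner wants before pressing Enter in the manual flow: it compares the records that should exist against the TXT strings actually observed in DNS. The tokens, JWK values and observed records are constructed sample data; the helper names are this example's own. It also covers the edge case the two `-d` flags above create: `*.example.com` and `example.com` validate at the same name, so two TXT records must coexist at `_acme-challenge.example.com`, and replacing the first with the second fails the order.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an ACME account key given as a JWK (RSA or EC).

    Only the required public members are hashed, in lexicographic order and
    with no whitespace, so optional members such as 'alg' never affect it.
    """
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """TXT value for one DNS-01 challenge (RFC 8555 s8.4)."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def dns01_record_name(identifier: str) -> str:
    """Owner name of the challenge record.

    The wildcard label is stripped, so '*.example.com' and 'example.com'
    both validate at _acme-challenge.example.com.
    """
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base.rstrip('.')}."


def expected_records(challenges: dict, thumbprint: str) -> dict:
    """Map each record name to the set of TXT values that must be present.

    challenges: {identifier: token}, as issued by the CA for one order.
    """
    expected: dict = {}
    for identifier, token in challenges.items():
        name = dns01_record_name(identifier)
        expected.setdefault(name, set()).add(dns01_txt_value(token, thumbprint))
    return expected


def missing_txt_values(expected: dict, observed: dict) -> dict:
    """Return {name: values still absent}; empty dict means safe to continue.

    Extra or stale TXT strings at a name do not hurt: the CA accepts the
    challenge if any TXT record at the name matches.
    """
    missing = {}
    for name, values in expected.items():
        gap = set(values) - set(observed.get(name, ()))
        if gap:
            missing[name] = gap
    return missing


def demo() -> dict:
    """Constructed scenario: the second record replaced the first instead of
    being added next to it, so the wildcard challenge is still unsatisfied."""
    account_key = {  # constructed EC P-256 JWK, not a real key
        "kty": "EC", "crv": "P-256", "alg": "ES256",
        "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
        "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    }
    thumbprint = jwk_thumbprint(account_key)
    challenges = {  # constructed challenge tokens, one per identifier
        "*.example.com": "wildcard-token-AAAAAAAAAAAAAAAAAAAAAAAAAAAA",
        "example.com": "apex-token-BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",
    }
    expected = expected_records(challenges, thumbprint)
    name = dns01_record_name("example.com")
    # Constructed DNS answer: only the apex value was published at the name.
    observed = {name: [dns01_txt_value(challenges["example.com"], thumbprint)]}
    return missing_txt_values(expected, observed)


if __name__ == "__main__":
    print(demo())
```

In practice `observed` would be filled from a query against the zone's authoritative nameservers (for example `dig +short TXT _acme-challenge.example.com @ns1.example.net`), not a caching resolver, because the CA performs its own lookup and a stale cached answer tells you nothing about what it will see.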