Issue wildcard certificate for Your domain using certbot on ubuntu 16.04+



Continuing the discussion from Setting up LEMP on Ubuntu 18.04 (Fresh Install/Upgrade):

:warning: This tutorial requires advanced knowledge of terminal and Your full control over your domain.

:white_check_mark: As of 28/05/2018, We’ve tested this guide on live installs of 16.04 and this procedure can be used to obtain wildcard certificates on ubuntu 16.04 & Above. Please make sure your certbot is the latest.

So you want to generate wildcard (* certificate for your domain to enable ssl on all your subdomains by default? let’s get started:

:warning: This guide only works with Certbot >= 0.22.0. and the official PPA currently only has v0.23.0 for ubuntu 18.04

The process starts with the usual gig of adding PPA to your ubuntu server.

run the following commands:

    sudo apt update
    sudo apt install software-properties-common
    sudo add-apt-repository ppa:certbot/certbot
    sudo apt update
    sudo apt install python-certbot-nginx

And then run:

sudo certbot --manual --preferred-challenges dns -i nginx -d * -d --server

Now certbot will give You a few instructions. I’ll break down what to expect!

  • Certbot will ask you to enter email (to create send urgent notification)
  • Certbot will take consent for logging Your IP
  • Certbot will give you 2 DNS TXT records like first is for your domain and second is for * so create both records in your DNS entries.

After that’s done, Your wildcard certificate will be issued.

Certbot is now available for Ubuntu 18.04
Setting up LEMP on Ubuntu 18.04 (Fresh Install/Upgrade)

cc @Harry @gulshankumar @Abhijeet



Can you please guide how to create a corntab for certificate renewal, complete noob here :sweat_smile:


Certbot creates it automatically.

You can check if it is created using

crontab -e


no crontab for root - using an empty one


I’ll share our crontab with you.


I am getting error while certbot dry run why?
certbot renew --dry-run

error -

The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,).


You don’t need to run a dry run!

there are a lot of variables that you need to include into your command. (our certbot command is not a standard command)


Why are we not using the standard command and How will I make sure that it will renew after 90 days?


#1 this is a purpose built command to issue wildcard certificates hence it is technically not possible to use the standard command.
#2 the letsencrypt daemon adds a crontab entry to make sure it runs at regular intervals to perform renewal. Check it using crontab -e if it exists, You’re good.


It doesn’t ref -



sudo nano /etc/cron.d/certbot

the last line should be like:

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew


Yes it is that means I am good to go!!

and one more thing

8 packages can be updated.
8 updates are security updates.

*** System restart required ***

So sudo reboot is the only way out here?


You have to reboot to enable kernel patches. on VPS it shouldn’t last more than 30 seconds so do it at the low-traffic hours.


Wait I did

sudo reboot

Message is still there :face_with_monocle:


After restarting the system should I have to restart nginx too?
Because site is dead


Come to teamviewer let’s check.


Woah okay :grinning:


Inbox me Your ID & Password.