A website with an SSL certificate is now very common. Not only does it increase your security, it also increases the trust of the customers who visit your site.
I already explained how to install a Let's Encrypt SSL certificate on an NGINX server in my previous tutorial.
So, how do you install a wildcard SSL certificate if you have subdomains or multiple domains on one server? A wildcard certificate is a public key certificate which can be used with multiple subdomains of a domain.

You can generate a wildcard certificate using the ACMEv2 staging and production servers, as you can see from the announcement: https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578

In my case, I need to generate a wildcard certificate for my website (waysquare.com), using NGINX, Cloudflare DNS, and an Ubuntu server. The method here may differ on other servers, but the overall steps are the same.

The steps are below:

  1. Install certbot from source (as of now the stable version does not yet support generating wildcard certificates)
  2. Install the DNS plugin for validation
  3. Configure the Cloudflare DNS credentials
  4. Modify the certbot configuration
  5. Generate the wildcard certificate
  6. Modify the NGINX configuration
  7. Restart NGINX
  8. Test your site!

Install Certbot

Certbot does not currently support wildcard certificates in the stable release, so you have to install it from source:

git clone git@github.com:certbot/certbot.git && cd certbot
sudo python setup.py install

Install DNS plugin

I use Cloudflare for my DNS, so I need to install the certbot plugin that supports Cloudflare DNS validation.

$ certbot plugins

-------------------------------------------------------------------------------
* dns-cloudflare
Description: Obtain certificates using a DNS TXT record (if you are using
Cloudflare for DNS).
Interfaces: IAuthenticator, IPlugin
Entry point: dns-cloudflare =
certbot_dns_cloudflare.dns_cloudflare:Authenticator

* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator

* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
-------------------------------------------------------------------------------

To list the supported DNS plugins:

~/certbot$ ls | grep certbot-dns
certbot-dns-cloudflare
certbot-dns-cloudxns
certbot-dns-digitalocean
certbot-dns-dnsimple
certbot-dns-dnsmadeeasy
certbot-dns-google
certbot-dns-luadns
certbot-dns-nsone
certbot-dns-rfc2136
certbot-dns-route53

To install the Cloudflare DNS plugin:

$ cd certbot-dns-cloudflare && sudo python setup.py install

Configure DNS Cloudflare Configuration

To let certbot create the validation record in Cloudflare so the domain can be verified, you need to provide your Global API key in the certbot configuration. Please refer to the Cloudflare documentation to get the Global API Key.
The default global configuration for certbot is located at /etc/letsencrypt/. We need to create a configuration file there to store the Cloudflare credentials, let's say dnscloudflare.ini:

# CloudFlare API key information
dns_cloudflare_api_key = yourcloudflarekey
dns_cloudflare_email = yourcloudflarelogin

Make sure the file is readable only by the superuser (root):

chmod 600 /etc/letsencrypt/dnscloudflare.ini
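As an added example (not from the tutorial and not part of certbot), here is a small POSIX shell helper that creates the credentials file with a restrictive umask before anything is written, so the API key never sits on disk world-readable even for a moment between the write and the chmod, and then verifies the resulting mode. The path, e-mail address and key are parameters; the values in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example: write a certbot dns-cloudflare credentials file safely.
# Usage: write_cf_credentials /etc/letsencrypt/dnscloudflare.ini you@example.com <api-key>
# (e-mail and key above are placeholders; use your own Cloudflare Global API key)

write_cf_credentials() {
  target=$1; email=$2; key=$3

  # Refuse to silently overwrite an existing credentials file.
  if [ -e "$target" ]; then
    echo "refusing to overwrite existing $target" >&2
    return 1
  fi

  # umask 077 in a subshell: the file is created mode 600 from the start,
  # so there is no window in which another local user could read the key.
  (
    umask 077
    printf '# CloudFlare API key information\n' > "$target"
    printf 'dns_cloudflare_api_key = %s\n' "$key" >> "$target"
    printf 'dns_cloudflare_email = %s\n' "$email" >> "$target"
  )
  chmod 600 "$target"   # belt and braces, same as the tutorial's chmod
}

# Returns 0 only if the file exists and is exactly mode 600 (no group/other bits).
check_cf_credentials_mode() {
  [ -f "$1" ] && [ -n "$(find "$1" -prune -perm 600)" ]
}

# When run directly with three arguments, write the file and report the mode check.
if [ "$#" -eq 3 ]; then
  write_cf_credentials "$1" "$2" "$3" && check_cf_credentials_mode "$1" && echo "ok: $1 is mode 600"
fi
```

The mode check is useful on its own: run it against /etc/letsencrypt/dnscloudflare.ini after any manual edit, since editors and copy tools can quietly recreate the file with the default 644.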

Modify Certbot Configuration

Wildcard certificates are only available through the ACME v2 API. So if your /etc/letsencrypt/cli.ini does not yet have the entries below, add them manually.

# Let's Encrypt site-wide configuration
dns-cloudflare-credentials = /etc/letsencrypt/dnscloudflare.ini
# Use the ACME v2 staging URI for testing things
server = https://acme-staging-v02.api.letsencrypt.org/directory
# Production ACME v2 API endpoint
#server = https://acme-v02.api.letsencrypt.org/directory

There are two servers for generating certificates, staging and production. It is highly recommended to use the staging server first, before you go to production, to make sure your site runs well with SSL.
If you use the production server, it only allows 5 successful certificate generations per week. So if you use up your weekly limit, you have to wait a week from the date of your last successful generation.
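As an added example (not from the tutorial or from certbot), here is a POSIX shell helper that reports which ACME endpoint a cli.ini currently points at and flips it between staging and production, so you can confirm you are still on staging before running certonly and only switch once the site works. It assumes the cli.ini layout shown above (one active server line, the other commented out); the path in the usage comment is the tutorial's /etc/letsencrypt/cli.ini.

```shell
#!/bin/sh
# Added example: inspect and switch the ACME endpoint in a certbot cli.ini.
# Usage: acme_server_mode /etc/letsencrypt/cli.ini
#        set_acme_server /etc/letsencrypt/cli.ini staging|production

STAGING_URL='https://acme-staging-v02.api.letsencrypt.org/directory'
PROD_URL='https://acme-v02.api.letsencrypt.org/directory'

# Print "staging", "production", "unset" or "other" for the active (uncommented) server= line.
acme_server_mode() {
  active=$(grep -E '^[[:space:]]*server[[:space:]]*=' "$1" | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//')
  case $active in
    "$STAGING_URL") echo staging ;;
    "$PROD_URL")    echo production ;;
    '')             echo unset ;;
    *)              echo other ;;
  esac
}

# Rewrite the file so that exactly one server= line is active.
# Existing server= lines (active or commented out) are dropped; everything else is kept.
set_acme_server() {
  file=$1; mode=$2
  case $mode in
    staging)    url=$STAGING_URL ;;
    production) url=$PROD_URL ;;
    *) echo "mode must be staging or production" >&2; return 1 ;;
  esac
  tmp="$file.tmp.$$"
  # grep exits 1 when nothing is left to print; that is not an error here.
  grep -Ev '^[[:space:]]*#?[[:space:]]*server[[:space:]]*=' "$file" > "$tmp" || true
  {
    echo "# ACME v2 endpoint selected by set_acme_server ($mode)"
    echo "server = $url"
  } >> "$tmp"
  mv "$tmp" "$file"
}
```

Switch to production only after a successful staging run, since the weekly limit counts production issuances; for a quick throwaway check of the whole flow certbot also offers --dry-run, which talks to the staging server regardless of cli.ini.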

To check the history of certificate generation for your site, this website is useful: http://crt.sh/

Generate Wildcard Certificate

After you have finished the configuration steps above, we can now generate the certificate for your website:

$ sudo certbot certonly -d '*.waysquare.com' -d waysquare.com --dns-cloudflare

The certonly option only generates fullchain.pem and privkey.pem, located at /etc/letsencrypt/live/<yoursite.com>,
and also creates data files in the folders /etc/letsencrypt/renewal/ and /etc/letsencrypt/archive/.
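Before pointing NGINX at the new files, it is worth checking which names the certificate really covers and which CA issued it. The following is an added example (not from the tutorial and not part of certbot) using only openssl and POSIX shell. It implements the wildcard rule browsers apply: *.waysquare.com covers exactly one label (www.waysquare.com), not waysquare.com itself and not a.b.waysquare.com, which is why the tutorial requests both names. The staging-CA test assumes, as is the case at the time of writing, that staging issuers carry "Fake LE" or "STAGING" in their name.

```shell
#!/bin/sh
# Added example: check which hostnames a certificate covers and whether it came from staging.
# Usage: ./check.sh /etc/letsencrypt/live/waysquare.com/fullchain.pem www.waysquare.com

# Print the DNS names from the certificate's subjectAltName extension, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | grep -o 'DNS:[^,[:space:]]*' \
    | sed 's/^DNS://'
}

# Return 0 if host $1 is covered by SAN entry $2 (exact name or single-label wildcard).
san_matches() {
  h=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # hostnames compare case-insensitively
  s=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case $s in
    \*.*)
      suffix=${s#\*}            # "*.example.com" -> ".example.com"
      prefix=${h%"$suffix"}     # unchanged if $suffix is not a suffix of $h
      # must end with the suffix, leave a non-empty label, and that label has no dot
      [ "$prefix" != "$h" ] && [ -n "$prefix" ] && [ "${prefix#*.}" = "$prefix" ]
      ;;
    *)
      [ "$h" = "$s" ]
      ;;
  esac
}

# Return 0 if any SAN in certificate file $2 covers host $1.
cert_covers() {
  set -f                        # no globbing: a SAN like *.example.com must stay literal
  for entry in $(cert_sans "$2"); do
    if san_matches "$1" "$entry"; then set +f; return 0; fi
  done
  set +f
  return 1
}

# Return 0 if the issuer looks like a Let's Encrypt staging CA (assumption: the
# staging issuer name contains "Fake LE" or "STAGING"; production issuers do not).
cert_is_staging() {
  openssl x509 -in "$1" -noout -issuer | grep -Eqi 'fake le|staging'
}

if [ "$#" -eq 2 ]; then
  if cert_covers "$2" "$1"; then echo "$2 is covered"; else echo "$2 is NOT covered"; fi
  if cert_is_staging "$1"; then echo "warning: issued by the staging CA, browsers will not trust it"; fi
fi
```

If a deeper name such as a.b.waysquare.com reports NOT covered, that is expected: a wildcard only spans one label, so such names need their own certificate or their own -d entry.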


To delete an existing certificate, the proper command is:

$ sudo certbot delete

This command lists your existing certificates and asks you to confirm which one you want to delete.


To delete a certificate manually, you need to delete the files related to <yourdomain.com> in these folders:

/etc/letsencrypt/live/
/etc/letsencrypt/renewal/
/etc/letsencrypt/archive/

Modify NGINX Configuration

Edit your NGINX configuration file, located in the default folder: /etc/nginx/sites-available/waysquare.com.conf

Add this snippet to your server block that listens on port 443:

ssl_certificate /etc/letsencrypt/live/waysquare.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/waysquare.com/privkey.pem; # managed by Certbot

This is my full current NGINX configuration:

server {
    listen 80;
    listen [::]:80;
    server_name waysquare.com www.waysquare.com;
    return 301 https://www.waysquare.com$request_uri;
}

server {
    listen 443 ssl;
    server_name waysquare.com;
    ssl_certificate /etc/letsencrypt/live/waysquare.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/waysquare.com/privkey.pem; # managed by Certbot
    return 301 https://www.waysquare.com$request_uri;
}


server {

    server_name www.waysquare.com;

    root /var/www/waysquare.com/html/system/nginx-root;

    access_log /var/log/nginx/waysquare.com_access.log;
    error_log /var/log/nginx/waysquare.com_error.log;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:2368; # ghost port
    }

    location ~ /.well-known {
        allow all;
    }

    client_max_body_size 50m;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/waysquare.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/waysquare.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
}

Do the same for the remaining subdomains on which you intend to use SSL.

Restart NGINX

Before you restart NGINX server, validate the configuration first:

$ sudo nginx -t

Then restart:

$ sudo systemctl restart nginx

Proper DNS Settings in the Cloudflare Dashboard

This setting works for me for my main domain and subdomain:
[Screenshot: DNS settings in the Cloudflare dashboard]

Summary

If you have successfully followed the steps above, your site is now running SSL using Let's Encrypt.