Install Wildcard SSL certificate using NGINX and Cloudflare

A website with an SSL certificate is now very common. Not only does it increase your security, it also increases the trust of the customers who visit your site.
I already explained how to install a Let's Encrypt SSL certificate on an NGINX server in my previous tutorial.
So, how do you install a wildcard SSL certificate if you have subdomains or multiple domains on one server? A wildcard certificate is a public key certificate that can be used with multiple subdomains of a domain.

You can generate a wildcard certificate using the ACMEv2 staging and production servers, as you can see from the announcements:

In my case, I need to generate a wildcard certificate for my website, using NGINX, Cloudflare DNS, and an Ubuntu server. The method here may differ on other servers, but overall the steps are the same.

The steps are below:

  1. Install certbot from source (as of now the stable version does not yet support generating wildcard certificates)
  2. Install the DNS plugin for validation
  3. Configure the Cloudflare DNS credentials
  4. Modify certbot configuration
  5. Generate wildcard certificate
  6. Modify NGINX configuration
  7. Restart NGINX
  8. Test your site!

Install Certbot

Certbot currently does not support wildcard certificates in the stable release, so you have to install it from source:

git clone git@github.com:certbot/certbot.git && cd certbot
sudo python setup.py install

Install DNS plugin

I use Cloudflare for my DNS. I need to install the certbot plugin to support Cloudflare DNS validation.

$ certbot plugins
-------------------------------------------------------------------------------
* dns-cloudflare
Description: Obtain certificates using a DNS TXT record (if you are using Cloudflare for DNS).
Interfaces: IAuthenticator, IPlugin
Entry point: dns-cloudflare = certbot_dns_cloudflare.dns_cloudflare:Authenticator

* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator

* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
-------------------------------------------------------------------------------

To list the supported DNS plugins bundled with the source tree:

~/certbot$ ls | grep certbot-dns
certbot-dns-cloudflare
certbot-dns-cloudxns
certbot-dns-digitalocean
certbot-dns-dnsimple
certbot-dns-dnsmadeeasy
certbot-dns-google
certbot-dns-luadns
certbot-dns-nsone
certbot-dns-rfc2136
certbot-dns-route53

To install the Cloudflare DNS plugin:

$ cd certbot-dns-cloudflare && sudo python setup.py install

Configure Cloudflare DNS Configuration

To let certbot prove control of your domain through Cloudflare (it creates the validation TXT record for you), you need to provide your Global API key in the certbot configuration. Please refer to the Cloudflare documentation to get the Global API Key.
The default global configuration for certbot is located at /etc/letsencrypt/. We need to create a configuration file there to store the Cloudflare credentials, let's say dnscloudflare.ini:

# CloudFlare API key information
dns_cloudflare_api_key = yourcloudflarekey
dns_cloudflare_email = yourcloudflarelogin

Make sure the file is readable only by the superuser (root), since the Global API Key gives full access to your Cloudflare account:

chmod 600 /etc/letsencrypt/dnscloudflare.ini

Modify Certbot Configuration

Wildcard certificates are only available through the ACME v2 API. So if your /etc/letsencrypt/cli.ini does not yet have the entries below, add them manually.

# Let's Encrypt site-wide configuration
dns-cloudflare-credentials = /etc/letsencrypt/dnscloudflare.ini
# Use the ACME v2 staging URI for testing things
server =
# Production ACME v2 API endpoint
#server =

There are two servers for generating the certificate: staging and production. It is highly recommended to use the staging server first, before you go to production, to make sure your site runs well with SSL.
The reason is that the production server is rate limited: it only allows 5 successful certificate generations per week. So if you use up your weekly limit, you have to wait a week from the date of the last successful generation.


To check the history of certificate generation for your site, this website is useful:

Generate Wildcard Certificate

After you have configured everything above, we can now generate the certificate for your website:

$ sudo certbot certonly -d * -d --dns-cloudflare

The certonly option only generates fullchain.pem and privkey.pem, located at /etc/letsencrypt/live/<>,
and also creates data files in the folders /etc/letsencrypt/renewal/ and /etc/letsencrypt/archive/.


To delete your existing certificate, the proper command is:

$ sudo certbot delete

This command lists your existing certificates and asks you to confirm which one you want to delete.


To delete the certificate manually, you need to delete the files related to <> in these folders:


Modify NGINX Configuration

Edit your NGINX configuration file, located by default in /etc/nginx/sites-available/

Add this snippet to your server block that listens on port 443:

ssl_certificate /etc/letsencrypt/live/; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/; # managed by Certbot

This is my full current NGINX configuration:

server {
    listen 80;
    listen [::]:80;
    server_name;
    return 301$request_uri;
}

server {
    listen 443 ssl;
    server_name;
    ssl_certificate /etc/letsencrypt/live/; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/; # managed by Certbot
    return 301$request_uri;
}

server {
    server_name;
    root /var/www/;
    access_log /var/log/nginx/waysquare.com_access.log;
    error_log /var/log/nginx/waysquare.com_error.log;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass; #ghost port
    }

    location ~ /.well-known {
        allow all;
    }

    client_max_body_size 50m;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
}

Do the same for the remaining subdomains on which you intend to use SSL.

Restart NGINX

Before you restart NGINX server, validate the configuration first:

$ sudo nginx -t

Then, restart.

$ sudo systemctl restart nginx

Proper DNS Setting in Cloudflare Dashboard

This setting works for me for my main domain and subdomain:


How to Check Validity of Certificate

The following command will check the validity period of your certificate:

$ sudo openssl x509 -dates -noout -in /etc/letsencrypt/live/
notBefore=Aug 23 21:37:32 2019 GMT
notAfter=Nov 21 21:37:32 2019 GMT
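Beyond the validity dates, it is worth checking which hostnames the wildcard actually covers: a wildcard label matches exactly one subdomain level, which is why the certbot command above passes the bare domain as a separate -d. The script below is an added example, not code from the original post; example.com and the certificate path are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: check which hostnames a wildcard
# certificate covers. "*.example.com" stands in for exactly one label, so it
# covers www.example.com but NOT the apex example.com (hence the separate -d
# for the apex in the certbot command) and NOT a.b.example.com.
# example.com and the certificate path are constructed placeholders.
set -f   # SAN lists contain '*', so disable filename globbing

# san_matches NAME SAN -> exit 0 if one SAN entry (literal or wildcard) covers NAME
san_matches() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    san=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$san" in
        '*.'*)
            suffix=${san#\*.}
            case "$name" in
                *.*) [ "${name#*.}" = "$suffix" ] ;;  # exactly one label, then the suffix
                *)   return 1 ;;                       # no dot at all: cannot match a wildcard
            esac
            ;;
        *)  [ "$name" = "$san" ] ;;                    # literal SAN must match exactly
    esac
}

# covered NAME "SAN1 SAN2 ..." -> exit 0 if any SAN in the list covers NAME
covered() {
    for san in $2; do
        san_matches "$1" "$san" && return 0
    done
    return 1
}

# cert_sans CERT.pem -> the DNS names in the certificate's SAN extension, space
# separated (requires openssl; point it at the fullchain.pem under /etc/letsencrypt/live/)
cert_sans() {
    openssl x509 -noout -text -in "$1" \
        | grep -A1 'Subject Alternative Name' | tr ',' '\n' \
        | sed -n 's/.*DNS:\([^ ]*\).*/\1/p' | tr '\n' ' '
}

# Stand-alone demo on a constructed SAN list mirroring "-d *.example.com -d example.com"
demo_sans='*.example.com example.com'
for host in example.com www.example.com blog.example.com a.b.example.com other.com; do
    if covered "$host" "$demo_sans"; then echo "$host: covered"; else echo "$host: NOT covered"; fi
done
```

To check a real certificate, replace demo_sans with "$(cert_sans /etc/letsencrypt/live/<your-domain>/fullchain.pem)" and list the hostnames your NGINX server blocks actually serve.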


If you have successfully followed the steps above, your site is now running SSL using a Let's Encrypt certificate.
