The DNS-01 challenge is the only ACME challenge type that supports wildcard certificates (*.example.com). Instead of proving domain control via HTTP, you create a specific TXT record in DNS. This guide covers automating DNS-01 challenges with certbot and various DNS providers.
How DNS-01 Works
- Request a certificate for *.example.com from Let's Encrypt
- Let's Encrypt provides a token value
- You create a TXT record at _acme-challenge.example.com with the token value
- Let's Encrypt verifies the TXT record exists
- Certificate is issued
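Certbot computes the TXT value for you; the following is an added example (not from this guide or from certbot's code) that shows how that value is derived per RFC 8555 section 8.4, and why *.example.com and example.com both validate at the same record name with two TXT values. SAMPLE_JWK and the tokens are constructed placeholders, not real keys or challenge tokens.

```python
import base64
import hashlib
import json
from collections import defaultdict

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME (RFC 8555) uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

# RFC 7638 thumbprint input: only the required public members, in lexicographic
# order, serialised with no whitespace.
_THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}

def jwk_canonical_json(jwk: dict) -> str:
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))

def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(jwk_canonical_json(jwk).encode("utf-8")).digest())

def dns01_record_name(identifier: str) -> str:
    """Wildcard identifiers are validated at the base name: *.example.com and
    example.com both map to _acme-challenge.example.com."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"

def dns01_record_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 s8.4: TXT value = base64url(SHA-256(token "." thumbprint(account key)))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())

def plan_txt_records(tokens_by_identifier: dict, account_jwk: dict) -> dict:
    """Map each TXT record name to the list of values that must exist at it.
    A wildcard and its base domain in one order yield two values at one name."""
    plan = defaultdict(list)
    for identifier, token in tokens_by_identifier.items():
        plan[dns01_record_name(identifier)].append(dns01_record_value(token, account_jwk))
    return dict(plan)

# Constructed sample account key: the x/y coordinates are placeholders, not a real key.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "CONSTRUCTED-X", "y": "CONSTRUCTED-Y"}

if __name__ == "__main__":
    # Constructed tokens standing in for the ones the CA returns in the challenge objects.
    plan = plan_txt_records({"*.example.com": "tok-wild", "example.com": "tok-base"}, SAMPLE_JWK)
    for name, values in plan.items():
        for value in values:
            print(f'{name}. 60 IN TXT "{value}"')
```

Running the block prints both TXT records in zone-file form; with a real account key and tokens, the values are the ones certbot shows in its manual prompt.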
Manual DNS-01 (Testing)
# Request wildcard cert with manual DNS
sudo certbot certonly --manual --preferred-challenges dns \
-d "*.example.com" -d "example.com"
# Certbot shows:
# Please deploy a DNS TXT record under the name
# _acme-challenge.example.com with the following value:
# abc123def456...
# Add the TXT record at your DNS provider, then press Enter
# Certbot verifies and issues the certificate
Automated DNS-01 with Cloudflare
# Install Cloudflare plugin
sudo apt install certbot python3-certbot-dns-cloudflare
# Create Cloudflare API credentials
cat > /etc/letsencrypt/cloudflare.ini