The most surprising thing about Let’s Encrypt wildcard certificates is that they don’t actually verify your domain ownership via DNS records in the way you might intuitively expect.

Let’s see this in action. Imagine you want a certificate for *.example.com. When you initiate a request for this, Let’s Encrypt doesn’t ask you to prove control of each hostname that the wildcard covers, or of some name beneath it. Instead, it requires you to create a TXT record at one specific name directly under your base domain. This is the DNS challenge.

Here’s how it works. You’ll run a client like certbot or acme.sh.

# Example using certbot with the manual DNS-01 challenge
sudo certbot certonly --manual --preferred-challenges dns \
  -d "*.example.com" \
  -d example.com

When certbot gets to the DNS challenge, it will output something like this:

-------------------------------------------------------------------------------
Please add the following TXT record to the DNS zone of your domain.
In your DNS zone, add a TXT record with the following name and value:

_acme-challenge.yourdomain.com.  IN  TXT  "some-long-random-string-1"

If you are using a wildcard domain, you may also need to add this TXT record:

_acme-challenge.yourdomain.com.  IN  TXT  "another-long-random-string-2"

-------------------------------------------------------------------------------

Notice the _acme-challenge.yourdomain.com part. This is the key. The DNS challenge for a wildcard certificate (*.example.com) actually involves proving control over the base domain (example.com) by placing a TXT record at _acme-challenge.example.com. The certbot command above is designed to handle this by asking you to create the TXT record for the base domain.

The problem this solves is proving you control the domain namespace, not just a specific server. For wildcard certificates, you can’t point a specific server to respond to an HTTP challenge for *.example.com because that doesn’t resolve to a single IP address. DNS is the only reliable way to prove ownership across all potential subdomains.

Internally, the ACME (Automated Certificate Management Environment) protocol, which Let’s Encrypt uses, defines two primary challenge types: HTTP-01 and DNS-01. The HTTP-01 challenge requires you to serve a specific file on your web server at a predictable URL. The DNS-01 challenge requires you to create a DNS TXT record with a specific value. For wildcard certificates, Let’s Encrypt accepts only the DNS-01 challenge.

When you run the command, certbot (or your chosen ACME client) will first attempt to validate the base domain (example.com) and then the wildcard domain (*.example.com). For the wildcard, it will generate a unique token and instruct you to create a TXT record at _acme-challenge.example.com whose value is derived from that token and your ACME account key. Let’s Encrypt’s servers will then query DNS for this record. If they find it with the correct value, they consider the domain validated.
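As an added example (not certbot’s or Let’s Encrypt’s own code), this shows how an ACME client derives the TXT value from the challenge token and its account key (RFC 8555 section 8.4, with the JWK thumbprint from RFC 7638), why the base name and the wildcard both land at _acme-challenge.example.com with different values, and a pre-flight check you can run on the records you observe before telling the CA to look. The account key and the tokens are constructed placeholders, not real values.

```python
"""DNS-01 key authorization for _acme-challenge.<domain> (added example)."""
import base64
import hashlib
import json


def b64url(data):
    """Base64url without padding, as ACME requires for tokens and digests."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over canonical JSON of the key's required members only,
    sorted lexicographically with no whitespace. Extra members are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token, account_jwk):
    """TXT content the CA expects: base64url(SHA-256(token '.' thumbprint)).
    Binding the account key means a copied token alone is useless."""
    key_authz = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authz.encode("utf-8")).digest())


def challenge_name(identifier):
    """Both 'example.com' and '*.example.com' validate at the base domain."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}."


def record_published(expected, observed_txt):
    """Check to run before pressing Enter: is the expected value among the TXT
    strings a public resolver returns? Several values at one name are fine."""
    return expected in observed_txt


# Constructed account key (not a real RSA key) and constructed tokens.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-not-a-real-key"}
TOKENS = {"example.com": "tokenA-constructed", "*.example.com": "tokenB-constructed"}

if __name__ == "__main__":
    # Prints two records with the same owner name and different values.
    for ident, token in TOKENS.items():
        print(challenge_name(ident), "IN TXT", dns01_txt_value(token, ACCOUNT_JWK))
```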

The actual configuration you need to do is on your DNS provider’s control panel. For example, if you use Cloudflare, you’d go to your DNS settings for example.com and add a new TXT record:

  • Type: TXT
  • Name: _acme-challenge (your DNS provider might automatically append .example.com)
  • Content: "some-long-random-string-1"
  • TTL: 120 (or a low value like 60 seconds, but 120 is common)

After you’ve added the record, you’ll press Enter in your terminal where certbot is waiting. certbot will then tell Let’s Encrypt to check the DNS.

The most common pitfall is not waiting long enough for DNS propagation. Even with low TTLs, it can take a few minutes for DNS changes to propagate across the internet. If Let’s Encrypt’s servers query before the record is visible, the challenge will fail. Before pressing Enter, confirm that the record is visible from a public resolver (for example with dig TXT _acme-challenge.example.com) rather than only from your provider’s control panel.

Once the certificate is issued, you’ll need to configure your web server (e.g., Nginx, Apache) to use the new certificate files. The certificate and its private key will typically be stored in /etc/letsencrypt/live/example.com/.

The next hurdle you’ll likely encounter is automating this process. Manual DNS challenges are fine for a one-off, but for renewals, you need a DNS provider plugin for your ACME client that can automatically create and delete these TXT records.
