Let's Encrypt now provides wildcard certificates

Josh Aas, Executive Director of ISRG, the entity behind Let’s Encrypt, the free, automated and open Certificate Authority, announced that they are now providing wildcard certificates. While they had planned to do so starting in February, they had to postpone this feature due to problems with their TLS-SNI domain validation, which tied up a lot of their developer resources and prevented them from testing the ACME 2.0 protocol required for wildcard certificates.

Now, after a delay of about one month, it’s possible to obtain certificates for *.example.com that are valid for every subdomain of example.com. This reduces the number of certificates admins have to manage and makes it easier to work with Public-Key-Pinning, where you don’t want rapid changes of certificates.

There are two requirements you’ve got to meet in order to obtain such a certificate. First, you’ve got to prove ownership of the domain in the form of a TXT record in the domain’s DNS zone, and second, you have to use a Let’s Encrypt client that supports ACME 2.0. There are still clients out there that don’t, but Let’s Encrypt provides a list of clients that do, and not very surprisingly the recommended and easy-to-use Certbot client, maintained by the Electronic Frontier Foundation, is on that list, along with many others like ACME4J, the APIv2 branch of GetSSL and ZeroSSL. Currently the Certbot distributed in the Ubuntu packages is still incapable of using ACME 2.0. The EFF recommends using their PPA, ppa:certbot/certbot, and installing certbot from there.
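What actually goes into that TXT record is defined by the ACME DNS-01 challenge: the client hashes the CA's challenge token together with the thumbprint of its account key and publishes the result at `_acme-challenge.<domain>`. The following is an added example (not code from Let's Encrypt or Certbot) that computes and checks that value; the account key and token are constructed placeholders, not real credentials.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JWK require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    keys sorted lexicographically, no whitespace in the JSON."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """Key authorization string the CA expects: token '.' thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT record value for DNS-01: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)

def challenge_record_name(domain: str) -> str:
    """Record name the CA queries. For a wildcard name the '*.' label is
    dropped, so *.example.com is validated at _acme-challenge.example.com
    (and the resulting certificate covers one label level below example.com)."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}"

def txt_record_matches(published: str, token: str, account_jwk: dict) -> bool:
    """Pre-flight check before asking the CA to validate: does the value we
    would read back from DNS equal what the CA will compute?"""
    return hmac.compare_digest(published, dns01_txt_value(token, account_jwk))

# Constructed account key (NOT a real RSA modulus) and constructed token.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB",
               "n": b64url(b"constructed-modulus-not-a-real-key" * 4)}
TOKEN = "constructed-token-from-the-ca"

if __name__ == "__main__":
    print(challenge_record_name("*.example.com"), "IN TXT",
          f'"{dns01_txt_value(TOKEN, ACCOUNT_JWK)}"')
```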