{"componentChunkName":"component---src-templates-blog-post-jsx","path":"/blog/one-wildcard-ssl-certificate-to-secure-all-subdomains-via-certbot/","result":{"data":{"site":{"siteMetadata":{"name":"Huzaifa Rasheed","title":"Huzaifa Rasheed","description":"Software Engineer","about":"\n Hey, I'm Huzaifa.\n

\n Engineer by trade, builder by instinct - I believe in owning my stack, shipping fast, and occasionally running on chai (tea) and stubbornness. I work best in that sweet spot between deep focus and fast feedback - solo or in sync with a good team.\n

\n This site's my little corner of the internet - part portfolio, part lab - where I document what I build, break, or learn.\n

\n Outside work, I'm into long walks, pixel-perfect headshots in FPS games (eventually... maybe), plants I probably overwater, and the occasional \"classified\" hobby to stay curious.\n

\n Reach out anytime - my digital door's always open. 👋\n ","twitter":"https://twitter.com/huzRasheed","github":"https://github.com/huzaifa-99","linkedin":"https://www.linkedin.com/in/huzaifa-rasheed/","devto":"https://dev.to/huzaifa99","stackoverflow":"https://stackoverflow.com/users/12579290/huzaifa","leetcode":"https://leetcode.com/rhuzaifa","discord":"https://discordapp.com/users/rhuzaifa","email":"dev@rhuzaifa.com","projects":[{"name":"FFMpeg Web","description":"An experimental browser-based terminal that runs FFmpeg using WebAssembly, enabling media processing directly in the browser.","link":"https://ffmpeg-web.rhuzaifa.com/","github":"https://github.com/huzaifa-99/ffmpeg-web"},{"name":"Feed base 2","description":"A mini browser game where players manipulate 4-bit binary blocks to match target BCD values - part puzzle, part binary logic trainer.","link":"https://feedbase2.rhuzaifa.com/","github":"https://github.com/huzaifa-99/feed-base-2"},{"name":"Fabric browser extension","description":"A Chrome extension that injects engineered Fabric prompts directly into the ChatGPT interface for enhanced workflow automation.","link":"https://github.com/huzaifa-99/fabric-browser-extension","github":"https://github.com/huzaifa-99/fabric-browser-extension"},{"name":"Pure Cinema","description":"An experimental, tongue-in-cheek text-to-video generator that stitches together footage, synthesized voiceovers, and background music with a Node.js + ffmpeg pipeline. Not quite Hollywood, but it renders.","link":"https://cinema.rhuzaifa.com","github":null},{"name":"Aria2c Packload","description":"A Bash script for bulk downloading magnet links or torrents using aria2c - optimized for series or list-based transfers.","link":"https://github.com/huzaifa-99/aria2c-packload","github":"https://github.com/huzaifa-99/aria2c-packload"},{"name":"RSS Watchdog","description":"A lightweight Bash script that watches RSS/Atom feeds and compiles a Markdown-based reading checklist for Unix systems.","link":"https://github.com/huzaifa-99/rss-watchdog","github":"https://github.com/huzaifa-99/rss-watchdog"},{"name":"QuoteGen","description":"A quote graphic generator that produces stylized quote images with random selection and a built-in editor for customization.","link":"https://quotegen.rhuzaifa.com/","github":null},{"name":"WebRTC Video Chat","description":"A basic WebRTC-powered app enabling peer-to-peer video and audio calls between two users.","link":"https://webrtc-video-chat.rhuzaifa.com/","github":null}],"experience":null,"skills":[{"name":"Languages & Frameworks","description":"JavaScript, TypeScript, Python, Bash - Frameworks include Node.js, React, Next.js, Vue, React Native, FastAPI."},{"name":"Databases & Storage","description":"PostgreSQL, MySQL, MongoDB - Experience with schema design, indexing, query optimization, and migrations."},{"name":"Cloud & Infrastructure","description":"AWS (EC2, RDS, S3, Lambda), Vercel, Netlify, Heroku - Comfortable with serverless, autoscaling, and cost optimization."},{"name":"DevOps & Tooling","description":"Docker, Git, CI/CD pipelines (GitHub Actions, GitLab CI) - Experience with observability, containerization, and release workflows."},{"name":"Testing & QA Automation","description":"Jest, Playwright, Puppeteer, Selenium - Focus on E2E testing, mocking APIs, and maintaining test coverage."}]}},"markdownRemark":{"id":"fcb0423f-61ba-5260-947f-bc0d14924ed3","excerpt":"SSL certificates for dozens of subdomains quickly becomes a headache. Recently, I needed to secure all the usual suspects - stuff like , , - and I decided to…","html":"

SSL certificates for dozens of subdomains quickly becomes a headache.

\n

Recently, I needed to secure all the usual suspects - stuff like api., mail., vault. - and I decided to just get one wildcard SSL certificate that covers them all.

\n

Spoiler: It made life way easier.

\n
\n

Why bother with a wildcard cert?

\n

Managing individual certs for every subdomain is a pain - renewals everywhere, multiple cron jobs, config spaghetti.

\n

A wildcard cert (*.example.com) just covers all subdomains in one go.

\n

This is a solid shortcut to less headache and fewer surprises in a multi service, self hosted infra setup on different subdomains.

\n
\n

Why DNS validation?

\n

Let’s Encrypt offers a few ways to prove you own a domain.

\n

The DNS-01 challenge is basically the only way to get wildcard certs. It means you prove ownership by adding a TXT record to your DNS.

\n

It’s also handy because:

\n\n

If your DNS provider has an API and Certbot supports it, you can automate the whole thing. Otherwise, manual TXT records work fine too - just a little more hands-on.

\n

For extra integrity, enable DNSSEC - it helps prevent spoofing of TXT records used in validation.

\n
\n

Certbot? Isn’t there something else?

\n

Sure, there are other ACME clients like acme.sh and lego.

\n

Those are great if you want minimal dependencies or full scripting control. But for my use case, Certbot’s DNS plugins and docs made things straightforward and reliable.

\n
\n

Here’s the quick rundown:

\n

1. Install Certbot

\n

On Debian/Ubuntu, this is easy:

\n
sudo apt update\nsudo apt install certbot
\n

2. Grab the DNS plugin (optional)

\n

If you want Certbot to handle DNS TXT record updates automatically (Cloudflare example):

\n
# replace 'cloudflare' with your DNS provider (ex: python3-certbot-dns-digitalocean)\nsudo apt install python3-certbot-dns-cloudflare
\n

3. Request the wildcard cert

\n

Manual way:

\n
sudo certbot certonly --manual --preferred-challenges dns -d \"*.example.com\"
\n

Certbot will spit out a TXT record to add:

\n
_acme-challenge.example.com IN TXT \"some_long_token\"
\n

Add it, wait a bit, then hit Enter for verification.

\n

Automated way (Cloudflare example):

\n
sudo certbot certonly --dns-cloudflare -d \"*.example.com\"
\n

This handles the DNS records for you.

\n

Wildcards don’t cover the root domain (example.com), so request both if you need it.

\n

4. Use the cert

\n

After success, your cert will be in:

\n
/etc/letsencrypt/live/example.com/fullchain.pem\n/etc/letsencrypt/live/example.com/privkey.pem
\n

Plug those into NGINX, Postfix, whatever.

\n

Don’t forget renewal

\n

Let’s Encrypt certs expire every 90 days. To stay ahead of expiration issues, they recommend renewing every 60 days.

\n

If you’re doing manual DNS, you’ll have to repeat the TXT record dance when they expire.

\n

If automated, just run:

\n
sudo certbot renew --quiet
\n

Or add that to a cron/systemd timer to make it hands-off.

\n

Add something like a deploy hook for post cert renewal actions (which only runs on successful renewals)

\n
sudo certbot renew --quiet --deploy-hook \"systemctl reload nginx\" # or the web server you use
\n

Why this matters in DevOps

\n

Good SSL management is a silent backbone of solid infrastructure. Wildcard certs + DNS validation cut down complexity, especially if you:

\n\n

If you’re in that boat, this setup will save you a bunch of hassle.

\n

Be careful, tho

\n

If someone gains access to your wildcard cert and private key, they can impersonate any subdomain. That’s a much bigger blast radius than a cert for just one subdomain.

\n

For sensitive setups, consider managing certs and keys with something like HashiCorp Vault or Kubernetes Secrets. Don’t just leave .pem files lying around.

\n
\n

If you’ve done this differently or have tips, drop them my way (dev@rhuzaifa.com). Always good to swap war stories.

","frontmatter":{"title":"One Wildcard SSL Certificate to Secure All Subdomains via Certbot","date":"July 18, 2024","description":"Wildcard + Certbot + DNS = one cert to rule them all."}}},"pageContext":{"slug":"/blog/one-wildcard-ssl-certificate-to-secure-all-subdomains-via-certbot/","previous":{"fields":{"slug":"/blog/aggregating-rss-feeds-locally-with-a-simple-bash-script/"},"frontmatter":{"title":"Aggregating RSS Feeds Locally with a Simple Bash Script"}},"next":{"fields":{"slug":"/blog/docker-is-great-just-not-for-local-dev/"},"frontmatter":{"title":"Docker Is Great, Just Not for Local Dev"}}}},"staticQueryHashes":["2276319502"]}