
I'd like to obtain one certificate working for all my subdomains *.example.com.

This works:

certbot-auto certonly --webroot --webroot-path /home/www/example/ --domain example.com \
    --domain www.example.com --email certbot@example.com

but this (with *.):

certbot-auto certonly --webroot --webroot-path /home/www/example/ --domain example.com \
    --domain '*.example.com' --email certbot@example.com

fails with:

Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

How to use certbot-auto to generate a certificate for *.example.com?

Basj

1 Answer


As mentioned in a comment, the solution is to use DNS challenge validation, like here: How to use Let's Encrypt DNS-01 challenge validation?.

First, remove your previous certificate (if needed) with the following command:

certbot-auto delete --cert-name example.com
# Or for newer versions
certbot delete --cert-name example.com   # the name is the directory under /etc/letsencrypt/live

Then generate a new certificate with a DNS challenge:

certbot-auto -d '*.example.com' -d example.com --manual --preferred-challenges dns certonly
# Or for newer versions (quote the wildcard so the shell does not glob-expand it)
certbot -d '*.example.com' -d example.com --manual --preferred-challenges dns certonly

Then copy/paste the TXT challenge into your DNS settings, something like:

_acme-challenge.example.com TXT Chs768564536576SDGdG6SQDYTZAEq

Restart Apache/nginx if needed, and it works.

PS: in my case, no installation of an authenticator plugin was needed (is it probably installed out of the box?)

Important notice: to validate the wildcard domain you must use DNS validation; you can, however, validate many subdomains at a time by repeating the -d option.

Basj