How to Set Up Free Wildcard SSL with Auto Renewal Using Certbot (Apache & Nginx)

By Vikas Chandra
Tags: wildcard ssl, ssl auto renewal, apache ssl, nginx ssl, certbot, https setup, dns-01 challenge, route 53 ssl, certbot route53 plugin, tls 1.3, hsts, devops, laravel ssl, multiple subdomains ssl

Securing your website is no longer optional. Browsers label plain-HTTP pages "Not secure", search engines favour HTTPS, and anything sent over HTTP (passwords, session cookies, API tokens) can be read or altered by anyone on the path. In this blog, we'll start from zero and reach a production-ready setup using:

  • Wildcard SSL
  • Certbot
  • Route 53 DNS plugin
  • Apache & Nginx
  • Automatic renewal

This guide is written for beginners, but detailed enough for production engineers.

What is SSL/TLS?

SSL (Secure Sockets Layer) and TLS (Transport Layer Security)

SSL is the old name: every version of SSL is deprecated, and what servers actually speak today is TLS (1.2 or 1.3). People still say "SSL certificate", so this guide uses both terms. TLS:

  • Encrypts data between browser ↔ server, so it cannot be read in transit
  • Authenticates the server: the certificate proves the browser reached the real example.com and not an impostor
  • Protects integrity: data modified in transit is detected and rejected
  • Enables HTTPS

Without TLS: http://example.com  (Not secure)

With TLS: https://example.com (Secure)

What is a Wildcard SSL Certificate?

A normal certificate covers only the names listed in it, for example:

		example.com
		www.example.com

A wildcard certificate issued for these two names:

		example.com
		*.example.com

also covers every direct subdomain, such as:

		api.example.com
		anything.example.com

One certificate for unlimited subdomains, with two caveats: the wildcard stands for exactly one label, so *.example.com does not cover a.b.example.com (that would need *.b.example.com), and it does not cover the bare example.com, which is why the apex is requested as a separate name below.
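To see exactly what the wildcard pair covers, here is a small shell check added to this article as an illustration (it is not from the original post and not part of Certbot). It applies the hostname-matching rule browsers use for certificate names (RFC 6125 section 6.4.3: the * stands for exactly one label, left-most only) to the two names the certbot command below requests. The function names and the sample hostnames are this example's own.

```shell
#!/bin/sh
# Added example: does a certificate's list of names cover a given hostname?
# Implements the matching rule browsers apply (RFC 6125 6.4.3): a wildcard
# "*" stands for exactly one DNS label, in the left-most position only.
# Function names and sample hosts are the example's own, not Certbot's.

# name_covers CERT_NAME HOST -> 0 if CERT_NAME covers HOST, 1 otherwise.
name_covers() {
    cn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # DNS names are case-insensitive
    hn=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $cn in
        \*.*)
            suffix=${cn#\*.}                  # "*.example.com" -> "example.com"
            case $hn in
                *."$suffix")
                    label=${hn%."$suffix"}    # what the "*" would have to match
                    case $label in
                        ''|*.*) return 1 ;;   # nothing, or more than one label
                        *)      return 0 ;;
                    esac ;;
                *) return 1 ;;                # different suffix, or the bare apex
            esac ;;
        *)
            [ "$cn" = "$hn" ] ;;              # plain name: exact match only
    esac
}

# cert_covers HOST NAME... -> 0 if any certificate name covers HOST.
# NAME... are the DNS names the certificate was issued for, e.g. the
# "-d example.com -d '*.example.com'" pair from the certbot command below.
cert_covers() {
    target=$1; shift
    for n in "$@"; do
        name_covers "$n" "$target" && return 0
    done
    return 1
}

# Usage: show which hosts the wildcard pair does and does not cover.
for h in example.com www.example.com api.example.com a.b.example.com example.org; do
    if cert_covers "$h" example.com '*.example.com'; then
        echo "$h: covered"
    else
        echo "$h: NOT covered"
    fi
done
```

Run it and a.b.example.com comes out as NOT covered while example.com is covered only because it was requested explicitly; dropping example.com from the list leaves the apex uncovered, which is the most common wildcard surprise.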

What is Certbot?

Certbot is the free, open-source ACME client maintained by the EFF and recommended by Let's Encrypt. It can:

  • Request certificates from Let's Encrypt (or any other ACME CA)
  • Install them into Apache or Nginx automatically
  • Renew them before expiry

Let's Encrypt certificates are:

  • Free
  • Trusted by all mainstream browsers and operating systems
  • Valid for 90 days, so renewal must be automated (Certbot's timer renews a certificate once 30 days or fewer remain, by default)

Why DNS Validation is Needed for Wildcard SSL?

Let's Encrypt will not issue a wildcard certificate via the HTTP-01 challenge (the file-under-/.well-known/ method): a file served by one web server proves nothing about every possible subdomain. Wildcards require the DNS-01 challenge, which proves control of the zone itself through a DNS TXT record.

Flow:

  1. Certbot asks Let's Encrypt for the certificate; Let's Encrypt returns a one-time challenge token for each name
  2. A TXT record named _acme-challenge.example.com is added to DNS with a value derived from that token
  3. Let's Encrypt queries DNS, finds the expected value and marks the name as validated
  4. Certificate is issued; the TXT record can then be removed

Note that example.com and *.example.com are both validated at the same record name, _acme-challenge.example.com, with different values, so two TXT records must exist at that name at the same time. Whoever can write TXT records in your zone can obtain certificates for it, which is why the DNS API credentials below deserve the same care as the private key.

What is the Route 53 Plugin?

If your DNS is hosted on AWS Route 53, Certbot's certbot-dns-route53 plugin can:

  • Automatically create the TXT records for each challenge
  • Automatically remove them afterwards
  • Fully automate renewal, because the same steps run unattended every time

Plugin used:

	certbot-dns-route53

  • No manual DNS work
  • Fully automatic renewal
  • Best for production (other DNS providers have their own certbot-dns-* plugins that work the same way)

Architecture Overview

Browser
   ↓ HTTPS
Apache / Nginx
   ↓
SSL Certificate (Wildcard)
   ↓
Certbot Auto Renewal
   ↓
Route 53 DNS (TXT validation)

Installing Required Packages

Ubuntu/Debian

sudo apt update
sudo apt install certbot python3-certbot-dns-route53 -y

Ensure AWS credentials are available to the user that runs Certbot. Because the commands below use sudo, that user is root, so the plugin reads root's credentials file (normally /root/.aws/credentials), not the one in your own home directory; environment variables or an EC2 instance role work as well.

Those credentials need the following IAM permissions. The first two have no resource-level scope, but ChangeResourceRecordSets should be restricted to your hosted zone rather than granted on every zone in the account:

route53:ListHostedZones
route53:GetChange
route53:ChangeResourceRecordSets
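The permissions above can be turned into a concrete least-privilege policy. The following shell snippet is an added example (not from the original post or from the certbot-dns-route53 project): it computes the _acme-challenge record name that DNS-01 validates at, emits an IAM policy that limits ChangeResourceRecordSets to TXT records at those names in a single hosted zone using Route 53's condition keys, and reports where the plugin will look for credentials when Certbot runs as root. The hosted zone ID Z0123456789ABCDEFGHIJ, the function names and the statement Sids are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original post or the certbot-dns-route53 project):
# least-privilege IAM policy for the Route 53 plugin, plus a check of where the
# plugin will look for AWS credentials. Function names, Sids and the sample
# zone ID are the example's own.

# acme_challenge_name DOMAIN -> the TXT record name DNS-01 validates at.
# "example.com" and "*.example.com" both map to _acme-challenge.example.com.
acme_challenge_name() {
    d=${1#\*.}                        # strip a leading "*."
    d=${d%.}                          # and a trailing dot, if any
    printf '_acme-challenge.%s\n' "$d" | tr 'A-Z' 'a-z'
}

# route53_certbot_policy HOSTED_ZONE_ID DOMAIN... -> IAM policy JSON on stdout.
# ListHostedZones/GetChange have no resource-level scope, so they stay on "*";
# ChangeResourceRecordSets is limited to one zone and, via Route 53's
# condition keys, to TXT records at the _acme-challenge names only.
route53_certbot_policy() {
    zone_id=$1; shift
    names=""
    for d in "$@"; do
        n=$(acme_challenge_name "$d")
        case "$names" in
            *"\"$n\""*) ;;                          # apex and wildcard share a name
            "")          names="\"$n\"" ;;
            *)           names="$names, \"$n\"" ;;
        esac
    done
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FindZoneAndPollPropagation",
      "Effect": "Allow",
      "Action": ["route53:ListHostedZones", "route53:GetChange"],
      "Resource": "*"
    },
    {
      "Sid": "OnlyAcmeTxtRecordsInOneZone",
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/$zone_id",
      "Condition": {
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"],
          "route53:ChangeResourceRecordSetsNormalizedRecordNames": [$names]
        }
      }
    }
  ]
}
EOF
}

# aws_credential_source [HOME_DIR] -> env | file:<path> | none
# The plugin uses boto3's default credential chain. Under sudo the process
# runs as root, so HOME_DIR is /root: a file in your own ~/.aws is not found.
# An EC2 instance role also works but cannot be detected from the filesystem.
aws_credential_source() {
    home=${1:-/root}
    file=${AWS_SHARED_CREDENTIALS_FILE:-$home/.aws/credentials}
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ]; then
        echo env
    elif [ -r "$file" ]; then
        echo "file:$file"
    else
        echo none
    fi
}

# Usage: print the policy for the zone and report the credential source.
route53_certbot_policy Z0123456789ABCDEFGHIJ example.com '*.example.com'
echo "credentials for root: $(aws_credential_source /root)"
```

Attach the emitted policy to a dedicated IAM user or role used only by Certbot; if the machine is an EC2 instance, an instance role avoids storing long-lived keys on disk at all.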

Generate Wildcard SSL (One-Time)

sudo certbot certonly \
  --dns-route53 \
  -d example.com \
  -d "*.example.com" \
  --agree-tos \
  --non-interactive \
  --email your@email.com

Certificate locations:

/etc/letsencrypt/live/example.com-0001/

Certbot prints this path when issuance succeeds; copy it rather than assuming it. On a fresh machine the lineage is simply /etc/letsencrypt/live/example.com/; the -0001 suffix appears when a lineage named example.com already exists (for example from an earlier non-wildcard certificate). The certbot certificates subcommand lists every lineage with its names, path and expiry.

Apache Configuration (From Scratch)

Apache Paths

Purpose	Path
Config	/etc/apache2/sites-available/
Enabled	/etc/apache2/sites-enabled/
Logs	/var/log/apache2/	

Apache HTTP → HTTPS Redirect

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com *.example.com

    # Send every plain-HTTP request to the same host and path over HTTPS.
    # Needs mod_rewrite (enabled below).
    RewriteEngine On
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</VirtualHost>

  • Forces HTTPS for every name the certificate covers
  • Improves SEO (one canonical https:// URL per page)
  • Security best practice: credentials and session cookies never travel over plain HTTP

Apache HTTPS VirtualHost (Wildcard)

<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com *.example.com

    # Laravel's entry point is public/; the rest of the app tree
    # (.env, storage/, vendor/) stays outside the document root.
    DocumentRoot /var/www/laravel/public

    <Directory /var/www/laravel/public>
        AllowOverride All
        Require all granted
    </Directory>

    SSLEngine on
    # Use the lineage path Certbot printed; "-0001" only appears when a
    # lineage named example.com already existed on this machine.
    # fullchain.pem = leaf + intermediate(s); privkey.pem must stay root-only.
    SSLCertificateFile /etc/letsencrypt/live/example.com-0001/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com-0001/privkey.pem
</VirtualHost>

Enable Apache Modules and the Site

sudo a2enmod ssl rewrite
sudo a2ensite example.com        # assumes you saved the two VirtualHosts as sites-available/example.com.conf
sudo apachectl configtest        # catch syntax errors before touching the running server
sudo systemctl restart apache2   # restart (not reload) so the newly enabled modules load

Nginx Configuration (From Scratch)

Nginx Paths

Purpose	Path
Config	/etc/nginx/sites-available/
Enabled	/etc/nginx/sites-enabled/
Main	/etc/nginx/nginx.conf

Nginx HTTP → HTTPS Redirect

server {
    listen 80;
    server_name example.com *.example.com;

    return 301 https://$host$request_uri;
}

Nginx HTTPS Server Block (Wildcard)

server {
    listen 443 ssl;
    server_name example.com *.example.com;

    # Laravel's entry point; the rest of the app tree stays unreachable.
    root /var/www/laravel/public;
    index index.php index.html;

    # Use the lineage path Certbot printed ("-0001" only appears when a
    # lineage named example.com already existed). Nginx has no separate
    # chain directive, so ssl_certificate must be fullchain.pem, not cert.pem.
    ssl_certificate /etc/letsencrypt/live/example.com-0001/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com-0001/privkey.pem;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        # The socket name must match the installed PHP-FPM version (8.1 here).
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
    }
}

Test & Reload Nginx

sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/   # assumes you saved both server blocks as sites-available/example.com
sudo nginx -t                   # never reload on a config that fails the test
sudo systemctl reload nginx     # reload keeps existing connections open; restart is only needed for a brand-new install

Auto Renewal (Most Important Part)

The Ubuntu/Debian package installs a systemd timer (certbot.timer) that runs certbot renew twice a day and renews any certificate with 30 days or fewer left; confirm with systemctl that the timer is active. A cron entry in /etc/cron.d/certbot is also installed but only runs where systemd is not in use.

Test renewal (talks to the staging environment, so it does not count against rate limits):

sudo certbot renew --dry-run

Actual renewal:

sudo certbot renew

  • TXT records are created and removed automatically by the Route 53 plugin
  • Apache/Nginx are not touched: certonly only writes the new files under /etc/letsencrypt
  • That also means the running server keeps serving the old certificate until it is reloaded. Add a deploy hook (the --deploy-hook option, or an executable in /etc/letsencrypt/renewal-hooks/deploy/) that reloads the web server; a reload, unlike a restart, drops no connections, which is what makes renewal zero downtime
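Because certbot renew only rewrites the files under /etc/letsencrypt, the web server has to be told to reload. Below is a deploy hook added here as an example (it is not from the original post, and the file name reload-web.sh is this example's own choice). Certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal with RENEWED_LINEAGE and RENEWED_DOMAINS set in the environment. The hook reloads only the web servers whose configuration actually references the renewed lineage, and only after their config test passes, so a broken config never takes a working site down.

```shell
#!/bin/sh
# Added example deploy hook for certbot renewals (not from the original post).
# Install as /etc/letsencrypt/renewal-hooks/deploy/reload-web.sh, mode 0755.
# Certbot runs every executable in that directory once per renewed lineage with
#   RENEWED_LINEAGE  e.g. /etc/letsencrypt/live/example.com-0001
#   RENEWED_DOMAINS  space-separated names on the certificate
# in the environment. Without such a hook, Apache/Nginx keep serving the old
# certificate from memory until someone reloads them.
set -eu

# config_references LINEAGE DIR... -> 0 if any file under DIR... references
# this lineage's fullchain.pem, i.e. that server really uses the renewed cert.
# This matters when several lineages exist (example.com vs example.com-0001).
config_references() {
    lineage=$1; shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        grep -rqF -- "$lineage/fullchain.pem" "$dir" && return 0
    done
    return 1
}

# reload_if_ok UNIT CONFIGTEST -> reload the systemd unit only if it is active
# and the config test passes. On failure the old, still-valid certificate stays
# in service and the non-zero exit makes certbot log the hook failure.
# Output from hooks lands in /var/log/letsencrypt/letsencrypt.log.
reload_if_ok() {
    unit=$1; configtest=$2
    systemctl is-active --quiet "$unit" || return 0
    if $configtest >/dev/null 2>&1; then
        systemctl reload "$unit"
        echo "reloaded $unit for: $RENEWED_DOMAINS"
    else
        echo "$unit config test failed; NOT reloaded" >&2
        return 1
    fi
}

main() {
    status=0
    if config_references "$RENEWED_LINEAGE" /etc/nginx; then
        reload_if_ok nginx "nginx -t" || status=1
    fi
    if config_references "$RENEWED_LINEAGE" /etc/apache2; then
        reload_if_ok apache2 "apache2ctl configtest" || status=1
    fi
    return $status
}

# Only act when invoked by certbot; the variable is unset otherwise.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

To exercise the hook without waiting for a real renewal, run it by hand as root with RENEWED_LINEAGE and RENEWED_DOMAINS exported; a dry-run renewal does not run deploy hooks by default.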

What are fullchain.pem and privkey.pem?

  • When you generate a certificate with Certbot / Let's Encrypt, it creates several .pem files under /etc/letsencrypt/archive/<lineage>/ and points symlinks in /etc/letsencrypt/live/<lineage>/ at the current versions.
  • Among them, fullchain.pem and privkey.pem are the two your web server actually uses. Configuring the live/ symlinks (as above) means each renewal is picked up on the next reload without editing the config.

privkey.pem — The Private Key (Most Sensitive File)

What it is

privkey.pem contains the private key matching the public key in your certificate.

  • It is generated on your server by Certbot; Let's Encrypt never sees it
  • It should never leave your server
  • Used during the TLS handshake to sign, proving that the server presenting the certificate holds the matching key
  • That signature is what authenticates your server to browsers

Why it's important

When a browser connects to your website:

  • The browser checks that the certificate chains to a trusted root and names the host it asked for
  • Your server signs the handshake with the private key; only the holder of that key can produce a valid signature
  • Browser and server then agree on fresh session keys (ephemeral Diffie-Hellman) that encrypt the traffic. In TLS 1.3 the certificate key never encrypts data itself, so a key stolen later cannot decrypt recorded sessions (forward secrecy), but it can be used to impersonate you from then on

Example

SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

Security Warning

  • Never share this file
  • Never commit to Git
  • Never expose publicly: keep it outside the document root, and leave it root-owned with mode 0600 as Certbot stores it
  • If leaked: anyone holding it can impersonate your domain and every subdomain the wildcard covers until the certificate expires or is revoked. Revoke it with certbot revoke and issue a new certificate with a new key immediately

fullchain.pem — The Complete Certificate Chain

What it is

fullchain.pem is a combined certificate file containing, in this order:

  1. Your domain (leaf) certificate
  2. The Let's Encrypt intermediate certificate(s) that signed it

Together, these form a trust chain that browsers can verify.

Why "full chain" is required

Browsers do not trust your certificate directly.

They verify it step-by-step until they reach a root CA that is already in their trust store:

Your Domain Certificate
   ↓
Let's Encrypt Intermediate CA
   ↓
Trusted Root CA (in browser / OS trust store)

The root ships with the client, but the intermediate does not; the server must send it. If the chain is incomplete:

  • Some desktop browsers fetch the missing intermediate themselves (AIA fetching), so the site looks fine from your laptop and the problem is masked
  • Clients that do not, including most mobile browsers, curl, Java and Android apps, fail with "unknown issuer" / "Not Secure"

Check from outside with an openssl s_client connection or a third-party SSL checker: both show the chain the server actually sends, not the one you think you configured.

Example

SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem

Why Not Use cert.pem Alone?

Certbot also creates:

  • cert.pem – Contains only your domain (leaf) certificate
  • chain.pem – Contains only the intermediate certificate(s)
  • fullchain.pem – Combines cert.pem and chain.pem (recommended, and the only way to give Nginx the intermediates, since ssl_certificate takes a single file)

Apache 2.4.8 and later also reads the intermediates from SSLCertificateFile when it points at fullchain.pem; older versions need chain.pem in a separate SSLCertificateChainFile directive.

Best practice: Always use fullchain.pem

How These Two Files Work Together

  • fullchain.pem – Public: your certificate plus the intermediates, sent to every client
  • privkey.pem – Secret: the matching private key, used to sign the handshake and so prove the server owns the certificate

Together they:

  • Enable HTTPS
  • Authenticate your server
  • Let browser and server derive the session keys that encrypt the traffic

Pros & Cons

Pros

  1. Wildcard SSL – Secures unlimited first-level subdomains with a single certificate
  2. Route 53 Plugin – Enables fully automated DNS validation and renewal
  3. Free – No cost ($0) for certificate issuance and renewal
  4. Secure – Uses current TLS with a CA trusted by all mainstream clients
  5. SEO Friendly – Helps improve Google rankings and user trust

Cons

  1. AWS Dependency – This plugin requires Route 53; other DNS providers need their own certbot-dns-* plugin or manual TXT records
  2. DNS-Based Validation – Slower than HTTP-based validation, because the TXT record must propagate before Let's Encrypt checks it
  3. 90-Day Validity – Certificates expire quickly, so the renewal timer and a reload hook are not optional
  4. One key for everything – Every host that serves *.example.com needs the same private key, so a compromise of any one of them exposes all subdomains; and the Route 53 credentials can issue certificates for the whole zone, so scope them to one hosted zone and guard them like a key
  5. Overkill for Single Site – Unnecessary if you only need a certificate for one or two names

Final Recommendation

  1. Many subdomains – ✅ Wildcard SSL is the best choice
  2. AWS DNS setup – ✅ Use the Route 53 plugin for full automation
  3. Production environments – ✅ DNS validation is recommended for reliability, and it works for hosts that are not reachable over HTTP at all
  4. Small single site – ❌ Wildcard SSL is overkill; a normal certificate with HTTP-01 validation is simpler
Jan 02, 2026