• long running

Free SSL Wildcard Certificates - with Let's Encrypt. Available Now, Forever


You never need to buy another SSL certificate ever again, as Let's Encrypt now provides Wildcard certificates. So one certificate will work with all subdomains you control!

Related Stores

Let's Encrypt
Let's Encrypt


  • +12 votes

    You never need to buy another SSL certificate ever again

    Unless you need EV.

    • who (really) needs an EV cert?

      • Not you.

      • who (really) needs an EV cert?

        EV…last time I looked LE don't even support OV certs! OV should always be the bare minimum for any site that should be trusted with your personal details or anything eCommerce related. The problem with an OV cert over a DV cert is that there is no clear visible difference to non-technical folk that clearly identify a company has at least gone to some effort to validate their domain for OV certificates. EV certs stand out at least. I issued about 5 EV certs in the last year and they're pretty standard in finance for your critical customer login pages such as Internet banking. But they can be stupidly expensive and its just all about the optics of the company name in the URL bar; apparently it gives customers the warm and fuzzies.

        • What's all these acronyms?

        • +4 votes

          While I haven't read it, after some searching:

        • Clearly someone who knows nothing about SSL has downvoted you :( Let's Encrypt isn't the best system for EVERYTHING. Just like a wooden door verses a steel door.

        • Lets Encrypt's certificates verify that your connection is encrypted, and cannot be intercepted by a 3rd party.

          Other certificates actually verify (to various degrees) the identity of the website that you are connecting to. This way you are sure that, say, NAB.com.au is actually NAB the bank and not a phishing site.

        • @TrevBargn:
          Letsencrypt also verify (to various degrees) that you are who you are connecting to.

          With letsencrypt you still have to go trough verification so its not like anyone can obtain certificate for any domain. Letsencrypt verification is not as rigorous as EV but on par with other certificates. I think letsencrypt certificate is more secure because of the short expiry which lead to more frequent verification.

        • @TrevBargn: That's not correct, the bare minimum of an SSL cert is to verify the identity of the domain. Encryption is pointless without domain identity confirmation.

        • @TenaciousTom: Well, sort of. It verifies that the SSL certificate matches the domain - it can't do anything else..

          One of the larger problems that LE is introducing is phishing sites using legit SSLs. You can end up on a super dodgy URL, but have Chrome throw up "Secure" and think everything is rosy.

          Not that there is anything that can be done (besides making people smarter….)

        • @ryang: if we want more people to be able to access https, that's the downside.

        • @ryang:
          People with profitable fishy dodgy scammy web sites can afford $10 for a single domain SSL certificates available everywhere - nothing is stopping them from doing it right now.

          But a lot of people whose web sites are not making any money could not justify extra cost of certificates. Let's encrypt is a huge help there.

        • +2 votes


          That and Google started the whole,not using an SSL certificate? Oh ok well rank you lower.

          Facebook app development also requires an SSL.

          As you said, if you're not making money or its a hobby, buying an SSL certificate wasn't really justifiable.

        • @Zachary:
          WATA ? IDK, IDK, IDGAF

        • @Zachary:

          Extended Validation (EV) certificate is one that's issued when the Certificate Authority has performed more than bare minimum identification checks on the organisation requesting a certificate for its website. You can see that a website has an EV when the name of the organisation appears next to the green lock in Firefox and its meant to provide greater confidence to the visitors that the website is operated by the claimed organisation.

    • or if you need to sign code

  • Handy for people with oodles of subdomains, but not so much for multiple servers..

    • What's the problem w/ multiple servers ?

      • Only one server can generate the wildcard, so you have to export/import to every other server that needs it. Powershell would help with this, sure, but it's not bulletproof.

        • Reverse Proxy might help ?

          eg - HAProxy / nginx or AWS ELB / ALB or Azure Load Balancer or just IIS ARR

        • @tofu_soldier: Yep, that'd certainly work.. I was thinking more about multiple servers offering up different subdomains in multiple locations. But for that kind of setup I'd just let each server manage it's own LE cert/renewal.


  • Short expiry but just couple it with lets encrypt 9 beta and set and forget with auto renew.

  • Who is the root with?

    • Let's Encrypt is a root CA.

      • I can't seem to find the CA record in default Win/Android/IOS. I dont think they are a root CA themselves but probably onsells other Roots. Otherwise its no point if you have to do CA management yourself. Might as well set up your own CA if that's the case. lol

    • DST Root CA X3

  • +15 votes

    No idea what this does but I want it. But how do i get it?

    • +10 votes

      It's for people who run multiple sub domains on one domain. Like if you had… pizza.ozbargain.com.au, mobiles.ozbargain.com.au

      But you could have always gotten individual free ssl certicates from letsencrypt.org anyways. So this is mainly for convenience, if you have too many sub domains and you don't want to get individual certificates for each one.

      Kinda useless for most people.

    • +2 votes

      Use an ACME client with DNS validation. Easiest one is acme.sh and use something like Amazon Route 53

  • Wildcart SSLs. A few years ago these things were selling for $150/yr.

  • Why is it free?

    • +44 votes

      Because security is for everyone.

    • +13 votes

      There’s a push to make the Web encrypted-by-default. Pretty soon, if your site doesn’t support HTTPS, browsers will display a big, ugly warning that the site is insecure.

      But what about non-profit or personal sites? That’s the point of Let’s Encrypt. It allows them to get SSL certificates to secure the site for free, meaning nobody has an excuse to not use HTTPS.


    you will need to modify DNS TXT records in order to demonstrate control over a domain

    I am not a newbie in RHEL administration and DNS, but I have no idea what it means or how to do it.

    • Hate to break it to you but you are… TXT records are a standard part of DNS, along with A, MX, etc.

      • +1 vote

        It seems you are right :)

        A TXT record (short for text record) is a type of resource record in the Domain Name System (DNS) used to provide the ability to associate arbitrary text with a host or other name, such as human readable information about a server, network, data center, or other accounting information.

    • -2 votes

      Clearly you are a n00b if you don't know what DNS TXT record is…

    • Most people won't manually do this, but will setup their systems to automate it. You can use acme.sh for example

  • Just wondering if someone could tell me the use case for this? It will still require renewal every 3 months, so it's not like you get set it up for the parent domain and "set and forget" all the child domains to not need the renewal clients

    • You can pretty easily set up a script or cron job to try and renew every week or so. Then it's set and forget

      • No problem there, except some hosts which doesn't have an ACME client. I imagine that even with a wildcard autorenewing on another host automatically, the host without an ACME client will still need manual certificate replacement?

      • If only I had it that easy!
        Online forms,
        server cert requests,
        multiple days wait
        billing authorisation
        endless people sticking their fingers in
        And that is the new streamlined Symantic system!

        XXXX.qld.gov.au domain

        • You poor bugger. That'll be the taxpayer money at work, making sure that you don't slack off and do something sensible.

    • The site has a comprehensive list of software that automate renewal. If you have a lot of child domains, then hopefully you are also running a site configuration management system to push changes to hosts.

    • Yeh, it's a pretty limited use case, but I imagine there was enough people requesting it..

    • +1 vote

      The short certificate validity is at the core of the Lets Encrypt philosophy.

      • No problem there, except some hosts which doesn't have an ACME client. I imagine that even with a wildcard autorenewing on another host automatically, the host without an ACME client will still need manual certificate replacement?

        • If your hosting provider does not support automatic Let's Encrypt certs with a single button click by now, you really need to ask yourself if you want to be paying them for hosting your site(s). Personally, I would request Let's Encrypt support and if the hosting provider did not deliver the feature with two to three months, I'd move elsewhere.

        • @peteru: lol webhosting

  • …except when your host still refuses to let you automate the process.

    Without shell access it's still very inconvenient.

    • Here's a list of hosts that seemingly support it intrinsically (no shell access required): https://community.letsencrypt.org/t/web-hosting-who-support-...

      • Yeah I'm aware of that list, but thanks for the link anyway.

        I should clarify that my complaint is with regards to hosts removing a built in feature of cPanel (AutoSSL), which already allows free 90 day Comodo certs without the need for Let's Encrypt at all. My host "accidentally" left this feature on for a while before deciding it's not in their business interests.

        It's hard to encourage the world to make all web forms use SSL when the big companies still make it an optional additional cost. Or even worse, take it away.

        • Have you tried acme.sh? It supports Amazon Route 53, Azure DNS, OVH, etc.

          Strictly speaking, acme.sh still requires shell access, but the shell doesn't have to be running on the same host serving HTTPS.

        • +1 vote

          Ask your webhost management team to re-enable it. If they refuse then you should name and shame them.

    • No. Free wildcard certs have never been available until today. Previously they have been over a hundred dollars each

  • Will this allow us to create SSLs for sites hosted on Github Pages (with custom domains)?

  • Thanks heaps! :-)

  • sweet! i was tired of having a list of subdomains in my certbot ini file. now i can do away with those extra characters saving valuable space!

    nah seriously - whenever i add a new app at home i have to make a new subdomain for it and go through getting new certificates so this makes my life much easier. thanks for the heads up!

  • Geekiest OzBargain post and comments ever?

  • hmmm.. well.. do I need these certs… ? Yes… no … Don't know…

  • I mean, you don't need to "rush in and buy this asap" and it doesn't get OzBargain'd lol.
    I use this script to maintain all of mine: https://github.com/Neilpang/acme.sh
    This + a cron job and I haven't had to worry about them for a good 6+ months.

  • How long did the process take to get your cert?

    • The process itself - about 60 seconds.. :D

      You'll need some previous knowledge and a capable system first though.

  • Crazy Domains would not use Let's Encrypt certs last time I tried. I had to pay for their ones.

  • Any deals on Code Signing Certificate?

  • Do these certs work for Microsoft Exchange and TMG 2010 servers?


    can some1 tell me how to actually generate a certificate so I can apply it to IIS myself?