In a previous article I introduced how to issue an SSL cert for a single subdomain using acme. If several services run on one server (e.g., cloud storage, blog, chatroom) and each service has its own subdomain, it is convenient to secure all of those hosts under the same base domain with a single wildcard cert.

Install and configure

Install the client and create a symlink to it using ln.

curl | sh
ln -s  /root/ /usr/local/bin/

Change the cert authority if you want.

# change to buypass --set-default-ca --server buypass
# change to letsencrypt --set-default-ca --server letsencrypt

Register an account using your email.

--register-account -m [email protected]

Create and import domain name API

The API token is obtained from the DNS provider that hosts the domain; I use Cloudflare as the example here.

First, go to the API Tokens page.


Go to API Tokens page.

Click Create Token and use the Edit zone DNS template (typically the first one).

Under Zone Resources, select the domain for which the cert is to be issued, then click Continue to summary at the bottom to go to the next page.


Select the domain name in Zone Resources.

Click Create Token.


Create Token.

You will then obtain an API Token that is shown only once. Save this API Token properly, as it can no longer be viewed after the webpage is closed.

Start issuing

Log in to the server and set the environment variables with the corresponding values.

export CF_Token="The API Token"
export CF_Account_ID=""
export CF_Zone_ID=""
export CF_Email="[email protected]"

CF_Token is the API Token just obtained; CF_Account_ID and CF_Zone_ID can be found on the Overview page, which is reached by clicking on the domain name.


Zone ID and Account ID.

Next, start issuing the cert. Change the domain below to your domain name.

--issue --dns dns_cf -d -d * -k ec-256

Finally, install the cert as follows, replacing file_dir with your directory.

--install-cert -d -d * --ecc \
--key-file       file_dir/server.key \
--fullchain-file file_dir/server.crt \
--reloadcmd      "systemctl force-reload nginx"
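The export / issue / install steps above can be wrapped in a small script that validates its inputs before anything touches the DNS API. The following is an added example, not code from the original post; it assumes the acme client is on PATH as acme.sh (the post's own command name did not survive extraction, so substitute whatever your install uses), that the four CF_* variables live in a credentials file readable only by its owner instead of being typed into the shell, and that file_dir is the directory nginx loads server.key and server.crt from.

```shell
#!/bin/sh
# Added example, not code from the original post: a wrapper around the
# wildcard-issue procedure. Assumptions: the acme client is on PATH as
# "acme.sh", the Cloudflare variables (CF_Token, CF_Account_ID, CF_Zone_ID,
# CF_Email) live in a credentials file with mode 600, and file_dir is the
# directory nginx loads server.key / server.crt from.

# Accept only a bare base domain: no scheme, path, leading dot, wildcard
# label or whitespace, and at least one dot followed by a 2+ letter TLD.
base_domain_ok() {
    d=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$d" in
        ''|*/*|.*|*.|\*.*|*' '*) return 1 ;;
    esac
    printf '%s' "$d" | grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$'
}

# The credentials file must exist and carry no group/other permission bits:
# the token can edit DNS for the whole zone, so it must not be readable by
# anyone but the account that runs the client.
creds_file_ok() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Source the credentials only after the permission check, then confirm the
# token is actually set (an empty CF_Token makes dns_cf fail later, noisily).
load_creds() {
    creds_file_ok "$1" || { echo "refusing to load $1: must be mode 600" >&2; return 1; }
    . "$1"
    [ -n "$CF_Token" ] || { echo "CF_Token is empty in $1" >&2; return 1; }
}

# Issue and install the wildcard cert with the same flags the post uses.
issue_wildcard() {
    base=$1
    file_dir=$2
    base_domain_ok "$base" || { echo "not a base domain: $base" >&2; return 2; }
    acme.sh --issue --dns dns_cf -d "$base" -d "*.$base" -k ec-256 || return 3
    acme.sh --install-cert -d "$base" -d "*.$base" --ecc \
        --key-file       "$file_dir/server.key" \
        --fullchain-file "$file_dir/server.crt" \
        --reloadcmd      "systemctl force-reload nginx"
}

# After installation, confirm the installed chain really lists both the base
# name and the wildcard in its Subject Alternative Name extension (needs openssl).
cert_covers_wildcard() {
    san=$(openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null)
    case "$san" in
        *"DNS:$2"*"DNS:*.$2"*|*"DNS:*.$2"*"DNS:$2"*) return 0 ;;
    esac
    return 1
}

# Usage: sh issue_wildcard.sh run /root/cf-creds.env example.com /etc/nginx/certs
if [ "${1-}" = "run" ]; then
    load_creds "$2" && issue_wildcard "$3" "$4" && \
        cert_covers_wildcard "$4/server.crt" "$3" && echo "wildcard cert installed for $3"
fi
```

Reading the CF_* values from a mode-600 file rather than typing export lines keeps the zone-editing token out of the shell history, and the permission check makes the script refuse a file that a later chmod or copy has made group- or world-readable. The SAN check at the end is the quickest way to see that the cert really covers both the base domain and the wildcard before relying on it for every subdomain.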

Now all subdomains under the base domain, such as those for the blog, the chatroom, and the cloud storage, can be secured by a single wildcard cert.