Photo by Muhammad Zaqy Al Fattah / Unsplash

Wildcard with Certbot and OVH

Self-Hosting Feb 1, 2023
TL;DR further down the page


A wildcard certificate is a single public key SSL certificate, enabling HTTPS on all your subdomains or aliases.

Cerbot is a tool to generate and renew free Let's Encrypt SSL certificates to ensure HTTPS on your website.

OVHcloud is a cloud computing company that offers VPS, dedicated servers and other web services.


I do not own this domain and IP address, they are just used as an example

I have a domain name that points to my server :

OVH Manager - DNS Zone of : A record

This server hosts three services behind a reverse-proxy, pointed by three aliases of :

OVH Manager - DNS Zone of : CNAME records

To use HTTPS on these services, I can generate three SSL certificates, one for each alias. The problem is that if I want to host more services, managing each one of them can become quite tricky. Imagine having to manage hundreds of certificates!

Three SSL certificates generated with Certbot

I can also generate a single certificate for those three services, but I will still need to generate a certificate every time I want to host a new service. Also, the certificate will list all my aliases, which I don't want for security reasons.

A single SSL certificate generated with Certbot

So instead, I can generate a single certificate, that will work with all recorded and future aliases : a Wildcard certificate

A Wildcard SSL certificate generated with Certbot, for all the aliases
Link to OVH Manager - DNS Zone (domain to change by yours) :

To proceed


sudo apt install certbot python3 python3-pip
sudo pip3 install cerbot-dns-ovh

Generate API keys

OVH - Creating API Keys

 (!) Don't forget to add the last line (DELETE in this case) using its + button

  • Write down in your password manager the generated API keys
OVH - Created API Keys

Check generated keys on API console (optional)

OVH API Console - GET application ID info
To delete an application, paste the app ID into
DELETE /me/api/application/{applicationId}

Add the API keys on the server

On the host server :

  • Create a restricted-access ovh.ini file
sudo mkdir -p /root/.secrets/cerbot/ && sudo touch /root/.secrets/certbot/ovh.ini
Create a 'certbot' folder and the ovh.ini file
sudo chmod 600 /root/.secrets/certbot/ovh.ini
Restrict access to root user only, with read/write privileges
  • Edit the ovh.ini file with the previously generated API keys :
    sudo nano /root/.secrets/certbot/ovh.ini
# OVH API credentials "Wildcard"
dns_ovh_endpoint = ovh-eu
dns_ovh_application_key = MDAwMDAwMDAwMDAw
dns_ovh_application_secret = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
dns_ovh_consumer_key = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
Change, obviously, the key values by yours

Check the configuration

Edit the following command, the --dry-run option is to test the configuration:

sudo certbot certonly -v --dry-run --dns-ovh --dns-ovh-credentials /root/.secrets/certbot/ovh.ini --non-interactive -d -d "*" --agree-tos --email --rsa-key-size 4096
  • Change the -d -d "*" parameters by your domain name
The * parameter is used for generating the Wildcard cert., don't forget the *
and the quotation marks " in the command line
  • Change the --email by yours

Generate the Wildcard certificate

Just remove the --dry-run option from your command

The Wildcard will be generated under /etc/letsencrypt/live/

To overwrite an existing certificate, use the --expand option in your command
More options in the cerbot manual page : cerbot -h or man-page certbot

vHost SSL configuration

Here is a useful tool to help you generate an SSL vHost configuration file depending on your HTTP server and more (Apache, Nginx ...)

Mozilla SSL Configuration Generator
An easy-to-use secure configuration generator for web, database, and mail software. Simply select the software you are using and receive a configuration file that is both safe and compatible.

Restart and Test

Another tool to check your configuration

SSL Server Test (Powered by Qualys SSL Labs)
A comprehensive free SSL test for your public web servers.

Automatic renewal

Since a free Let's Encrypt certificate last 3 months, you can add a Cron to automatically renew your wildcard : sudo crontab -e

# Certbot renew on even months 
0 0 1 */2 * certbot renew && service nginx reload


Requirements :

sudo apt install certbot python3 python3-pip
sudo pip3 install cerbot-dns-ovh

API keys :

  • GET, PUT, POST, DELETE = /domain/zone/*
sudo mkdir -p /root/.secrets/cerbot/ && sudo touch /root/.secrets/cerbot/ovh.ini && sudo chmod 600 /root/.secrets/certbot/ovh.ini && sudo nano /root/.secrets/certbot/ovh.ini
dns_ovh_endpoint = ovh-eu
dns_ovh_application_key = 
dns_ovh_application_secret = 
dns_ovh_consumer_key = 

Generate Certs

sudo certbot certonly -v --dns-ovh --dns-ovh-credentials /root/.secrets/certbot/ovh.ini --non-interactive -d -d "*" --agree-tos --email --rsa-key-size 4096
  • To test : --dry-run
  • To overwrite : --expand