Letsencrypt Wildcard Certificate HowTo

After the delayed launch of ACME v2 together with the wildcard endpoint [2], it finally went live today [3]. Besides needing the ACME v2 endpoint, a wildcard name can only be validated with the dns-01 challenge, i.e. by publishing a DNS TXT record under _acme-challenge.<domain> to prove control of the zone; the http-01 challenge is not accepted for wildcard names.

Just "upgraded" my certificate to a wildcard certificate (covering both the apex name no3x.de and *.no3x.de) following these steps:
1. Upgraded my certbot

cd /opt/letsencrypt
git reset --hard
git pull

2. Requested certificate (command is based on [1])

/opt/letsencrypt/certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d "no3x.de" -d "*.no3x.de" --webroot-path=/var/www/html --manual certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None

-------------------------------------------------------------------------------
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/no3x.de.conf)

It contains these names: no3x.de

You requested these names for the new certificate: no3x.de, *.no3x.de.

Do you want to expand and replace this existing certificate with the new
certificate?
-------------------------------------------------------------------------------
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for no3x.de
dns-01 challenge for no3x.de

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

-------------------------------------------------------------------------------
Create a file containing just this data:

2d_P_nGbYGw51FjBafWKwKh6ms7GUedgWmP8uek27Iw.e6ZC8rMTP4wAt3ZJqrPYTMaJDzvXkHLp8iuDc4oGyP2

And make it available on your web server at this URL:

http://no3x.de/.well-known/acme-challenge/2d_P_nGbYGw51FjBafWKwKh6ms7GUedgWmP8uek27Iw

-------------------------------------------------------------------------------
Press Enter to Continue

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.no3x.de with the following value:

loGH_nwO5z0LL2zX4IGopI0Jp0Z6H9Xx5t9AE-I2Xyw

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/no3x.de/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/no3x.de/privkey.pem
   Your cert will expire on 2018-06-12. To obtain a new or tweaked
   version of this certificate in the future, simply run
   letsencrypt-auto again. To non-interactively renew *all* of your
   certificates, run "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

3. Followed the instructions: created the http-01 challenge file under /.well-known/acme-challenge/ and added the TXT record for the dns-01 challenge. Note that --webroot-path is ignored once --manual is the authenticator (see "Plugins selected: Authenticator manual" above), which is why certbot printed the file contents instead of writing them itself. Before pressing Enter on the DNS step, check with a resolver outside your own network that the TXT record is actually visible; Let's Encrypt queries the authoritative servers, so a freshly added record that has not propagated fails validation.

4. Restarted my webserver and confirmed that the served certificate's Subject Alternative Names now list both no3x.de and *.no3x.de.

5. Done. One caveat: the "letsencrypt-auto renew" hint in the output above does not work for a certificate obtained in --manual mode unless a --manual-auth-hook script is supplied that publishes the TXT record automatically; without one, the interactive steps above have to be repeated before the expiry date (2018-06-12 in my case).
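To make the three things that are easy to get wrong in the procedure above checkable offline, here is an added example in plain-stdlib Python; it is not code from the original post and not part of certbot. It shows (a) at which DNS name the dns-01 TXT record belongs, and that no3x.de and *.no3x.de share the same record name, (b) how the TXT value is derived from a key authorization of the "token.thumbprint" form that certbot prints for http-01 (base64url of the SHA-256 digest, RFC 8555 section 8.4), and (c) which hostnames a certificate's SAN list covers, with wildcard matching limited to one label (RFC 6125), which is exactly why both -d no3x.de and -d "*.no3x.de" were needed. All tokens, thumbprints and SAN lists in the block are constructed sample input, not values from the page; the function names are my own.

```python
"""Added example, not part of the original post or of certbot.

Offline helpers for the ACME wildcard flow: dns-01 record name, dns-01 TXT
value from a key authorization, and SAN/wildcard coverage of hostnames.
Sample inputs below are constructed for illustration.
"""

import base64
import hashlib


def challenge_record_name(identifier):
    """DNS owner name at which the dns-01 TXT record must be published.

    The wildcard prefix is stripped, so "no3x.de" and "*.no3x.de" both
    map to "_acme-challenge.no3x.de" (and, if both are validated with
    dns-01, two TXT records coexist under that single name).
    """
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base.rstrip(".").lower()


def dns01_txt_value(key_authorization):
    """TXT record content for dns-01 (RFC 8555 section 8.4).

    key_authorization is the string certbot shows for http-01,
    "<token>.<account key thumbprint>"; the dns-01 value is the
    unpadded base64url encoding of its SHA-256 digest (always 43 chars).
    """
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def name_covered(hostname, sans):
    """True if hostname is matched by one of the dNSName SANs.

    A wildcard only stands in for the leftmost label: "*.no3x.de" matches
    "www.no3x.de" but neither the apex "no3x.de" nor "a.b.no3x.de".
    """
    host = hostname.lower().rstrip(".")
    for san in sans:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*."):
            suffix = san[1:]                 # ".no3x.de"
            if host.endswith(suffix):
                left = host[: -len(suffix)]  # label(s) replaced by the wildcard
                if left and "." not in left and "*" not in left:
                    return True
    return False


def missing_names(wanted, sans):
    """Hostnames from `wanted` that the SAN list does not cover."""
    return [h for h in wanted if not name_covered(h, sans)]


if __name__ == "__main__":
    # Constructed key authorization (token.thumbprint), not a real one.
    keyauth = "2d_P_nGbYGw51FjBafWKwKh6ms7GUedgWmP8uek27Iw.thumbprintOfMyAccountKey"
    for ident in ("no3x.de", "*.no3x.de"):
        print(ident, "->", challenge_record_name(ident))
    print("TXT value:", dns01_txt_value(keyauth))

    sans = ["no3x.de", "*.no3x.de"]          # what the new certificate carries
    wanted = ["no3x.de", "www.no3x.de", "mail.no3x.de", "a.b.no3x.de"]
    print("not covered by", sans, ":", missing_names(wanted, sans))
    print("not covered by wildcard only:", missing_names(wanted, ["*.no3x.de"]))
```

The last two lines of the demo are the point of reference [1]: a certificate with only *.no3x.de would not cover the apex name, and no wildcard covers a second-level label such as a.b.no3x.de; those need their own entries (or their own wildcard).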

Sources:

[1] https://community.letsencrypt.org/t/confusing-on-root-domain-with-wildcard-cert/56113

[2] https://community.letsencrypt.org/t/acmev2-and-wildcard-launch-delay/53654

[3] https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579
