certbot
Does Let's Encrypt issue wildcard certificates? (https://letsencrypt.org/docs/faq/#does-let-s-encrypt-issue-wildcard-certificates)
Yes. Wildcard issuance must be done via ACMEv2 using the DNS-01 challenge. See this post for more technical information.
Install
Get a certificate for the domain www.example.org (nginx)
# Request the certificate; certbot prompts for the domain name and its webroot
/usr/local/bin/certbot-auto certonly --webroot
# Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel): www.example.org
#  - Congratulations! Your certificate and chain have been saved at:
#    /etc/letsencrypt/live/www.example.org/fullchain.pem
#    Your key file has been saved at:
#    /etc/letsencrypt/live/www.example.org/privkey.pem
cd /etc/letsencrypt/live/www.example.org/
# Build the bundle: server certificate first, then the intermediate chain
cat cert.pem > www_ca_bundle.crt
echo "" >> www_ca_bundle.crt
cat chain.pem >> www_ca_bundle.crt
# Copy key and bundle to the paths nginx uses
# (a certbot renewal updates /etc/letsencrypt/live only, not these copies)
cp privkey.pem /etc/ssl/private/www_private.key
cp www_ca_bundle.crt /etc/ssl/certs/www_ca_bundle.crt
# Point the nginx site at the copied files
nano /etc/nginx/sites-enabled/www.example.org
# ssl_certificate /etc/ssl/certs/www_ca_bundle.crt;
# ssl_certificate_key /etc/ssl/private/www_private.key;
# change paths ...
service nginx restart
Get a certificate for a domain using another domain's webroot
# Temporarily replace the other.example.org site with a copy of the www.example.org site,
# so the challenge for other.example.org is answered from www.example.org's webroot
cd /etc/nginx/sites-available
cp other.example.org other.example.org.ori
cp www.example.org other.example.org
sed -i 's/server_name www\.example\.org/server_name other.example.org/g' other.example.org
cat other.example.org
# restart nginx
service nginx restart

/usr/local/bin/certbot-auto certonly --webroot
# Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel): other.example.org
# Input the webroot for other.example.org: (Enter 'c' to cancel): /var/www/www.example.org
# Congratulations! Your certificate and chain have been saved at:
# /etc/letsencrypt/live/other.example.org/fullchain.pem
# Your key file has been saved at:
# /etc/letsencrypt/live/other.example.org/privkey.pem

# Restore the original site configuration
cp /etc/nginx/sites-available/other.example.org.ori /etc/nginx/sites-available/other.example.org
cd /etc/letsencrypt/live/other.example.org/
# Build the bundle: server certificate first, then the intermediate chain
cat cert.pem > other_certificate_bundle.crt
echo "" >> other_certificate_bundle.crt
cat chain.pem >> other_certificate_bundle.crt
# Copy key and bundle to the paths nginx uses
cp privkey.pem /etc/ssl/private/other_private.key
cp other_certificate_bundle.crt /etc/ssl/certs/other_certificate_bundle.crt
service nginx restart
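Both procedures above copy the key and bundle out of /etc/letsencrypt/live, so a later renewal leaves nginx serving the old copies. The script below is an added example, not part of the original page: it repeats the bundle and copy steps with a 0600 key and temp-file replacement, and can be passed to certbot's --deploy-hook. The function name deploy_cert and its argument order are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. deploy_cert and its arguments
# are assumed names; target file names follow the page's two listings.

# deploy_cert LINEAGE_DIR BUNDLE_PATH KEY_PATH
# Rebuilds the bundle (cert.pem, blank line, chain.pem) and copies the key,
# writing to temp files first so nginx never reads a half-written file.
deploy_cert() (
    lineage=$1 bundle=$2 key=$3
    umask 077                      # temp files are never group/world readable
    for f in cert.pem chain.pem privkey.pem; do
        [ -s "$lineage/$f" ] || {
            echo "deploy_cert: missing or empty $lineage/$f" >&2
            exit 1
        }
    done
    tmp_key=$(mktemp "$key.XXXXXX") || exit 1
    tmp_crt=$(mktemp "$bundle.XXXXXX") || { rm -f "$tmp_key"; exit 1; }
    cat "$lineage/privkey.pem" > "$tmp_key" &&
    { cat "$lineage/cert.pem"; echo ""; cat "$lineage/chain.pem"; } > "$tmp_crt" &&
    chmod 600 "$tmp_key" && chmod 644 "$tmp_crt" &&
    mv -f "$tmp_key" "$key" && mv -f "$tmp_crt" "$bundle" ||
    { rm -f "$tmp_key" "$tmp_crt"; exit 1; }
)

# certbot exports RENEWED_LINEAGE when it runs this file as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    case "$RENEWED_LINEAGE" in
        */www.example.org)
            deploy_cert "$RENEWED_LINEAGE" \
                /etc/ssl/certs/www_ca_bundle.crt \
                /etc/ssl/private/www_private.key ;;
        */other.example.org)
            deploy_cert "$RENEWED_LINEAGE" \
                /etc/ssl/certs/other_certificate_bundle.crt \
                /etc/ssl/private/other_private.key ;;
        *) exit 0 ;;
    esac && nginx -t && service nginx restart
fi
```

nginx -t checks the configuration before the restart, so a bad copy does not take the site down.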