Setup and automatic renewal of wildcard SSL certificates for Kubernetes with Certbot and NSD


Wildcard SSL certificates cover all subdomains under a certain domain - e.g. * will cover ,, etc. - which is very useful if Kubernetes is used to deploy such services.


The following guide assumes that you

  • delegate DNS for the prefix domain (in the example above ) to a separate zone file,
  • which is managed by NSD (depending on your setup you might use the same NSD server, a separate instance, or even a server on another host).


  1. add a name server (NS) entry to your domain configuration that delegates DNS for the prefix domain to a given NSD server.
    k8s  3600    IN      NS
  2. set up the NSD configuration and zone file for the prefix domain. The _acme-challenge entry will be overwritten by Certbot during the DNS-01 challenge verification process.
    • /etc/nsd/nsd.conf:
              zonefile: /etc/nsd/zones/
    • /etc/nsd/zones/

      @                3660 IN    SOA 2014111364 28800 7200 604800 3660
      @               84600 IN    NS
      @                3600 IN    A
      *                3600 IN    A
      _acme-challenge    60 IN    TXT "--temporary-dummy--"
  3. install the certbot-nsd-hook script to /opt:
    cd /opt
    git clone
  4. create the SSL wildcard certificate with
    certbot certonly \
           -d '*'  \
           --manual  \
           --manual-auth-hook="/opt/certbot-nsd-hook/" \
           --post-hook="systemctl reload apache2"
  5. adapt your apache2 configuration to use the wildcard certificate
    SSLEngine on
    SSLCertificateKeyFile /etc/letsencrypt/live/
    SSLCertificateFile /etc/letsencrypt/live/
  6. add Certbot to /etc/crontab to ensure that the certificate gets automatically renewed
    17 5  * * *   root    certbot renew --cert-name

    Note: the option --cert-name allows you to specify the certificate to renew. This is relevant if your server uses wildcard and conventional certificates at the same time, since the certbot renew command does not allow mixing of renewal strategies yet.
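Step 4 relies on the auth hook rewriting the _acme-challenge TXT record prepared in step 2. The following is an added example of such a manual-auth-hook, not the certbot-nsd-hook project's own script; the zone path, the example.net names and the single-line SOA layout are constructed assumptions.

```shell
#!/bin/sh
# Added example, not the certbot-nsd-hook project's own script: a minimal
# manual-auth-hook doing what step 4 depends on. Certbot exports the DNS-01
# token as CERTBOT_VALIDATION; the hook writes it into the _acme-challenge
# TXT record prepared in step 2, bumps the SOA serial, and reloads NSD.
# ZONEFILE and its default path are assumptions; match them to nsd.conf.
# Assumes the SOA record is on a single line, as in the zone file above.

ZONEFILE="${ZONEFILE:-/etc/nsd/zones/k8s.example.net.zone}"

# update_acme_txt ZONE TOKEN: rewrite the TXT value and increment the SOA
# serial in place. Returns non-zero when the zone has no _acme-challenge
# record, i.e. step 2 was skipped, so Certbot aborts instead of waiting.
update_acme_txt() {
    zone="$1"; token="$2"
    grep -q '^_acme-challenge[[:space:]]' "$zone" || return 1
    tmp="$zone.tmp.$$"
    awk -v token="$token" '
        # SOA: the serial is the first all-numeric field after "SOA mname rname"
        $3 == "IN" && $4 == "SOA" && !bumped {
            for (i = 5; i <= NF; i++)
                if ($i ~ /^[0-9]+$/) { $i = sprintf("%.0f", $i + 1); break }
            bumped = 1
        }
        # Replace the whole TXT value, whatever placeholder was there
        $1 == "_acme-challenge" && $4 == "TXT" {
            print $1, $2, $3, $4, "\"" token "\""; next
        }
        { print }
    ' "$zone" > "$tmp" && mv "$tmp" "$zone"
}

# Read-back helpers, used to verify the edit before reloading.
acme_txt()   { awk '$1 == "_acme-challenge" && $4 == "TXT" { print $5 }' "$1"; }
soa_serial() {
    awk '$3 == "IN" && $4 == "SOA" { for (i = 5; i <= NF; i++)
             if ($i ~ /^[0-9]+$/) { print $i; exit } }' "$1"
}

# When Certbot runs the hook, apply the token and make NSD serve the new zone.
if [ -n "${CERTBOT_VALIDATION:-}" ]; then
    update_acme_txt "$ZONEFILE" "$CERTBOT_VALIDATION" || exit 1
    nsd-control reload
fi
```

Because NSD is authoritative for the delegated zone, the record is live as soon as the reload finishes, so no propagation wait is needed unless you run secondaries.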
