Reverting back here as promised. Thanks @speedy for sharing this!
Wildcard certificate works only with DNS challenge.
For this challenge to work, a certbot plugin is required, which will perform DNS manipulations to satisfy the challenge.
If your provider doesn’t provide a certbot plugin, you can ‘redirect’ a specific sub-domain to a provider who supports it - could be Digital Ocean.
Here are the (not yet tested) steps to make it work:
- create a DNS zone [acme.MyDomain.com] at DO
- create 3 NS records at DeprecatedDNS provider for acme.MyDomain.com to point to ns1,2,3.digitalocean.com
- create CNAME at DeprecatedDNS provider for _acme-challenge.MyDomain.com that points to _acme-challenge.acme.MyDomain.com
- use certbot digital ocean plugin, as described here
- pray, it should work
In my particular case I have found that Gandi has a certbot plugin: GitHub - obynio/certbot-plugin-gandi: Certbot plugin for authentication using Gandi LiveDNS, and hexonet seems to have a plugin as well: Authentication/cleanup hook for acme certbot to authenticate a domain via DNS-01 challenge and using hexonet API (ISP API) · GitHub
Gandi certbot howto
sudo pip install certbot-plugin-gandi
# write the plugin credentials file (replace the placeholder values with your own)
sudo tee -a /etc/letsencrypt/gandi.ini > /dev/null <<EOT
# live dns v5 api key
dns_gandi_api_key=<YOUR_GANDI_API_KEY>
# optional organization id, remove it if not used
dns_gandi_sharing_id=<YOUR_ORGANIZATION_ID>
EOT
# the file holds a secret, so restrict it to root
sudo chmod 600 /etc/letsencrypt/gandi.ini
# DOMAIN_NAME must be set to the apex domain, e.g. DOMAIN_NAME=MyDomain.com
sudo certbot certonly --authenticator dns-gandi --dns-gandi-credentials /etc/letsencrypt/gandi.ini --server https://acme-v02.api.letsencrypt.org/directory -d $DOMAIN_NAME -d \*.$DOMAIN_NAME
I shall keep this post updated as I progress with more examples.
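Added example, not part of the original post: a check of the delegation chain from the steps above, run before invoking certbot. It follows the `_acme-challenge` CNAME and reports which zone (and which nameservers) will actually serve the DNS-01 TXT record. The record table is constructed sample data; for a live check, replace `table_resolver` with a function that queries real DNS (these function names are assumptions, not a certbot API).

```python
# Constructed records modelling the post's setup: MyDomain.com stays at the old
# provider, acme.MyDomain.com is delegated to DigitalOcean nameservers.
SAMPLE_RECORDS = {
    ("_acme-challenge.mydomain.com", "CNAME"): ["_acme-challenge.acme.mydomain.com"],
    ("acme.mydomain.com", "NS"): ["ns1.digitalocean.com", "ns2.digitalocean.com",
                                  "ns3.digitalocean.com"],
    ("mydomain.com", "NS"): ["ns1.deprecated-dns.example", "ns2.deprecated-dns.example"],
}

def table_resolver(records):
    """Return lookup(name, rtype) -> list[str] backed by a record table (assumed helper)."""
    def lookup(name, rtype):
        return records.get((name.lower().rstrip("."), rtype), [])
    return lookup

def follow_cname(name, lookup, max_hops=8):
    """Follow CNAMEs from name to the final target; fail on loops or long chains."""
    seen = []
    while len(seen) < max_hops:
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.append(name)
        targets = lookup(name, "CNAME")
        if not targets:
            return name
        name = targets[0].lower().rstrip(".")
    raise ValueError("CNAME chain too long")

def authoritative_ns(name, lookup):
    """Walk up the labels of name until a zone cut (NS records) is found."""
    labels = name.split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        ns = lookup(zone, "NS")
        if ns:
            return zone, sorted(n.lower().rstrip(".") for n in ns)
    return None, []

def check_delegation(domain, lookup, expected_ns_suffix):
    """Report where the DNS-01 record for domain is served from and whether that
    zone's nameservers belong to the provider whose certbot plugin you will use."""
    challenge = f"_acme-challenge.{domain.lower()}"
    final = follow_cname(challenge, lookup)
    zone, ns = authoritative_ns(final, lookup)
    ok = bool(ns) and all(n.endswith(expected_ns_suffix) for n in ns)
    return {"challenge": challenge, "target": final, "zone": zone, "ns": ns, "ok": ok}

if __name__ == "__main__":
    print(check_delegation("MyDomain.com", table_resolver(SAMPLE_RECORDS), ".digitalocean.com"))
```

If `ok` is False, the TXT record certbot writes at the plugin's provider will never be seen by Let's Encrypt, which is the usual cause of a failed DNS-01 validation with this setup.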