What are my options for creating a wildcard SSL certificate?
What's the best way to issue a wildcard SSL?
1 Reply
There are a few options for installing a wildcard SSL certificate on your own using Certbot. Each has its benefits and drawbacks, as well as its own process.
Certbot-dns-linode Plugin
There is a Linode plugin for Certbot that can help with the process of creating a wildcard SSL. This plugin is the most commonly recommended method for a wildcard certificate, has available documentation, and is relatively easy to use.
The certbot-dns-linode plugin is not available for Ubuntu in the standard PPA repository, so it's worth noting that you'll need to get the plugin from its source. You can also run it with Docker; there are instructions for doing so here.
ACME
You can use acme.sh rather than the plugin, which is installed from source and has documentation on its GitHub page. The acme.sh script is designed to be easy to use. You'll likely need to force DNS manual mode in order to issue the wildcard certificate, which will involve adding a TXT record to your domain as specified by Certbot; make sure you wait until your DNS updates propagate before trying to run your certificate again.
Using Certbot Directly
In March of 2018, Certbot/Let's Encrypt added support for wildcard certificates. One way is via the provider plugin as mentioned earlier; the alternative solution is by using the --manual flag. They cannot be renewed automatically, but a script that can make DNS record changes can do so if permissions are granted accordingly. Certbot does warn that certain systems may not be supported yet. Their documentation for using the --manual flag for wildcard SSL certificates can be found here.
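As an added example (not code from the original reply or from Certbot), the helpers below support the --manual DNS flow described above: they compute the TXT record name Certbot will ask for and poll DNS until the token is visible, so you do not continue validation before the record has propagated. It assumes dig is installed; DNS_QUERY_CMD is an assumed variable for swapping in another lookup tool.

```shell
#!/usr/bin/env sh
# Helpers for Certbot's manual DNS-01 challenge, e.g.
#   certbot certonly --manual --preferred-challenges dns -d example.com -d '*.example.com'
# Certbot prints a token per name; publish each as a TXT record, then run
# wait_for_txt before pressing Enter so validation does not hit stale DNS.

# TXT record name for a domain. The wildcard prefix is dropped, so
# "*.example.com" and "example.com" both validate at _acme-challenge.example.com:
# requesting both means two TXT records at the same name.
acme_challenge_name() {
    base=${1#"*."}
    printf '_acme-challenge.%s\n' "$base"
}

# Fetch TXT records for a name, one per line without quotes.
# DNS_QUERY_CMD (assumed variable) overrides the lookup command; defaults to dig.
query_txt() {
    ${DNS_QUERY_CMD:-dig +short TXT} "$1" | tr -d '"'
}

# Poll until the expected token is among the TXT answers.
# Usage: wait_for_txt <domain> <token> [attempts] [sleep_seconds]
# Returns 0 once the record is visible, 1 after the last failed attempt.
wait_for_txt() {
    domain=$1 token=$2 attempts=${3:-30} delay=${4:-10}
    name=$(acme_challenge_name "$domain")
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if query_txt "$name" | grep -Fqx -- "$token"; then
            return 0
        fi
        i=$((i + 1))
        [ "$i" -lt "$attempts" ] && sleep "$delay"
    done
    return 1
}
```

Resolvers cache negative answers, so if a first check fails it can take a full TTL before the record appears; lowering the TXT record's TTL before issuing shortens the wait.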