To get a Let's Encrypt wildcard SSL you need to be using a supported DNS provider that offers an API. Our suggestion would be to use CloudFlare or DNSME for this purpose. You need to use one of these services either directly on the domain needing the SSL, or on another domain you control.

Using a domain other than the one needing an SSL is something we call 'DNS Alias Verification'. When you use a different domain from the one needing an SSL, that domain serves as a proxy for the wildcard verification record. This allows for more flexibility when generating SSLs with Let's Encrypt. It even allows generating and installing SSLs on a new server before all of the domain's DNS has been moved over!

Note: Within this article we're going to use {yourdomain.com} to illustrate things. When using this as a tutorial, make sure you substitute your real domain name for this string.

Setting up DNS Credentials file for API provisioning

The steps involved will vary a little based on which supported DNS provider your domain is using. This guide will only cover CloudFlare and DNSME, which use pretty similar processes. We'll assume that the domain you're using for verification is with one of these two providers.

Both providers require creating a DNS credentials file, located at:

/var/www/{yourdomain.com}/dns.creds
(via SSH)

/sites/{yourdomain.com}/dns.creds
(via SFTP)

Note: After Monday 16th September 8am EST this file will change to the following format, which allows the primary site and each additional domain to use a differently configured DNS API:

/var/www/{yourdomain.com}/dns/{domain.url}.creds
(via SSH)

/sites/{yourdomain.com}/dns/{domain.url}.creds
(via SFTP)

Note: The alias domains for a site will default to using the same DNS credentials file as the primary domain. If you need different settings for an alias domain, simply create a DNS credentials file for that domain as well.

As mentioned, the contents of this file differ slightly depending on the provider. They are as follows:

For DNSME:

dnsme
{your-dnsme-api-key}
{your-dnsme-api-secret}

Note: After Monday 16th September 8am EST this file will change to the following format:

provider:dnsme
api-key:{your-dnsme-api-key}
api-secret:{your-dnsme-api-secret}

  

For CloudFlare:

cloudflare
{your-cloudflare-global-api-key}
{your-cloudflare@account.email}

Note: After Monday 16th September 8AM EST this file will change to the following format:

provider:cloudflare
api-key:{your-cloudflare-global-api-key}
api-secret:{your-cloudflare@account.email}

  

Setting up DNS Credentials when using DNS Alias Verification

As mentioned, there are instances where you may not want to change the domain's DNS, or where the DNS isn't managed by a provider that supports this method. If that's the case you can use a proxy domain.

So if you have a domain {needsAnSsl.com} that isn't managed by a supported provider, but you do have {domainAtCloudFlare.com} which is at CloudFlare, you can use that domain to get {needsAnSsl.com} verified.

To do this you just need to add one extra line to the DNS credentials file of the domain that needs the SSL (the one not managed by a supported provider).

For DNSME:

dnsme
{your-dnsme-api-key}
{your-dnsme-api-secret}
{domainAtDnsme.com}

Note: After Monday 16th September 8am EST this file will change to the following format:

provider:dnsme
api-key:{your-dnsme-api-key}
api-secret:{your-dnsme-api-secret}
challenge-domain:{domainAtDnsme.com}

  

For CloudFlare:

cloudflare
{your-cloudflare-global-api-key}
{your-cloudflare@account.email}
{domainAtCloudFlare.com}

Note: After Monday 16th September 8AM EST this file will change to the following format:

provider:cloudflare
api-key:{your-cloudflare-global-api-key}
api-secret:{your-cloudflare@account.email}
challenge-domain:{domainAtCloudFlare.com}

Again, substitute our placeholder value with the domain you already have set up with DNSME or CloudFlare. Next, you just need to set up a single CNAME record on the domain that needs an SSL. This CNAME record makes the verification record, which is created automatically at the proxy domain during the process, resolvable under the domain that isn't managed by a supported provider. The CNAME will appear as:

_acme-challenge.{needsAnSsl.com} -> _acme-challenge.{domainAtCloudFlare.com}

Or as such:

Record Type: CNAME
Host: _acme-challenge
Value: _acme-challenge.{domainAtCloudFlare.com}

  

Using Vanity Nameservers

Note: only available after September 16th 8am EST

In either case, if you are using your own vanity nameservers at the managed DNS service, the new scripts can handle them if you add another line to your domain's DNS creds file:

nameserver-domain:{your-vanity-nameserver-domain}

If your vanity nameservers are set up like so:

ns1.your-domain.com
ns2.your-domain.com


Then the extra line in the creds file would be:

nameserver-domain:your-domain.com
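
The following is an added example, not GridPane's own tooling: a small preflight checker that parses a DNS credentials file in either the legacy positional layout or the key:value layout shown in the sections above (including the challenge-domain and nameserver-domain lines), reports obvious mistakes, and prints the exact _acme-challenge CNAME you need to create for DNS Alias Verification. The function names, the validation rules beyond what the article states, and the file-permission check are this example's own design; the sample file contents are constructed from the article's placeholders.

```python
"""Preflight checks for a GridPane-style DNS credentials file (added example,
not GridPane's own tooling). Parsing rules follow the formats shown above;
the permission check and all function names are this example's own design."""
from __future__ import annotations

import stat
from dataclasses import dataclass
from typing import Optional

SUPPORTED_PROVIDERS = {"dnsme", "cloudflare"}
REQUIRED_KEYS = {"provider", "api-key", "api-secret"}
OPTIONAL_KEYS = {"challenge-domain", "nameserver-domain"}


@dataclass
class DnsCreds:
    provider: str
    api_key: str
    api_secret: str                          # for CloudFlare: the account e-mail
    challenge_domain: Optional[str] = None   # DNS alias verification domain
    nameserver_domain: Optional[str] = None  # vanity nameserver domain


def parse_creds(text: str) -> DnsCreds:
    """Parse either the legacy positional layout (one value per line) or the
    key:value layout that replaces it on 16th September."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("credentials file is empty")

    if ":" not in lines[0]:
        # Legacy layout: provider, api key, api secret, optional alias domain.
        if len(lines) not in (3, 4):
            raise ValueError("legacy format needs 3 or 4 lines")
        alias = lines[3] if len(lines) == 4 else None
        return DnsCreds(lines[0].lower(), lines[1], lines[2], alias)

    fields: dict[str, str] = {}
    for ln in lines:
        key, sep, value = ln.partition(":")  # split on the first ':' only
        key, value = key.strip().lower(), value.strip()
        if not sep or not value:
            raise ValueError(f"malformed line: {ln!r}")
        if key not in REQUIRED_KEYS | OPTIONAL_KEYS:
            raise ValueError(f"unknown key: {key!r}")
        fields[key] = value
    missing = REQUIRED_KEYS - fields.keys()
    if missing:
        raise ValueError(f"missing keys: {sorted(missing)}")
    return DnsCreds(fields["provider"].lower(), fields["api-key"],
                    fields["api-secret"], fields.get("challenge-domain"),
                    fields.get("nameserver-domain"))


def validate(creds: DnsCreds) -> list[str]:
    """Return readable problems; an empty list means the file looks usable."""
    problems = []
    if creds.provider not in SUPPORTED_PROVIDERS:
        problems.append(f"unsupported provider {creds.provider!r}")
    if creds.provider == "cloudflare" and "@" not in creds.api_secret:
        problems.append("cloudflare api-secret should be the account e-mail")
    if creds.challenge_domain and creds.challenge_domain.startswith("_acme-challenge."):
        problems.append("challenge-domain must be the bare domain, not the _acme-challenge name")
    return problems


def expected_cname(site_domain: str, creds: DnsCreds) -> Optional[tuple[str, str]]:
    """CNAME needed for alias verification (None when no alias domain is set):
    _acme-challenge.<site> -> _acme-challenge.<challenge-domain>."""
    if not creds.challenge_domain:
        return None
    return (f"_acme-challenge.{site_domain}",
            f"_acme-challenge.{creds.challenge_domain}")


def permission_warnings(mode: int) -> list[str]:
    """Warn if group/other can read the file: it holds a live API key (for
    CloudFlare, the global key for the whole account). This check is the
    example's own recommendation, not a GridPane requirement."""
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        return ["credentials file is readable by group/other; chmod 600 it"]
    return []


# Constructed sample files using the article's placeholder values.
SAMPLE_NEW = """provider:cloudflare
api-key:{your-cloudflare-global-api-key}
api-secret:{your-cloudflare@account.email}
challenge-domain:domainAtCloudFlare.com
nameserver-domain:your-domain.com
"""
SAMPLE_LEGACY = "dnsme\n{your-dnsme-api-key}\n{your-dnsme-api-secret}\ndomainAtDnsme.com\n"

if __name__ == "__main__":
    creds = parse_creds(SAMPLE_NEW)
    print(validate(creds), expected_cname("needsAnSsl.com", creds))
```

To run it against a real file, read the creds file into parse_creds(), pass the result to validate() and expected_cname(), and feed os.stat(path).st_mode to permission_warnings(); the returned CNAME pair is the Host and Value you enter at the DNS provider of the domain needing the SSL.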

  

Add the wildcard domain to the site in GridPane - aka update the vHost to wildcard

This should be super easy - just log in to your GridPane account, then navigate to the Sites page. Once there, click the domain of the site in question, open the "Domains Manager" tab in the customizer for {needsAnSsl.com} and add the following domain:

*.{needsAnSsl.com} 

Note: If the site in question already has an SSL set up and enabled, then the system will automatically update the SSL to match the vHost. So if you have not fully followed the previous steps, the attempt to update the SSL will fail.
This can cause issues, so it's imperative that you have the dns.creds file created properly and the CNAME set up if necessary.

Enable the Wildcard SSL

If your site already had an SSL enabled and you correctly followed the directions up to here - you should be all set! Go test your Wildcard SSL and make sure it works.

If the site in question did not have an SSL enabled, then hang tight; just a few more steps! In your GridPane account open the site's customizer and simply click the SSL toggle to enable SSL.

This will trigger the system to check the vHost for domains/aliases, then check for a dns.creds file, perform some tests and, if everything checks out, generate and enable a wildcard SSL!

Final notes on Wildcard SSLs with GridPane

Once you have the wildcard SSL installed, the certificate files can be found on the server at /etc/nginx/ssl/{exampledomain.com}; you may want to jump in with SFTP/SSH as root to grab copies of them. Remember, we are not a host - you are self hosting - we don't have any copies of your keys; they only exist on your server.

Also, you should ensure that you have the wildcard DNS A record set up in your domain's records; this is always external to GridPane. The exact setup of this A record will depend on whichever DNS service you use.
