Question
How to use Let’s Encrypt for wildcard certificates in order to secure subdomains like sub1.example.com, sub2.example.com, etc.?
Answer
This feature is available starting from Let’s Encrypt 2.6.0 and it can be done through one of the following methods:
SSL It! extension is installed
- Log in to Plesk.
- Go to Domains > example.com > SSL/TLS Certificates > Issue Certificate > choose the Secure the wildcard domain option > click Get it free to renew it.
After clicking the Install button, Let’s Encrypt will either add a DNS TXT record on its own (if the Plesk server is the authoritative DNS for the domain) or will provide instructions on how to add this record (if DNS is managed by an external server).
After completing the DNS configuration, and once the DNS TXT record _acme-challenge.<domain> resolves properly, click the Continue button to issue the certificate.
Let’s Encrypt extension is installed
- Log in to Plesk.
- Go to Domains > example.com > Let’s Encrypt, check the Issue a wildcard SSL/TLS certificate option and click Install.
After clicking the Install button, Let’s Encrypt will either add a DNS TXT record on its own (if the Plesk server is the authoritative DNS for the domain) or will provide instructions on how to add this record (if DNS is managed by an external server).
Note: On Windows, if the BIND DNS server is used, the record should be added manually under Domains > example.com > DNS Settings. Such certificates will also not be renewed automatically. This behavior has been registered as a bug and will be fixed in one of the future product updates.
After completing the DNS configuration, and once the DNS TXT record _acme-challenge.<domain> resolves properly, click the Continue button to issue the certificate.
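Before clicking Continue in either method above, the TXT record can be checked from any shell that has dig. The script below is an added example, not part of Plesk or of the original article: the function names and the script name are hypothetical, and the second argument is the TXT value that Plesk displays. It asks each authoritative nameserver of the zone directly instead of a caching resolver, so a secondary that still serves stale data shows up as MISSING.

```shell
#!/bin/sh
# Added example (not Plesk code): confirm that the ACME DNS-01 TXT record is
# published on every authoritative nameserver before clicking Continue.
# Usage (hypothetical script name):
#   sh check_acme_txt.sh example.com 'TXT-value-shown-by-Plesk'

# Print the zone's authoritative nameservers, one per line, without trailing dot.
list_nameservers() {
    dig +short NS "$1" | sed 's/\.$//'
}

# Return 0 only if every nameserver serves the expected TXT value,
# 1 if at least one does not, 2 if the zone has no NS records.
check_acme_txt() {
    domain=$1
    expected=$2
    record="_acme-challenge.$domain"
    failed=0

    servers=$(list_nameservers "$domain")
    if [ -z "$servers" ]; then
        echo "no NS records found for $domain" >&2
        return 2
    fi

    for ns in $servers; do
        # dig +short prints each TXT string wrapped in double quotes;
        # match the whole line so a partial or outdated value does not pass.
        if dig +short TXT "$record" "@$ns" | grep -Fxq "\"$expected\""; then
            echo "OK      $ns"
        else
            echo "MISSING $ns"
            failed=1
        fi
    done
    return "$failed"
}

# Run only when called with both arguments, so the file can also be sourced.
if [ "$#" -eq 2 ]; then
    check_acme_txt "$1" "$2"
fi
```
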
This iteration of Let’s Encrypt wildcard certificate has several limitations:
- A wildcard certificate is only assigned to the main domain. To apply it to subdomains, go to Hosting Settings of each subdomain and choose the new wildcard Let’s Encrypt certificate in the Certificate drop-down menu.
- New subdomains do not get the wildcard certificate automatically. It has to be selected for them manually as well.
- Wildcard certificates can only be issued manually from the Let’s Encrypt screen of a domain. Certificates issued from the domain creation screen or with the keep secured option enabled on the service plan will always be plain (non-wildcard) Let’s Encrypt certificates.
- Wildcard certificates will not be renewed automatically if the DNS zone is managed by an external DNS server.
Additional information
Instead of Let’s Encrypt certificates, custom wildcard certificates can be added as usual according to the following article: How to install SSL certificate for a domain in Plesk