How to Add Wildcard Subdomain SSL Certificates in CloudPanel


Wildcard SSL certificates are essential for securing multiple subdomains under a single domain (e.g., *.yourdomain.com). While CloudPanel doesn’t directly support entering wildcard notation in its interface, this comprehensive guide will walk you through the process of implementing wildcard SSL certificates using Certbot and Let’s Encrypt.

Prerequisites

Before we begin, ensure you have:

  • SSH access to your CloudPanel server
  • Root privileges or sudo access
  • DNS management access for your domain
  • A domain already set up in CloudPanel

Step 1: Connect to Your Server

First, establish an SSH connection to your CloudPanel server:

ssh username@your-server-ip

Replace username and your-server-ip with your server’s details.

Step 2: Install Certbot

Certbot is a free, open-source tool that automates obtaining and renewing Let’s Encrypt certificates. If it’s not already installed, install it:

sudo apt-get update
sudo apt-get install certbot

Step 3: Request the Wildcard Certificate

Now, use Certbot to request a wildcard certificate with DNS validation:

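sudo certbot certonly --manual --preferred-challenges dns \
--server https://acme-v02.api.letsencrypt.org/directory \
-d yourdomain.com -d '*.yourdomain.com'

Replace yourdomain.com with your actual domain name. The wildcard name is quoted so that the shell passes it to Certbot unchanged instead of treating * as a filename pattern.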

Step 4: Complete DNS Validation

Certbot will ask you to create DNS TXT records to prove you own the domain:

  1. Certbot will provide instructions for creating a specific TXT record
  2. Log in to your DNS management panel (like Cloudflare, GoDaddy, etc.)
  3. Add the TXT record as specified by Certbot
  4. Wait a few minutes for DNS propagation (you can check using dnschecker.org)
  5. Return to your terminal and press Enter to continue the validation

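This process might need to be done twice: once for the root domain and once for the wildcard. If Certbot gives you a second TXT value, add it as an additional record and keep the first one in place until validation finishes.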

Step 5: Locate Your Certificate Files

After successful validation, Certbot will generate certificate files. Note the location:

Certificate is saved at: /etc/letsencrypt/live/yourdomain.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/yourdomain.com/privkey.pem

Step 6: Copy the Certificate Contents

You’ll need to copy the contents of these files to use in CloudPanel:

sudo cat /etc/letsencrypt/live/yourdomain.com/fullchain.pem

Select and copy all the output, including the BEGIN and END CERTIFICATE lines.
Then copy the private key:

sudo cat /etc/letsencrypt/live/yourdomain.com/privkey.pem

Again, copy all the output including the BEGIN and END PRIVATE KEY lines.

Step 7: Install the Certificate in CloudPanel

Now, go to your CloudPanel interface:

  1. Log in to CloudPanel
  2. Navigate to Sites from the left sidebar
  3. Select your domain
  4. Click on SSL/TLS in the site settings
  5. Select “Custom”
  6. Paste the certificate content (from fullchain.pem) into the “Certificate” field
  7. Paste the private key content (from privkey.pem) into the “Private Key” field
  8. Click “Install Certificate”

Step 8: Verify the Certificate Installation

Check that your certificate is properly installed:

  • Click the padlock icon in your browser to verify the certificate information
  • Visit your domain with HTTPS (https://yourdomain.com)
  • Visit a subdomain with HTTPS (https://subdomain.yourdomain.com)

Step 9: Set Up Auto-Renewal (Optional but Recommended)

Let’s Encrypt certificates expire after 90 days, so it’s important to set up auto-renewal:

  1. Create a renewal script:

sudo nano /root/renew-wildcard.sh

  2. Add the following content:

#!/bin/bash
certbot renew --cert-name yourdomain.com --manual-auth-hook /path/to/dns-hook.sh

  3. Make it executable:

sudo chmod +x /root/renew-wildcard.sh

  4. Add it to crontab to run monthly:

sudo crontab -e

Add this line:

0 0 1 * * /root/renew-wildcard.sh

Note: For full automation, you’ll need to create a DNS hook script that updates your DNS records automatically. This varies depending on your DNS provider.
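One possible shape for the DNS hook script mentioned in the note, as an added example that is not part of the original guide. It assumes your DNS zone accepts RFC 2136 dynamic updates through nsupdate with a TSIG key; the server name, key path and 30-second wait are placeholders, while CERTBOT_DOMAIN and CERTBOT_VALIDATION are the variables Certbot exports to manual hooks.

```sh
#!/bin/sh
# Added example: Certbot manual auth/cleanup hook using RFC 2136 dynamic updates.
# DNS_SERVER and TSIG_KEY are placeholder values; set them for your own zone.
DNS_SERVER="${DNS_SERVER:-ns1.example.net}"
TSIG_KEY="${TSIG_KEY:-/root/.secrets/acme-tsig.key}"

# build_update ACTION DOMAIN TOKEN
# Prints the nsupdate commands for one challenge; returns 2 on bad input.
build_update() {
  domain=${2#\*.}                      # drop a leading "*." if present
  case $domain in ''|*[!A-Za-z0-9.-]*) return 2 ;; esac
  # Challenge values are base64url text; refuse anything else so the
  # value cannot break out of the quoted TXT string below.
  case $3 in ''|*[!A-Za-z0-9_-]*) return 2 ;; esac
  name="_acme-challenge.$domain."
  case $1 in
    # "update add" appends to the record set, so the root-domain and
    # wildcard values can sit side by side under the same name.
    add)    line="update add $name 60 TXT \"$3\"" ;;
    delete) line="update delete $name TXT \"$3\"" ;;
    *)      return 2 ;;
  esac
  printf 'server %s\n%s\nsend\n' "$DNS_SERVER" "$line"
}

# Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION when it runs a hook;
# without them (for example when this file is sourced) nothing is sent.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
  action=${1:-add}
  script=$(build_update "$action" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION") || exit 1
  printf '%s\n' "$script" | nsupdate -k "$TSIG_KEY" || exit 1
  # Give secondary name servers time to pick up the change (assumed delay).
  if [ "$action" = add ]; then sleep 30; fi
fi
```

To remove the records after validation, the same script can be passed with the delete argument through Certbot's --manual-cleanup-hook option. Keep the TSIG key file readable by root only.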

Troubleshooting

Certificate Not Working for Subdomains

  • Ensure you included both the domain and wildcard (yourdomain.com and *.yourdomain.com) in the Certbot command
  • Verify the certificate covers your wildcard by checking with: sudo certbot certificates
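The check below is an added example, not part of the original guide. It shows why both names are needed: a wildcard entry stands for exactly one label, so *.yourdomain.com matches shop.yourdomain.com but neither yourdomain.com itself nor a.b.yourdomain.com. The function name san_covers and the sample line are constructed for illustration.

```sh
#!/bin/sh
# Added example. SAMPLE_SAN is a constructed copy of the line that
#   openssl x509 -in fullchain.pem -noout -ext subjectAltName
# prints for the certificate requested in Step 3.
SAMPLE_SAN='DNS:yourdomain.com, DNS:*.yourdomain.com'

# san_covers HOST SAN_LINE
# Returns 0 when HOST matches one of the DNS entries, 1 otherwise.
san_covers() {
  # Host names compare case-insensitively, so lower-case both sides.
  host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  entries=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]' | tr -d ' \t' | tr ',' '\n')
  while IFS= read -r entry; do
    case $entry in
      dns:*) entry=${entry#dns:} ;;
      *) continue ;;                   # skip IP, email and other entry types
    esac
    if [ "$entry" = "$host" ]; then return 0; fi
    case $entry in
      '*.'*)
        suffix=${entry#\*}             # ".yourdomain.com"
        case $host in
          *"$suffix")
            label=${host%"$suffix"}
            # The wildcard replaces exactly one non-empty label.
            case $label in
              ''|*.*) ;;
              *) return 0 ;;
            esac ;;
        esac ;;
    esac
  done <<EOF
$entries
EOF
  return 1
}
```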

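Permission Issues

If you encounter permission errors when accessing certificate files, relax the permissions on the two directories only:

sudo chmod 755 /etc/letsencrypt/live/
sudo chmod 755 /etc/letsencrypt/archive/

Do not apply this recursively with -R: that would make the private key files under archive/ readable by every local user.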

Certificate Renewal Failures

If automatic renewals fail:

  • Check that the Certbot renewal timer is active with: sudo systemctl status certbot.timer (Certbot’s own log is at /var/log/letsencrypt/letsencrypt.log)
  • Run the renewal manually with: sudo certbot renew --dry-run to test

Conclusion

You have now successfully installed a wildcard SSL certificate for your domain in CloudPanel! Your main domain and all subdomains will be secured with HTTPS. Remember to monitor the expiration date of your certificate and ensure the renewal process works correctly.

For any additional CloudPanel-specific issues, refer to the official CloudPanel documentation or support channels.
