If you manage multiple subdomains on a DirectAdmin server, DirectAdmin wildcard SSL Let's Encrypt certificates are the most efficient way to secure them all under a single certificate. The problem most administrators run into is not the initial setup — it's the silent auto-renewal failures that only surface when a client calls to report their browser is showing a security warning. This guide walks you through every step: enabling wildcard support, issuing the certificate via DNS-01 challenge, wiring up external DNS providers like Cloudflare or Route 53, and setting up reliable auto-renewal that actually works.
What Is a Wildcard SSL Certificate and Why Use It in DirectAdmin
A wildcard SSL certificate secures a domain and all of its first-level subdomains with a single certificate. A certificate issued for *.example.com covers mail.example.com, shop.example.com, api.example.com, and every other subdomain — without needing individual certificates for each one.
In a DirectAdmin environment, this matters for several reasons:
- Reduced management overhead: One certificate to track, renew, and troubleshoot instead of dozens.
- Instant subdomain coverage: Any new subdomain you spin up is automatically covered without reissuing.
- Unified renewal window: All subdomains share the same 90-day Let's Encrypt cycle, so you only need one reliable renewal hook.
- Cost savings: Let's Encrypt wildcard certificates are free, eliminating per-subdomain commercial certificate costs.
The catch — and the reason most tutorials stop short — is that Let's Encrypt requires the DNS-01 challenge for wildcard certificates. Unlike the HTTP-01 challenge (which just needs a file in your webroot), DNS-01 requires you to create a temporary TXT record in your DNS zone. When your DNS is hosted externally (Cloudflare, Route 53, Google Cloud DNS), DirectAdmin cannot do this automatically without a configured DNS API hook.
Prerequisites Before You Begin
Before issuing any commands, confirm you have the following in place:
- DirectAdmin version 1.62 or later — wildcard certificate support via the built-in ACME client was introduced in this release. Run cat /usr/local/directadmin/versions to check.
- Root or reseller-level SSH access to the server.
- A registered domain with DNS you can manage — either through DirectAdmin's nameservers or an external provider.
- API credentials for your DNS provider if DNS is hosted externally (Cloudflare API token, AWS IAM credentials, etc.).
- Port 443 open on your firewall and the domain resolving to the server's public IP.
Verify your DirectAdmin Let's Encrypt plugin is active:
ls /usr/local/directadmin/plugins/letsencrypt/
Step 1: Enable Let's Encrypt Wildcard Support in DirectAdmin
Log in as the administrator. Navigate to Admin Panel → SSL Certificates → Let's Encrypt Settings.
In the Let's Encrypt configuration panel, locate the Wildcard Certificates toggle and set it to Enabled. Save the configuration.
Change the Challenge Type from http-01 to dns-01. Without this change, Let's Encrypt will attempt an HTTP file challenge, which cannot validate wildcard domains and will always fail.
Confirm the acme.sh client is available:
/usr/local/directadmin/scripts/acme.sh --version
If this returns a version string, you are ready. If not, reinstall:
cd /usr/local/directadmin/custombuild
./build update
./build letsencrypt
Step 2: Issue the Wildcard Certificate
Go to Account Manager → SSL Certificates. Select the domain and click Free & automatic certificate from Let's Encrypt.
Add both the apex domain and the wildcard entry as SANs, or issue via SSH:
/usr/local/directadmin/scripts/acme.sh --issue --dns -d example.com -d '*.example.com' --server letsencrypt
acme.sh will display a DNS TXT record you must create:
[INFO] Add the following TXT record:
Domain: '_acme-challenge.example.com'
TXT value: 'SOME_RANDOM_STRING_HERE'
Log in to your DNS provider and add the TXT record, then verify propagation:
dig TXT _acme-challenge.example.com +short
Step 3: Configure External DNS for Auto-Renewal
This is where most setups break down. The manual TXT record approach works for a one-time issuance, but when the 90-day renewal cycle hits, DirectAdmin cannot update your external DNS automatically — and the renewal fails silently.
The fix is to configure a DNS API hook so acme.sh can create and delete TXT records on your behalf during every renewal cycle.
Option A: Cloudflare DNS Hook
1. Create a Cloudflare API Token with Zone DNS Edit permissions.
2. Export credentials:
export CF_Token="your_cloudflare_api_token_here"
export CF_Account_ID="your_cloudflare_account_id_here"
export CF_Zone_ID="your_cloudflare_zone_id_here"
Persist to /etc/environment for cron jobs.
3. Reissue using the Cloudflare hook:
/usr/local/directadmin/scripts/acme.sh --issue --dns dns_cf -d example.com -d '*.example.com' --server letsencrypt
Option B: AWS Route 53 DNS Hook
1. Create an IAM policy with route53:ChangeResourceRecordSets and route53:ListHostedZones permissions.
2. Set AWS credentials:
export AWS_ACCESS_KEY_ID="your_access_key"
export AWS_SECRET_ACCESS_KEY="your_secret_key"
export AWS_DEFAULT_REGION="us-east-1"
3. Issue with Route 53 hook:
/usr/local/directadmin/scripts/acme.sh --issue --dns dns_aws -d example.com -d '*.example.com' --server letsencrypt
Verify the Auto-Renewal Cron Job
crontab -l | grep acme
You should see an entry similar to:
0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
If missing, install it manually:
/usr/local/directadmin/scripts/acme.sh --install-cronjob
Step 4: Verify and Apply the Wildcard Certificate to Subdomains
1. Confirm the certificate was issued:
/usr/local/directadmin/scripts/acme.sh --list
2. Install into DirectAdmin:
/usr/local/directadmin/scripts/acme.sh --install-cert -d example.com --cert-file /usr/local/directadmin/data/users/username/domains/example.com.cert --key-file /usr/local/directadmin/data/users/username/domains/example.com.key --fullchain-file /usr/local/directadmin/data/users/username/domains/example.com.cacert --reloadcmd "service httpd restart"
3. Test the certificate:
openssl s_client -connect shop.example.com:443 -servername shop.example.com 2>/dev/null | openssl x509 -noout -subject -dates
If you need hands-off SSL management across a fleet of DirectAdmin servers, managed DirectAdmin server support handles certificate lifecycles so your team does not have to.
Troubleshooting Common Errors
DNS challenge failed — TXT record not found
- Verify the TXT record:
dig TXT _acme-challenge.example.com @8.8.8.8 +short
- Confirm your API token has Edit (not Read-only) permissions on the DNS zone.
- Add a propagation delay: append --dnssleep 120 to your acme.sh command.
Wildcard certificate not working on subdomains
- Confirm the SAN includes *.example.com.
- Grep the virtual host config:
grep -r "SSLCertificateFile" /etc/httpd/conf/extra/
- Restart the web server:
service httpd restart
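The "first-level subdomains" rule stated at the top of this guide is also the usual reason a wildcard certificate appears "not to work" on a subdomain: `*.example.com` matches exactly one label, so shop.example.com is covered, a.b.example.com is not, and the apex example.com needs its own SAN (which is why the issue command passes both -d example.com and -d '*.example.com'). The following is an added example, not code from the tutorial or from DirectAdmin, that applies that matching rule to a list of hostnames; the SAN list is constructed, and on a live server you would feed in the output of openssl x509 -in <cert> -noout -ext subjectAltName through parse_openssl_san().

```python
"""Added example (not from the original tutorial): check which hostnames a
certificate's Subject Alternative Names actually cover, using the one-label
wildcard rule that Let's Encrypt and browsers apply.
"""
import re

# Constructed SAN list mirroring the certificate the tutorial issues.
TUTORIAL_SANS = ["example.com", "*.example.com"]


def _label_matches(pattern, label):
    # A wildcard is only valid as the whole leftmost label ("*"), never "f*o".
    if pattern == "*":
        return label != ""
    return pattern == label


def hostname_covered(hostname, sans):
    """True if *hostname* is covered by one of the DNS names in *sans*."""
    host = hostname.lower().rstrip(".").split(".")
    for san in sans:
        name = san.lower().rstrip(".")
        if name.startswith("dns:"):
            name = name[4:]
        parts = name.split(".")
        # Label counts must match exactly: "*.example.com" never spans two labels.
        if len(parts) != len(host) or len(parts) < 2:
            continue
        # Wildcards are permitted only in the leftmost label.
        if any(p == "*" for p in parts[1:]):
            continue
        if all(_label_matches(p, h) for p, h in zip(parts, host)):
            return True
    return False


def uncovered(hostnames, sans):
    """Return the hostnames from the list that the certificate would not secure."""
    return [h for h in hostnames if not hostname_covered(h, sans)]


def parse_openssl_san(text):
    """Extract DNS names from `openssl x509 -noout -ext subjectAltName` output.

    Expected input looks like:
        X509v3 Subject Alternative Name:
            DNS:example.com, DNS:*.example.com
    """
    return re.findall(r"DNS:([^\s,]+)", text)


if __name__ == "__main__":
    hosts = ["example.com", "shop.example.com", "mail.example.com",
             "a.b.example.com", "example.org"]
    for h in hosts:
        state = "covered" if hostname_covered(h, TUTORIAL_SANS) else "NOT covered"
        print(f"{h:22} {state}")
```

If uncovered() reports a second-level name such as a.b.example.com, the fix is a separate certificate (or an additional -d '*.b.example.com' SAN), not a web-server restart.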
Renewal failing silently
- Run a manual renewal test:
/usr/local/directadmin/scripts/acme.sh --renew -d example.com --force
- Log renewals:
0 0 * * * /usr/local/directadmin/scripts/acme.sh --cron --home /root/.acme.sh >> /var/log/acme-renewal.log 2>&1
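Appending the cron output to a log file records what happened, but somebody still has to read it. The following is an added example, not part of the tutorial or of acme.sh itself, of a cron wrapper that makes the failure modes described in Step 3 and in this section loud: it refuses to run unless the DNS API credentials file is readable only by its owner (a 0600 file loaded here exposes the token to fewer local accounts than the world-readable /etc/environment suggested in Option A), runs acme.sh --cron, classifies the outcome per domain, and exits non-zero when a renewal failed or an expected domain never appeared in the run at all. The acme.sh path comes from the tutorial; CRED_FILE, EXPECTED_DOMAINS, the sample output and the log-line patterns are assumptions that approximate acme.sh's messages.

```python
"""Added example, not part of the original tutorial or of acme.sh itself:
a cron wrapper that makes acme.sh renewal failures loud instead of silent.

ACME and ACME_HOME come from the tutorial; CRED_FILE, EXPECTED_DOMAINS and
the log-line patterns below are assumptions approximating acme.sh's output.
"""
import os
import re
import stat
import subprocess

ACME = "/usr/local/directadmin/scripts/acme.sh"    # path used in the tutorial
ACME_HOME = "/root/.acme.sh"
CRED_FILE = "/root/.acme-dns-credentials"          # assumed; holds CF_Token=... lines
EXPECTED_DOMAINS = ["example.com"]                 # every cert this cron must cover

# acme.sh prefixes each line with "[timestamp]"; we key on the message after it.
LINE_RE = re.compile(r"^\[[^\]]+\]\s*(?P<msg>.*)$")
RENEW_RE = re.compile(r"^Renew: '(?P<domain>[^']+)'")
SKIP_RE = re.compile(r"^Skip, Next renewal time is: (?P<when>\S+)")

# Constructed sample of one cron run: three domains, three different outcomes.
SAMPLE_CRON_OUTPUT = """\
[Mon Mar  4 00:00:01 UTC 2024] ===Starting cron===
[Mon Mar  4 00:00:01 UTC 2024] Renew: 'example.com'
[Mon Mar  4 00:00:05 UTC 2024] Error add txt for domain:_acme-challenge.example.com
[Mon Mar  4 00:00:05 UTC 2024] Error renew example.com.
[Mon Mar  4 00:00:06 UTC 2024] Renew: 'other.net'
[Mon Mar  4 00:00:06 UTC 2024] Skip, Next renewal time is: 2024-04-20T00:00:00Z
[Mon Mar  4 00:00:06 UTC 2024] Add '--force' to force to renew.
[Mon Mar  4 00:00:10 UTC 2024] Renew: 'third.org'
[Mon Mar  4 00:00:30 UTC 2024] Cert success.
[Mon Mar  4 00:00:30 UTC 2024] ===End cron===
"""


def credentials_readable_only_by_owner(path):
    """True if *path* exists and has no group/other permission bits set."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def load_credentials(path):
    """Parse 'KEY=value' or 'export KEY="value"' lines into a dict for the hook's environment."""
    env = {}
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("export "):
                line = line[len("export "):]
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def audit_cron_output(text, expected_domains):
    """Map each domain acme.sh visited to 'renewed', 'skipped', 'failed' or 'unknown'.

    Expected domains that never show up become 'missing': the truly silent case.
    """
    status = {}
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        msg = m.group("msg") if m else raw.strip()
        r = RENEW_RE.match(msg)
        if r:
            current = r.group("domain")
            status.setdefault(current, "unknown")
        elif current is None:
            continue                      # banner lines before the first domain
        elif SKIP_RE.match(msg):
            status[current] = "skipped"   # not due yet; acme.sh reports the next date
        elif msg.startswith("Cert success"):
            status[current] = "renewed"
        elif msg.startswith("Error"):
            status[current] = "failed"    # e.g. the DNS hook could not add the TXT record
    for domain in expected_domains:
        status.setdefault(domain, "missing")
    return status


def has_problems(status):
    """True when any domain failed, went missing or produced no recognizable outcome."""
    return any(s in ("failed", "missing", "unknown") for s in status.values())


def run_renewal(cmd=None, cred_file=CRED_FILE, expected=EXPECTED_DOMAINS):
    """Run the renewal with the DNS credentials in its environment; return (exit code, audit)."""
    if not credentials_readable_only_by_owner(cred_file):
        raise PermissionError(f"{cred_file} is missing or readable by group/other; refusing to run")
    env = dict(os.environ, **load_credentials(cred_file))
    proc = subprocess.run(cmd or [ACME, "--cron", "--home", ACME_HOME],
                          env=env, capture_output=True, text=True)
    return proc.returncode, audit_cron_output(proc.stdout + proc.stderr, expected)


if __name__ == "__main__":
    rc, result = run_renewal()
    for domain, state in sorted(result.items()):
        print(f"{domain}: {state}")
    raise SystemExit(1 if rc != 0 or has_problems(result) else 0)
```

Point the cron line at this script instead of at acme.sh directly and let cron's MAILTO (or your monitoring agent) act on the non-zero exit; the per-domain summary it prints is what you want in the alert, since "renewal failed" for one domain is a different problem from "the cron never reached the domain".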
Rate limited by Let's Encrypt
Switch to the staging server while testing:
/usr/local/directadmin/scripts/acme.sh --issue --dns dns_cf -d example.com -d '*.example.com' --server letsencrypt_test
Getting wildcard SSL certificates right in DirectAdmin is a one-time investment that pays off every 90 days when renewal completes automatically. The critical steps are enabling DNS-01 challenge mode, configuring your DNS provider's API hook, and verifying the cron job is in place. For teams managing multiple DirectAdmin servers, our managed DirectAdmin server support covers certificate management, renewal monitoring, and everything in between.
