Resources     Blog  

  1. Home
  2. Knowledge Base
  3. SSL Certificates
  4. Let’s Encrypt Installation Process

Let’s Encrypt Installation Process

Let’s Encrypt uses a DNS-based verification system, and certain records are required for the installation to succeed. If you’re using the GreenGeeks nameservers, the required records are managed for you, and no changes are needed to issue your SSL certificate.

If you manage your domain’s DNS record outside of GreenGeeks and your Let’s Encrypt installation failed, a DNS record update will be needed. There are a few different ways to make the necessary change. Any of these methods will work.

Option 1: Change the Name Servers for the Domain(s)

This is the easiest method and the one that we recommend. It will allow you to install Let’s Encrypt as well as preventing any future renewal problems.

Important: If you have custom DNS records, re-create them on GreenGeeks before updating the nameservers for the domain.

You can change the name servers for your domain name at the registrar where you purchased the domain. Go to the registrar’s control panel and look for a setting called “name servers,” “custom name servers,” etc.

Here are the GreenGeeks name servers:

If your registrar only provides two fields for name server settings (primary and secondary name servers), use the first two name servers in the above list.

If you have a reseller account you can use the anonymous name servers:

Option 2: Add _acme-challenge Name Server Records to Your DNS

If you cannot change your name servers to point to GreenGeeks as recommended in option 1, this is the next best way to allow Let’s Encrypt to verify your domain. It involves delegating the _acme-challenge subdomain to our nameservers.

You should have access to set up NS records for a subdomain if you use a third-party DNS provider like Cloudflare.

If your domain registrar provides your DNS service, you may have to ask them to configure the DNS for you.

At your domain registrar or DNS provider, add the following NS records:  NS:  NS:  NS:

Use your domain name in place of “” in the above entries.

Once this is done, the _acme-challenge NS records allow GreenGeeks to control the DNS entries for only and will not affect any other existing records for your domain name.

Option 3: Add TXT Records for Your Domain(s)

We don’t recommend this method because it requires you to make a manual DNS update every 60 days when the Let’s Encrypt certificate is renewed. However, if none of the other methods work for you, this is a valid option.

Let’s Encrypt uses a specific DNS TXT record for verification, and we can provide you with that record, or you can find the TXT record in the Zone Editor in cPanel.

When you have the two TXT records for, you’ll manually update your DNS zone with the TXT records. Again, you’ll have to do this every 60 days. If you want to use this method, please contact technical support for assistance with the TXT records.

Use your domain name in place of “” in the above example.

Option 4: Switch to a Premium Wildcard SSL Certificate

If none of the above methods work for you, there are traditional certificate alternatives to Let’s Encrypt. They aren’t free, but they have certain advantages over a Let’s Encrypt certificate.

You can add a premium wildcard certificate to your site in GreenGeeks.

If your question wasn’t answered in this article, please don’t hesitate to contact technical support.

Was this article helpful?


  1. Does this require setting a subdomain with cpanel too or only on the DNS registry?
    The link is confusing…”It involves setting up a subdomain named _acme-challenge.”

  2. For option 2:
    Should the subdomain be setup on the primary domain name server?
    Limitation: Some web hosting providers only allow letters, numbers and a dash. NO UNDERSCORE as requested above:

  3. In option 3:
    Limitation: Some web host providers, “cut” record name from first dot onwards, so record name:
    will look like:

  4. Critical:
    In option 3, add the records where your primari live site is!

  5. The _acme-challenge method worked for cloudflare- BUT… Cpanel did not allow me to add the subdomain “_acme-challenge” like the instructions say.

    I had support add that subdomain, then just added the 3 NS records in cloudflare and it worked..

    Also note- Cloudflare would not allow me to add an A record for _acme-challenge subdomain once the NS records were setup, but seems it did not matter and worked anyway..

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.