Let’s Encrypt uses a DNS-based verification system, and certain records are required for the installation to succeed. If you’re using the GreenGeeks nameservers, the required records are managed for you, and no changes are needed to issue your SSL certificate.
If you manage your domain’s DNS records outside of GreenGeeks and your Let’s Encrypt installation failed, a DNS record update will be needed. There are a few different ways to make the necessary change. Any of these methods will work.
- Change the Name Servers for the Domain(s)
- Add _acme-challenge Name Server Records to Your DNS
- Add TXT Records for Your Domain(s)
- Switch to a Premium Wildcard SSL Certificate
Option 1: Change the Name Servers for the Domain(s)
This is the easiest method and the one that we recommend. It will allow you to install Let’s Encrypt as well as prevent any future renewal problems.
Important: If you have custom DNS records, re-create them on GreenGeeks before updating the nameservers for the domain.
You can change the name servers for your domain name at the registrar where you purchased the domain. Go to the registrar’s control panel and look for a setting called “name servers,” “custom name servers,” etc.
Here are the GreenGeeks name servers:
If your registrar only provides two fields for name server settings (primary and secondary name servers), use the first two name servers in the above list.
If you have a reseller account you can use the anonymous websitehostserver.net name servers:
Option 2: Add _acme-challenge Name Server Records to Your DNS
If you cannot change your name servers to point to GreenGeeks as recommended in option 1, using NS-type records is the second-best option. This involves delegating the _acme-challenge subdomain to the GreenGeeks nameservers.
The NS records need to be created within the existing nameservers. If you’re using a 3rd party DNS provider such as Google, this is where the NS records would need to be created.
Add the following NS records within your existing DNS zone:
_acme-challenge.ggexample.com NS: chi-ns1.greengeeks.com
_acme-challenge.ggexample.com NS: chi-ns2.greengeeks.com
_acme-challenge.ggexample.com NS: ams-ns1.greengeeks.com
_acme-challenge.ggexample.com NS: sgp-ns1.greengeeks.com
Use your domain name in place of “ggexample.com” in the above entries.
Note that many 3rd party DNS providers do not have an option for the NS type of record in their front-end UI, but they can create such records manually upon request. If you don’t see an option for NS records, we suggest contacting the registrar or DNS provider for assistance in creating the records.
Once this is configured, the _acme-challenge NS records allow GreenGeeks to control the DNS entries for _acme-challenge.ggexample.com, so that the Let’s Encrypt SSL certificate can be renewed automatically without affecting the rest of your DNS configuration.
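As an added example (not GreenGeeks code), the Python check below audits a zone export from your current DNS provider for the Option 2 delegation: it reports which of the four name servers are missing, any extra name server in the delegation, and records left at or below _acme-challenge that resolvers ignore once the name is delegated. The sample zone is constructed, and the simplified "name TTL class type rdata" line format is an assumption.

```python
# Added example: audit a zone export for the Option 2 delegation.
# The four name servers are the ones listed in the article.
EXPECTED_NS = {
    "chi-ns1.greengeeks.com", "chi-ns2.greengeeks.com",
    "ams-ns1.greengeeks.com", "sgp-ns1.greengeeks.com",
}

# Constructed sample export (name TTL class type rdata); not real data.
SAMPLE_ZONE = """\
ggexample.com.                  3600 IN A     192.0.2.10
www.ggexample.com.              3600 IN CNAME ggexample.com.
_acme-challenge.ggexample.com.  3600 IN NS    chi-ns1.greengeeks.com.
_acme-challenge.ggexample.com.  3600 IN NS    chi-ns2.greengeeks.com.
_acme-challenge.ggexample.com.  3600 IN NS    ns1.old-dns.example.
_acme-challenge.ggexample.com.  300  IN TXT   "stale-token-from-manual-setup"
"""

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()

def parse_zone(text):
    """Return (name, type, rdata) tuples, skipping blanks and ';' comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, _ttl, _cls, rtype, rdata = line.split(None, 4)
        records.append((norm(name), rtype.upper(), rdata.strip()))
    return records

def audit_delegation(zone_text, domain, expected_ns=EXPECTED_NS):
    cut = "_acme-challenge." + norm(domain)
    found_ns, occluded = set(), []
    for name, rtype, rdata in parse_zone(zone_text):
        at_or_below = name == cut or name.endswith("." + cut)
        if name == cut and rtype == "NS":
            found_ns.add(norm(rdata))
        elif at_or_below and not (name == cut and rtype == "DS"):
            # Anything else here is hidden behind the delegation (DS is allowed).
            occluded.append((name, rtype))
    return {
        "missing_ns": sorted(expected_ns - found_ns),
        # Every server in the NS set can answer the validation query,
        # so an unexpected entry deserves a closer look.
        "unexpected_ns": sorted(found_ns - expected_ns),
        "occluded": occluded,
    }
```

On the constructed sample, the audit flags the two missing GreenGeeks name servers, the leftover ns1.old-dns.example entry, and the stale TXT record from a manual (Option 3) setup.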
Option 3: Add TXT Records for Your Domain(s)
Let’s Encrypt uses a specific DNS TXT record for verification, and we can provide you with that record, or you can find the TXT record in the Zone Editor in cPanel.
For TXT verification, you’ll have to set one or two TXT records for _acme-challenge.ggexample.com, which must be updated manually within your DNS zone. You’ll have to do this about every 60 days as the certificate is renewed, so we do not suggest using this method.
Contact technical support for assistance if you need help finding the TXT records.
Use your domain name in place of “ggexample.com” in the above example.
Note that this is the only option for using Cloudflare with a wildcard Let’s Encrypt SSL certificate on GreenGeeks, as Cloudflare manages the Edge certificate independently.
Option 4: Switch to a Premium Wildcard SSL Certificate
If none of the above methods work for you, there are traditional certificate alternatives to Let’s Encrypt. They aren’t free, but they have certain advantages over a Let’s Encrypt certificate.
You can add a premium wildcard certificate to your site in GreenGeeks.
If your question wasn’t answered in this article, please don’t hesitate to contact technical support.
Does this require setting a subdomain with cPanel too or only on the DNS registry?
The link is confusing… “It involves setting up a subdomain named _acme-challenge.”
For option 2:
Should the subdomain be set up on the primary domain name server?
Limitation: Some web hosting providers only allow letters, numbers and a dash. NO UNDERSCORE as requested above: _acme-challenge.ggexample.com
In option 3:
Limitation: Some web host providers, “cut” record name from first dot onwards, so record name:
will look like:
In option 3, add the records where your primary live site is!
The _acme-challenge method worked for Cloudflare, BUT… cPanel did not allow me to add the subdomain “_acme-challenge” like the instructions say.
I had support add that subdomain, then just added the 3 NS records in Cloudflare and it worked.
Also note: Cloudflare would not allow me to add an A record for the _acme-challenge subdomain once the NS records were set up, but it seems it did not matter and worked anyway.