Skip to main content
  1. Home
  2. Knowledge Base
  3. SSL Certificates
  4. Let’s Encrypt Installation Process

Let’s Encrypt Installation Process

Let’s Encrypt uses a DNS-based verification system, and certain records are required for the installation to succeed. If you’re using the GreenGeeks nameservers, the required records are managed for you, and no changes are needed to issue your SSL certificate.

If you manage your domain’s DNS record outside of GreenGeeks and your Let’s Encrypt installation failed, a DNS record update will be needed. There are a few different ways to make the necessary change. Any of these methods will work.

  • Change the Name Servers for the Domain(s)
  • Add _acme-challenge Name Server Records to Your DNS
  • Add TXT Records for Your Domain(s)
  • Switch to a Premium Wildcard SSL Certificate

Option 1: Change the Name Servers for the Domain(s)

This is the easiest method and the one that we recommend. It will allow you to install Let’s Encrypt as well as prevent any future renewal problems.

Important: If you have custom DNS records, re-create them on GreenGeeks before updating the nameservers for the domain.

You can change the name servers for your domain name at the registrar where you purchased the domain. Go to the registrar’s control panel and look for a setting called “name servers,” “custom name servers,” etc.

Here are the GreenGeeks name servers:

If your registrar only provides two fields for name server settings (primary and secondary name servers), use the first two name servers in the above list.

If you have a reseller account you can use the anonymous name servers:

Option 2: Add _acme-challenge Name Server Records to Your DNS

If you cannot change your name servers to point to GreenGeeks as recommended as suggested in option 1, using NS-type records are the second-best option. This involves delegating the _acme-challenge subdomain to the GreenGeeks nameservers.

The NS records need to be created within the existing nameservers. If you’re using a 3rd party DNS provider such as Google, this is where the NS records would need to be created.

Cloudflare DNS

Do not set _acme-challenge NS records when using Cloudflare.

If you wish to use Cloudflare in combination with GreenGeeks SSL you must set the TXT records manually as per Option 3.  Refer to our Support Article.

Add the following NS records within your existing DNS zone:  NS:  NS:  NS:  NS:

Use your domain name in place of “” in the above entries.

Note that many 3rd party DNS providers do not have an option for the NS type of record in their front-end UI, but they can create such records manually upon request. If you don’t see an option for NS records, we suggest contacting the registrar or DNS provider for assistance in creating the records.

Once this is configured, the _acme-challenge NS type records allow GreenGeeks to control the DNS entries for, in order to automatically renew the LetsEncrypt SSL certificate without affecting the rest of your DNS configuration.

Option 3: Add TXT Records for Your Domain(s)

Note that GreenGeeks strongly advises AGAINST using this method(TXT record) as it requires a manual DNS update each time the records change, at a minimum every 60 days when the Let’s Encrypt certificate is renewed. Only use TXT verification if you have no other choice.

Let’s Encrypt uses a specific DNS TXT record for verification, and we can provide you with that record, or you can find the TXT record in the Zone Editor in cPanel.

For TXT verification, you’ll have to set one or two TXT records for that’ll need to be manually updated within your DNS zone.  Again, you’ll have to do this every 60~ days as the cert is renewed so we do not suggest using this method.

Contact technical support for assistance if you need help finding the TXT records.

Use your domain name in place of “” in the above example.

Note that this is the only option to use Cloudflare + Wildcard LetsEncrypt SSL on GreenGeeks, as Cloudflare manages the Edge certificate independently.

Option 4: Switch to a Premium Wildcard SSL Certificate

If none of the above methods work for you, there are traditional certificate alternatives to Let’s Encrypt. They aren’t free, but they have certain advantages over a Let’s Encrypt certificate.

You can add a premium wildcard certificate to your site in GreenGeeks.

If your question wasn’t answered in this article, please don’t hesitate to contact technical support.

Was this article helpful?

Need Support?
Can't find the answer you're looking for?
Contact Support


  1. Does this require setting a subdomain with cpanel too or only on the DNS registry?
    The link is confusing…”It involves setting up a subdomain named _acme-challenge.”

  2. For option 2:
    Should the subdomain be setup on the primary domain name server?
    Limitation: Some web hosting providers only allow letters, numbers and a dash. NO UNDERSCORE as requested above:

  3. In option 3:
    Limitation: Some web host providers, “cut” record name from first dot onwards, so record name:
    will look like:

  4. Critical:
    In option 3, add the records where your primari live site is!

  5. The _acme-challenge method worked for cloudflare- BUT… Cpanel did not allow me to add the subdomain “_acme-challenge” like the instructions say.

    I had support add that subdomain, then just added the 3 NS records in cloudflare and it worked..

    Also note- Cloudflare would not allow me to add an A record for _acme-challenge subdomain once the NS records were setup, but seems it did not matter and worked anyway..

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.