Let’s Encrypt uses a DNS-based verification system, and certain records are required for the installation to succeed. If you’re using the GreenGeeks nameservers, the required records are managed for you, and no changes are needed to issue your SSL certificate.
If you manage your domain’s DNS records outside of GreenGeeks and your Let’s Encrypt installation failed, a DNS record update will be needed. There are a few different ways to make the necessary change. Any of these methods will work.
- Change the Name Servers for the Domain(s)
- Add _acme-challenge Name Server Records to Your DNS
- Add TXT Records for Your Domain(s)
- Switch to a Premium Wildcard SSL Certificate
Option 1: Change the Name Servers for the Domain(s)
This is the easiest method and the one that we recommend. It allows you to install Let’s Encrypt and prevents future renewal problems.
Important: If you have custom DNS records, re-create them on GreenGeeks before updating the nameservers for the domain.
You can change the name servers for your domain name at the registrar where you purchased the domain. Go to the registrar’s control panel and look for a setting called “name servers,” “custom name servers,” etc.
Here are the GreenGeeks name servers:
If your registrar only provides two fields for name server settings (primary and secondary name servers), use the first two name servers in the above list.
If you have a reseller account you can use the anonymous websitehostserver.net name servers:
Option 2: Add _acme-challenge Name Server Records to Your DNS
If you cannot change your name servers to point to GreenGeeks as recommended in option 1, this is the next best way to allow Let’s Encrypt to verify your domain. It involves setting up a subdomain named _acme-challenge.
So the subdomain would look like _acme-challenge.ggexample.com
When the subdomain is set up, configure it to use these NS records:
_acme-challenge.ggexample.com NS: chi-ns1.greengeeks.com
_acme-challenge.ggexample.com NS: chi-ns2.greengeeks.com
_acme-challenge.ggexample.com NS: ams-ns1.greengeeks.com
Use your domain name in place of “ggexample.com” in the above entries.
You should have access to set up NS records for a subdomain if you use a third-party DNS provider like Cloudflare.
If your domain registrar provides your DNS service, you may have to ask them to configure the subdomain DNS for you.
The _acme-challenge NS records allow GreenGeeks to control the DNS entries for _acme-challenge.ggexample.com only and will not affect any other existing records for the domain name.
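To confirm that the Option 2 delegation is in place, compare the NS set returned for the _acme-challenge subdomain with the three GreenGeeks servers listed above. The script below is an added example, not GreenGeeks tooling: the function names and sample input are constructed, and it expects one NS target per line, in the form that `dig +short NS` prints.

```shell
#!/bin/sh
# Added example: check the _acme-challenge delegation from Option 2.
# Expected targets are the three NS records listed in this article.
EXPECTED_NS="chi-ns1.greengeeks.com chi-ns2.greengeeks.com ams-ns1.greengeeks.com"

# Lowercase, strip trailing whitespace and the root dot, drop blanks, dedupe.
normalize_ns() {
  tr '[:upper:]' '[:lower:]' |
    sed -e 's/[[:space:]]*$//' -e 's/\.$//' -e '/^$/d' | sort -u
}

# Reads NS targets on stdin (one per line) and prints one finding per line.
# Returns 0 on an exact match, 1 if an expected server is missing,
# 2 if an unexpected server is present (takes precedence over 1).
# An unexpected server matters because every name server in the set
# can answer queries for the _acme-challenge TXT records.
check_delegation() {
  _got=$(normalize_ns)
  _rc=0
  for _ns in $EXPECTED_NS; do
    if ! printf '%s\n' "$_got" | grep -Fqx "$_ns"; then
      echo "MISSING $_ns"
      _rc=1
    fi
  done
  for _ns in $_got; do
    case " $EXPECTED_NS " in
      *" $_ns "*) ;;
      *) echo "UNEXPECTED $_ns"; _rc=2 ;;
    esac
  done
  [ "$_rc" -eq 0 ] && echo "OK delegation matches"
  return "$_rc"
}

# Live use (substitute your own domain for ggexample.com):
#   dig +short NS _acme-challenge.ggexample.com | check_delegation
# Constructed sample of what a correct delegation returns:
printf '%s\n' 'chi-ns1.greengeeks.com.' 'CHI-NS2.greengeeks.com.' \
  'ams-ns1.greengeeks.com.' | check_delegation
```

An empty answer, for example when the subdomain has not been delegated yet, is reported as three MISSING lines.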
Option 3: Add TXT Records for Your Domain(s)
We don’t recommend this method because it requires you to make a manual DNS update every 60 days when the Let’s Encrypt certificate is renewed. However, if none of the other methods work for you, this is a valid option.
Let’s Encrypt uses a specific DNS TXT record for verification, and we can provide you with that record, or you can find the TXT record in the Zone Editor in cPanel.
When you have the two TXT records for _acme-challenge.ggexample.com, you’ll manually update your DNS zone with the TXT records. Again, you’ll have to do this every 60 days. If you want to use this method, please contact technical support for assistance with the TXT records.
Use your domain name in place of “ggexample.com” in the above example.
Option 4: Switch to a Premium Wildcard SSL Certificate
If none of the above methods work for you, there are traditional certificate alternatives to Let’s Encrypt. They aren’t free, but they have certain advantages over a Let’s Encrypt certificate.
If your question wasn’t answered in this article, please don’t hesitate to contact technical support.