Installing Let's Encrypt Wildcard SSL in Hestia CP

Step-by-step guide to issuing and configuring a wildcard certificate.

Hestia CP is a hosting control panel for managing websites, email, databases, SSL certificates, files, and scheduled tasks.

Let's Encrypt Wildcard SSL secures both the root domain and all its subdomains (*.example.com) with a single certificate — useful when you have many subdomains.

This guide applies to HestiaCP on Ubuntu and Debian. For CentOS, use yum instead of apt-get.

Step 1. Install acme.sh

cd /root
sudo apt-get update
sudo apt-get install socat git -y
git clone https://github.com/acmesh-official/acme.sh.git
cd ./acme.sh
./acme.sh --install

After installation, acme.sh automatically adds a cron job for certificate renewal. Verify it's there:

crontab -l

Step 2. Set Let's Encrypt as the certificate authority

./acme.sh --set-default-ca --server letsencrypt

Step 3. Issue the wildcard certificate

./acme.sh --issue -d example.com -d '*.example.com' --dns --force --yes-I-know-dns-manual-mode-enough-go-ahead-please

Replace example.com with your domain.

The script will output two TXT records that need to be added to your domain's DNS. Make sure each record name ends with a dot.

Example:

_acme-challenge.example.com.    TXT    "GCgAc4Q1Ur4Iv5A-SFhaZ6as-IyuIbfcm7FnUOq3Qxs"
_acme-challenge.example.com.    TXT    "dA6AcK4oR2VOIuD_i7zdNn6RZXXBJORpZWlhDOmk96A"

Step 4. Verify DNS propagation

dig txt +short _acme-challenge.example.com

Wait until both TXT records appear in the output before proceeding.
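
The wait in Step 4 can be scripted. The following is an added example, not part of the original guide: it polls each authoritative nameserver of the domain until both challenge values are returned, since a local resolver may still serve a cached answer. The function names, the 30 x 20 second retry budget, and the assumption that the domain is the zone apex (so that an NS lookup on it returns its nameservers) are choices made for this example.

```shell
#!/bin/sh
# Added example: wait until both ACME challenge TXT values are visible in DNS.
# Usage after sourcing this file (values are the ones acme.sh printed in Step 3):
#   wait_for_challenge example.com "<value1>" "<value2>" && echo "ready for Step 5"

# txt_values_present OUTPUT VALUE...
# Returns 0 only if every VALUE appears as a complete quoted TXT string in
# OUTPUT, where OUTPUT is the text printed by `dig txt +short`.
txt_values_present() {
    output=$1
    shift
    for value in "$@"; do
        # -F literal match, -x whole line: a truncated or partial token never passes
        printf '%s\n' "$output" | grep -qFx -- "\"$value\"" || return 1
    done
    return 0
}

# wait_for_challenge DOMAIN VALUE...
# Returns 0 once every authoritative nameserver serves all VALUEs, 1 on timeout.
wait_for_challenge() {
    domain=$1
    shift
    name="_acme-challenge.$domain"
    tries=0
    while [ "$tries" -lt 30 ]; do
        ns_list=$(dig ns +short "$domain")
        ok=1
        # No nameservers found (lookup failed, or DOMAIN is not a zone apex)
        [ -n "$ns_list" ] || ok=0
        for ns in $ns_list; do
            out=$(dig txt +short "$name" "@$ns")
            # One lagging nameserver is enough to make validation fail
            txt_values_present "$out" "$@" || ok=0
        done
        if [ "$ok" -eq 1 ]; then
            return 0
        fi
        tries=$((tries + 1))
        sleep 20
    done
    return 1
}
```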

Step 5. Complete the certificate issuance

./acme.sh --renew -d example.com -d '*.example.com' --dns --force --yes-I-know-dns-manual-mode-enough-go-ahead-please

The certificates will be saved to:

/root/.acme.sh/example.com_ecc/

Step 6. Add the certificate to Hestia CP

Rename the certificate files:

cd /root/.acme.sh/example.com_ecc/
mv ca.cer example.com.ca
mv fullchain.cer example.com.crt

Add the certificate to the domain (replace user with the HestiaCP username):

v-add-web-domain-ssl user example.com /root/.acme.sh/example.com_ecc/

If a certificate was already installed for this domain, use the update command instead:

v-update-web-domain-ssl user example.com /root/.acme.sh/example.com_ecc/

Automatic renewal

acme.sh sets up a cron job automatically. For extra reliability, you can also add a daily check manually:

0 3 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null 2>&1

Help

If you have any questions or need assistance, please contact us through the ticket system — we're always here to help!