[GH-ISSUE #613] letsencrypt wildcard certificates (without Cloudflare) #516

Closed
opened 2026-02-26 06:33:13 +03:00 by kerem · 12 comments
Owner

Originally created by @rt87 on GitHub (Sep 24, 2020).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/613

I would like to be able to use letsencrypt wildcard certificates without being limited to Cloudflare.

kerem 2026-02-26 06:33:13 +03:00

@Kipjr commented on GitHub (Sep 25, 2020):

A temporary workaround is requesting a normal certificate domain.tld, then after a successful certificate, login to docker (`docker exec -it {id} /bin/bash`) and do the following:

`certbot --manual -d domain.tld -d *.domain.tld --preferred-challenges=DNS`

Follow the instructions, it will replace your certificate with the wildcard. An automatic way is not yet possible due to the lacking support of numerous DNS APIs. This is what I'm doing every now and then...

```
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/npm-2.conf)

It contains these names: domain.tld

You requested these names for the new certificate: domain.tld, *.domain.tld.

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for domain.tld

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Yes

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.domain.tld with the following value:

Gasdfasdfasdfasdfasdfc

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
```
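The step that most often goes wrong in the manual flow above is the "Before continuing, verify the record is deployed" prompt: if Enter is pressed before the TXT record is live on the zone's authoritative nameservers, or while a stale value from an earlier attempt is still published, the dns-01 challenge fails and the existing certificate stays in place. The script below is an added example, not code from the issue, from certbot or from nginx-proxy-manager; it queries each authoritative nameserver directly for `_acme-challenge.<zone>` and requires an exact match on the value certbot printed. It assumes `dig` is installed in the container; `domain.tld`, the challenge value `Gasdfasdfasdfasdfasdfc` and the sample `dig` output are constructed placeholders taken from the prompt quoted above.

```shell
#!/bin/sh
# Added example (not from the issue, certbot or nginx-proxy-manager).
# While certbot waits at "Press Enter to Continue" in the manual dns-01 flow,
# confirm that every authoritative nameserver of the zone already serves the
# _acme-challenge TXT record with the value certbot printed. Let's Encrypt
# validates against the authoritative servers, so a lookup through the local
# recursive resolver (which may also have cached a negative answer from an
# earlier query) proves nothing. Assumes `dig` (dnsutils / bind-utils).

# txt_has_value ANSWERS VALUE
#   ANSWERS: output of `dig +short TXT <name>` (one quoted string per line)
#   Returns 0 when one TXT string equals VALUE exactly, 1 otherwise.
txt_has_value() {
    # dig wraps each TXT string in double quotes; -x -F demands an exact,
    # whole-line, literal match so a stale or truncated token is rejected.
    printf '%s\n' "$1" | grep -qxF "\"$2\""
}

# check_nameservers NAME VALUE NS...
#   Queries each nameserver directly and prints a per-server verdict.
#   Returns 0 only when every server already serves VALUE for NAME.
check_nameservers() {
    name=$1; want=$2; shift 2
    status=0
    for ns in "$@"; do
        answers=$(dig +short @"$ns" TXT "$name" 2>/dev/null)
        if txt_has_value "$answers" "$want"; then
            echo "ok    $ns"
        else
            echo "MISS  $ns  (got: ${answers:-<no answer>})"
            status=1
        fi
    done
    return "$status"
}

# verify_challenge ZONE VALUE
#   Discovers the zone's authoritative nameservers, then checks each one.
verify_challenge() {
    zone=$1; want=$2
    nameservers=$(dig +short NS "$zone" 2>/dev/null)
    if [ -z "$nameservers" ]; then
        echo "no NS records found for $zone" >&2
        return 2
    fi
    # word splitting of $nameservers is intended: one hostname per line
    check_nameservers "_acme-challenge.$zone" "$want" $nameservers
}

# Constructed sample of `dig +short TXT` output for an offline demonstration:
# an unrelated string plus the value certbot asked for in the prompt above.
SAMPLE_ANSWERS='"v=spf1 -all"
"Gasdfasdfasdfasdfasdfc"'

# demo: offline run of the matcher against the constructed sample.
# Returns 0 when the expected value is found and a near-miss is rejected.
demo() {
    txt_has_value "$SAMPLE_ANSWERS" "Gasdfasdfasdfasdfasdfc" &&
        ! txt_has_value "$SAMPLE_ANSWERS" "Gasdfasdfasdfasdfasdf"
}

# Live usage (needs network):
#   verify_challenge domain.tld Gasdfasdfasdfasdfasdfc
if [ "$#" -eq 2 ]; then
    verify_challenge "$1" "$2"
fi
```

Run it from a second shell in the container (`docker exec -it {id} /bin/sh`) while certbot is still waiting, and only press Enter once every nameserver reports `ok`. Because manual mode has no hook to publish the record for you, the same check is needed again at each renewal, which is the limitation the rest of this thread is about.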

@hugalafutro commented on GitHub (Oct 3, 2020):

I'm successfully using wildcard host on noip.com with nginx-proxy-manager. I.e. on noip.com I have registered wildcard domain *.something.ddns.net, then in nginx-proxy-manager I have 11 proxy hosts using hostname.something.ddns.net and "it just works" (tm).


@rt87 commented on GitHub (Oct 4, 2020):

> A temporary workaround is requesting a normal certificate domain.tld, then after a successful certificate, login to docker (`docker exec -it {id} /bin/bash`) and do the following:
>
> `certbot --manual -d domain.tld -d *.domain.tld --preferred-challenges=DNS`
>
> Follow the instructions, it will replace your certificate with the wildcard. An automatic way is not yet possible due to the lacking support of numerous DNS APIs. This is what I'm doing every now and then...
>
> ```
> You have an existing certificate that contains a portion of the domains you
> requested (ref: /etc/letsencrypt/renewal/npm-2.conf)
>
> It contains these names: domain.tld
>
> You requested these names for the new certificate: domain.tld, *.domain.tld.
>
> Do you want to expand and replace this existing certificate with the new
> certificate?
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> (E)xpand/(C)ancel: E
> Renewing an existing certificate
> Performing the following challenges:
> dns-01 challenge for domain.tld
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> NOTE: The IP of this machine will be publicly logged as having requested this
> certificate. If you're running certbot in manual mode on a machine that is not
> your server, please ensure you're okay with that.
>
> Are you OK with your IP being logged?
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> (Y)es/(N)o: Yes
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Please deploy a DNS TXT record under the name
> _acme-challenge.domain.tld with the following value:
>
> Gasdfasdfasdfasdfasdfc
>
> Before continuing, verify the record is deployed.
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Press Enter to Continue
> Waiting for verification...
> Cleaning up challenges
> ```

Thanks, good to know that this would work (and how to do it). But, to be clear: you would have to repeat this every now and then? The automatic renewal of this "manual wildcard certificate" would not work?


@rt87 commented on GitHub (Oct 4, 2020):

> I'm successfully using wildcard host on noip.com with nginx-proxy-manager. I.e. on noip.com I have registered wildcard domain *.something.ddns.net, then in nginx-proxy-manager I have 11 proxy hosts using hostname.something.ddns.net and "it just works" (tm).

Well... it really shouldn't! The UI doesn't even let you go for wildcards unless you checked the cloudflare option. Also, both providers, cloudflare and noip, charge for wildcards afaik, so that's something I'm not too thrilled about either. And the free noip does not seem to support IPv6, which I would like to use since it "is time" and I do not have to give too much thought to port forwarding and such.


@Kipjr commented on GitHub (Oct 4, 2020):

> > A temporary workaround is requesting a normal certificate domain.tld, then after a successful certificate, login to docker (`docker exec -it {id} /bin/bash`) and do the following:
> >
> > `certbot --manual -d domain.tld -d *.domain.tld --preferred-challenges=DNS`
> >
> > Follow the instructions, it will replace your certificate with the wildcard. An automatic way is not yet possible due to the lacking support of numerous DNS APIs. This is what I'm doing every now and then...
> >
> > ```
> > You have an existing certificate that contains a portion of the domains you
> > requested (ref: /etc/letsencrypt/renewal/npm-2.conf)
> >
> > It contains these names: domain.tld
> >
> > You requested these names for the new certificate: domain.tld, *.domain.tld.
> >
> > Do you want to expand and replace this existing certificate with the new
> > certificate?
> > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> > (E)xpand/(C)ancel: E
> > Renewing an existing certificate
> > Performing the following challenges:
> > dns-01 challenge for domain.tld
> >
> > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> > NOTE: The IP of this machine will be publicly logged as having requested this
> > certificate. If you're running certbot in manual mode on a machine that is not
> > your server, please ensure you're okay with that.
> >
> > Are you OK with your IP being logged?
> > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> > (Y)es/(N)o: Yes
> >
> > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> > Please deploy a DNS TXT record under the name
> > _acme-challenge.domain.tld with the following value:
> >
> > Gasdfasdfasdfasdfasdfc
> >
> > Before continuing, verify the record is deployed.
> > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> > Press Enter to Continue
> > Waiting for verification...
> > Cleaning up challenges
> > ```
>
> Thanks, good to know that this would work (and how to do it). But, to be clear: you would have to repeat this every now and then? The automatic renewal of this "manual wildcard certificate" would not work?

Yes, automatic renewal would require an API to your DNS and there are too many to support /implement this, I think.

I would like the output from the console on the webpage so I don't have to do this there. Then you only need to update your TXT record. Or just have a log page on the manager webpage.


@chaptergy commented on GitHub (Nov 6, 2020):

@jc21 Implemented by PR #635, can be closed.
@rt87 To request wildcard certificates you need to request them via DNS challenge. If your DNS provider is not in the list of available DNS providers but you are sure they offer an API for this please open a new ticket.


@krouter commented on GitHub (Nov 12, 2020):

Can you give a GUI option to request a manual DNS challenge?
Google domains doesn't allow DNS via api updates.


@chaptergy commented on GitHub (Nov 12, 2020):

I don't think LetsEncrypt / Certbot is meant to issue certificates with a DNS challenge in a non-automated way. See [the DNS challenge documentation](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge), the second paragraph.


@jakern commented on GitHub (May 7, 2021):

I think it would still be better to have a manual UI and the cert to accidentally expire than to not have SSL at all because you can't switch to a provider with an api


@chaptergy commented on GitHub (May 10, 2021):

@jakern this is a little off topic for this issue, please see the following issue concerning the manual dns challenge: https://github.com/jc21/nginx-proxy-manager/issues/813


@bryanhunwardsen commented on GitHub (Nov 16, 2023):

> I'm successfully using wildcard host on noip.com with nginx-proxy-manager. I.e. on noip.com I have registered wildcard domain *.something.ddns.net, then in nginx-proxy-manager I have 11 proxy hosts using hostname.something.ddns.net and "it just works" (tm).

@hugalafutro
Were you able to use a wildcard cert for all the subdomains/proxy hosts?
I have what you indicate working, but each subdomain is requiring its own certificate as npm does not list no-ip as a dns challenge provider???


@hugalafutro commented on GitHub (Nov 16, 2023):

@bryanhunwardsen yes. Each whatever.something.ddns.net site has its own cert which npm renews whenever needed. Honestly I am a bit of a newb so I don't even understand the dns challenge stuff or its advantage as it works just fine without.
