How to Generate a Wildcard SSL Certificate Using acme.sh (DNS Manual Mode)


This guide walks you through installing acme.sh and generating a wildcard SSL certificate for your domain (vergecloud.site) using ZeroSSL with manual DNS verification.

Prerequisites  

  • A domain name (e.g. vergecloud.site)

  • Access to your DNS provider to add TXT records

  • macOS Terminal (or any Unix-like shell)

 

Step 1: Install acme.sh  

Open your terminal and run the following command to install acme.sh, a lightweight and fully functional ACME protocol client used to issue SSL certificates from providers like Let's Encrypt and ZeroSSL:

curl https://get.acme.sh | sh -s email=my@example.com


  $ curl https://get.acme.sh | sh -s email=my@example.com
  [Tue Jun 10 11:25:59 IST 2025] Installing from online archive.
  [Tue Jun 10 11:25:59 IST 2025] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
  [Tue Jun 10 11:26:00 IST 2025] Close and reopen your terminal to start using acme.sh
  [Tue Jun 10 11:26:04 IST 2025] OK
  [Tue Jun 10 11:26:04 IST 2025] Install success!

 

Step 2: Issue the Certificate (Manual DNS Validation)  


Run the following command to request a wildcard SSL certificate:

  cd ~/.acme.sh && ./acme.sh --issue --dns -d "*.vergecloud.site" -d "vergecloud.site" --yes-I-know-dns-manual-mode-enough-go-ahead-please

  $ ./acme.sh --issue --dns -d "*.vergecloud.site" -d "vergecloud.site" --yes-I-know-dns-manual-mode-enough-go-ahead-please
  [Tue Jun 10 11:27:21 IST 2025] Using CA: https://acme.zerossl.com/v2/DV90
  [Tue Jun 10 11:27:21 IST 2025] Creating domain key
  [Tue Jun 10 11:27:21 IST 2025] The domain key is here: /Users/user1/.acme.sh/*.vergecloud.site/*.vergecloud.site.key
  [Tue Jun 10 11:27:21 IST 2025] Multi domain='DNS:*.vergecloud.site,DNS:vergecloud.site'
  [Tue Jun 10 11:27:22 IST 2025] Getting domain auth token for each domain
  [Tue Jun 10 11:27:57 IST 2025] Getting webroot for domain='*.vergecloud.site'
  [Tue Jun 10 11:27:58 IST 2025] Getting webroot for domain='vergecloud.site'
  [Tue Jun 10 11:27:58 IST 2025] Add the following TXT record:
  [Tue Jun 10 11:27:58 IST 2025] Domain: '_acme-challenge.vergecloud.site'
  [Tue Jun 10 11:27:58 IST 2025] TXT value: 'T47iU3O8S35KVzJbNQGMA_8LLctGBWcBbtw5-JJJjzs'
  [Tue Jun 10 11:27:58 IST 2025] Please be aware that you prepend _acme-challenge. before your domain
  [Tue Jun 10 11:27:58 IST 2025] so the resulting subdomain will be: _acme-challenge.vergecloud.site
  [Tue Jun 10 11:27:58 IST 2025] Add the following TXT record:
  [Tue Jun 10 11:27:58 IST 2025] Domain: '_acme-challenge.vergecloud.site'
  [Tue Jun 10 11:27:58 IST 2025] TXT value: 'mNOdJHuy0IAgo-8JcLp18SzIjHzyXeniBCNpk1jNq84'
  [Tue Jun 10 11:27:58 IST 2025] Please be aware that you prepend _acme-challenge. before your domain
  [Tue Jun 10 11:27:58 IST 2025] so the resulting subdomain will be: _acme-challenge.vergecloud.site
  [Tue Jun 10 11:27:58 IST 2025] Please add the TXT records to the domains, and re-run with --renew.
  [Tue Jun 10 11:27:58 IST 2025] Please add '--debug' or '--log' to check more details.
  [Tue Jun 10 11:27:58 IST 2025] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

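acme.sh prints the TXT records you need to add. The wildcard and the bare domain each get their own value, and both are added as separate TXT records on the same name, _acme-challenge.vergecloud.site.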




Wait for DNS Propagation

It may take a few minutes for the changes to propagate. 

Verify with dig or an online DNS checker. Both TXT values must be returned:


  $ dig txt _acme-challenge.vergecloud.site +short
  "mNOdJHuy0IAgo-8JcLp18SzIjHzyXeniBCNpk1jNq84"
  "T47iU3O8S35KVzJbNQGMA_8LLctGBWcBbtw5-JJJjzs"
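
One way to script this check before moving on to Step 3, as an added example that is not part of acme.sh or of the original guide: it extracts the TXT values from saved acme.sh output and asks each authoritative nameserver for them directly. The script name check-acme-txt.sh and the log file issue.log are assumptions, and dig must be on the PATH.

```shell
#!/bin/sh
# Added example, not part of acme.sh: confirm that every TXT value acme.sh
# asked for is served by every authoritative nameserver before using --renew.

# Two lines in the format of the Step 2 output (values as shown in this guide).
SAMPLE_LOG="[Tue Jun 10 11:27:58 IST 2025] TXT value: 'T47iU3O8S35KVzJbNQGMA_8LLctGBWcBbtw5-JJJjzs'
[Tue Jun 10 11:27:58 IST 2025] TXT value: 'mNOdJHuy0IAgo-8JcLp18SzIjHzyXeniBCNpk1jNq84'"

# stdin: saved acme.sh output -> stdout: one challenge value per line.
extract_txt_values() {
    sed -n "s/.*TXT value: '\([A-Za-z0-9_-]*\)'.*/\1/p"
}

# stdin: `dig +short TXT` output -> stdout: unquoted values, one per line.
normalise_dig() {
    sed -e 's/" "//g' -e 's/"//g' -e '/^$/d'
}

# $1 = expected values, $2 = published values (both newline-separated).
# Prints each expected value that is absent; returns 1 if any is missing.
missing_values() {
    rc=0
    for v in $1; do
        # -x -F: exact whole-line match; -- because values may start with "-".
        printf '%s\n' "$2" | grep -qxF -- "$v" || { printf '%s\n' "$v"; rc=1; }
    done
    return "$rc"
}

# $1 = zone, $2 = expected values. Asks each authoritative server directly so
# a caching resolver cannot mask a server that has not picked up the records.
check_published() {
    seen=0; status=0
    for ns in $(dig +short NS "$1"); do
        seen=1
        published=$(dig +short TXT "_acme-challenge.$1" "@$ns" | normalise_dig)
        if miss=$(missing_values "$2" "$published"); then
            echo "ok    $ns"
        else
            echo "wait  $ns is missing: $(echo $miss)"; status=1
        fi
    done
    [ "$seen" -eq 1 ] || { echo "no NS records found for $1" >&2; return 2; }
    return "$status"
}

# Usage (hypothetical file names): sh check-acme-txt.sh vergecloud.site issue.log
if [ "$#" -eq 2 ]; then
    check_published "$1" "$(extract_txt_values < "$2")"
fi
```

A non-zero exit status means at least one nameserver is not yet serving both values, so re-running with --renew at that point is likely to fail validation.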



Step 3: Re-run the Command with --renew  

Once the TXT records are live:

  $ ./acme.sh --issue --dns -d "*.vergecloud.site" -d "vergecloud.site" --yes-I-know-dns-manual-mode-enough-go-ahead-please --renew
  [Tue Jun 10 12:00:23 IST 2025] Renew: '*.vergecloud.site'
  [Tue Jun 10 12:00:25 IST 2025] Using CA: https://acme.zerossl.com/v2/DV90
  [Tue Jun 10 12:00:25 IST 2025] Multi domain='DNS:*.vergecloud.site,DNS:vergecloud.site'
  [Tue Jun 10 12:00:25 IST 2025] Getting domain auth token for each domain
  [Tue Jun 10 12:00:25 IST 2025] Verifying: *.vergecloud.site
  [Tue Jun 10 12:00:47 IST 2025] Processing, The CA is processing your order, please just wait. (1/30)
  [Tue Jun 10 12:01:00 IST 2025] Success
  [Tue Jun 10 12:01:00 IST 2025] Verifying: vergecloud.site
  [Tue Jun 10 12:01:02 IST 2025] Processing, The CA is processing your order, please just wait. (1/30)
  [Tue Jun 10 12:01:09 IST 2025] Success
  [Tue Jun 10 12:01:09 IST 2025] Verify finished, start to sign.
  [Tue Jun 10 12:01:09 IST 2025] Lets finalize the order.
  [Tue Jun 10 12:01:09 IST 2025] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/8kwX***/finalize'
  [Tue Jun 10 12:01:11 IST 2025] Order status is processing, lets sleep and retry.
  [Tue Jun 10 12:01:11 IST 2025] Retry after: 15
  [Tue Jun 10 12:01:28 IST 2025] Polling order status: https://acme.zerossl.com/v2/DV90/order/8kwX***
  [Tue Jun 10 12:01:31 IST 2025] Downloading cert.
  [Tue Jun 10 12:01:31 IST 2025] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/iJCW***'
  [Tue Jun 10 12:01:38 IST 2025] Cert success.
  -----BEGIN CERTIFICATE-----
  MIIGgDC***
  -----END CERTIFICATE-----
  [Tue Jun 10 12:01:38 IST 2025] Your cert is in: /Users/user1/.acme.sh/*.vergecloud.site/*.vergecloud.site.cer
  [Tue Jun 10 12:01:38 IST 2025] Your cert key is in: /Users/user1/.acme.sh/*.vergecloud.site/*.vergecloud.site.key
  [Tue Jun 10 12:01:38 IST 2025] The intermediate CA cert is in: /Users/user1/.acme.sh/*.vergecloud.site/ca.cer
  [Tue Jun 10 12:01:38 IST 2025] And the full chain certs is there: /Users/user1/.acme.sh/*.vergecloud.site/fullchain.cer

The output above shows the successful verification of both names, followed by the certificate download.



Step 4: Locate Your Certificate Files  

After successful issuance, the certificate files are saved in the locations reported at the end of the output. The directory name contains a literal *, so quote these paths when you use them in a shell. The .key file is the private key; keep it readable only by the account that needs it.


  [Tue Jun 10 12:01:38 IST 2025] Your cert is in: /Users/user1/.acme.sh/*.vergecloud.site/*.vergecloud.site.cer
  [Tue Jun 10 12:01:38 IST 2025] Your cert key is in: /Users/user1/.acme.sh/*.vergecloud.site/*.vergecloud.site.key
  [Tue Jun 10 12:01:38 IST 2025] The intermediate CA cert is in: /Users/user1/.acme.sh/*.vergecloud.site/ca.cer
  [Tue Jun 10 12:01:38 IST 2025] And the full chain certs is there: /Users/user1/.acme.sh/*.vergecloud.site/fullchain.cer


Conclusion  

acme.sh with manual DNS validation offers a flexible way to generate wildcard SSL certificates, especially when DNS APIs aren't available. Though it requires manual DNS setup, it's reliable for securing your domain and subdomains. Once configured, it supports easy renewals and broad server compatibility. Keep in mind that in manual DNS mode acme.sh cannot renew the certificate automatically: each renewal repeats the TXT record step with new values.

 

 
