How to Generate a Wildcard SSL Certificate Using acme.sh (DNS Manual Mode)

Overview

This guide explains the complete process of installing acme.sh and generating a wildcard SSL certificate for your domain (for example: vergecloud.site) using ZeroSSL with manual DNS verification. The steps are written in a clear, practical manner so that even if you are using this method for the first time, you can follow along without confusion. Manual DNS validation is particularly useful when your DNS provider does not support an API-based automated process or when you prefer to have full control over each verification step.

Wildcard certificates are important when you are managing multiple subdomains and want a single certificate to secure all of them at once. Manual DNS verification ensures that the certificate authority can confirm domain ownership before issuing the SSL certificate. Because this method relies on TXT records, it works across virtually any DNS platform.

Prerequisites  

Before you start, keep the following ready.

  1. A registered domain name
  2. Access to your DNS provider so you can add TXT records
  3. A macOS Terminal or any Unix-like shell where you can run basic commands

Step 1: Install acme.sh  

Open your terminal and run the following command to install acme.sh, a lightweight and fully functional ACME protocol client used to issue SSL certificates from providers like Let's Encrypt and ZeroSSL:
curl https://get.acme.sh | sh -s email=my@example.com
$ curl https://get.acme.sh | sh -s email=my@example.com
[Tue Jun 10 11:25:59 IST 2025] Installing from online archive.
[Tue Jun 10 11:25:59 IST 2025] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Tue Jun 10 11:26:00 IST 2025] Close and reopen your terminal to start using acme.sh
[Tue Jun 10 11:26:04 IST 2025] OK
[Tue Jun 10 11:26:04 IST 2025] Install success!

Step 2: Issue the Certificate (Manual DNS Validation)  

Run the following command to request a wildcard SSL certificate:
cd ~/acme && ./acme.sh --issue --dns -d "*.vergecloud.site" -d "vergecloud.site" --yes-I-know-dns-manual-mode-enough-go-ahead-please
$ ./acme.sh --issue --dns -d "*.vergecloud.site" -d "vergecloud.site" --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Tue Jun 10 11:27:21 IST 2025] Using CA: https://acme.zerossl.com/v2/DV90
[Tue Jun 10 11:27:21 IST 2025] Creating domain key
[Tue Jun 10 11:27:21 IST 2025] The domain key is here: /Users/user1/.acme.sh/*.vergecloud.site/*.vergecloud.site.key
[Tue Jun 10 11:27:21 IST 2025] Multi domain='DNS:*.vergecloud.site,DNS:vergecloud.site'
[Tue Jun 10 11:27:22 IST 2025] Getting domain auth token for each domain
[Tue Jun 10 11:27:57 IST 2025] Getting webroot for domain='*.vergecloud.site'
[Tue Jun 10 11:27:58 IST 2025] Getting webroot for domain='vergecloud.site'
[Tue Jun 10 11:27:58 IST 2025] Add the following TXT record:
[Tue Jun 10 11:27:58 IST 2025] Domain: '_acme-challenge.vergecloud.site'
[Tue Jun 10 11:27:58 IST 2025] TXT value: 'T47iU3O8S35KVzJbNQGMA_8LLctGBWcBbtw5-JJJjzs'
[Tue Jun 10 11:27:58 IST 2025] Please be aware that you prepend _acme-challenge. before your domain
[Tue Jun 10 11:27:58 IST 2025] so the resulting subdomain will be: _acme-challenge.vergecloud.site
[Tue Jun 10 11:27:58 IST 2025] Add the following TXT record:
[Tue Jun 10 11:27:58 IST 2025] Domain: '_acme-challenge.vergecloud.site'
[Tue Jun 10 11:27:58 IST 2025] TXT value: 'mNOdJHuy0IAgo-8JcLp18SzIjHzyXeniBCNpk1jNq84'
[Tue Jun 10 11:27:58 IST 2025] Please be aware that you prepend _acme-challenge. before your domain
[Tue Jun 10 11:27:58 IST 2025] so the resulting subdomain will be: _acme-challenge.vergecloud.site
[Tue Jun 10 11:27:58 IST 2025] Please add the TXT records to the domains, and re-run with --renew.
[Tue Jun 10 11:27:58 IST 2025] Please add '--debug' or '--log' to check more details.

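acme.sh prints the TXT records to add. Create both of them at your DNS provider under _acme-challenge.vergecloud.site: the wildcard and the base domain are validated at the same record name, so both values must be published at the same time.
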
Wait for DNS Propagation
It may take a few minutes for the changes to propagate. 

Verify using Dig or DNS Checker: 
 $ dig txt _acme-challenge.vergecloud.site +short
 "mNOdJHuy0IAgo-8JcLp18SzIjHzyXeniBCNpk1jNq84"
 "T47iU3O8S35KVzJbNQGMA_8LLctGBWcBbtw5-JJJjzs"
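
The check above can be scripted so that a missing record is caught before Step 3. The following is an added example, not part of acme.sh or of the original guide; the function names are hypothetical, and it only compares the acme.sh output text with the text returned by dig.

```sh
#!/bin/sh
# Added example: confirm that every TXT value acme.sh asked for is published
# before re-running with --renew. Function names are hypothetical.

# Print the TXT values requested in the acme.sh --issue output, one per line.
expected_txt() {
  printf '%s\n' "$1" | sed -n "s/.*TXT value: '\([^']*\)'.*/\1/p"
}

# Normalise `dig ... +short` TXT output: strip whitespace and double quotes.
published_txt() {
  printf '%s\n' "$1" | sed -e 's/^[[:space:]]*"//' -e 's/"[[:space:]]*$//'
}

# Print each expected value that is absent from the published set.
# Returns 0 only when nothing is missing.
missing_txt() {
  pub=$(published_txt "$2")
  missing=0
  for v in $(expected_txt "$1"); do
    # -F fixed string, -x whole line; "--" because values may start with "-"
    if ! printf '%s\n' "$pub" | grep -Fqx -- "$v"; then
      printf '%s\n' "$v"
      missing=1
    fi
  done
  return "$missing"
}

# Sample input: the two "TXT value" lines from the Step 2 output.
ACME_LOG="[Tue Jun 10 11:27:58 IST 2025] TXT value: 'T47iU3O8S35KVzJbNQGMA_8LLctGBWcBbtw5-JJJjzs'
[Tue Jun 10 11:27:58 IST 2025] TXT value: 'mNOdJHuy0IAgo-8JcLp18SzIjHzyXeniBCNpk1jNq84'"
# Constructed resolver answer: the second record replaced the first
# instead of being added next to it.
DIG_PARTIAL='"mNOdJHuy0IAgo-8JcLp18SzIjHzyXeniBCNpk1jNq84"'

if lacking=$(missing_txt "$ACME_LOG" "$DIG_PARTIAL"); then
  echo "all TXT records published; re-run with --renew"
else
  echo "not yet published: $lacking"
fi
```

For a live check, pass the saved Step 2 output as the first argument and "$(dig txt _acme-challenge.vergecloud.site +short)" as the second.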

Step 3: Re-run the Command with --renew  

Once the TXT records are live, re-run the same command with --renew appended:

 ./acme.sh --issue --dns -d "*.vergecloud.site"  -d "vergecloud.site"   --yes-I-know-dns-manual-mode-enough-go-ahead-please --renew
 [Tue Jun 10 12:00:23 IST 2025] Renew: '*.vergecloud.site'
 [Tue Jun 10 12:00:25 IST 2025] Using CA: https://acme.zerossl.com/v2/DV90
 [Tue Jun 10 12:00:25 IST 2025] Multi domain='DNS:*.vergecloud.site,DNS:vergecloud.site'
 [Tue Jun 10 12:00:25 IST 2025] Getting domain auth token for each domain
 [Tue Jun 10 12:00:25 IST 2025] Verifying: *.vergecloud.site
 [Tue Jun 10 12:00:47 IST 2025] Processing, The CA is processing your order, please just wait. (1/30)
 [Tue Jun 10 12:01:00 IST 2025] Success
 [Tue Jun 10 12:01:00 IST 2025] Verifying: vergecloud.site
 [Tue Jun 10 12:01:02 IST 2025] Processing, The CA is processing your order, please just wait. (1/30)
 [Tue Jun 10 12:01:09 IST 2025] Success
 [Tue Jun 10 12:01:09 IST 2025] Verify finished, start to sign.
 [Tue Jun 10 12:01:09 IST 2025] Lets finalize the order.
 [Tue Jun 10 12:01:09 IST 2025] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/8kwX***/finalize'
 [Tue Jun 10 12:01:11 IST 2025] Order status is processing, lets sleep and retry.
 [Tue Jun 10 12:01:11 IST 2025] Retry after: 15
 [Tue Jun 10 12:01:28 IST 2025] Polling order status: https://acme.zerossl.com/v2/DV90/order/8kwX***
 [Tue Jun 10 12:01:31 IST 2025] Downloading cert.
 [Tue Jun 10 12:01:31 IST 2025] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/iJCW***'
 [Tue Jun 10 12:01:38 IST 2025] Cert success.
-----BEGIN CERTIFICATE-----
MIIGgDC***
-----END CERTIFICATE-----
[Tue Jun 10 12:01:38 IST 2025] Your cert is in: /Users/user1/.acme.sh/*.vergecloud.site/*.vergecloud.site.cer
[Tue Jun 10 12:01:38 IST 2025] Your cert key is in: /Users/user1/.acme.sh/*.vergecloud.site/*.vergecloud.site.key
[Tue Jun 10 12:01:38 IST 2025] The intermediate CA cert is in: /Users/user1/.acme.sh/*.vergecloud.site/ca.cer
[Tue Jun 10 12:01:38 IST 2025] And the full chain certs is there: /Users/user1/.acme.sh/*.vergecloud.site/fullchain.cer

The output above shows a successful verification for both names, followed by the certificate download.

Step 4: Locate Your Certificate Files  

After successful issuance, the certificate files are saved in:

[Tue Jun 10 12:01:38 IST 2025] Your cert is in: /Users/user1/.acme.sh/*.vergecloud.site/*.vergecloud.site.cer
[Tue Jun 10 12:01:38 IST 2025] Your cert key is in: /Users/user1/.acme.sh/*.vergecloud.site/*.vergecloud.site.key
[Tue Jun 10 12:01:38 IST 2025] The intermediate CA cert is in: /Users/user1/.acme.sh/*.vergecloud.site/ca.cer
[Tue Jun 10 12:01:38 IST 2025] And the full chain certs is there: /Users/user1/.acme.sh/*.vergecloud.site/fullchain.cer

Conclusion

Using acme.sh with ZeroSSL’s manual DNS validation is one of the most reliable ways to generate wildcard SSL certificates, especially when your DNS provider does not offer API access. Although it requires manually adding TXT records, the process is transparent and ensures that you retain full control over ownership verification. Manual mode does not renew automatically; once configured, the same steps can be repeated for each renewal, making it a dependable long-term solution for securing your domain and all its subdomains.