Wildcard SSL Certificates
A wildcard certificate covers *.domain.com — which means one certificate protects your main domain and every subdomain (existing or future) automatically. You don't need to issue a separate certificate for each subdomain.
How it works
Standard Let's Encrypt certificates (the default in Opterius) use HTTP validation: Let's Encrypt checks a file placed at http://yourdomain.com/.well-known/acme-challenge/... to prove you own the domain. This works for individual domains and subdomains, but can't cover *.domain.com because the wildcard pattern can't be verified over HTTP.
Wildcard certificates use DNS validation instead. Let's Encrypt requires you to prove domain ownership by creating a specific _acme-challenge.domain.com TXT record. Opterius handles this automatically using the PowerDNS API built into the panel — no manual DNS editing required.
The issuance flow:
- You click Wildcard SSL and confirm.
- Opterius contacts the PowerDNS API and creates the _acme-challenge TXT record.
- DNS propagates (30–90 seconds).
- Let's Encrypt verifies the TXT record and issues a *.domain.com certificate valid for 90 days.
- The certificate is installed on your nginx vhost for the main domain and all subdomains that previously had individual Let's Encrypt certificates.
- The _acme-challenge TXT record is cleaned up automatically.
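The DNS-01 flow described above, as an added example that is not Opterius code: it reads api-key from pdns.conf text, derives the challenge TXT value from the ACME key authorization, builds the PowerDNS HTTP API rrset bodies for creating and cleaning up the record, and polls for propagation before verification. The function names, retry counts and the injectable lookup/sleep hooks are assumptions; the request shape and the X-API-Key header are the real PowerDNS API.

```python
"""Added example (not Opterius or PowerDNS code). Network calls are left to
the caller: these helpers build the PATCH bodies for
/api/v1/servers/localhost/zones/<domain>. (send with an X-API-Key header)
and check the conditions the page's troubleshooting section refers to."""
import base64
import hashlib
import re
import time
from typing import Callable, List


def read_api_key(pdns_conf: str) -> str:
    """Return the api-key= value from pdns.conf text, ignoring comments.
    Raising here is the "Could not read PowerDNS API key" condition."""
    for line in pdns_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"api-key\s*=\s*(\S+)$", line)
        if m:
            return m.group(1)
    raise RuntimeError("Could not read PowerDNS API key")


def dns01_txt_value(key_authorization: str) -> str:
    """ACME DNS-01 record value: base64url(SHA-256(key authorization)), unpadded."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def challenge_rrset(domain: str, txt_value: str, delete: bool = False) -> dict:
    """PATCH body that creates (changetype REPLACE) or removes (changetype
    DELETE) _acme-challenge.<domain>. PowerDNS wants TXT content quoted."""
    rrset = {"name": f"_acme-challenge.{domain}.", "type": "TXT",
             "changetype": "DELETE" if delete else "REPLACE"}
    if not delete:
        rrset["ttl"] = 60  # short TTL so the cleanup does not linger in caches
        rrset["records"] = [{"content": f'"{txt_value}"', "disabled": False}]
    return {"rrsets": [rrset]}


def wait_for_propagation(lookup: Callable[[str], List[str]], name: str,
                         expected: str, attempts: int = 18,
                         interval_s: float = 5, sleep=time.sleep) -> bool:
    """Poll lookup(name) (e.g. a resolver returning TXT strings) until the
    expected value is visible. False is the "DNS propagation" failure the
    page describes; the record stays in place, so a retry usually succeeds."""
    for attempt in range(attempts):
        if expected in lookup(name):
            return True
        if attempt < attempts - 1:
            sleep(interval_s)
    return False
```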
Requirements
Wildcard SSL requires PowerDNS to be configured as your nameserver. Opterius uses the PowerDNS HTTP API to create and delete the DNS challenge record automatically.
Note: If your domain uses external nameservers (Cloudflare, Namecheap DNS, etc.) instead of the Opterius-managed PowerDNS, wildcard SSL issuance will fail. Use the standard Issue SSL button for individual domain + subdomain certificates in that case.
Issuing a wildcard certificate
- Go to SSL Certificates in the panel sidebar.
- Find your main domain and click Wildcard SSL.
- Review the confirmation dialog and click Issue Wildcard.
- Watch the live progress panel — the five steps complete in roughly 2–3 minutes.
- Once done, the badge updates to Wildcard · Expires ... and all subdomains show Covered by wildcard.
What happens to existing subdomain certificates
When a wildcard certificate is issued:
- Let's Encrypt subdomain certificates are replaced automatically. The subdomain nginx vhosts are updated to use the wildcard certificate, and the old individual certbot certificates are removed.
- Custom (uploaded) subdomain certificates are left untouched. Custom certificates are never overwritten by the wildcard issuance.
Renewal
Wildcard certificates renew the same way as standard certificates — automatically every 60 days via the panel's built-in renewal cron job. The DNS challenge record is created and deleted automatically during each renewal, so no manual action is required.
You can also renew manually at any time using the Renew button on the SSL Certificates page.
Wildcard vs. standard SSL — when to use each
| | Standard SSL | Wildcard SSL |
|---|---|---|
| Covers main domain | ✅ | ✅ |
| Covers subdomains | Per-subdomain only | ✅ All subdomains |
| Nameserver requirement | None | PowerDNS required |
| Issuance time | ~1 minute | ~2–3 minutes |
| Best for | Single domain or a few subdomains | Many subdomains or frequent subdomain creation |
Troubleshooting
"Could not read PowerDNS API key"
The agent cannot find the api-key setting in /etc/powerdns/pdns.conf. Make sure the PowerDNS API is enabled and api-key= is set in the config file.
Issuance fails at "DNS propagation"
The _acme-challenge TXT record was created but Let's Encrypt couldn't verify it within the timeout. This usually means DNS propagation took longer than expected. Click Retry — the record is already in place and the second attempt typically succeeds immediately.
Issuance fails at "Verify with Let's Encrypt"
Check that port 443 is open on your server firewall and that the domain's A record points to the correct server IP.