Nginx Proxy Manager – SSL Wildcard Certs

What is an SSL Wildcard Cert and how does it work on the Nginx Proxy Manager? A Wildcard Cert is a certificate that is valid not just for one specific domain or subdomain but for a whole set of them. It contains a wildcard, written as * in the domain name, which is a placeholder for any single DNS label. So a certificate for *.example.com is valid for api.example.com, de.example.com and every other direct subdomain of example.com. It is not valid for example.com itself, nor for deeper names such as dev.api.example.com, which is why you normally request both example.com and *.example.com in one certificate. This can be obtained easily in the SSL Certificates section of the Nginx Proxy Manager.

This is very useful when you don't yet know which subdomains you will add later and don't want to request a new certificate every time. Another case is a website hosted in several languages, where the current language is selected by a subdomain.
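To make the coverage rules above concrete, here is an added example (not code from the original article or from Nginx Proxy Manager) that implements the hostname matching a browser or TLS library applies to a certificate's Subject Alternative Names (RFC 6125, section 6.4.3). The SAN list and host names are constructed for illustration.

```python
"""Which names does a wildcard certificate actually cover?

A '*' in a SAN matches exactly one DNS label, and only the left-most one.
That is the rule TLS clients enforce, so it decides what your wildcard
certificate is good for.
"""


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if the SAN `pattern` covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire left-most label (*.example.com).
    # Partial wildcards (f*.example.com) or wildcards deeper in the name
    # are not accepted by clients, so they are rejected here as well.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # '*' stands for exactly one label, so the label counts must be equal:
    # *.example.com covers api.example.com but not example.com or
    # dev.api.example.com.
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def covered_by_cert(san_list: list[str], hostname: str) -> bool:
    """A certificate covers a host if any of its SAN entries matches."""
    return any(wildcard_matches(san, hostname) for san in san_list)


# Constructed example: the SANs you get when you enter both "example.com"
# and "*.example.com" in the Nginx Proxy Manager certificate form.
CERT_SANS = ["example.com", "*.example.com"]

if __name__ == "__main__":
    for host in ["example.com", "de.example.com", "api.example.com",
                 "dev.api.example.com", "example.org"]:
        print(f"{host:22} covered={covered_by_cert(CERT_SANS, host)}")
```

Run it and note that dev.api.example.com is not covered even though it sits under example.com: a second-level wildcard needs its own *.api.example.com entry (and its own DNS validation).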

In this case you can't validate ownership with a simple HTTP challenge. An HTTP challenge only proves that you control the web server behind one specific host name. Someone may control one part of a DNS zone, such as a single subdomain, without controlling the entire domain, and with an HTTP challenge alone they could obtain a wildcard certificate that also covers subdomains they don't own. That would be a big security risk, so the HTTP challenge is not accepted for wildcard certificates. Instead, we use something called a DNS challenge.

A DNS challenge validates more than a specific domain or subdomain. To pass it, you need to prove that you control the DNS zone of the domain you want the wildcard certificate for, by publishing a TXT record that the certificate authority then looks up. Depending on your DNS provider the setup is different, but it is usually documented on the provider's website. In most cases you need to create an API token that you enter in the Nginx Proxy Manager, which uses it to create the TXT record for you (and to remove it again once validation is done).

Of course, I can't show this for every single DNS provider. Let me do a short demonstration with Cloudflare and DigitalOcean.

Nginx Proxy Manager

In the Nginx Proxy Manager, enable "Use a DNS Challenge" and select your DNS provider. Then follow your DNS provider's instructions on how to create an access token.

Once you have created the access token, paste it into the "Credentials File Content" field, replacing the placeholder value in the pre-filled line. The token is stored in clear text on the Nginx Proxy Manager host, so treat that host like any other secret store.

On Cloudflare

On Cloudflare you will find the "API Tokens" section in the web UI under your profile. Create a new token with the Zone > DNS > Edit permission (Edit already includes read access). Under Zone Resources, include only the zone(s) you want to issue certificates for rather than all zones, so the token can't change records anywhere else. Then create the token and copy it; it can alter your DNS records, so treat it like a password.

On DigitalOcean

On DigitalOcean you will find the API tokens in the "Account" section. Generate a new token and make sure "Write" access is selected, since the challenge has to create a TXT record. For security reasons the token is shown only once after creation, so copy it right away.