How I Set Up Automatic Wildcard + Root SSL Using My Own acme-dns

(Works with any DNS provider, even without DNS API)

Getting automatic SSL for both root and wildcard domains is easy — until your DNS provider doesn’t offer a DNS API, or you want full control.

This post documents exactly how I set up:

  • ✅ Automatic SSL renewal
  • ✅ Root domain (shoppnn.com)
  • ✅ Wildcard domain (*.shoppnn.com)
  • ✅ Let’s Encrypt
  • ✅ Self-hosted acme-dns
  • ✅ DNS hosted on ResellerClub
  • ✅ SSL deployed via aaPanel

Why This Setup?

The Problem

  • DNS provider does not provide a reliable API
  • Wildcard SSL requires DNS-01 validation
  • Manual TXT updates every 90 days are not scalable

The Solution

Run a tiny authoritative DNS server (acme-dns) for one sub-zone, auth.acme-dns.shoppnn.com, and point _acme-challenge.shoppnn.com at it with a CNAME. Let's Encrypt follows the CNAME, so the TXT challenge records are answered by acme-dns, which acme.sh updates through a local HTTP API. The production zone at ResellerClub is never touched again after the one-time records are added.


Architecture Overview

Issuance (driven by acme.sh on the web server):

acme.sh  --(ACME order, DNS-01 challenge)-->  Let's Encrypt
acme.sh  --(HTTP API on localhost)-->  acme-dns (self-hosted): stores the challenge TXT value

Validation (driven by Let's Encrypt):

Let's Encrypt resolves _acme-challenge.shoppnn.com
     ↓
ResellerClub DNS answers with a CNAME to <UUID>.auth.acme-dns.shoppnn.com
     ↓
NS delegation for auth.acme-dns.shoppnn.com sends the query to the acme-dns host
     ↓
acme-dns answers the TXT query with the value acme.sh just stored

Step 1: Install acme.sh

curl https://get.acme.sh | sh
source ~/.bashrc
acme.sh --register-account \
  -m your@email.com \
  --server letsencrypt

Step 2: Install & Configure acme-dns

wget https://github.com/joohoi/acme-dns/releases/latest/download/acme-dns-linux-amd64
mv acme-dns-linux-amd64 /usr/local/bin/acme-dns
chmod +x /usr/local/bin/acme-dns
mkdir -p /etc/acme-dns /var/lib/acme-dns

acme-dns reads /etc/acme-dns/config.cfg by default. Port 53 must be free (systemd-resolved often holds it on 127.0.0.53), and the process needs to keep running, so start it under systemd or another supervisor rather than from a shell. The [api] section in the original post bound the API to 0.0.0.0:8080; acme-dns actually takes separate ip and port keys, and since acme.sh runs on the same host the API should only listen on 127.0.0.1. The records list is what makes this server authoritative for the sub-zone; <ACME_DNS_PUBLIC_IP> is a placeholder for the server's public address.

[general]
listen = "0.0.0.0:53"
protocol = "both"              # UDP and TCP; resolvers retry large answers over TCP
domain = "auth.acme-dns.shoppnn.com"
nsname = "auth.acme-dns.shoppnn.com"
nsadmin = "admin.shoppnn.com"   # hostmaster mailbox, @ written as .
records = [
    "auth.acme-dns.shoppnn.com. A <ACME_DNS_PUBLIC_IP>",
    "auth.acme-dns.shoppnn.com. NS auth.acme-dns.shoppnn.com.",
]

[api]
ip = "127.0.0.1"               # plain HTTP, so never expose it beyond this host
port = "8080"
tls = "none"
disable_registration = false   # flip to true after Step 3

[database]
engine = "sqlite3"
connection = "/var/lib/acme-dns/acme-dns.db"

Step 3: Register acme-dns Account

curl -X POST http://127.0.0.1:8080/register

The reply is JSON with four fields you need: "username" and "password" (the API credentials acme.sh will send as the X-Api-User and X-Api-Key headers), "fulldomain" (<UUID>.auth.acme-dns.shoppnn.com, the CNAME target for Step 5) and "subdomain" (the <UUID> alone). Save the reply; the password cannot be retrieved later. Registration also accepts a JSON body of the form {"allowfrom": ["127.0.0.1/32"]} that restricts which source addresses may update this account's TXT record. Use it, and once the account exists set disable_registration = true in config.cfg so nobody else can create accounts on your server.

Step 4: Configure acme.sh Environment

acme.sh's dns_acmedns hook reads the variables below (the base URL variable is ACMEDNS_BASE_URL; ACMEDNS_API_BASE is not recognised). After the first successful issue acme.sh saves them in the domain's configuration, so renewals need no separate storage path or re-export.

export ACMEDNS_BASE_URL=http://127.0.0.1:8080
export ACMEDNS_USERNAME=xxxx     # "username" from the Step 3 reply
export ACMEDNS_PASSWORD=xxxx     # "password"
export ACMEDNS_SUBDOMAIN=xxxx    # "subdomain" (the UUID part of "fulldomain")

Step 5: Add DNS Records (One-Time)

At ResellerClub, delegate the acme-dns sub-zone and point the challenge name at it:

Type    Host               Value
A       auth.acme-dns      <ACME_DNS_PUBLIC_IP>
NS      auth.acme-dns      auth.acme-dns.shoppnn.com
CNAME   _acme-challenge    <UUID>.auth.acme-dns.shoppnn.com

<UUID>.auth.acme-dns.shoppnn.com is the "fulldomain" from the Step 3 reply. The A and NS records are what make your acme-dns server authoritative for auth.acme-dns.shoppnn.com; without them Let's Encrypt follows the CNAME to a name nothing answers for. Only _acme-challenge is delegated; every other record in shoppnn.com stays at ResellerClub. Before issuing, confirm the chain from the outside: dig +short CNAME _acme-challenge.shoppnn.com should print the fulldomain, and dig TXT <fulldomain> @auth.acme-dns.shoppnn.com should reach your server.
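Steps 3 to 5 as one script, added here as an example; it is not code from the original post or from the acme-dns or acme.sh projects. It registers with allowfrom set so only the local acme.sh may update the TXT record, parses the JSON reply without jq, prints the acme.sh variables and the CNAME to create, and with the check sub-command compares the live CNAME against the registered name. The API URL, the domain, the 127.0.0.1/32 restriction and the presence of dig are assumptions that match this post's layout.

```sh
#!/bin/sh
# Added example, not code from the original post or from acme-dns/acme.sh.
# Assumptions: acme-dns API on http://127.0.0.1:8080 (same host as acme.sh),
# domain shoppnn.com, dig installed for the "check" sub-command.
set -eu

ACMEDNS_BASE_URL="${ACMEDNS_BASE_URL:-http://127.0.0.1:8080}"
DOMAIN="${DOMAIN:-shoppnn.com}"

# Extract one string field from acme-dns's flat JSON reply (no jq needed).
json_field() {  # json_field '<json>' <key>
  printf '%s' "$1" | sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p"
}

# Register an account that only the local acme.sh may update: allowfrom is
# enforced by acme-dns on the source address of every /update call.
register() {
  curl -sS -X POST "$ACMEDNS_BASE_URL/register" \
    -H 'Content-Type: application/json' \
    -d '{"allowfrom": ["127.0.0.1/32"]}'
}

# The environment acme.sh's dns_acmedns hook expects, built from the reply.
acmesh_env() {  # acmesh_env '<json>'
  printf 'export ACMEDNS_BASE_URL=%s\n' "$ACMEDNS_BASE_URL"
  printf 'export ACMEDNS_USERNAME=%s\n' "$(json_field "$1" username)"
  printf 'export ACMEDNS_PASSWORD=%s\n' "$(json_field "$1" password)"
  printf 'export ACMEDNS_SUBDOMAIN=%s\n' "$(json_field "$1" subdomain)"
}

# The one record to add at the DNS provider, in zone-file form.
cname_record() {  # cname_record <domain> <fulldomain>
  printf '_acme-challenge.%s. CNAME %s.\n' "$1" "$2"
}

# Compare a live CNAME answer (dig +short output) with the registered name.
# Trailing dot and case are normalised so provider formatting cannot cause a
# false alarm; an empty answer (record missing) is a failure.
cname_matches() {  # cname_matches '<dig +short output>' <fulldomain>
  got=$(printf '%s' "$1" | head -n1 | sed 's/\.$//' | tr 'A-Z' 'a-z')
  want=$(printf '%s' "$2" | sed 's/\.$//' | tr 'A-Z' 'a-z')
  [ -n "$got" ] && [ "$got" = "$want" ]
}

case "${1:-}" in
  register)
    reply=$(register)
    acmesh_env "$reply"
    echo "# add at the DNS provider, then run: $0 check $(json_field "$reply" fulldomain)"
    cname_record "$DOMAIN" "$(json_field "$reply" fulldomain)"
    ;;
  check)  # check <fulldomain>: run before the first acme.sh --issue
    live=$(dig +short CNAME "_acme-challenge.$DOMAIN")
    if cname_matches "$live" "${2:?fulldomain required}"; then
      echo "delegation OK: _acme-challenge.$DOMAIN -> $2"
    else
      echo "CNAME missing or wrong, got: '$live'" >&2
      exit 1
    fi
    ;;
esac
```

Run it once with register, paste the printed export lines into the shell that will run acme.sh, add the printed CNAME at the provider, and then run check with the fulldomain until it reports delegation OK. The allowfrom restriction matters because the API speaks plain HTTP: even if the port were ever exposed, a leaked username and password could only be used from 127.0.0.1.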

Step 6: Issue Wildcard + Root SSL

acme.sh --issue \
  --dns dns_acmedns \
  -d shoppnn.com \
  -d '*.shoppnn.com' \
  --dnssleep 120

Both names go on one certificate, which means two TXT values behind the same CNAME; acme-dns supports this because it keeps the two most recent TXT values per subdomain. Run the first attempt against staging (add --server letsencrypt_test) so a typo in the DNS records does not burn production rate limits, then repeat without it.

Step 7: Install the Certificate Where aaPanel Reads It

acme.sh keeps the issued certificate under ~/.acme.sh/ (in shoppnn.com_ecc/ for the default EC key). aaPanel reads a site's certificate from:

/www/server/panel/vhost/cert/shoppnn.com/

as fullchain.pem and privkey.pem. Use acme.sh --install-cert with --key-file and --fullchain-file pointing at those two files and a --reloadcmd that reloads the web server; acme.sh remembers these settings and repeats the copy and the reload after every renewal. Copying the files by hand works once but will not survive the next renewal.

Step 8: Enable SSL via aaPanel UI

  1. Log in to aaPanel
  2. Website → shoppnn.com → Settings
  3. SSL → Other Certificate / Custom SSL
  4. Paste the certificate chain (fullchain.pem) and the private key (privkey.pem) once
  5. Save and enable SSL

This one-time paste makes aaPanel write the files into its certificate directory for the site and point the vhost at them; from then on the renewal job replaces those files in place and the panel never needs to be touched.

Step 9: Automatic Renewal

acme.sh added a cron entry when it was installed in Step 1; confirm it is there:

crontab -l | grep acme.sh
14 2 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"

The daily run renews any certificate older than 60 days. For each renewal acme.sh repeats the DNS-01 exchange through acme-dns with the saved credentials, re-copies the files to the paths given to --install-cert and runs the recorded --reloadcmd, so the web server picks up the new certificate without anyone touching aaPanel. Exercise the whole chain once with acme.sh --renew -d shoppnn.com --force (add --ecc if the certificate was issued with the default EC key) before trusting the cron job.
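Steps 7 to 9 as one script, added here as an example; it is not code from the original post or from the acme.sh or aaPanel projects. The install sub-command registers the aaPanel paths and a reload command with acme.sh --install-cert, which acme.sh then repeats after every cron renewal; the check sub-command is a post-renewal health check that confirms the installed chain and key belong together and that the certificate is not about to expire. The aaPanel certificate directory, the path of aaPanel's bundled nginx, the --ecc flag (default EC key) and the 30-day threshold are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original post: wire acme.sh renewals into
# aaPanel and verify the installed files. Assumed paths: aaPanel's per-site
# certificate dir and its bundled nginx; adjust for Apache or OpenLiteSpeed.
set -eu

DOMAIN="${DOMAIN:-shoppnn.com}"
CERT_DIR="${CERT_DIR:-/www/server/panel/vhost/cert/$DOMAIN}"        # referenced by the aaPanel vhost
RELOAD_CMD="${RELOAD_CMD:-/www/server/nginx/sbin/nginx -s reload}"  # assumption: aaPanel's nginx
ACME_SH="${ACME_SH:-${HOME:-/root}/.acme.sh/acme.sh}"

# Register the install step with acme.sh once. Every later --cron renewal
# rewrites the two files and then runs RELOAD_CMD, so the certificate never
# has to be pasted into the panel again. --ecc selects the EC certificate
# that acme.sh 3.x issues by default; drop it if you used --keylength 2048.
install_cert() {
  mkdir -p "$CERT_DIR"
  "$ACME_SH" --install-cert --ecc -d "$DOMAIN" \
    --key-file "$CERT_DIR/privkey.pem" \
    --fullchain-file "$CERT_DIR/fullchain.pem" \
    --reloadcmd "$RELOAD_CMD"
  chmod 600 "$CERT_DIR/privkey.pem"   # root-only; acme.sh keeps the mode on renewal
}

# True when the certificate's public key is the one derived from the private
# key, i.e. a renewed chain was not written next to a stale key.
cert_key_match() {  # cert_key_match fullchain.pem privkey.pem
  [ -s "$1" ] && [ -s "$2" ] || return 1
  c=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
  k=$(openssl pkey -pubout -in "$2" | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# True when the certificate is still valid for at least $2 more days.
cert_valid_for_days() {  # cert_valid_for_days fullchain.pem <days>
  openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null
}

# Post-renewal health check; non-zero exit makes it usable from monitoring.
check_installed() {  # check_installed [min_days]
  cert_key_match "$CERT_DIR/fullchain.pem" "$CERT_DIR/privkey.pem" \
    || { echo "key/cert mismatch in $CERT_DIR" >&2; return 1; }
  cert_valid_for_days "$CERT_DIR/fullchain.pem" "${1:-30}" \
    || { echo "certificate in $CERT_DIR expires within ${1:-30} days" >&2; return 1; }
  echo "$DOMAIN: certificate installed and valid"
}

case "${1:-}" in
  install) install_cert ;;
  check)   check_installed "${2:-30}" ;;
esac
```

Run install once after Step 6; acme.sh stores the three paths and the reload command in the domain's configuration, which is why the cron entry from Step 9 is enough afterwards. Schedule check (for example daily, after the acme.sh cron time) so a renewal that silently stopped working, say because the acme-dns service died or the CNAME was removed, is noticed while the old certificate is still valid.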

Final Result

  • ✔ Wildcard + Root SSL
  • ✔ Fully automated renewals
  • ✔ Works with any DNS provider that lets you add A, NS and CNAME records
  • ✔ aaPanel compatible

Conclusion

This setup solves wildcard SSL automation when the DNS provider has no usable API. It is a one-time setup; the only moving parts afterwards are the acme-dns service, which must stay up and keep its API off the public internet, and the acme.sh cron job.

Happy automating SSL 🔐