DNS-01 challenge for wildcard domains

The DNS-01 challenge is the only ACME challenge that supports wildcard domain validation. The HTTP-01 challenge does not support wildcard domains.

Use this method when you automate certificate issuance and renewal for wildcard domains and control the domain's DNS records.

Notice

The DNS-01 challenge validates the base domain and the wildcard simultaneously. For example, validating _acme-challenge.example.com covers both example.com and *.example.com.

The ACME client creates a DNS TXT record containing the required validation parameter and the DigiCert-generated random value.

To validate the domain using DNS-01:

  • Configure the ACME client with your DigiCert ACME directory URL and credentials.

  • Allow the ACME client to create a DNS TXT record for _acme-challenge.yourdomain.com.

  • Ensure that DNS propagation completes.

  • Complete the challenge through the ACME client.

DigiCert validates the domain when it detects the DNS TXT record containing the correct DigiCert-generated random value.

Requirements

  • The ACME client must have API access to the domain's DNS provider to create and remove TXT records automatically.

  • DNS propagation time must be accounted for before DigiCert checks for the record.

  • For automation options specific to the DNS-01 challenge, see Automating the DNS-01 challenge.

Common configuration issues

  1. The TXT record is created on the wrong hostname. The record must be on _acme-challenge.yourdomain.com, not on *.yourdomain.com.

  2. DNS propagation is incomplete. Allow additional time before DigiCert checks for the record.

  3. The ACME client does not have API access to the DNS provider. Without automation, the DNS TXT record must be created and removed manually for every certificate renewal.
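As an added example (not DigiCert's code and not part of this page), the following Python shows what the validation steps above and the three configuration issues just listed look like in practice: it computes the TXT value an RFC 8555 client publishes for a DNS-01 challenge and then checks a resolver's answer for the record on the wrong hostname, a record that has not propagated yet, and a stale value. RFC 8555 defines the TXT value as base64url(SHA-256(token "." account-key-thumbprint)), where the token is the CA-generated random value the page refers to. The token, account key and zone contents are constructed for the example, and the names TOKEN, ACCOUNT_JWK and check_dns01 are this example's own, not DigiCert's.

```python
import base64
import hashlib
import json
from typing import Dict, List

# Constructed sample data (not a real order or key): a challenge token as the CA
# would return it, and the public part of the ACME account key as a JWK.
TOKEN = "constructed-challenge-token-3kQ9vP"
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "constructed-x-coordinate-not-a-real-point",
    "y": "constructed-y-coordinate-not-a-real-point",
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 over the key's required members, lexically sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def expected_txt_value(token: str, jwk: Dict[str, str]) -> str:
    """RFC 8555 section 8.4: TXT value = base64url(SHA-256(token "." thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_name(domain: str) -> str:
    """Map a domain (wildcard or not) to the FQDN that must carry the TXT record.

    A wildcard and its base domain share one record, so '*.example.com' and
    'example.com' both validate via '_acme-challenge.example.com.'.
    """
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base.rstrip('.')}."


def check_dns01(domain: str, token: str, jwk: Dict[str, str], zone: Dict[str, List[str]]) -> List[str]:
    """Pre-flight check before asking the CA to validate.

    `zone` stands in for a resolver answer: FQDN (with trailing dot) -> TXT strings.
    Returns a list of problems; an empty list means the record is ready.
    """
    problems: List[str] = []
    name = challenge_name(domain)
    expected = expected_txt_value(token, jwk)
    values = zone.get(name, [])
    if not values:
        problems.append(f"no TXT record at {name} (not yet created, or not yet propagated)")
        # Issue 1 on the page: the value was published on the wildcard name or the apex instead.
        base = name[len("_acme-challenge."):]
        for wrong in (f"*.{base}", base):
            if expected in zone.get(wrong, []):
                problems.append(f"challenge value found on {wrong} instead of {name}")
    elif expected not in values:
        # Record exists but carries a value from an earlier order or a different account key.
        problems.append(f"TXT record at {name} present but no value matches (stale token or wrong account key?)")
    return problems


if __name__ == "__main__":
    value = expected_txt_value(TOKEN, ACCOUNT_JWK)
    print("publish:", challenge_name("*.example.com"), "TXT", value)
    # Constructed zone states: correct, wrong hostname, and not yet visible.
    correct = {"_acme-challenge.example.com.": [value]}
    misplaced = {"*.example.com.": [value]}
    for label, zone in (("correct", correct), ("misplaced", misplaced), ("missing", {})):
        print(label, "->", check_dns01("*.example.com", TOKEN, ACCOUNT_JWK, zone) or "ready")
```

In a real deployment the `zone` argument would be filled from a query against the authoritative name servers (not a caching resolver) so that the propagation check reflects what the CA will see; the remaining logic is unchanged.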

What's next

See Automatic domain control validation (DCV) check to understand how DigiCert automatically checks for validation artifacts without manual intervention.