Issue a wildcard Let’s Encrypt SSL certificate in Plesk (DNS challenge)

A wildcard SSL certificate secures all subdomains under your domain, for example: *.example.com. This is useful when you host multiple subdomains or use dynamic subdomains.

On GARMTECH Hosting you can issue a free wildcard certificate using Let’s Encrypt in Plesk. Wildcard certificates require a DNS‑01 verification (TXT record _acme-challenge).

Before you start

• You need access to your domain’s DNS records (either in Plesk DNS or at an external DNS provider such as Cloudflare).
• If your domain uses GARMTECH nameservers (ns1.garmtech.com, ns2.garmtech.com, ns3.garmtech.com) and DNS is managed in Plesk, Plesk can usually add the TXT record automatically.
• If DNS is external, you will add the TXT record manually.

Step 1 — Open Let’s Encrypt in Plesk

1. Log in to Plesk (open it from My.GARMTECH).
2. Go to Websites & Domains and select your domain.
3. Find Let’s Encrypt (sometimes shown as SSL/TLS Certificates → Get it free).

Step 2 — Request the wildcard certificate

1. Select the wildcard option for your domain: *.example.com.
2. We strongly recommend including the main domain example.com in the same certificate (many setups need both).
3. Click Install / Get it free.

Step 3 — Complete DNS verification (TXT record)

Plesk will either create the TXT record automatically or show you the exact record name and value to add:

• Record name: _acme-challenge.example.com (or just _acme-challenge, depending on DNS editor)
• Record type: TXT
• Record value: a unique token provided by Let’s Encrypt/Plesk

1. Add the TXT record in your DNS zone.
2. Wait until the record resolves (DNS caching can delay it).
3. Return to Plesk and click Continue to finish issuing the certificate.

Step 4 — Assign the certificate to your website

After the certificate is issued, make sure it is selected for the domain:

1. Go to Websites & Domains → your domain → Hosting Settings (or SSL/TLS Certificates depending on Plesk view).
2. Select the new Let’s Encrypt certificate for HTTPS.
3. Enable Permanent SEO-safe 301 redirect from HTTP to HTTPS if you want all visitors to use HTTPS.

Troubleshooting tips

• Validation failed / DNS problem: double-check that the TXT record is created in the correct DNS zone and is visible publicly.
• CAA record prevents issuance: if you use CAA DNS records, ensure Let’s Encrypt is allowed.
• External DNS + auto-renew: for wildcard certificates, renewal requires DNS access. If your DNS provider cannot be updated automatically, you may need to repeat the TXT verification during renewal.