Information Security

Obtaining and Managing Wildcard HTTPS Certificates with Let's Encrypt and acme.sh (DNS Manual Mode)

This guide explains how to obtain a free wildcard HTTPS certificate from Let's Encrypt using the acme.sh tool in DNS manual mode, covering installation, issuing with DNS TXT records, renewal, and configuring the resulting fullchain and key files for web servers.

System Architect Go

To use HTTPS you must have a certificate issued by a trusted Certificate Authority (CA); Let's Encrypt is a free, widely trusted CA.

The recommended tool is acme.sh, which can request wildcard certificates such as *.x.rifewang.club for a secondary domain like rifewang.club.

Install acme.sh with the command curl https://get.acme.sh | sh. The system must have a cron implementation (cron, crontab, crontabs, or vixie-cron) installed, because the installer registers a cron job.

Issue the certificate in DNS manual mode using: acme.sh --issue --force --dns -d -d \ --yes-I-know-dns-manual-mode-enough-go-ahead-please. Ensure the acme.sh executable is in your PATH or invoke it from its directory.

The --force flag forces re-issue even if the domain was previously validated; the long --yes-I-know-... flag is required because DNS manual mode does not support automatic renewal.

After issuing, add the following TXT records to your DNS provider: _acme-challenge. and _acme-challenge. . These records prove ownership of the domains.

Wait for the DNS TXT records to propagate, taking care to avoid DNS cache issues.

Renew the certificate with: acme.sh --renew --force --dns -d -d \ --yes-I-know-dns-manual-mode-enough-go-ahead-please. The output confirms successful issuance and shows the default storage path ~/.acme.sh/ / .

Configure your web server with the generated fullchain.cer and .key files. For Nginx, point the SSL directives to these files; for cloud services, upload the certificate and key contents.

Note that Let's Encrypt wildcard certificates are valid for three months, and DNS manual mode does not support automatic renewal; you must re-issue and renew manually or automate the process with a script. Other modes of acme.sh support auto-renewal and integration with major cloud providers via API keys.
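The following script is an added example and is not code from the article or from the acme.sh project. It ties the manual-mode steps above (issue, add the TXT records, wait for propagation, renew, install for Nginx) and the renewal caveat into three subcommands, and it checks the _acme-challenge records at the zone's own authoritative nameserver rather than at a caching resolver, which is the usual source of the DNS-cache problem. The domain names, the Nginx certificate directory, the reload command, the acme.sh path and the format of acme.sh's "Domain:" / "TXT value:" output lines are all assumptions; override the variables from the environment.

```shell
#!/bin/sh
# Added example (not from the article or the acme.sh project).
#   issue  -> run acme.sh --issue and save the TXT challenges it prints
#   renew  -> confirm each TXT record is visible at an authoritative
#             nameserver, run --renew, then install the files for Nginx
#   status -> report whether the installed certificate expires within 30 days
set -e

DOMAIN="${DOMAIN:-example.com}"                    # assumed apex domain for -d
WILDCARD="${WILDCARD:-*.${DOMAIN}}"                # assumed wildcard for -d
ACME="${ACME:-${HOME:-.}/.acme.sh/acme.sh}"        # acme.sh default location
CERT_DIR="${CERT_DIR:-/etc/nginx/ssl}"             # assumed Nginx cert directory
RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}" # assumed reload command
STATE="${STATE:-${HOME:-.}/.acme-manual}"          # where challenges are kept
ACME_FLAGS="--dns --yes-I-know-dns-manual-mode-enough-go-ahead-please"

# parse_challenges: read acme.sh --issue output on stdin and print one
# "name value" pair per TXT record. Assumes the manual-mode lines look like
# "[date] Domain: '_acme-challenge.example.com'" then "[date] TXT value: 'token'".
parse_challenges() {
    awk -F "'" '/Domain: /    { name = $2 }
                /TXT value: / { print name, $2 }'
}

# txt_contains DIG_OUTPUT VALUE: true when the output of `dig +short TXT name`
# contains VALUE as a complete quoted record (dig prints one "..." per line).
txt_contains() {
    printf '%s\n' "$1" | grep -Fqx "\"$2\""
}

# authoritative_ns ZONE: one nameserver of ZONE, queried directly so that a
# stale recursive-resolver cache cannot give a false positive or negative.
authoritative_ns() {
    dig +short NS "$1" < /dev/null | head -n 1
}

# wait_for_txt NAME VALUE [TIMEOUT_SECONDS]: poll until the record is visible.
wait_for_txt() {
    name=$1; value=$2; timeout=${3:-600}; waited=0
    ns=$(authoritative_ns "$DOMAIN")
    while [ "$waited" -lt "$timeout" ]; do
        if txt_contains "$(dig +short TXT "$name" "@$ns" < /dev/null)" "$value"; then
            echo "ok: $name carries the expected TXT record at $ns"
            return 0
        fi
        sleep 15; waited=$((waited + 15))
    done
    echo "timed out waiting for $name at $ns" >&2
    return 1
}

# renewal_due CERT_FILE DAYS: true when the certificate expires within DAYS
# (or cannot be read). Let's Encrypt certificates last three months.
renewal_due() {
    ! openssl x509 -noout -checkend $(($2 * 86400)) -in "$1" > /dev/null 2>&1
}

main() {
    mkdir -p "$STATE"
    case "$1" in
    issue)
        # In manual mode acme.sh prints the TXT records and stops; keep them.
        "$ACME" --issue --force $ACME_FLAGS -d "$DOMAIN" -d "$WILDCARD" 2>&1 \
            | tee "$STATE/issue.log"
        parse_challenges < "$STATE/issue.log" > "$STATE/challenges.txt"
        echo "Add these TXT records at your DNS provider, then run: $0 renew"
        cat "$STATE/challenges.txt" ;;
    renew)
        # Verify every challenge record before asking Let's Encrypt to look.
        while read -r name value; do
            wait_for_txt "$name" "$value"
        done < "$STATE/challenges.txt"
        "$ACME" --renew --force $ACME_FLAGS -d "$DOMAIN" -d "$WILDCARD"
        # Copy fullchain.cer and the key out of ~/.acme.sh into the Nginx
        # directory and reload; add --ecc here if the key was issued as ECC.
        "$ACME" --install-cert -d "$DOMAIN" \
            --key-file "$CERT_DIR/$DOMAIN.key" \
            --fullchain-file "$CERT_DIR/fullchain.cer" \
            --reloadcmd "$RELOAD_CMD" ;;
    status)
        if renewal_due "$CERT_DIR/fullchain.cer" 30; then
            echo "certificate expires within 30 days: run '$0 issue' then '$0 renew'"
        else
            echo "certificate valid for more than 30 days"
        fi ;;
    *)
        echo "usage: $0 issue|renew|status" >&2; return 2 ;;
    esac
}

# Run only when a subcommand is given; sourcing the file just defines functions.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run `./acme-manual.sh issue`, add the printed records at the DNS provider, then `./acme-manual.sh renew`; a cron entry calling `status` is a cheap reminder that the three-month certificate is about to lapse, since nothing in manual mode will renew it for you.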

Tags: TLS, HTTPS, acme.sh, DNS verification, Let's Encrypt, wildcard certificate