At Kinsta, all verified domains are automatically protected by our Cloudflare integration. Our Managed WordPress Hosting plans include free SSL certificates with wildcard support.
Due to an industry shift in how wildcard SSL certificates are validated, wildcard SSL certificate renewals now require a new TXT record to be added for each domain. The TXT record is unique for each domain and changes with each renewal.
If your site currently uses our free Cloudflare SSL certificate, you have a few options for renewal.
Option 1 — Use Kinsta’s DNS
If you have a Managed WordPress plan and use Kinsta’s DNS for your domain(s), we’ll take care of adding that for you automatically. You’ll only need to take action if the SSL certificate cannot be automatically renewed.
Option 2 — Add a CNAME Record in Third-Party DNS
If you use third-party DNS for your domain(s), you’ll need to add a CNAME record to each domain so we can take care of updating the TXT record needed for SSL validation. This eliminates what would otherwise be an ongoing task for you to add the TXT record with each renewal. This applies to any third-party DNS, including if you have your own Cloudflare account where you manage your domain’s DNS.
Option 3 — Purchase and Install a Custom SSL Certificate
If you prefer to go the custom SSL route, MyKinsta supports custom SSL certificates as well. You can purchase and install an SSL from a third-party vendor and manage the certificate renewal with them. Once your SSL is renewed, you’ll need to re-upload it in MyKinsta.
Option 4 — Switch to a Non-Wildcard SSL Certificate
If you do not need a wildcard SSL for your domain you can remove and re-add your domain in the Domains list in MyKinsta and unselect the option to Add domain with wildcard under Advanced Options. There will be at least 10 minutes of downtime for this process; usually, about the same amount of time it took when you added and verified the domain previously.
Steps to Add a CNAME Record in Third-Party DNS for Renewal
- If you have not yet added a CNAME record for the SSL renewal, you’ll receive an email message and a notification in MyKinsta 30 days before your SSL expires to let you know your SSL certificate is expiring soon. Click on the Get TXT record button in the message to go to the site’s Domains list, where you’ll see a Renew SSL button next to the domain.
- Click that button to show the CNAME record you’ll need to add to your domain’s DNS.
- Log in to your DNS provider’s management panel and add the new CNAME record to your domain. Your DNS provider is where your domain’s name servers are pointed. This may be your domain’s registrar but could be another DNS provider. If needed, you can refer to your provider’s documentation for more information on adding DNS records.
- Depending on your DNS provider, the CNAME records may take up to 24 hours to propagate. After a successful domain verification, you’ll receive an email message and notification in MyKinsta, letting you know your SSL certificate has been renewed.
Renewing an Expired Certificate
If you’re unable to add the CNAME record to your domain before your SSL certificate expires, you’ll receive another email message and notification letting you know your certificate has expired and you need to renew it. The steps to renew an expired certificate are the same as adding a CNAME record for renewal above.
Troubleshooting the Fix Domain Error
During the SSL renewal process, if a Fix domain error button appears next to the domain, this means a CAA record conflict is occurring.
A CAA record is an optional DNS record that lets you specify which certificate authorities (CAs) are allowed to issue SSL certificates for your domain. If a domain has no CAA records, any CA can generate an SSL certificate for it if requested. If a domain has a CAA record, only the CA(s) specified in the CA record can generate an SSL certificate for the domain.
To resolve this error, click the Fix domain error button and update the CAA record as indicated in the modal/pop-up. Alternatively, if you do not need a CAA record on your domain, you can remove the CAA record.
How do I know if I have a wildcard or non-wildcard SSL?
Any current domains in MyKinsta should be using a wildcard for the custom hostname/SSL. This will show as *.example.com under the domain name on the domains page. A domain without *.example.com under the domain name indicates no wildcard hostname is present and can use a non-wildcard SSL certificate.
What’s the difference between a wildcard and a non-wildcard SSL?
Both are free SSL certificates from Cloudflare through Let’s Encrypt. The difference is in the coverage of wildcard subdomains and the renewal process. Non-wildcard SSL certificates can renew with HTTP/.well-known validation methods.
When does my SSL expire? How do I check?
We’ll notify you via email and in MyKinsta 30 days before your SSL certificate’s expiration. You can also check the SSL expiration by viewing your site’s SSL certificate in your browser.
Do I have to take manual action?
Yes, if your site doesn’t use Kinsta’s DNS, currently uses a TXT record instead of a CNAME record for SSL validation, and you want to renew your wildcard SSL certificate. If this is the case, you’ll need to add a CNAME record to your domain’s DNS.
How do I avoid this?
Switch to Kinsta’s DNS for automatic wildcard renewal, switch to non-wildcard SSL when available, or use your desired third-party SSL certificate.
Why would Kinsta do this?
This change to wildcard SSL verification is an industry-level change not decided by Kinsta. Any wildcard SSL provider now requires this or will begin requiring it soon. Here are a few references for more details:
- Changes to HTTP DCV
- Domain validation policy changes in 2021
- Ballot SC45: Wildcard Domain Validation
How long does it renew for?
Cloudflare’s free SSL certificate renews for 90 days, but as long as the CNAME record is in place, we’ll add the required TXT record for you each time.
Can I renew for longer?
No, not with Cloudflare’s free SSL certificate. Some premium third-party SSL certificates may be issued for a longer period. If you want an SSL certificate that’s issued for a longer period, you can check into third-party SSL providers and find one that fits your needs.
Once you’ve purchased your SSL, you can install that in MyKinsta and manage your SSL certificate renewal with your third-party provider. When your third-party provider renews your SSL certificate, you’ll need to re-upload it in MyKinsta.
If I leave the CNAME record in place, will my SSL automatically renew?
Yes, since we’ll take care of the TXT record for each subsequent renewal, you will not have to take any further action for renewal.
How early can I renew my SSL?
30 days before expiration, your SSL certificate will automatically renew if you use Kinsta’s DNS. If you do not use Kinsta’s DNS and your domain still uses a TXT record for SSL verification, you will receive a message and MyKinsta notification about the renewal.
How do I know if I’m using Kinsta’s DNS?
To see if you’re using Kinsta’s DNS for your domain, log in to MyKinsta and click on DNS in the left sidebar. There you’ll see any domains you’ve added to DNS. A green circle with a white checkmark indicates the domain’s name servers have been pointed to Kinsta and the domain is using Kinsta’s DNS. A red circle with a white X indicates the domain’s name servers have not yet been pointed to Kinsta, so the domain is not using Kinsta’s DNS.
Do I need to renew the Kinsta Cloudflare SSL if I have my own Cloudflare account?
This depends on the exact setup of your own Cloudflare account:
- If your domain’s DNS records in Cloudflare have a grey cloud (proxy off), you need to renew the Kinsta Cloudflare SSL certificate.
- If your domain’s DNS records in Cloudflare have an orange cloud (proxy on) and you have either of the following, you don’t technically have to renew the Kinsta Cloudflare SSL certificate, but it is recommended (so that you have a backup certificate):
- a free Universal Cloudflare SSL certificate
- a custom SSL certificate that covers your domain/subdomains uploaded in Cloudflare
- If your domain’s DNS records in Cloudflare have an orange cloud (proxy on) but you do not have a free Universal Cloudflare SSL certificate or custom SSL in Cloudflare, then you need to renew the Kinsta Cloudflare SSL.
You can check for an SSL certificate at Cloudflare in your domain’s Edge Certificates section (SSL/TLS > Edge Certificates).