At Kinsta, all verified domains are automatically protected by our Cloudflare integration, which includes free SSL certificates with wildcard support.

Due to an industry shift in how wildcard SSL certificates are validated, wildcard SSL certificate renewals now require a new TXT record to be added for each domain annually. The TXT record is unique for each domain and changes every year.

If your site currently uses our free Cloudflare SSL certificate, you have a few options for renewal.

Option 1 — Use Kinsta DNS

If you use Kinsta DNS for your domain(s), we’ll take care of adding that for you automatically. You’ll only need to take action if the SSL certificate cannot be automatically renewed.

Option 2 — Add a TXT Record in Third-Party DNS

If you use third-party DNS for your domain(s), you’ll need to add a new TXT record for SSL validation for each domain every year. Because the TXT record will change each year, this will be an ongoing task. This applies to any third-party DNS, including if you have your own Cloudflare account where you manage your domain’s DNS.

Option 3 — Purchase and Install a Custom SSL Certificate

If you prefer to go the custom SSL route, MyKinsta supports custom SSL certificates as well. You can purchase and install an SSL from a third-party vendor and manage the certificate renewal with them. Once your SSL is renewed, you’ll need to re-upload it in MyKinsta.

Option 4 — Switch to a Non-Wildcard SSL Certificate

If you do not need a wildcard SSL for your domain, you can remove and re-add your domain in the Domains list in MyKinsta and unselect the option to Add domain with wildcard under Advanced Options. This process causes at least 10 minutes of downtime, usually about the same amount of time it took when you added and verified the domain previously.

Steps to Add a TXT Record in Third-Party DNS for Renewal

  1. 30 days before your SSL expires, you’ll receive an email message and a notification in MyKinsta letting you know your SSL certificate is expiring soon. Click on the Get TXT record button in the message to go to the site’s Domains list, where you’ll see a Renew SSL button next to the domain.

    Renew SSL button next to the domain in MyKinsta Domains list.

  2. Click that button to show the TXT record you’ll need to add to your domain’s DNS.
    TXT record to verify the domain and renew free SSL.

  3. Log in to your DNS provider’s management panel and add the new TXT record to your domain. Your DNS provider is where your domain’s name servers are pointed. This may be your domain’s registrar but could be another DNS provider. If needed, you can refer to your provider’s documentation for more information on adding DNS records.
  4. Depending on your DNS provider, the TXT records may take up to 24 hours to propagate. After a successful domain verification, you’ll receive an email message and notification in MyKinsta letting you know your SSL certificate has been renewed.

Renewing an Expired Certificate

If you’re unable to add the TXT record to your domain before your SSL certificate expires, you’ll receive another email message and notification letting you know your certificate has expired and you’ll need to restart the process.

  1. To restart the SSL renewal process, log in to MyKinsta and navigate to your site (Sites > sitename > Info), and click the Restart SSL renewal button next to the domain name.

    Restart SSL button in MyKinsta Domains list.

  2. After a few minutes, you’ll see the Renew SSL button once again next to your domain. Click that button to view the new TXT record you’ll need to add to your domain’s DNS. You’ll also receive a new email and MyKinsta notification.
  3. Log in to your DNS provider’s management panel and add the new TXT record to your domain. Your DNS provider is where your domain’s name servers are pointed. This may be your domain’s registrar but could be another DNS provider. If needed, you can refer to your provider’s documentation for more information on adding DNS records.
  4. Depending on your DNS provider, the TXT records may take up to 24 hours to propagate. After a successful domain verification, you’ll receive an email message and notification in MyKinsta letting you know your SSL certificate has been renewed.
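
To confirm the TXT record from step 3 (in either procedure above) is actually published before waiting on the renewal email, you can ask each of the domain's authoritative name servers directly, which bypasses resolver caches. This is an added example, not Kinsta's tooling; it assumes the `dig` utility is installed, and the zone, record name and value are whatever MyKinsta shows you.

```python
import shlex
import subprocess
import sys


def parse_txt_answers(dig_output):
    """Decode `dig +short TXT` output into a set of TXT values.

    Each answer line is one record made of one or more quoted strings
    (long values are split into chunks of up to 255 bytes); join them.
    """
    values = set()
    for line in dig_output.splitlines():
        line = line.strip()
        if line and not line.startswith(";"):
            values.add("".join(shlex.split(line)))
    return values


def dig_short(*args):
    """Run dig and return its stdout; a failed query yields ''."""
    proc = subprocess.run(["dig", "+short", "+time=3", "+tries=2", *args],
                          capture_output=True, text=True, timeout=30)
    return proc.stdout if proc.returncode == 0 else ""


def check_propagation(zone, record_name, expected_value):
    """Map each authoritative name server of `zone` to True/False."""
    servers = [line.strip().rstrip(".")
               for line in dig_short("NS", zone).splitlines()
               if line.strip() and not line.startswith(";")]
    return {ns: expected_value in parse_txt_answers(
                dig_short("+norecurse", "TXT", record_name, "@" + ns))
            for ns in servers}


def all_visible(results):
    """True only when at least one server answered and none lacks the value."""
    return bool(results) and all(results.values())


if __name__ == "__main__":
    # Usage: python check_txt.py <zone> <record name> <value from MyKinsta>
    zone, name, value = sys.argv[1:4]
    results = check_propagation(zone, name, value)
    for ns, ok in sorted(results.items()):
        print(f"{ns}: {'visible' if ok else 'missing or stale'}")
    sys.exit(0 if all_visible(results) else 1)
```

A server reported as missing or stale usually means the record was added at a provider that is not the one your name servers point to, or that a previous year's value is still in place.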

FAQ

How do I know if I have a wildcard or non-wildcard SSL?

Any current domains in MyKinsta should be using a wildcard for the custom hostname/SSL. This will show as *.example.com under the domain name on the domains page. A domain without *.example.com under the domain name has no wildcard hostname and can use a non-wildcard SSL certificate.

What’s the difference between a wildcard and a non-wildcard SSL?

Both are free SSL certificates from Cloudflare through DigiCert. The difference is in the coverage of wildcard subdomains and the renewal process. Non-wildcard SSL certificates can renew automatically using HTTP/.well-known validation methods.

When does my SSL expire? How do I check?

We’ll notify you via email and in MyKinsta 30 days before your SSL certificate’s expiration. You can also check the SSL expiration by viewing your site’s SSL certificate in your browser.

Do I have to take manual action?

Yes, if your site doesn’t use Kinsta DNS and you want to renew your wildcard SSL certificate. You’ll need to add a TXT record to your domain’s DNS.

How long do I have to add the TXT record?

It depends on when you retrieve the TXT record within the renewal period. The TXT record changes every 14 days after the renewal period starts. For example, if you retrieve the TXT record 5 days after receiving the notification email that your SSL certificate expires in 30 days, that TXT record will only be valid for 9 days before it rotates and a new TXT record is generated.
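
The expiry check, the wildcard check and the TXT deadline from the answers above can be worked out from the certificate itself. This is an added example, not Kinsta's code; it assumes the renewal period starts exactly 30 days before the certificate's notAfter time and that the 14-day rotations are counted from that start, which is how the page's own example reads.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

RENEWAL_LEAD = timedelta(days=30)  # page: notice arrives 30 days before expiry
ROTATION = timedelta(days=14)      # page: TXT value changes every 14 days


def fetch_cert(host, port=443, timeout=10):
    """Return the site's certificate as a getpeercert() dict.

    The default context validates the chain, so an already expired
    certificate raises ssl.SSLCertVerificationError here.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def summarize(cert):
    """Extract expiry time and wildcard names from a getpeercert() dict."""
    expiry = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {"not_after": expiry,
            "wildcards": [n for n in names if n.startswith("*.")]}


def txt_deadline(not_after, retrieved_at):
    """Return (rotation time, time left) for a TXT value fetched at retrieved_at.

    Assumption: rotation boundaries fall at renewal start + 14 days, + 28 days.
    """
    start = not_after - RENEWAL_LEAD
    if retrieved_at < start:
        raise ValueError("renewal period has not started yet")
    if retrieved_at >= not_after:
        raise ValueError("certificate expired; restart the renewal in MyKinsta")
    periods_elapsed = (retrieved_at - start) // ROTATION
    rotates_at = start + ROTATION * (periods_elapsed + 1)
    return rotates_at, rotates_at - retrieved_at


if __name__ == "__main__":
    info = summarize(fetch_cert("example.com"))  # placeholder host name
    print(info["not_after"], info["wildcards"])
    if info["not_after"] - datetime.now(timezone.utc) <= RENEWAL_LEAD:
        print(txt_deadline(info["not_after"], datetime.now(timezone.utc)))
```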

How do I avoid this?

Switch to Kinsta DNS for automatic wildcard renewal, switch to non-wildcard SSL when available, or use your desired third-party SSL certificate.

Can I go back to using Let’s Encrypt?

No, we now offer free Cloudflare SSL certificates through their provider, DigiCert. If you want to use a different SSL, you’ll need to obtain it from your desired third-party SSL provider and install the certificate in MyKinsta.

Why would Kinsta do this?

This change to wildcard SSL verification is an industry-level change not decided by Kinsta. Any wildcard SSL provider now requires this or will begin requiring it soon. Here are a few references for more details:

How long does it renew for?

Cloudflare’s free SSL certificate renews for 1 year.

Can I renew for longer?

No, not with Cloudflare’s free SSL certificate. Some premium third-party SSL certificates may be issued for a longer period. If you want an SSL certificate that’s issued for a longer period, you can check into third-party SSL providers and find one that fits your needs.

Once you’ve purchased your SSL, you can install that in MyKinsta and manage your SSL certificate renewal with your third-party provider. When your third-party provider renews your SSL certificate, you’ll need to re-upload it in MyKinsta.

If I leave the TXT in place, will it automatically renew next year?

No; unfortunately, the requirement is a new TXT value for each subsequent yearly renewal.

How early can I renew my SSL?

30 days before expiration, your SSL certificate will automatically renew if you use Kinsta DNS. If you do not use Kinsta DNS, you will receive a message and MyKinsta notification about the renewal.

How do I know if I’m using Kinsta DNS?

To see if you’re using Kinsta DNS for your domain, log in to MyKinsta and click on Kinsta DNS in the left sidebar. There you’ll see any domains you’ve added to Kinsta DNS. A green circle with a white checkmark indicates the domain’s name servers have been pointed to Kinsta, and the domain is using Kinsta DNS. A red circle with a white X indicates the domain’s name servers have not yet been pointed to Kinsta, so the domain is not using Kinsta DNS.

In Kinsta DNS, a checkmark next to a domain indicates name servers are pointed to Kinsta, and an X indicates they are not.

Do I need to renew the Kinsta Cloudflare SSL if I have my own Cloudflare account?

This depends on the exact setup of your own Cloudflare account:

  • If your domain’s DNS records in Cloudflare have a grey cloud (proxy off), you need to renew the Kinsta Cloudflare SSL certificate.
  • If your domain’s DNS records in Cloudflare have an orange cloud (proxy on) and you have either of the following, you don’t technically have to renew the Kinsta Cloudflare SSL certificate, but it is recommended (so that you have a backup certificate):
  • If your domain’s DNS records in Cloudflare have an orange cloud (proxy on) but you do not have a free Universal Cloudflare SSL certificate or custom SSL in Cloudflare, then you need to renew the Kinsta Cloudflare SSL.

You can check for an SSL certificate at Cloudflare in your domain’s Edge Certificates section (SSL/TLS > Edge Certificates).