
Install wildcard certificates

While CloudPanel supports Let's Encrypt certificates, it only supports the HTTP-01 challenge. This works well but has two problems:

- For the Let's Encrypt servers to validate the HTTP-01 challenge file, your domain must be accessible from the public internet, which might not be the case if you are running CloudPanel on your HomeLab server.
- The HTTP-01 challenge does not support wildcard certificates.

To solve these problems, you can use a separate tool that supports the DNS-01 challenge, such as acme.sh. Because acme.sh supports various DNS providers, it can integrate with the one you are using, set the TXT record needed to validate your domain, and issue your wildcard certificate. The remaining problem is getting the certificate into CloudPanel.

Luckily CloudPanel offers a CLI command clpctl site:install:certificate to install a certificate for a domain. We can use this command to install the obtained certificates into the sites.
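The install step described above, as an added example (not code from CloudPanel or the cloudpanel.helpers repo): a POSIX shell wrapper that checks that a site name is really covered by the wildcard before calling clpctl site:install:certificate. BASE_DOMAIN, CERT_DIR and the three file names are assumptions; a wildcard matches exactly one label, so the apex domain and deeper subdomains are skipped.

```shell
#!/bin/sh
# Added example, not the cloudpanel.helpers script.
# Assumptions: BASE_DOMAIN is a constructed placeholder; CERT_DIR holds
# key.pem, cert.pem and chain.pem written by `acme.sh --install-cert`.
LC_ALL=C; export LC_ALL                      # make the a-z range ASCII-only
BASE_DOMAIN="${BASE_DOMAIN:-home.example.com}"
CERT_DIR="${CERT_DIR:-/etc/ssl/wildcard}"

# Succeeds only if *.base covers host: exactly one extra label.
# The apex (base itself) and deeper names such as a.b.base are not covered.
wildcard_covers() {
    host=$1 base=$2
    case $host in
        ""|*[!a-z0-9.-]*) return 1 ;;        # only hostname characters reach clpctl
    esac
    label=${host%".$base"}
    [ "$label" != "$host" ] || return 1      # host does not end in .base
    case $label in
        ""|*.*|-*|*-) return 1 ;;            # empty, multi-level or malformed label
    esac
}

# Install the wildcard certificate for one site; DRY_RUN=1 prints the command.
install_wildcard() {
    host=$1
    wildcard_covers "$host" "$BASE_DOMAIN" || {
        echo "skip: $host is not covered by *.$BASE_DOMAIN" >&2
        return 2
    }
    for f in key.pem cert.pem chain.pem; do
        [ -r "$CERT_DIR/$f" ] || { echo "missing: $CERT_DIR/$f" >&2; return 3; }
    done
    ${DRY_RUN:+echo} clpctl site:install:certificate \
        --domainName="$host" \
        --privateKey="$CERT_DIR/key.pem" \
        --certificate="$CERT_DIR/cert.pem" \
        --certificateChain="$CERT_DIR/chain.pem"
}

if [ "$#" -gt 0 ]; then install_wildcard "$1"; fi
```

Run it with DRY_RUN=1 first to see the exact command before it touches a site.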

HomeLab certificate usage

A special case is my HomeLab, where I have a domain set up which is used for all services in the intranet. I obtain a wildcard certificate for this domain via the DNS-Challenge, and every site I create in CloudPanel will be a subdomain of this domain. If I set up a new service in CloudPanel, I don't want to always manually log in to the server and install the certificate I got via acme.sh.

This is why I created a small helper that will install the certificate automatically for all newly created sites. Since CloudPanel doesn't have a hook system to know when a new site was created, I'm using incron to get notified when a new nginx configuration is created and trigger the helper script to do its work.

Check out the steps to set it up in the cloudpanel.helpers repo on GitHub.