You Don’t Need A Wildcard SSL With Kinsta

Wildcard SSLs are no longer required with Kinsta. Long live the standard SSL. Time to celebrate! 🥳

I don’t have anything against wildcard SSLs. What I do have a problem with is the new requirement that requires manual verification when renewing wildcard SSLs. That has led me to do some crazy engineering to keep SSL renewals going here at Anchor Hosting.

Most folks don’t need a wildcard SSL and probably shouldn’t use it. Replacing the wildcard SSL with standard SSLs will enable automatic SSL renewals, which is going to be a huge win. It increases reliability and happiness. Ain’t nobody have time to manually renew SSL in 2022. Here are the steps to downgrade a wildcard SSL to standard SSL at Kinsta.

Downgrading SSLs requires downtime and DNS changes.

To begin you’ll need DNS access for your domains and access to Kinsta. Pick a time when it’s OK for some downtime. To minimize downtime I recommend using a fast and reliable DNS service. Under ideal conditions this process will take around 10 minutes to complete.

Start by making the built-in Kinsta domain the primary domain.

Next, remove domain mappings for the current domain. This will remove the wildcard SSL and take the website offline.

Add back the primary domain and uncheck the wildcard option under “Advanced Options”.

Select “Verify domain” to reveal the verification DNS records. This can be done while the domain mappings are added. No need to wait around.

Go to your DNS control panel and add a TXT verification record.

Adding a TXT record using Cloudflare’s DNS editor.

Repeat the same steps for any secondary domains.

Reassign the primary domain.

While the domains are being verified you may see error messages like these.

While waiting, you can use the command line application dig to verify the TXT record was added properly. The command format would look like this:

dig kinsta-verification-XXXXXX.my-domain.com TXT +short

This should respond with your verification TXT value.
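
A single dig only shows what your local resolver sees. The script below is an added example, not part of the original post or anything Kinsta provides: it asks several public resolvers for the record and polls until all of them return the expected value. The resolver list, function names and the placeholder name and value are assumptions.

```shell
#!/bin/sh
# Added example: confirm a verification TXT record is visible on several
# public resolvers. The resolver list is an assumption; edit it to suit.
RESOLVERS="1.1.1.1 8.8.8.8 9.9.9.9"

# txt_values <resolver> <name>: print the TXT strings, one per line, with
# dig's surrounding quotes removed and split strings ("a" "b") rejoined.
txt_values() {
  dig "@$1" "$2" TXT +short +time=3 +tries=1 2>/dev/null |
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# check_txt <name> <expected>: succeed only if every resolver returns the
# expected value as an exact, whole-line match.
check_txt() {
  name=$1; expected=$2; missing=0
  for r in $RESOLVERS; do
    if txt_values "$r" "$name" | grep -Fxq -- "$expected"; then
      echo "ok       $r"
    else
      echo "missing  $r"
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}

# wait_for_txt <name> <expected> [attempts] [delay_seconds]: poll until the
# record is visible on every resolver or the attempts run out.
wait_for_txt() {
  attempts=${3:-20}; delay=${4:-30}; i=1
  while [ "$i" -le "$attempts" ]; do
    echo "attempt $i/$attempts"
    if check_txt "$1" "$2"; then return 0; fi
    i=$((i + 1))
    if [ "$i" -le "$attempts" ]; then sleep "$delay"; fi
  done
  return 1
}

# Usage (placeholder name and value; use the ones shown in your dashboard):
# wait_for_txt kinsta-verification-XXXXXX.my-domain.com "your-verification-value"
```

A "missing" line for one resolver usually means that resolver still holds a cached negative answer, so wait for it to clear rather than re-adding the record.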

After a few minutes, assuming DNS updates were applied properly and your DNS provider rolled them out successfully, you should see the next round of verification records.

Add these new records to your DNS provider. After a few more minutes, the website should be restored with the new standard SSL. Enjoy automatic SSL renewals once again. 🎉