
Guide

Let's Encrypt via DNS-01 — issue without opening port 80

The recommended path on ManageMyCert: prove control with a TXT record, we run ACME on our servers.

DNS-01 is the ACME challenge type (RFC 8555, section 8.4) where you add a temporary TXT record at _acme-challenge.yourdomain.com. The value is not something you choose: it is the base64url-encoded SHA-256 hash of the key authorization, which is the challenge token joined with a dot to the thumbprint of the ACME account key. Let's Encrypt queries your domain's authoritative nameservers for that record, from several network vantage points. If the value matches, you get a certificate: no web server, no port 80, no SSH key on your side. Wildcard names are validated the same way, at the base domain (a certificate for *.yourdomain.com is proven by a record at _acme-challenge.yourdomain.com, never at a "*" label).

ManageMyCert runs the ACME client on our infrastructure, so the account key that the TXT value is derived from is ours and the portal computes the value for you. You never install Certbot or open inbound access to your servers. After you verify domain ownership (a separate DNS step), open the Let's Encrypt tab, start issuance, copy the TXT name and value the portal shows into your DNS provider's zone, wait for the record to be published, then click Finalize.

Why DNS-01 beats HTTP-01 for many teams
- Works behind Cloudflare orange-cloud proxy (no need to grey-cloud for the challenge).
- No firewall rules for port 80.
- Supports wildcard certificates: Let's Encrypt issues wildcards only through DNS-01.
- Ideal when the app server is internal and only the load balancer is public.

The trade-off: DNS-01 proves control of the zone, so anyone who can edit your DNS records can obtain a certificate for the name. Limit zone-edit rights accordingly, and consider a CAA record so that only the CAs you actually use may issue for your domain.

Step by step in the portal
1. Add and verify your domain.
2. Set deployment mode to Let's Encrypt (DNS) on Renew & deploy.
3. Let's Encrypt tab → Start issuance — copy the TXT name and value.
4. Add the record at your DNS host (Cloudflare, Route 53, cPanel zone editor, etc.).
5. Wait for the record to be published by your authoritative nameservers, typically 1–10 minutes depending on the host. Check with a direct query before you Finalize (for example: dig +short TXT _acme-challenge.yourdomain.com @ns1.your-dns-host); a validation attempted before the record is visible fails and counts against Let's Encrypt's failed-validation rate limit.
6. Download the ZIP or connect a hosting API to install automatically.

30-day issuance window
We block new issuance when your stored certificate still has more than 30 days left. That prevents accidental re-issues and rate-limit noise. You can always download the existing cert. Renewal deploy (push to cPanel, Plesk, Cloudflare, or optional SSH) still runs on schedule.

Need the older HTTP-01 + SSH path? See ACME 101 or use Advanced SSH renew in the portal. Full product docs: Let's Encrypt via DNS.