SSL certificates

Issue and renew Let's Encrypt certificates, including wildcard / DNS-01.

MZPanel issues and renews TLS certificates for your sites from the dashboard. The agent runs certbot on the server; the dashboard shows certificate status, expiry and auto-renew per domain. Standard certificate issuance and renewal are available on all plans.

Open a site and go to its DNS & TLS view. Each domain shows its current TLS state (valid / expiring / expired / none) next to its DNS status. Use Issue / Renew to obtain a Let’s Encrypt certificate.

For a normal domain pointing straight at the server (DNS-only), MZPanel issues a Let’s Encrypt certificate via the HTTP-01 challenge. The dashboard pairs the DNS signal with the TLS signal because the #1 cause of “SSL won’t issue” is DNS pointing the wrong way — if the domain doesn’t resolve to this server, validation can’t reach it and issuance fails.

Issued certificates renew automatically — the server tracks expiry and renews before the certificate runs out, so you don’t have to remember. The dashboard shows the days remaining and whether auto-renew is on for each domain.

A wildcard certificate (*.example.com) covers every subdomain with one certificate. Wildcards require the ACME DNS-01 challenge (HTTP-01 cannot issue wildcards), which means proving control of the domain by writing a DNS record rather than answering on port 80. Wildcard issuance is available on Plus and above, and requires the zone to be connected via a Cloudflare token (see DNS & TLS).

When you issue a wildcard from the site’s DNS & TLS manage drawer:

  1. The server generates the private key and a CSR for example.com and *.example.com. The private key never leaves the box.
  2. The control plane runs the ACME order, writing the _acme-challenge TXT record through your Cloudflare connection (which holds the token), then validates and finalizes using the server’s CSR.
  3. Only the issued certificate chain is sent back to the server, where it is installed alongside the private key and Nginx is reloaded.
  4. The temporary challenge record is cleaned up.

This split keeps each secret where it belongs: the Cloudflare token stays on the control plane, the private key stays on your server. Wildcard certificates are tracked and auto-renewed like any other certificate (renewed when under ~30 days remaining).