
This guide helps you set up a wildcard certificate (*.example.com) in NGINX Proxy Manager (NPM) using Cloudflare DNS-01 challenge with a proper API token.


✅ Prerequisites

  • You are using NGINX Proxy Manager (installed on TrueNAS SCALE 24.10 via App Store or Docker).
  • Your domain is managed in Cloudflare.
  • You want to issue a wildcard cert like *.something.com.

1. 🌐 Create a Cloudflare API Token

⚠️ Do not use Global API Key — this is a common mistake. Use a scoped API Token instead.

Steps:

  1. Go to https://dash.cloudflare.com/profile/api-tokens

  2. Click on "Create Token"

  3. Under "API Token Templates", select "Edit zone DNS"

  4. On the next screen, check the permissions and zone resources:

    • Permissions: Zone → DNS → Edit
    • Zone Resources: Include → Specific zone → your domain. "All Zones" also works, but the DNS-01 challenge only ever touches one zone, and a token that can edit DNS in every zone on the account is far more than it needs; scope it to the one zone.
    • Optionally restrict Client IP Address Filtering to your TrueNAS host's public IP and set a TTL.

  5. Click Continue to summary → Click Create Token

  6. Copy the token and store it somewhere safe. Cloudflare shows it only once; treat it like a password, since anyone holding it can rewrite DNS for the zone.


2. 🔐 Configure NGINX Proxy Manager with Cloudflare

  1. Go to NPM Dashboard → SSL Certificates → Add SSL Certificate

  2. Choose Let's Encrypt

  3. Fill in the form:

    • Domain Names: *.something.com (replace with your actual domain). Add something.com on a second line if the same cert should also cover the bare domain; the wildcard alone does not.
    • Email Address: your email (Let's Encrypt sends expiry warnings here)

  4. Tick Use a DNS Challenge and choose Cloudflare as the DNS Provider.

  5. In Credentials File Content, NPM pre-fills a certbot-style template:

dns_cloudflare_api_token =

    Paste your API token after the = sign. NPM has no separate email or key fields: the token replaces the old email + Global API Key pair (dns_cloudflare_email / dns_cloudflare_api_key), and those two keys should not appear in the content at all.

  6. Leave Propagation Seconds empty on the first attempt. If issuance fails because Let's Encrypt could not find the _acme-challenge TXT record yet, set it to a value such as 60 and retry.

    NPM writes this textarea to a credentials file for certbot's dns-cloudflare plugin inside its container; the next step only matters if you run certbot outside NPM.


3. ⚙️ Optional: Store Token in Configuration File (If Required)

NGINX Proxy Manager writes the Credentials File Content textarea to disk itself, so no extra file is needed for the App Store or Docker instance. If you run certbot's dns-cloudflare plugin directly (outside NPM), it reads the same key=value content from a file you supply:

  1. Create a file named cloudflare.ini:
dns_cloudflare_api_token = YOUR_API_TOKEN
  2. Secure it (certbot warns when the file is group- or world-readable, and the token is as sensitive as a DNS admin password):
chmod 600 cloudflare.ini
  3. Pass it to certbot with --dns-cloudflare-credentials /path/to/cloudflare.ini.

Either way the token sits in the file in plaintext: protect it with file permissions, and revoke and reissue it in Cloudflare if the host is ever compromised.


4. ✅ Issue the Certificate

  • Click Save; NPM runs certbot, which creates the _acme-challenge TXT record through the Cloudflare API, waits for it to resolve, and requests the certificate via the DNS-01 challenge.
  • You should see success logs like:
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/...
  • If it fails, the certbot output is shown in the NPM dialog. The usual causes are a token without DNS Edit on that zone, a typo in the credentials content, or a TXT record that had not propagated when Let's Encrypt looked it up.

5. 📌 Apply the Certificate

Now that the wildcard certificate is issued:

  • Go to Hosts → Proxy Hosts
  • Edit or add a new proxy host
  • Under the SSL tab:
    • Select your newly created wildcard cert from the SSL Certificate dropdown
    • Enable Force SSL and HTTP/2 Support as needed (Force SSL redirects plain HTTP to HTTPS; turn on HSTS only once you are sure every subdomain serves TLS correctly, because browsers cache it)

🚫 Common Mistakes to Avoid

  • ❌ Using the Global API Key instead of creating a scoped API token
  • ❌ Scoping the token to All Zones when it only needs DNS Edit on the one zone you issue certs for
  • ❌ Forgetting to include the wildcard domain (*.something.com) in the cert, or expecting it to cover the bare something.com
  • ❌ Not ticking the "DNS Challenge" box in NPM when using Cloudflare (an HTTP-01 challenge cannot issue a wildcard)

🔄 Renewals

Let's Encrypt certificates, wildcard or not, are valid for 90 days. NGINX Proxy Manager renews them automatically ahead of expiry by running certbot with the stored credentials, so renewal keeps working only while the token still exists, has not expired (if you set a TTL), and still has DNS Edit on the zone. If you rotate the token in Cloudflare, edit the certificate in NPM and update its credentials, or the next renewal fails and you will only hear about it from the Let's Encrypt expiry-warning email.




🛡️ Wildcard SSL Certificate with Cloudflare for NGINX Proxy Manager (TrueNAS 24.10)

This guide shows how to issue a wildcard SSL certificate (*.yourdomain.com) via Let's Encrypt using Cloudflare DNS challenge, and configure it in NGINX Proxy Manager (NPM) — perfect for hosting multiple subdomains with one cert on your TrueNAS server.


✅ Prerequisites

  • TrueNAS SCALE 24.10 running NGINX Proxy Manager
  • Your domain is managed by Cloudflare
  • You want wildcard SSL: *.something.com

1️⃣ Create a Scoped API Token in Cloudflare

⚠️ Do NOT use the "Global API Key" — instead, create a token.

Steps:

  1. Go to https://dash.cloudflare.com/profile/api-tokens

  2. Click Create Token

  3. Use the Edit zone DNS template

  4. On the next screen, check the permissions and zone resources:

    • Permissions: Zone → DNS → Edit
    • Zone Resources: Include → Specific zone → your domain. "All Zones" also works, but the challenge only ever touches one zone, and a token that can edit DNS across the whole account is a much bigger prize if it leaks.
    • Optionally restrict Client IP Address Filtering to your TrueNAS host's public IP and set a TTL.

  5. Click Continue to Summary, then Create Token

  6. Copy the token; you'll use this in NGINX Proxy Manager. Cloudflare shows it only once, so store it in a password manager, not in a chat or a ticket.


2️⃣ Configure Wildcard Certificate in NGINX Proxy Manager

Steps:

  1. Open your NGINX Proxy Manager UI

  2. Go to SSL Certificates → Add SSL Certificate

  3. Select Let's Encrypt

  4. Fill out the form:

    • Domain Name(s): *.something.com (replace with your actual domain). Add something.com as a second line if you want the same cert to cover both the bare domain and its subdomains; the wildcard alone does not cover the bare name.
    • Email Address: your email address

  5. Use a DNS Challenge: ✅ check this box

  6. DNS Provider: from the dropdown, choose Cloudflare

  7. Scroll down to Credentials File Content; you will see:

# Cloudflare API token
dns_cloudflare_api_token =

Paste the token you copied from Cloudflare after the = sign, exactly as Cloudflare displayed it. Leave Propagation Seconds empty on the first attempt.

  8. Agree to the Terms of Service

  9. Click Save
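Before pasting the token into NPM (or into a cloudflare.ini for a standalone certbot), it is worth checking that it is the token you think it is and that the credentials content is well formed. The script below is an added example, not code from NGINX Proxy Manager, certbot or Cloudflare. It assumes curl and GNU stat on a Linux host; the verification endpoint is Cloudflare's real /user/tokens/verify, and the token value used in the offline demo is a constructed placeholder, not a real token.

```shell
#!/bin/sh
# Added example (not code from NGINX Proxy Manager or certbot): verify a
# Cloudflare API token before handing it to NPM, and write/lint the
# credentials file that certbot's dns-cloudflare plugin reads.
# Assumptions: curl and GNU stat (Linux) are available; the endpoint below
# is Cloudflare's real token-verification endpoint.

# Parse a /user/tokens/verify response body on stdin. Succeeds only when
# the API reports success and the token status is "active" (no jq needed).
cf_response_is_active() {
  body=$(cat)
  printf '%s' "$body" | grep -Eq '"success"[[:space:]]*:[[:space:]]*true' &&
    printf '%s' "$body" | grep -Eq '"status"[[:space:]]*:[[:space:]]*"active"'
}

# Network call: ask Cloudflare whether the bearer token is active.
# Not invoked by the offline demo below; run it by hand as
#   cf_token_active "$TOKEN" && echo active
cf_token_active() {
  curl -fsS -H "Authorization: Bearer $1" \
    https://api.cloudflare.com/client/v4/user/tokens/verify |
    cf_response_is_active
}

# Write the credentials file with the same content as NPM's "Credentials
# File Content" textarea, but with mode 600 from the moment it is created.
# usage: write_cf_ini FILE TOKEN
write_cf_ini() {
  ( umask 077
    printf '# Cloudflare API token\ndns_cloudflare_api_token = %s\n' "$2" > "$1" )
}

# Lint a credentials file: reject the Global API Key fields, require exactly
# one non-empty dns_cloudflare_api_token line, and require mode 600 or 400
# (certbot itself warns about group- or world-readable credential files).
lint_cf_ini() {
  f=$1
  if grep -Eq '^[[:space:]]*dns_cloudflare_(email|api_key)[[:space:]]*=' "$f"; then
    echo "lint: $f uses dns_cloudflare_email/api_key (Global API Key); use dns_cloudflare_api_token" >&2
    return 1
  fi
  if [ "$(grep -Ec '^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=[[:space:]]*[^[:space:]]+[[:space:]]*$' "$f")" -ne 1 ]; then
    echo "lint: $f needs exactly one non-empty dns_cloudflare_api_token line" >&2
    return 1
  fi
  mode=$(stat -c '%a' "$f")
  case $mode in
    600|400) ;;
    *) echo "lint: $f has mode $mode; run chmod 600 $f" >&2; return 1 ;;
  esac
}

# Offline demo with a constructed, non-functional token value.
demo_dir=$(mktemp -d)
write_cf_ini "$demo_dir/cloudflare.ini" "EXAMPLE_NOT_A_REAL_TOKEN_0000000000000000"
lint_cf_ini "$demo_dir/cloudflare.ini" && echo "ok: $demo_dir/cloudflare.ini passes lint"
```

The lint rejects the two failure modes the page warns about (Global API Key fields, and a credentials file readable by other users) before certbot ever runs; cf_token_active is the same check against the live API, and a token that verifies as active but still fails issuance almost always lacks DNS Edit on the zone in question.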


3️⃣ Certificate Issuance & Use

If successful, NPM will:

  • Call the Cloudflare DNS API to add the _acme-challenge.something.com TXT record (two TXT records at that same name when both *.something.com and something.com are in the request, one per name being validated)
  • Wait for DNS propagation, then let Let's Encrypt query the record
  • Issue the wildcard cert from Let's Encrypt and remove the TXT records again

Once saved, the certificate will appear in your list of SSL certs. If you want to watch the challenge while it runs, query the TXT record through an external resolver rather than your LAN one; stale records left behind by a failed run are harmless but can be deleted in the Cloudflare dashboard.


4️⃣ Apply the Wildcard Certificate to Your Proxy Hosts

  1. Go to Proxy Hosts

  2. Edit an existing host or create a new one (e.g., app.something.com)

  3. On the Details tab, tick Block Common Exploits if you want it (it lives there, not on the SSL tab)

  4. Under the SSL tab:

    • SSL Certificate: select your wildcard cert from the dropdown
    • Optionally enable Force SSL and HTTP/2 Support

  5. Click Save


🧠 Tips & Notes

  • Your wildcard cert (*.something.com) covers any single-label subdomain: app.something.com, media.something.com, etc. It does not cover deeper names such as a.b.something.com (that would need *.b.something.com), and it does not cover the bare something.com.

  • For the root domain something.com, either:
    • add it as a separate line in the same cert request, or
    • create a second cert just for the root domain.

  • NPM will auto-renew the cert before expiry as long as the API token remains valid and keeps DNS Edit on the zone; if you rotate the token in Cloudflare, update the certificate's credentials in NPM as well.
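The coverage rule above (one label per wildcard, bare domain not included) is easy to get wrong, and a proxy host whose name the cert does not cover just serves a browser warning. The script below is an added example, not code from NPM or Let's Encrypt: it implements the wildcard matching rule and checks a list of hostnames against the SAN list this guide requests. The cert_sans helper assumes openssl 1.1.1 or newer, and the /etc/letsencrypt/live/npm-1/ path in its comment is an assumption about how NPM names its certificate directories, not something this page states.

```shell
#!/bin/sh
# Added example (not code from NPM or Let's Encrypt): check which hostnames
# a certificate's Subject Alternative Names actually cover. A wildcard
# matches exactly one DNS label, so "*.something.com" covers
# app.something.com but neither something.com nor a.b.something.com.
# Assumption: openssl 1.1.1+ for cert_sans (the offline demo does not call it).

# san_matches SAN HOST -> exit 0 if SAN covers HOST (case-insensitive)
san_matches() {
  san=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  name=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  case $san in
    '*.'*)
      suffix=${san#\*.}          # the part after "*."
      rest=${name#*.}            # HOST minus its first label
      # exactly one non-empty label in front of a suffix that matches literally
      [ "$rest" != "$name" ] && [ -n "${name%%.*}" ] && [ "$rest" = "$suffix" ]
      ;;
    *) [ "$san" = "$name" ] ;;
  esac
}

# cert_covers HOST SAN... -> exit 0 if any SAN in the list covers HOST
cert_covers() {
  want=$1; shift
  for san_entry in "$@"; do
    san_matches "$san_entry" "$want" && return 0
  done
  return 1
}

# cert_sans PEM -> print the DNS names in the certificate's SAN extension,
# one per line, e.g. cert_sans /etc/letsencrypt/live/npm-1/fullchain.pem
# (the npm-1 directory name is an assumption; check the path on your host)
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName |
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Offline demo: the SAN list NPM requests for "*.something.com" with
# "something.com" on a second Domain Names line.
for h in app.something.com SOMETHING.COM a.b.something.com somethingx.com; do
  if cert_covers "$h" '*.something.com' 'something.com'; then
    echo "covered:     $h"
  else
    echo "NOT covered: $h"
  fi
done
```

Against an issued certificate, combine the two helpers: cert_covers app.something.com $(cert_sans /path/to/fullchain.pem) tells you whether a new proxy host will be served without a name mismatch. Note that a plain shell case pattern such as *.something.com would wrongly accept a.b.something.com, which is why san_matches counts labels instead.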