SSL Certificates
The SSL Control page lets you manage HTTPS certificates for your domains using Let’s Encrypt. You can issue new certificates, monitor their status, renew expiring ones, and remove certificates you no longer need — all from the dashboard.
Admin only
SSL certificate management requires admin privileges (admin.system.ssl permission). Navigate to System > SSL Control from the sidebar.
Key features
🔒 Let's Encrypt Integration
Issue free, trusted SSL certificates with automated validation
🌐 Two Challenge Methods
HTTP challenge for standard setups or DNS challenge for wildcard certificates and restricted environments
📊 Certificate Status
View all certificates at a glance with status badges showing active, expiring soon, or expired
🔄 Renewal Management
Renew certificates manually or let automatic renewal handle it
📡 14 DNS Providers
DNS challenge supports Cloudflare, Route 53, DigitalOcean, and 11 more providers
⏳ Progress Tracking
Certificate operations run asynchronously with live progress indicators
Certificate list
The main view displays all installed SSL certificates in a list. Each entry shows:
- Domain — The domain or wildcard the certificate covers
- Status — Active (valid), expiring soon (within 30 days), or expired
- Expiry date — When the certificate expires
- Actions — Renew or remove the certificate
Status badges with counts at the top of the page give you a quick summary of how many certificates are in each state.
Issuing a certificate
To issue a new Let’s Encrypt certificate, click the Issue Certificate button and fill out the form:
- Select a target — Choose which service the certificate is for (Dashboard, Plex, Emby, Jellyfin, or other supported applications)
- Enter the domain — Type the domain name you want to secure
- Choose a challenge method — HTTP or DNS (see below)
- Submit — The certificate issuance runs asynchronously with progress tracking
HTTP challenge (HTTP-01)
The HTTP challenge is the simplest method. The ACME client places a temporary file on your server, and Let’s Encrypt verifies that it can fetch that file over port 80.
Requirements:
- Port 80 must be open and reachable from the internet
- The domain must point to your server’s IP address
- No additional credentials are needed
This is the recommended method for standard single-domain certificates when your server is directly accessible.
DNS challenge (DNS-01)
The DNS challenge verifies domain ownership by creating a temporary DNS record. This method is required for wildcard certificates and is useful when port 80 is blocked or the server is behind a firewall.
Requirements:
- API credentials for your DNS provider (see supported providers below)
- DNS credentials must be configured on the server before issuing
When you select DNS challenge, choose your DNS provider from the dropdown and enter the required API credentials.
Supported DNS providers
The following DNS providers are supported for DNS challenge validation:
Cloud Providers
Domain Registrars
Each provider requires specific API credentials. Enter your credentials when selecting DNS challenge mode during certificate issuance.
Renewing certificates
Let’s Encrypt certificates are valid for 90 days. QuickBox Pro handles renewal in two ways:
- Automatic renewal — A scheduled task checks for certificates approaching expiry and renews them automatically
- Manual renewal — Click the Renew button next to any certificate to trigger an immediate renewal
Plan ahead
Certificates that show an “expiring soon” status badge are within 30 days of expiry. While automatic renewal should handle these, you can manually renew at any time to be safe.
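An independent expiry check that mirrors the status badges, as an added example (not part of QuickBox Pro). It assumes the 30-day boundary is inclusive and reads the certificate the endpoint actually serves; the dates in the sample run are constructed.

```python
import socket
import ssl
import time

EXPIRING_SOON_DAYS = 30  # page's "expiring soon" window; inclusive here by assumption

def classify(not_after, now=None):
    """Map a notAfter string such as 'Mar 31 12:00:00 2025 GMT' to a badge."""
    now = time.time() if now is None else now
    days_left = (ssl.cert_time_to_seconds(not_after) - now) / 86400
    if days_left <= 0:
        return "expired", days_left
    if days_left <= EXPIRING_SOON_DAYS:
        return "expiring soon", days_left
    return "active", days_left

def check_host(host, port=443, timeout=5.0):
    """Fetch the certificate a live endpoint serves and classify it."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        # An expired or untrusted certificate fails the handshake before
        # getpeercert() can be read, so report the verifier's reason instead.
        return "verify failed: " + exc.verify_message, None
    except OSError as exc:
        return "unreachable: " + str(exc), None

if __name__ == "__main__":
    # Constructed sample dates, evaluated against a fixed "now" so the run is offline.
    fixed_now = ssl.cert_time_to_seconds("Mar  1 12:00:00 2025 GMT")
    for not_after in ("May 30 12:00:00 2025 GMT",
                      "Mar 31 12:00:00 2025 GMT",
                      "Feb 28 12:00:00 2025 GMT"):
        print(not_after, classify(not_after, fixed_now))
```

Run `check_host("example.com")` from a machine other than the server to confirm that a renewed certificate is the one being served.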
Removing certificates
To remove a certificate you no longer need, click the Remove button next to it in the certificate list and confirm the action. This removes the certificate files and associated nginx configuration.
Service impact
Removing an SSL certificate will cause the associated domain to stop serving HTTPS traffic. Make sure you have an alternative certificate in place or are prepared for the service to fall back to HTTP.
Progress tracking
Certificate operations (issue, renew, remove) run asynchronously on the server. When an operation is in progress, the dashboard shows a progress indicator with status updates. You can navigate away from the page and return later — the operation continues in the background.
CLI equivalent
SSL certificate management is also available from the command line:
| Dashboard Action | CLI Command |
|---|---|
| Issue certificate (HTTP) | `qb install lecert -d example.com` |
| Issue certificate (DNS) | `qb install lecert -d example.com --dns --dns-provider cloudflare` |
| Renew certificate | `qb renew lecert -d example.com` |
| Remove certificate | `qb remove lecert -d example.com` |
For full CLI options, see the Let’s Encrypt application documentation.
Best practices
Do
- Use DNS challenge for wildcard certificates or when your server is behind a firewall
- Use HTTP challenge for simple single-domain setups — it requires no API credentials
- Monitor the certificate list regularly for expiring certificates, even with automatic renewal enabled
- Keep your DNS provider API credentials secure and use the minimum required permissions
- Issue a certificate for the dashboard itself first so that admin logins and operations are encrypted in transit
Don't
- Don't let certificates expire — expired certificates cause browser security warnings that alarm your users
- Don't remove a certificate without understanding the impact on services using that domain
- Don't use HTTP challenge if port 80 is blocked by your hosting provider or firewall
- Don't share DNS API credentials with broad permissions — use scoped API tokens when your provider supports them
FAQ
*.example.com) require DNS-based validation because Let's Encrypt cannot verify wildcard domains through HTTP.