Getting a valid SSL certificate used to require knowing whether your domain was behind a CDN, whether the server could answer an HTTP challenge, and whether your wildcard certificate would cover subdomains. Panelica handles all of that automatically.
Every domain and subdomain you add to Panelica can get a Let's Encrypt certificate in a single click. The panel handles the ACME challenge, installs the certificate, configures Nginx for HTTPS, and sets up automatic renewal. When a certificate is within 30 days of expiry, it is renewed in the background without any manual intervention.
To issue a certificate: open Domains > your domain > SSL and click Issue Certificate. That is the entire process for most domains.
If your domain's DNS is proxied through Cloudflare (the orange cloud), the standard HTTP-01 challenge does not work the way you might expect -- Cloudflare answers the challenge request from its own IP, not yours. Panelica detects this automatically by inspecting the domain's DNS records before attempting any challenge. When a Cloudflare proxy is detected, the panel switches to the appropriate validation path without prompting you to change anything.
Some scenarios -- wildcard certificates, domains that do not point to the panel server yet, or domains behind multiple proxies -- cannot use HTTP validation at all. For these, Panelica uses the DNS-01 challenge, which proves domain ownership by writing a temporary TXT record to the domain's DNS zone.
If the domain uses Panelica's built-in BIND DNS, the record is written and cleaned up automatically. If the domain uses Cloudflare DNS (connected via the Cloudflare integration), Panelica writes the challenge record via the Cloudflare API and removes it after verification. Either way, you do not need to touch DNS manually.
When you create a subdomain, it automatically inherits the parent domain's certificate. The subdomain gets HTTPS immediately, without a separate certificate request or additional configuration. In the panel's SSL view, inherited subdomains show an Inherited (parent) badge so the source is always clear.
If you need the subdomain to have its own certificate -- for example, if it resolves to a different server -- you can issue one independently in the same SSL section.
Every mail domain gets its own TLS certificate for SMTP and IMAP/POP3. Postfix and Dovecot use SNI to serve the correct certificate based on which domain the connecting client is accessing. This means your mail clients get a valid, domain-specific certificate rather than a generic server certificate with a hostname mismatch warning.
This is a separate feature in the same security area, but worth noting here. Panelica's country blocking now covers the full ISO 3166-1 list of 249 countries and territories. Earlier versions had an incomplete country list, which meant some regions could not be blocked by name. That gap is closed.
To configure: open Security > Country Blocking, select the countries to block, and apply. Blocking is enforced at the nftables firewall level, so it applies to all traffic (web, mail, FTP), not just HTTP.
- 1-click issuance -- Let's Encrypt certificate in a single click, auto-renewed.
- Cloudflare detection -- panel detects proxy status and picks the right validation path automatically.
- DNS-01 challenge -- for wildcards, pre-production domains, and multi-proxy setups.
- Subdomain inheritance -- new subdomains get HTTPS immediately with an inherited badge.
- Per-domain SNI mail SSL -- every mail domain gets its own valid certificate.
- Country blocking -- full 249-country ISO coverage in the firewall.
If your domain is not getting a certificate issued correctly, post a reply with the domain's DNS setup (proxied/direct, DNS provider) and the error message from the panel's SSL section. We can help diagnose it.
The Panelica Team
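For the DNS-01 path described above, this added example (not Panelica's code) derives the temporary TXT record an ACME client has to publish, following RFC 8555 section 8.4, and checks a zone for it. It covers the case where a certificate for both a domain and its wildcard needs two TXT values at the same record name. The tokens, the account thumbprint, `example.com` and the helper names are constructed for illustration.

```python
import base64
import hashlib


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def dns01_record(identifier: str, token: str, account_thumbprint: str) -> tuple[str, str]:
    """Return (record name, TXT value) for a DNS-01 challenge (RFC 8555, section 8.4)."""
    # A wildcard is validated at its base name: *.example.com -> example.com
    base = identifier[2:] if identifier.startswith("*.") else identifier
    name = "_acme-challenge." + base.rstrip(".").lower()
    # Key authorization = challenge token + "." + thumbprint of the ACME account key
    key_authorization = f"{token}.{account_thumbprint}"
    value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    return name, value


def missing_values(expected: list[tuple[str, str]],
                   zone_txt: dict[str, set[str]]) -> list[tuple[str, str]]:
    """List the expected (name, value) pairs that are absent from the observed TXT data."""
    return [(n, v) for n, v in expected if v not in zone_txt.get(n, set())]


# Constructed sample values (not real tokens or keys).
THUMBPRINT = b64url(hashlib.sha256(b"constructed-account-key").digest())
ORDER = [
    ("example.com", "constructed-token-for-base-name"),
    ("*.example.com", "constructed-token-for-wildcard"),
]
EXPECTED = [dns01_record(ident, tok, THUMBPRINT) for ident, tok in ORDER]

# Both challenges share one record name, so the zone must hold two TXT values at once.
ZONE_APPENDED = {EXPECTED[0][0]: {EXPECTED[0][1], EXPECTED[1][1]}}
# A DNS writer that replaces instead of appending leaves only the last value.
ZONE_OVERWRITTEN = {EXPECTED[1][0]: {EXPECTED[1][1]}}

if __name__ == "__main__":
    for name, value in EXPECTED:
        print(f'{name}. 300 IN TXT "{value}"')
    print("missing after append:   ", missing_values(EXPECTED, ZONE_APPENDED))
    print("missing after overwrite:", missing_values(EXPECTED, ZONE_OVERWRITTEN))
```

When a DNS-01 issuance fails, comparing the TXT values actually served at `_acme-challenge.<domain>` against the expected ones shows whether the record was never written, was overwritten, or has not propagated yet.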