diff --git a/README.md b/README.md index abeed5d..dcb6cf1 100644 --- a/README.md +++ b/README.md @@ -23,4 +23,25 @@ your Docker swarm box 4. `abra app deploy YOURAPPDOMAIN` +## Configuring wildcard SSL using DNS + +Automatic certificate generation will Just Work™ for most recipes which use a fixed +number of subdomains. For some recipes which need to work across arbitrary +subdomains, like +[`federatedwiki`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) and +[`go-ssb-room`](https://git.coopcloud.tech/coop-cloud/federatedwiki/), you'll +need to give Traefik access to your DNS provider so that it can carry out +Letsencrypt DNS challenges. + +1. Use Gandi or OVH for DNS 🤡 (support for other providers can be easily added, + see [the `lego` docs](https://go-acme.github.io/lego/dns/#dns-providers). +2. Run `abra app config YOURAPPDOMAIN` +3. Uncomment e.g. `ENABLE_GANDI` and the related `SECRET_.._VERSION` line, e.g. + `SECRET_GANDIV5_API_KEY_VERSION` +4. Generate an API key for your provider +5. Run `abra app secret insert YOURAPPDOMAIN SECRETNAME v1 SECRETVALUE`, where + `SECRETNAME` is from the compose file (e.g. `compose.gandi.yml`) e.g. + `gandiv5_api_key` and `SECRETVALUE` is the API key. +6. Redeploy Traefik, using e.g. `abra app deploy YOURAPPDOMAIN -f` + [`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra
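Review bot: The `go-ssb-room` link in the new intro paragraph points at https://git.coopcloud.tech/coop-cloud/federatedwiki/, the same URL as the `federatedwiki` link just before it, which looks like a copy-paste slip; point it at the go-ssb-room recipe repository instead. In step 1, the parenthesis opened before "support for other providers" is never closed after the `lego` docs link. Step 5 has the DNS provider API key typed as the `SECRETVALUE` argument of `abra app secret insert`, so it ends up in shell history and is visible in the process list while the command runs; if `abra` can take the value from stdin or a file, document that form here, otherwise add a line about keeping the command out of history. Step 4 would also benefit from saying the key should be limited to DNS record changes where the provider supports scoping, since Traefik holds it for as long as it is deployed.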