Question ACME SSL: How to configure DNS-01 with external DNS provider?

Azurel

Silver Pleskian
Server operating system version: AlmaLinux 8.10
Plesk version and microupdate number: 18.0.78
Hi,

I installed the new ACME SSL extension (ACME SSL extension - Plesk) because I need wildcard certificates. However, I'm confused about how the extension actually works. The configuration UI only shows three fields:
- ACME Directory URL (required)
- EAB Key ID (optional)
- EAB HMAC Key (optional)

Where do I configure my DNS provider for DNS-01 challenges? My DNS is hosted externally at Artfiles, and they do have a DNS API. In fact, Artfiles is already listed as a supported provider in the lego DNS library (DNS Providers :: ACME client and library written in Go. or acme.sh/dnsapi at master · acmesh-official/acme.sh), which many ACME tools use internally. So the API integration exists but I can't find any way to configure it in the Plesk ACME SSL extension.
 
Thank you for the question, @Azurel . I consulted with our team on that matter and ACME SSL/SSL It! does not come with built-in DNS API integration intended for updating DNS records in external zones. The ACME/SSL It! flow can automatically add the required _acme-challenge TXT record only when the domain’s DNS is handled by Plesk itself or by a third-party DNS service that could be synced with Plesk. If Plesk is not synchronized with Artfiles, the TXT record will not be pushed, and validation will fail.
In order to automatically issue wildcard SSLs, you need either local DNS management or a Plesk integration that can talk to Artfiles’ DNS API directly. In other words, ACME handles certificate issuing, but the DNS API integration is separate.
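As an added example (not Plesk's or the ACME SSL extension's own code), the following shows what the ACME server actually checks in a DNS-01 validation (RFC 8555 section 8.4): the TXT value at `_acme-challenge.<domain>` must equal base64url(SHA-256(token "." account-key-thumbprint)). An admin with an external provider such as Artfiles can run this against a resolver's TXT answer to confirm the record was pushed before validation is attempted. The account key, token and resolver output below are constructed sample data.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    # Base64url without padding, as ACME requires everywhere.
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: SHA-256 over the required public members only, keys in
    # lexicographic order, serialised with no whitespace.
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())

def dns01_txt_value(token: str, jwk: dict) -> str:
    # RFC 8555 s8.4: TXT value = base64url(SHA-256(keyAuthorization)),
    # where keyAuthorization = token "." thumbprint(accountKey).
    key_authz = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authz.encode()).digest())

def challenge_name(domain: str) -> str:
    # A wildcard and its base name validate at the same _acme-challenge label.
    return "_acme-challenge." + domain.lstrip("*.").rstrip(".") + "."

def record_is_published(domain: str, token: str, jwk: dict, txt_records: dict) -> bool:
    """txt_records: {owner_name: [txt strings]} as fetched from a resolver."""
    expected = dns01_txt_value(token, jwk)
    return expected in txt_records.get(challenge_name(domain), [])

# Constructed sample input: a well-formed but made-up EC P-256 account
# public key, a challenge token, and a resolver answer for the zone.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_RECORDS = {
    "_acme-challenge.example.com.": [
        dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK),  # the pushed record
        "stale-value-from-a-previous-renewal",      # leftover, harmless
    ],
}

if __name__ == "__main__":
    ok = record_is_published("*.example.com", SAMPLE_TOKEN, SAMPLE_JWK, SAMPLE_RECORDS)
    print("DNS-01 TXT record published:", ok)
```

If the record is missing from the provider's answer, the function returns False, which is exactly the situation the reply above describes when Plesk is not synchronised with the external zone.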
 
Thank you for the clarification. That's unfortunate – I assumed DNS-01 support would include external DNS providers via their APIs, since that's essentially the main use case for it (so I think). Without that, the extension isn't really usable for anyone whose DNS isn't managed by Plesk itself.

Is there a feature request I can vote on?
 
I've submitted a feature request:
ACME SSL Extension: Add DNS API integration for external DNS providers (DNS-01 / wildcard certificates)

The ACME SSL extension currently only supports DNS-01 challenges when DNS is managed by Plesk itself. This makes wildcard certificate issuance impossible for anyone using an external DNS provider.

Please add DNS provider API integration to the extension, similar to what the lego library already supports (100+ providers: DNS Providers :: ACME client and library written in Go.). This would allow users to enter their DNS provider API credentials directly in the extension and have Plesk handle the _acme-challenge TXT record automatically.

Without this, the extension is not usable for the most common wildcard certificate use case.

See Question - ACME SSL: How to configure DNS-01 with external DNS provider?

One side note: the features.plesk.com platform is rather frustrating to use. You can log in and submit requests, but there is no overview of your own submitted requests, no status updates, and no email notifications whatsoever – not even when a request gets rejected. It's hard to tell whether submissions are actually reviewed at all. Maybe that's worth looking into as well.
 
Thank you for the feedback. Currently, the workflow is the following - when you open a request, there should be a notification sent for confirmation of your email address and the successful submission. At this point, all requests are internally evaluated. If a request is proposed for user demand evaluation, it is placed in the "Under Consideration" tab or if it is approved for implementation under the "Public Roadmap" tab - in each case, you receive an additional update. If a request is rejected or there are certainly no plans for implementation I follow up through a support ticket to inform the user. I don't believe there's a built-in feature to get the status of all ideas you submitted, but if you provide me with your email in a private message, I can collect that information for you.
 