
Input add external DNS APIs for Letsencrypt extension

johnrdorazio

I use Gandi.net's DNS service for most of my domains. I also use wildcard certificates issued by the Letsencrypt extension. However, the automatic update of the DNS records with the _acme-challenge only works if the DNS is handled within Plesk, if I understand correctly?

Gandi, as many DNS services do, has an API which makes it very easy to automatically update DNS records. It would be nice to integrate some of these APIs into the Letsencrypt extension for Plesk. Perhaps add for each domain, in the SSLit / Letsencrypt / SSL security area, a field for DNS service (from a list of known supported services) and a field for an API key which would allow Plesk to handle the record updates automatically; this would be a nice feature. Currently I am having to manually update the DNS records every month when Plesk starts the renewal process but is unable to complete it.
 
Hi @johnrdorazio - have you made it to deploy the script acme.sh client into your Plesk installations? I'm currently looking into solutions myself and it would be great if you could share your findings.

I would have to update the script for another DNS provider API but I would be more than happy to do that. The problem I see: How to get Plesk to use the script? Or in more detail, how can we grab the acme.challenge from Plesk when it renews the certs and trigger the script?

Cheers,
Manuel.
 
Another solution I've been looking into in the past was to use Plesk DNS solely for the acme.challenge, providing it as an additional nameserver via ns1.domain.tld... Has anybody done this solution?
 
Hello Manuel, so far what I have is a cron job that runs this:

Code:
# Issue the wildcard certificate via the Gandi LiveDNS API.
# The wildcard names are quoted so the shell cannot glob-expand them.
/usr/local/bin/acme.sh/acme.sh --issue --dns dns_gandi_livedns -d mydomain.com -d '*.mydomain.com' -d '*.subdomain.mydomain.com'

# Import the renewed files into Plesk. acme.sh writes the key, certificate,
# chain and CSR into the per-domain directory /root/.acme.sh/mydomain.com/.
plesk bin certificate --update "LetsEncrypt wildcard_mydomain.com" -domain mydomain.com -key-file /root/.acme.sh/mydomain.com/mydomain.com.key -cert-file /root/.acme.sh/mydomain.com/mydomain.com.cer -cacert-file /root/.acme.sh/mydomain.com/fullchain.cer -csr-file /root/.acme.sh/mydomain.com/mydomain.com.csr

plesk bin certificate --update "LetsEncrypt wildcard_mydomain.com" -domain subdomain.mydomain.com -key-file /root/.acme.sh/mydomain.com/mydomain.com.key -cert-file /root/.acme.sh/mydomain.com/mydomain.com.cer -cacert-file /root/.acme.sh/mydomain.com/fullchain.cer -csr-file /root/.acme.sh/mydomain.com/mydomain.com.csr

# Use the certificate for the subscription's mail services.
plesk bin subscription_settings --update mydomain.com -mail_certificate 'Lets Encrypt wildcard_mydomain.com'

I do this for each of the domains on my Plesk instance (though they don't all have fourth level domains like in the above example).
However I am now seeing that on one of my domains, the new certificate was not picked up by the 'webmail' subdomain for some reason.
I'm trying to investigate further.

UPDATE: I believe I see what happened: on that domain I had an older certificate with the same name, so when the script tried to update the certificate it was updating one but the server was serving the other for webmail (go figure!). In any case I was able to delete the old certificate from the Plesk interface and everything started working right.
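
A pre-import check that a cron job like the one above could run between the acme.sh step and `plesk bin certificate --update`, as an added example that is not part of the original thread. The helper name `preflight_cert`, its return codes and the 7-day threshold are assumptions, and it needs `openssl` on the PATH.

```bash
# Added example, not from the thread. preflight_cert is a hypothetical helper;
# the file layout (<dir>/<domain>.key, <domain>.cer, fullchain.cer) is the
# acme.sh default used in the post above.
# Return codes: 0 ok, 2 file missing/empty, 3 key readable by group/others,
# 4 key does not match certificate, 5 wildcard name not in certificate,
# 6 certificate expires within 7 days.
preflight_cert() {
    local dir="$1" domain="$2" f perms kpub cpub
    local key="$dir/$domain.key" cer="$dir/$domain.cer"

    for f in "$key" "$cer" "$dir/fullchain.cer"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 2; }
    done

    # Group and other permission bits of the private key must all be clear.
    perms=$(ls -ld "$key" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "key is readable by group/others" >&2; return 3; }

    # The certificate must carry the public half of this private key.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 4
    cpub=$(openssl x509 -in "$cer" -noout -pubkey 2>/dev/null) || return 4
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ] || { echo "key/cert mismatch" >&2; return 4; }

    # The wildcard requested with -d '*.domain' must be among the SANs.
    openssl x509 -in "$cer" -noout -text | grep -qF "DNS:*.$domain" \
        || { echo "no wildcard SAN for $domain" >&2; return 5; }

    # Refuse a certificate that is expired or about to expire.
    openssl x509 -in "$cer" -noout -checkend $((7 * 24 * 3600)) >/dev/null \
        || { echo "certificate expires within 7 days" >&2; return 6; }
}

# In the cron job, run the Plesk import only when the checks pass, e.g.:
#   preflight_cert /root/.acme.sh/mydomain.com mydomain.com || exit 1
```

A non-zero return leaves the certificate Plesk is currently serving untouched, so a failed or partial renewal is caught before the import rather than after.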
 