
Issue Auto renew of wildcard cert. fails because Plesk doesn't apply DNS template changes

andreios

Regular Pleskian
Server operating system version: Ubuntu 20.04.4 LTS
Plesk version and microupdate number: Plesk Obsidian Version 18.0.42 Update #1
For some weeks I have been using wildcard Let's Encrypt certs. on many of my domains.
It's the second time I get a mail stating that the cert. couldn't be renewed.
Could not issue/renew Let`s Encrypt certificates
Could not secure domains of (login admin) with Let`s Encrypt certificates. Please log in to Plesk and secure the domains listed below manually.
Securing of the following domains has failed:

<none>

The following domains have been secured without some of their Subject Alternative Names:

<none>

Could not renew Let`s Encrypt certificates (login admin). Please log in to Plesk and renew the certificates listed below manually.
Renewal of the following Let`s Encrypt certificates has failed:

** 'Lets Encrypt example.com' [days to expire: 29] **
[-] *.example.com
[-] example.com

Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/103951403097.
Details:
Type: urn:ietf:params:acme:error:unauthorized
Status: 403
Detail: Incorrect TXT record "WEIx9l06o8le8DR_VO60aif_V8UwOcEx7O5-LjFkAas" found at _acme-challenge.example.com

When I check the DNS settings of this domain there is a warning that the template has changed but the changes are not yet applied and I should do it now.
So the acme challenge couldn't be verified automatically.
After applying the DNS template I can click 'reload' in the SSL settings and the cert. is renewed.
 
Hello @andreios,

The message
Warning: The DNS zone was modified. If you would like to apply changes in the DNS template to this zone, either click the 'Apply DNS Template Changes' button on this page or go to the Server Administration Panel > Tools & Settings > DNS Template Settings > Apply DNS Template Changes and choose the 'Apply the changes to all zones' option
pointed your attention to the fact that a record _acme-challenge.<domain_name> was added for your domain, which is not a part of the global DNS template.
So if you want such records to be created automatically for each domain, you should update your global DNS template settings.

As for the fact that the certificate could not be renewed, I guess it is due to TTL.

Also, please make sure that you've updated the Let's Encrypt and SSL It! extensions to the latest versions.

I was not able to reproduce the problem in my test environment, sorry.
 
The DNS template should have been automatically applied. That's the issue. Tell me how a wildcard certificate could be automatically renewed if the DNS template is not automatically updated? Why should I add an _acme-challenge line to the global template? Are you telling me that only if I do so the template will be updated automatically? Even then I would consider this a bug.

How should you reproduce this in a test environment when the automatic renewal process needs months before it is triggered?
 
@andreios,

When you update the value of the TXT record _acme-challenge.<domain>, it is added and applied,
and you do not need to modify the global DNS template.

This warning points your attention to the fact that there is no TXT _acme-challenge.<domain> in the global DNS template.
This means that when you create another domain, no record _acme-challenge.<domain1> will be created for it automatically right after domain creation.

For a certificate renewal later than 30 days since the last time, this record will be updated, not created from scratch.
But when this value is updated, it will not be propagated to the public DNS servers right away, but after some time (TTL settings, which can be set globally for Plesk or for exactly this domain).

So our SSL It! plugin is going to update the value of the _acme-challenge.<domain1> record, and you can verify it by
executing the command
Code:
nslookup _acme-challenge.<domain1> <IP_address_of_your_plesk_server>
but it does not mean that Let's Encrypt servers will see those changes at the same time.
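The nslookup check above, and the stale-value failure in the original post ("Incorrect TXT record ... found at _acme-challenge.example.com"), can be scripted so the check is made before a renewal is triggered rather than after it fails. The following is an added example written for this thread, not code from Plesk, SSL It! or any poster: it builds a raw DNS TXT query with the standard library only, sends it to one chosen nameserver (for instance the Plesk server's IP, bypassing resolver caches), parses the answer, and classifies the served value as ok, stale or missing relative to the token the CA expects. The stale token is the one quoted in the failure mail; CURRENT_TOKEN and the packet built by build_sample_response are constructed for the offline demonstration.

```python
# Added example for this thread (not Plesk/SSL It! code): verify the DNS-01 challenge
# TXT record at _acme-challenge.<domain> on a given nameserver with a raw UDP query.
import secrets
import socket
import struct

TXT_TYPE = 16   # DNS RR type TXT
IN_CLASS = 1    # DNS class IN

# Stale token from the renewal failure mail quoted in this thread; CURRENT_TOKEN is a
# constructed placeholder standing in for whatever value SSL It! writes next.
STALE_TOKEN = "WEIx9l06o8le8DR_VO60aif_V8UwOcEx7O5-LjFkAas"
CURRENT_TOKEN = "constructed-new-challenge-token-for-demo-only"


def encode_name(name):
    """Encode a dotted name into DNS label format (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_txt_query(name, txid):
    """Build a recursion-desired TXT/IN query for `name` with transaction id `txid`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TXT_TYPE, IN_CLASS)


def _skip_name(data, offset):
    """Return the offset just past a (possibly compressed) name starting at `offset`."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_txt_response(data, txid):
    """Return the TXT strings in the answer section; raise on id mismatch or DNS error."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (not our answer)")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError("DNS error, rcode=%d" % rcode)
    offset = 12
    for _ in range(qdcount):               # skip question entries: name + type + class
        offset = _skip_name(data, offset) + 4
    values = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, _, _, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype != TXT_TYPE:
            continue
        # TXT RDATA is one or more <len><chars> strings; they are concatenated
        pos, chunks = 0, []
        while pos < len(rdata):
            n = rdata[pos]
            chunks.append(rdata[pos + 1:pos + 1 + n].decode("ascii", "replace"))
            pos += 1 + n
        values.append("".join(chunks))
    return values


def challenge_status(found, expected):
    """Classify what the nameserver serves relative to the token the CA expects."""
    if expected in found:
        return "ok"
    return "missing" if not found else "stale"


def query_txt(name, nameserver, timeout=3.0):
    """Live lookup against one nameserver (e.g. the Plesk server IP), bypassing caches."""
    txid = secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_txt_query(name, txid), (nameserver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_txt_response(data, txid)


def build_sample_response(txid, name, txt_values):
    """Constructed answer packet (what a server would return), for the offline demo."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(txt_values), 0, 0)
    question = encode_name(name) + struct.pack("!HH", TXT_TYPE, IN_CLASS)
    answers = b""
    for value in txt_values:
        rdata = bytes([len(value)]) + value.encode("ascii")
        # 0xC00C is a compression pointer to the name in the question section
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TXT_TYPE, IN_CLASS, 300, len(rdata)) + rdata
    return header + question + answers


if __name__ == "__main__":
    # Offline demo of the thread's failure: the zone still serves the old token.
    pkt = build_sample_response(0x1234, "_acme-challenge.example.com", [STALE_TOKEN])
    served = parse_txt_response(pkt, 0x1234)
    print("served:", served, "->", challenge_status(served, CURRENT_TOKEN))
    # Live use: challenge_status(query_txt("_acme-challenge.example.com",
    #                                      "<IP_address_of_your_plesk_server>"), CURRENT_TOKEN)
```

Querying the Plesk server directly shows what the zone holds right now; querying a public resolver afterwards shows what the CA is likely to see once the old TTL has expired, so a "stale" result from the first and "ok" from the second points at propagation, while "stale" from both points at the zone not having been updated at all, which is the case described in this thread.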
 
I don't know why you are telling me all this. It's not related to my issue.

- A Let's Encrypt wildcard certificate needs a DNS TXT record to be verified.
- I have many domains with a wildcard certificate, all of them have the setting set to renew automatically.
- Some of them send me an error message because they couldn't renew.
- They haven't updated the DNS template, but this is necessary because the acme-challenge TXT changes every time!
- TTL is completely unrelated to this because I don't update anything manually; it is and should be an automatic process. Also, how is TTL related to this when the template is not updated at all?
 
@andreios,

I understand that some of your domains are not able to renew LE certificates due to a wrong/not updated TXT record _acme-challenge.
The information about TTL settings and the global DNS template was provided for reference, to describe how it should work in general,
because I don't know your technical experience level.

Would you be so kind as to file a report at Reports
and describe in detail the steps how we can reproduce your problem?

It would be a better way than the forum in this case, because at first look everything should work, but it does not,
and we can't reproduce this problem (yes, I remember that in real life LE certificates expire in 3 months).
 
I cannot tell much more about this issue, but I will probably fill in the form when I have the time.
This issue could be hard to reproduce because it seems to happen occasionally.

But even when you manually create a wildcard certificate the first time, the DNS template is not applied automatically. I don't know why, because this should happen. This is an issue in itself.
 