
Issue Can't use Let's Encrypt at the same time as DNSSEC

Alakide

New Pleskian
Hello,

I am writing here because for some reason my license appears as invalid on the PLESK support page and I cannot write a ticket there.

Some months ago I have detected a problem that could be serious and I don't know if it happens to all of you.

The problem is that if DNSSEC is activated in a domain, Let's Encrypt stops working, so in order to renew the SSL certificates I have to deactivate DNSSEC, renew the SSL certificate and then activate DNSSEC again for each domain.

This is a big problem when you have 50-100+ domains on a server. I was wondering if somebody has detected this issue and if you can help me to resolve it.

Best Regards
Emmanuel Delgado
 
@Alakide You have no forum signature, so your experience / setup etc may be very different from ours but... FWIW:
We have Normal and/or *WildCard and/or Multi-Domain *Wildcard Let's Encrypt SSL Certificates (RSA and/or ECDSA) on all the domains that we host, which all have DNS CAA / DNSSEC / TLSA (DANE) too but... We use acme.sh via CLI to issue / renew these certificates via the provided API to our IONOS Cloud Servers. To date, DNSSEC (provided by IONOS) has never created the issues that you're having i.e. Let's Encrypt renewal failures, so it's pretty unlikely that the issue is actually DNSSEC itself. Maybe? you're using the Plesk DNSSEC Extension (not an external source), so it's a small server internal-misconfig somewhere?
 
Thank you very much for your answer.
Actually I'm using the Plesk DNSSEC Extension as I don't really know how to issue this signature by another method. I'm also using full Wildcard Let's Encrypt SSL for all domains. Indeed I'm pretty sure that the Plesk DNSSEC Extension is the one that has a problem. Any idea?

Regards
 
I'm using the Plesk DNSSEC Extension as I don't really know how to issue this signature by another method.
There's lots of different ways to apply DNSSEC depending... on all of your other criteria e.g. Plesk or External Controlled DNS / Hosting setups etc
You've added a forum signature now, so you can see that we actually have pretty similar basic setups, but still not sure how you're hosting that?
VPS? Cloud or Dedicated Server? A.N.Other hosting arrangement?
Never used the Plesk DNSSEC Extension to be fair, so you would need to raise a Plesk Service Ticket IF it does finally come down just to that extension setup
I'm also using full Wildcard Let's Encrypt SSL for all domains. Indeed I'm pretty sure that the Plesk DNSSEC Extension is the one that has a problem. Any idea?
If you have Plesk controlled DNS, then auto-renewing *wildcard Let's Encrypt certificates should be very simple.
If the above is correct, then you'll only be using Plesk extensions to do that - presumably?

Without disabling the Plesk DNSSEC Extension, have you tried renewing a wildcard Let's Encrypt certificate manually, without using the Plesk Extensions?
e.g. via CLI with acme.sh or any other external SSL - CLI application? That would kind of prove your source of conflict but with minimal work, wouldn't it?
 
Thank you,

Yes, I've added my signature :)

Well, I'm hosting this in a VPS provided by IONOS. The server has these features:
- Intel(R) Xeon(R) CPU E5-2660 v4 @ 2.00GHz (6 core(s))
- 12 GB RAM
- 240 GB SSD

If you have Plesk controlled DNS, then auto-renewing *wildcard Let's Encrypt certificates should be very simple.
If the above is correct, then you'll only be using Plesk extensions to do that - presumably?
Yes, I'm using the Plesk Let's Encrypt auto-renewing tool and works fine as long as Plesk DNSSEC is not turned on. If DNSSEC is turned on then Let's Encrypt sends a 400 error on whatever domain it tries to issue.

Never used the Plesk DNSSEC Extension to be fair, so you would need to raise a Plesk Service Ticket IF it does finally come down just to that extension setup.
I can't reach Plesk support because when I open a ticket my license appears as invalid and I just can't send the ticket.

Let me see if I can issue Let's Encrypt via terminal (certbot) although it is not ideal when you have more than 100 domains for the time it takes to issue.

I'll share my result.
Regards.
 
I can't reach Plesk support because when I open a ticket my license appears as invalid and I just can't send the ticket.
The post by @IgorG details how to do this, yet for whatever reason, lots of people have never seen it etc but it works perfectly!
Let me see if I can issue Let's Encrypt via terminal (certbot) although it is not ideal when you have more than 100 domains for the time it takes to issue.
Yes, Certbot or Acme.SH or A.N.Other. You're only testing this on just one domain, though, NOT on ALL of your domains... so it will take less than a few minutes to run the whole process on one domain and give you the result aka the missing answer!

FWIW IONOS run their own DNSSEC and you can apply TLSA DANE Records too (via IONOS) in order to complete the whole picture. All of those things work perfectly for us but, we use IONOS Cloud Servers, so you might have a lot more limitations with IONOS VPS. You'd need to double-check.
 
If LetsEncrypt does not work with DNSSEC enabled domains, you most likely (99%+ chance) have an invalid DNS configuration. (that may or may not affect "normal" DNS services)

- what status does a "dig caa yourdomain.tld" query return? If it's SERVFAIL instead of NOERROR, then you have a DNS problem
- what does a https://dnssec-analyzer.verisignlabs.com/ check find, if you test one of your domains? (with enabled DNSSEC)
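The `dig caa` check above is the one a CA's validating resolver effectively performs before issuance: a zone whose DNSSEC chain does not validate answers SERVFAIL, so the CAA lookup fails and issuance is refused. As an added example (not code from the thread), this Python script parses `dig +dnssec CAA` output, reports the rcode and AD flag, and applies the CAA issue/issuewild rule; the two dig outputs and the domain example.test are constructed samples.

```python
import re
import subprocess

# Constructed sample dig outputs (example.test is not a real zone):
# a validated zone with CAA records, and a zone whose DNSSEC chain is broken.
DIG_OK = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4321
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.test.\t3600\tIN\tCAA\t0 issue "letsencrypt.org"
example.test.\t3600\tIN\tCAA\t0 issuewild "example-ca.test; validationmethods=dns-01"
example.test.\t3600\tIN\tRRSIG\tCAA 13 2 3600 20250101000000 20241201000000 12345 example.test. AbCd==
"""
DIG_SERVFAIL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 8765
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""


def run_dig(name, rrtype="CAA"):
    """Query the system resolver with +dnssec (needs dig and network; the samples above do not)."""
    return subprocess.run(["dig", "+dnssec", rrtype, name],
                          capture_output=True, text=True, check=False).stdout


def parse_dig(output):
    """Extract the rcode, the AD (authenticated data) flag and CAA issue/issuewild values."""
    rcode = re.search(r"status: (\w+)", output)
    flags = re.search(r";; flags: ([^;]*);", output)
    records = re.findall(r'\sCAA\s+\d+\s+(issuewild|issue)\s+"([^"]*)"', output)
    return {
        "status": rcode.group(1) if rcode else "UNKNOWN",
        "ad": "ad" in (flags.group(1).split() if flags else []),
        # keep only the CA domain; drop parameters such as validationmethods=...
        "caa": [(tag, val.split(";")[0].strip().lower()) for tag, val in records],
    }


def issuance_check(output, ca="letsencrypt.org", wildcard=False):
    """Decide whether `ca` may issue for the queried name (RFC 8659 rule, this name only;
    a real CA also climbs to parent labels when the name itself has no CAA set)."""
    info = parse_dig(output)
    if info["status"] != "NOERROR":
        return {"allowed": False, "reason": f"lookup failed ({info['status']}): fix DNS/DNSSEC first"}
    tags = {t for t, _ in info["caa"]}
    if not tags:
        return {"allowed": True, "reason": "no CAA records: any CA may issue"}
    # issuewild governs wildcard names only when such a record exists; otherwise issue applies
    tag = "issuewild" if wildcard and "issuewild" in tags else "issue"
    allowed = any(t == tag and v == ca for t, v in info["caa"])
    verdict = "include" if allowed else "exclude"
    return {"allowed": allowed, "dnssec_validated": info["ad"],
            "reason": f"{tag} records {verdict} {ca}"}
```

Run it against a live zone with `issuance_check(run_dig("yourdomain.tld"), wildcard=True)`; a SERVFAIL verdict means the resolver, not Let's Encrypt, is rejecting the zone.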
 
- what status does a "dig caa yourdomain.tld" query return? If it's SERVFAIL instead of NOERROR, then you have a DNS problem
The addition of a CAA record that confirms Let's Encrypt (and any other CA that you may choose) is a valid CA for the SSL Certificate(s) that you have issued on each of your domains is a simple task. All of our domains have CAA records that were added via the IONOS DNS panel. Yours @Alakide should be / will be... within your Plesk DNS setup. FWIW A simplified clear explanation of DNS CAA records is shown here: What is DNS CAA and how to Validate and Implement ?

If you have no CAA record on any of your domains, then you could / should have already seen this, on your previous DNS tests. However, that ^ CLI test from @ChristophRo is both fast & more specific for you now. The other test mentioned earlier: "...Without disabling the Plesk DNSSEC Extension, have you tried renewing a wildcard Let's Encrypt certificate manually, without using the Plesk Extensions? e.g. via CLI with acme.sh or any other external SSL - CLI application?..." will also lead you back to a DNSSEC/CAA/DNS issue too, whilst proving that the Plesk DNSSEC Extension is not at fault at the same time.
- what does a https://dnssec-analyzer.verisignlabs.com/ check find, if you test one of your domains? (with enabled DNSSEC)
That's ^ a good one and there's lots more DNSSEC online test sites, some that have areas of specific focus e.g. security on this one: https://dnsviz.net/
Plus, if you are going to use TLSA records, there's DNSSEC & DANE test sites, plus DNSSEC & DANE test sites that will test different ports & protocols too.
 