
Issue Could not issue/renew Let's Encrypt certificates

tanasis

Regular Pleskian
Server operating system version: AlmaLinux 8.6
Plesk version and microupdate number: 18.0.44
Hello,
I have some domains in Cloudflare.
The 1st SSL installation was OK.
The 1st renewal has a problem...
Please check the email I get....
 

Attachments

  • image1714.jpg
See the error message regarding the TXT record: You'll need to correct the ACME TXT record for the certificate in your nameserver. The correct TXT record can be seen in the SSL section of the "websites & domains" menu.
 
When you do not use the built-in nameserver in your host, your host cannot update the TXT record for your SSL wildcards. In that case you must update their TXT records manually every three months. As that has not been done, SSL fails to renew, because the TXT record does not match the token that the Let's Encrypt trust center expects to validate domain ownership.
 
This is a big problem. Think you have 200 websites in Cloudflare... You have to do this manually every 89 days!
 
Can't be helped; validation for wildcard domains requires the TXT record in DNS, as you have to prove more control over the host than with just a single domain.
Otherwise, with well-known only, you could generate a cert valid for subdomains outside of the scope belonging to you, so you have to prove that you could mess with their DNS anyway as to enable you to get certs for any subdomain possible.
 