• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx

  • We are developing a new feature in Plesk that will help you promote your websites or business on social media. We want to conduct a one-hour online UX test to present the prototype and collect feedback. If you are interested in the feature, please book a meeting via this link.
    Thank you in advance!
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Issue Force Let'sEncrypt extension to use DNS-01 authentication when issuing a new certificate

Would you like, as a Plesk owner / administrator, to have more control over the SSL extensions?

  • Yes, please I need this

    Votes: 10 100.0%
  • Maybe, it would be nice tho

    Votes: 0 0.0%
  • Don't care, I wouldn't use it

    Votes: 0 0.0%
  • No, they're perfectly fine as they are

    Votes: 0 0.0%

  • Total voters
    10

bryanpedini

New Pleskian
Issue - Feature request - Annoyance - Large number of customers and broad audience

UPDATE 1: added additional reference.

I am an employee of a company that uses Plesk as their hosting management panel; and I have a private account on the same server.
However, being an IT professional (and because I need to host applications Plesk doesn't support, like custom services, Golang executables and Python Flask web services), I decided to get a VPS and host only my emails and the DNS zones on Plesk (so much easier to manage with the APIs instead of editing named zones by hand).

However securing my domains has become impractical. On my VPS I've created all sorts of automatic scripts to use HTTP-01 authentication all on the same subfolder and stuff and it works perfectly fine; however, it seems that issuing a wildcard certificate on Plesk (which we all know and remember a wildcard can be issued ONLY using DNS-01 authentication), still spits out the error "your website on Plesk has this IP but the DNS used for the challenges was this", which should not appear in the first place.
This means one and only one thing: the Let's Encrypt extension uses HTTP-01 to validate the root domain, and DNS-01 to validate the wildcard certificate for all the subdomains.

Answer that fixes all the problem: a simple volountary checkbox on the Let's Encrypt panel for issuing / renewing certificates that forces DNS-01 authentication, then you have two DNS records for `_acme-challenge.example.com` and automatic renewals works fine on the VPS with HTTP-01 and the same thing goes fine for Plesk with DNS-01.
It shouldn't be both hard nor time consuming for an update like this; yet it could save hours and hours of work of us, the IT professionals that get asked once or twice a year to host emails on one server and the website on the other, and everytime we scream to God and ask ourselves why we accepted the job only to have to say "no, the system can't do that" to the customers who then turn away and never look back at us an possibly spread a bad word.
Yes, worst case scenario, all solvable with a simple checkbox. That's the message I'm trying to spread here!



References:
Let's Encrypt extension
Question - Creating SSL Certificate using Let's Encrypt for mail-only domain
Question - Let's Encrypt (wildcard) certificate for mail-only domain ("solved" with https://support.plesk.com/hc/en-us/articles/360010008800, which is not actually a solution but rather a workaround that has to be done at every renewal)
Use "Let's encrypt" to secure IMAP/POP/SMTP connections
Cannot issue wildcard Let's Encrypt certificate in Plesk [...]

Wouldn't it be nice to have "more control" over the Let's Encrypt extension (or the SSL It!, same problem exists), and try to solve the majority of these issues with a simple checkbox that costs a couple of man hours to write the code for?

Thank you all for the time and consideration;
Bryan.
 
Last edited:
yes please, I can't issue a wild cert now on Obsedian because Plesk do use http challenge only and I tried editing panel.ini so to use DNS challenge and it didn't work for 2 hours, what should we do to even manually solve this problem? the web site is hosted on a server and mail and webmail is hosted on another Plesk server, what should we do to issue Let's encrypt SSL.
 
So, two years later and still no solution?

We see so many customers switching to Wix (and similar) for their website but still want to use our service for email.
But good luck with that, as they can no longer use it in a secure way* and it causes so many headaches on our and the customers side...

* as a workaround we
a) switch/force customers to use the plesk servers name for incoming/outgoing mail
b) use a custom roundcube webmail url
c) fiddle around with the plesk templates to have the http://webmail.domain.tld vhost automatically redirect to https://our-custom-roundcube-url
 
So agree...
Please don't see below as criticism, but as constructive criticism. :)

Some while back a few surveys asked if we thought separating out website and email hosting would be a good idea. Was I happy to read that. Seems not many others thought so, though.

I actually had compiled a long doc about all the advantages of that... but each time i started to post it I thought, naahh, and deleted it again. Have by now deleted that doc completely.

Part of that was:
Instead of having one security cert, have two. One purely for website related stuff. Secure maindomain.com and ftp.maindomain.com for example [FTP still isn't secured at all although it is part of the default DNS template], and use the separate second one purely for mail related stuff. Secure mail.maindomain.com and webmail.maindomain.com
This separation of main / ftp.main and mail.main / webmail.main would be the {near-}perfect solution for above problem. You simply don't have/use the website hosting one, only the email one.
Vice versa, for those only doing website, they won't need the email one at all.
Those that do website and email will have two separate security certs. One for hosting, one for mail related.

And if I may - just my personal opinion - by switching the mail related stuff away from maindomain.com to it's own mail.maindomain.com [as is standard for many other things] you don't have this above hassle that when the website is on WIX etc, you can't use the autodiscover, and an automated email setup at all as you have to use an MX entry for the server instead of for maindomain.com .

Anyway, I have to agree with above poster. Just my two pennys worth of thought. Am aware that having that separation and having two certs comes with its own downsides. ;)
 
Back
Top