
[Resolved] Let's Encrypt - auto-renew with external primary DNS server?

vic666

New Pleskian
All the domains hosted on my Plesk server are managed through an external DNS server. As far as I understand, this setup is not compatible with automatically renewing certificates from Let's Encrypt because the Plesk server needs direct access to the DNS records. So, for this to work, Plesk needs to be the primary name server. Is that correct?

If yes, is there a way to easily transfer the existing DNS records over to Plesk without me having to type each record manually?
 
All the domains hosted on my Plesk server are managed through an external DNS server. As far as I understand, this setup is not compatible with automatically renewing certificates from Let's Encrypt because the Plesk server needs direct access to the DNS records. So, for this to work, Plesk needs to be the primary name server
All of our DNS is managed on external DNS servers too. Assuming you have configured both your Plesk & your external DNS properly, using external DNS servers is compatible with automatically renewing certificates from Let's Encrypt. Having said that, if they are *wildcard certificates from Let's Encrypt, then you'll need to renew those manually. They will not auto-renew, because of the DNS entry that is required for certificate verification purposes at each renewal. (Edit)
Is that correct?
See above, hence no, that is not correct.
If yes, is there a way to easily transfer the existing DNS records over to Plesk without me having to type each record manually?
See above again, but this is not needed.
 
Hi l_c, thanks for your reply.

Clearly, what you propose works; thank you for that. When I worked with the wildcard domain, I had to manipulate my DNS records and add a TXT record (_acme-challenge.example.com). This does not seem to be the case when I just secure the domain itself and the www subdomain; I'm not being asked to change anything in DNS. Can you confirm this is what you meant?

I'm just a bit confused with your statement that "two DNS entries are required for cert verification purposes". Which two entries are you referring to? It seems to me that it's just the one TXT record I mentioned.
 
When I worked with the wildcard domain, I had to manipulate my DNS records and add a TXT record (_acme-challenge.example.com). This does not seem to be the case when I just secure the domain itself and the www subdomain, I'm not being asked to change anything in DNS. Can you confirm this is what you meant?
Yes, that is exactly what was meant :)
....It seems to me that it's just the one TXT record I mentioned.
With only one domain on the *wildcard certificate, yes you're correct. It's only one TXT record for verification purposes.
If there is more than one domain and/or more levels of sub-domains say, the number of TXT records for verification purposes increases.
Sorry. Can see now that that wasn't made clear enough in the original post, so have corrected that for any future readers of this thread.
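A small pre-renewal check illustrating the point above, added here as an example and not code from this thread or from Plesk: for DNS-01 (wildcard) orders it works out which _acme-challenge names the CA will query and how many TXT records each must carry, then compares that against the external DNS. The resolver is injected, so the sample below runs against a constructed in-memory zone; swap in a real TXT lookup to check a live zone. Function and zone names are assumptions.

```python
"""Pre-renewal check for DNS-01 validation records (added example)."""
from collections import Counter


def challenge_names(identifiers):
    """Map certificate identifiers to the _acme-challenge names the CA queries.

    'example.com' and '*.example.com' share one challenge name but each
    needs its own TXT token, so the result counts records per name.
    """
    needed = Counter()
    for ident in identifiers:
        base = ident[2:] if ident.startswith("*.") else ident
        needed["_acme-challenge." + base.rstrip(".").lower()] += 1
    return needed


def check_txt_records(identifiers, resolve_txt):
    """Return {name: (required, found)} for every name that is short of records.

    resolve_txt(name) must return the list of TXT strings published at name.
    An empty dict means the external DNS has every record in place.
    """
    missing = {}
    for name, required in challenge_names(identifiers).items():
        found = len(resolve_txt(name))
        if found < required:
            missing[name] = (required, found)
    return missing


# Constructed sample zone standing in for the external DNS server.
SAMPLE_ZONE = {
    "_acme-challenge.example.com": ["tok-for-apex", "tok-for-wildcard"],
    "_acme-challenge.api.example.com": [],  # sub-zone record not yet added
}


def sample_resolver(name):
    """Stand-in for a real TXT lookup (e.g. via dnspython)."""
    return SAMPLE_ZONE.get(name, [])


if __name__ == "__main__":
    idents = ["example.com", "*.example.com", "*.api.example.com"]
    print(check_txt_records(idents, sample_resolver))
```

Certificates validated over HTTP-01 (the apex plus www case in the thread) need none of these records, so the check only applies to wildcard orders.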
 