• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Issue [Let's Encrypt] Cannot renew the certs of wildcard domains which DNS are managed by CloudFlare.

Brownsugar

Brownsugar

New Pleskian
This problem has affected me for a long time.
I have some domains that use the DNS managed by CloudFlare, so Let's Encrypt extension can't modify the TXT record when renewing the wildcard certs.
Any solution for this? Thanks.
 
Last edited:
Brownsugar said:
This problem has affected me for a long time.
I have some domains that use the DNS managed by CloudFlare, so Let's Encrypt extension can't modify the TXT record when renewing the wildcard certs.
Any solution for this? Thanks.
Click to expand...
Some Plesk services cannot work if DNS is not managed locally, like the local mail system with SpamAssassin, etc...

For Let's Encrypt there is a setting to switch from ACME protocol version 2 back to version 1 (Documented here: Managing Let’s Encrypt Settings at the end of the page).

Basically you can set "acme-protocol-version" to "acme-v01" in panel.ini and Let's Encrypt will use the old challenge that uses a file in a vhost directory instead a TXT value in the DNS.

Unfortunately ACME v1 does not support wildcard domains. But maybe it could be a workaround for your situation.


Until a few months ago was possible to use Plesk Let's Encrypt with wildcard support (ACME v2) and CloudFlare via the so called CNAME flattening, but then CloudFlare decided to remove the CNAME flattening from free accounts, forcing users to use CloudFlare DNS instead the local one with CNAME to cache only the "www" or other subdomain.
 
When you create an NS-record for acme-challenge.<domain> which you point to the Plesk server then Plesk is able to change the TXT-record for that domain.

I have no Cloudflare, but I do have a separate DNS-server for all my domains and have this setup working for a year now.
You do need to run Plesk's DNS service on the webserver, though.
It then only manages the acme-challenge.<domain>.

I don't know how Letsencrypt handles the A-record not pointing to the Plesk-server. Maybe it doesn't check for that when using Cloudflare.

Question - Wildcard SSL Certificates with DNS API how?!

Hello, since Plesk cannot use Wildcard SSL certs via Webinterface WITHOUT using own nameserver , I need a solution... I can generate valide wildcard certs with acme.sh and an external nameserver which supports dns api. But the renewal is a pain in the ***... I have to assign the new cert to...
talk.plesk.com talk.plesk.com
 
Last edited:
mr-wolf said:
When you create an NS-record for acme-challenge.<domain> which you point to the Plesk server then Plesk is able to change the TXT-record for that domain.

I have no Cloudflare, but I do have a separate DNS-server for all my domains and have this setup working for a year now.
You do need to run Plesk's DNS service on the webserver, though.
It then only manages the acme-challenge.<domain>.

I don't know how Letsencrypt handles the A-record not pointing to the Plesk-server. Maybe it doesn't check for that when using Cloudflare.

Question - Wildcard SSL Certificates with DNS API how?!

Hello, since Plesk cannot use Wildcard SSL certs via Webinterface WITHOUT using own nameserver , I need a solution... I can generate valide wildcard certs with acme.sh and an external nameserver which supports dns api. But the renewal is a pain in the ***... I have to assign the new cert to...
talk.plesk.com talk.plesk.com
Click to expand...

This works. This should be noted in the extension description.

Just add a NS record in CloudFlare (remember to delete existing "_acme-challenge" TXT record first), then solve the problem.
1627526395244.png
 
mr-wolf said:
I don't know how Letsencrypt handles the A-record not pointing to the Plesk-server. Maybe it doesn't check for that when using Cloudflare.
Click to expand...
It doesn't need to check the host when using dns-based verification. Control of DNS trumps control of host when it comes to proving ownership of the domain.
 
You must log in or register to reply here.

Similar threads

M
Issue Let's Encrypt Bulk Domain Renewal
Replies
4
Views
452
MacGyver
M
C
Question Plesk with Cloudflare Proxy DNS Records and Letsencrypt..
Replies
0
Views
947
cpulove
C
sweetp
Question SSL renewed/created hook?
Replies
2
Views
338
sweetp
sweetp
C
Question How can I secure my Mail with Letsencrypt next to Cloudflares Origin Certificate in Plesk?
Replies
4
Views
994
cpulove
C
D
Question Renewing Let's encrypt automatically
Replies
6
Views
2K
iainh
I
Back
Top