
Issue: Let's Encrypt certificate renewal issue

PeopleInside

Regular Pleskian
Hi, after a few months in Plesk I am seeing issues with Let's Encrypt certificate renewal.
An email received from Plesk alerted me: "Could not issue/renew Let`s Encrypt certificates".

When I logged in to Plesk I discovered that the renewal process was blocked because of the wildcard certificate.
I have DNS managed outside of Plesk, on Cloudflare. It seems that the content of the DNS record that is necessary to issue the wildcard certificate changes on cert renewal, so every time the certificate is renewed do I need to log in to Cloudflare, change the secret key in the record and reload the wildcard cert in Plesk?

How can I resolve this?
It also seems that after my main domain cert was renewed it was no longer valid for email either, and I had to go to Domains, find the related domain and tell Plesk to use the newly renewed certificate for email as well in order to get the email certificate working after the renewal. I expect all of this can be automated without my manual intervention, but how?

Thanks.
Will I get a reply? Let's see :)
 
Maybe the issue is that I need to put the Cloudflare API somewhere (I don't know where) to allow the Let's Encrypt extension to verify DNS and issue the wildcard certificate, but how? I found this discussion but I don't know what to do.
 
I confirm that if you want a wildcard certificate, you have to go into Cloudflare and manually change the value of the _acme-challenge TXT record every 90 days.
The issuance of a wildcard Let's Encrypt certificate obligatorily requires this type of verification; there's no other way.

As far as I know, there is currently no extension which "pushes" the new TXT record from Plesk to Cloudflare automatically. The post you mentioned doesn't seem to talk about this.

You can avoid this manual step by unchecking the "wildcard" option. Doing this, Let's Encrypt will be able to do the verification without requesting a TXT record and you will have the certificate for:
But you could have another problem..... if you have Cloudflare's proxy active for yourdomain.com, the challenge will fail and Let's Encrypt can't issue the certificate.
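The TXT value that the reply above says must be changed every 90 days is derived from a per-order token and the ACME account key thumbprint (RFC 8555 section 8.4, RFC 7638): the thumbprint stays the same across renewals, the token does not, so the record content changes on every renewal. The following is an added example, not code from this thread or from Plesk or its Let's Encrypt extension. It shows the derivation, why `*.example.com` and `example.com` validate against the same `_acme-challenge` record, and the request an automated updater would send to Cloudflare. The JWK, tokens, zone ID and record ID are constructed placeholders, and the request shape is an assumption about Cloudflare's v4 DNS records API; the request is built but never sent.

```python
"""DNS-01 worked example: why the _acme-challenge TXT value changes on every
renewal, and what an automated Cloudflare update would look like.

Added example; not Plesk's or the Let's Encrypt extension's code. Stdlib only,
and nothing is sent over the network.
"""
import base64
import hashlib
import json
import urllib.request


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 8555 / RFC 7515 require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638: the members hashed for the thumbprint, per key type. json.dumps with
# sort_keys gives the lexicographic order and separators removes whitespace.
_THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 JWK thumbprint of the ACME account key (stable across renewals)."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 s.8.4: TXT content = base64url(SHA-256(token "." thumbprint)).
    The token is issued fresh per order, which is why the value changes."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def dns01_record_name(identifier: str) -> str:
    """Record name is _acme-challenge. prefixed to the identifier; for a wildcard
    the leading '*.' is dropped first, so '*.example.com' and 'example.com'
    are both validated at _acme-challenge.example.com."""
    host = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{host}"


def build_cloudflare_txt_update(zone_id: str, record_id: str, name: str,
                                value: str, api_token: str) -> urllib.request.Request:
    """The request an updater would send. Assumed shape of Cloudflare's v4 API
    (PUT /zones/{zone}/dns_records/{record}); constructed, not executed."""
    url = f"https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records/{record_id}"
    body = json.dumps({"type": "TXT", "name": name, "content": value,
                       "ttl": 120}).encode("utf-8")
    return urllib.request.Request(
        url, data=body, method="PUT",
        headers={"Authorization": f"Bearer {api_token}",
                 "Content-Type": "application/json"})


def request_body(req: urllib.request.Request) -> dict:
    """Decode the JSON body of a built request (for inspection)."""
    return json.loads(req.data.decode("utf-8"))


# Constructed sample data: a placeholder EC JWK (NOT a real key) and two tokens
# standing in for what the CA hands out on two successive orders.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "placeholder-x-coordinate-not-a-real-key-AAAAAAAA",
              "y": "placeholder-y-coordinate-not-a-real-key-BBBBBBBB"}
TOKEN_RENEWAL_1 = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
TOKEN_RENEWAL_2 = "LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0"


def renewal_demo() -> dict:
    """Two renewals with the same account key: same record name, same
    thumbprint, different TXT content."""
    thumb = jwk_thumbprint(SAMPLE_JWK)
    return {
        "record_name": dns01_record_name("*.example.com"),
        "thumbprint": thumb,
        "renewal_1": dns01_txt_value(TOKEN_RENEWAL_1, thumb),
        "renewal_2": dns01_txt_value(TOKEN_RENEWAL_2, thumb),
    }


if __name__ == "__main__":
    demo = renewal_demo()
    for key, val in demo.items():
        print(f"{key}: {val}")
    req = build_cloudflare_txt_update("ZONE_ID", "RECORD_ID",
                                      demo["record_name"], demo["renewal_2"],
                                      "CF_API_TOKEN")
    print(req.get_method(), req.full_url)
    print(request_body(req))
```

A renewal hook that knows the order's token can therefore recompute the TXT content itself and push it before the ACME server validates; the only secret it needs is a Cloudflare API token scoped to edit DNS in that one zone, which is safer than storing the global API key.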
 
Thanks, for now I have removed the wildcard from all domains.
It's unthinkable that I should get an error email and need to take manual action every 90 days or less.
Thank you.
 
Yes, it's really uncomfortable.
But Let's Encrypt must be sure that you are the owner of the entire domain before it gives you a wildcard certificate.
Otherwise it would be a serious security problem.
 