
Issue Let's Encrypt Issues with Renewal

D3nnis3n

Regular Pleskian
I'm using Let's Encrypt to secure my domains via wildcard certificates. It's set to renew the first day of every month, no matter how old the certificate is.

Unfortunately that hasn't been working for quite a while now and I'm tired of manually renewing now. I get the following via mail for all my domains on the first of each month:

Could not renew Let`s Encrypt certificates for xxx (login xxx). Please log in to Plesk and renew the certificates listed below manually.
Renewal of the following Let`s Encrypt certificates has failed:

Code:
* 'Lets Encrypt xxx' [days to expire: xx]
[-] *.xxx
[-] xxx


Invalid response from https://acme-v02.api.letsencrypt.org/acme/order/xxxxx/xxxxxx.
Details:
Type: urn:ietf:params:acme:error:malformed
Status: 404
Detail: No order for ID xxxx

I've followed KB [FIXED BUG] Unable to install a Let's Encrypt certificate: Order's status ("pending") is not acceptable for finalization or No order for ID, the workaround there did not work, but it should be fixed by Plesk in the meanwhile anyway.
I've also followed KB Unable to install a Let´s Encrypt certificate in Plesk: urn:ietf:params:acme:error:malformed, but reinstalling Let's Encrypt didn't help either. I'm unable to get my wildcard certificates renewed automatically. Manually it works. Certificates that are not wildcards, work as well.

I'm using NGINX Reverse Proxy (I believe I read somewhere that might be an issue, but couldn't find it). Plesk is the main DNS server, so that shouldn't be an issue.

Hope someone has an idea.

Using Plesk Obsidian 18.0.28 Update Nr. 2 on Ubuntu 18.04.
 
@D3nnis3n Note: We do NOT use the "Keep websites secured" option that's available within the Plesk SSL It! Extension at present (for our own specific reasons) so, ignoring that possible route for solving your problem (others who do use this option may post more information about this possibility for you) when you are running Plesk Obsidian, it does appear that you still cannot auto-renew Wildcard Let's Encrypt Certificates by default in the same, simple way that you can with all the normal NON-Wildcard Let's Encrypt Certificates (& as we are both successfully doing already).

You do have to renew all of these types of certificates manually (& we still do...), which includes adding the two separate DNS entries that are required, on each of the domains that require a renewal. To be fair, manually renewing these is now a lot easier than it used to be, as Plesk has steadily improved this specific area, but they're not (yet) at the effortless, auto-renewal stage for Wildcard Let's Encrypt Certificates - we think(!) but please do explore the SSL It option mentioned ^^

If you search the forum(s) you'll see the same/similar question c/w answers, has been asked many times previously. FWIW Using Nginx reverse proxy is pretty unlikely to be the cause of your Wildcard certificate renewal issues, as it appears to function perfectly, when you manually renew them (always has for us too).

It's possibly the requirements for updated DNS entries (that must be added manually or added via your own script) that may be causing the issue? If you still can successfully manually renew your Wildcard Let's Encrypt Certificates already (as it appears from your post), then that would confirm what we've mentioned.
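
Why a certificate covering both `*.xxx` and `xxx` needs two TXT entries, as an added example that is not part of the thread or of Plesk's code: under RFC 8555 both identifiers are validated at the same `_acme-challenge` name, each with its own value. The account JWK, tokens and `example.com` are constructed placeholders, and the sketch assumes both identifiers are validated with the dns-01 challenge.

```python
import base64
import hashlib
import json

def b64url(data):
    """Unpadded base64url, as used throughout ACME (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: required members only, sorted, no whitespace."""
    members = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def dns01_record(identifier, token, jwk):
    """Return (TXT name, TXT value) for one dns-01 challenge (RFC 8555 s. 8.4)."""
    # A wildcard identifier is validated at the base domain: "*." is stripped.
    base = identifier[2:] if identifier.startswith("*.") else identifier
    key_authorization = token + "." + jwk_thumbprint(jwk)
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return "_acme-challenge." + base, b64url(digest)

def expected_records(order, jwk):
    """TXT records needed for every (identifier, token) pair in an order."""
    return [dns01_record(ident, token, jwk) for ident, token in order]

def missing_records(expected, published):
    """Expected (name, value) pairs absent from the published TXT sets."""
    return [(n, v) for n, v in expected if v not in published.get(n, set())]

# Constructed sample data: not a real account key, tokens or domain.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}
ORDER = [("*.example.com", "constructed-token-wildcard"),
         ("example.com", "constructed-token-apex")]

if __name__ == "__main__":
    records = expected_records(ORDER, ACCOUNT_JWK)
    for name, value in records:
        print(name, "TXT", value)
    # Zone where the second value overwrote the first instead of being added.
    zone = {records[1][0]: {records[1][1]}}
    print("missing:", missing_records(records, zone))
```

Both values must be present under the one name at the same time; a script that replaces the TXT record instead of adding a second one leaves one authorization unable to validate.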
 
Hello,
thanks for your post.

That's weird. The changelog of the extension stated some time ago that renewing wildcard certificates automatically is now supported.
Wonder when that's going to be fixed, if it's a known issue? Sure, it's easier. But I still forget it, lol.
 
That's weird. The changelog of the extension stated some time ago that renewing wildcard certificates automatically is now supported.
Wonder when that's going to be fixed, if it's a known issue? Sure, it's easier. But I still forget it, lol.
This is not a Plesk issue.

It's not weird. The changelog refers to cases where Plesk internal DNS is used. In such cases Plesk will automatically update the mentioned DNS records (TXT) on every wildcard cert. renewal. However, if you use 3rd party DNS (external) then you'll have to do it manually at the external DNS :)

These kinds of questions pop up pretty much every week. In fact, on the same forum page 1 you have another user asking about a similar issue - Issue - Wildcard subdomain certificate not possible with extern DNS (primary DNS by Registrar)

If you're using external DNS then look in their docs, maybe they have an API so (maybe) you could connect your Plesk to it and do it automatically (programming a script will be needed).
 
@D3nnis3n Your last post made us go and double check the SSL It changelog :D On release 1.4.0 (dated 4/6/2020) in the changelog, there is this line:

"The CLI can now manage wildcard certificates issue and turning on and off HSTS. To see details, use the plesk ext sslit --help command"

The word used there ^^ is issue not renew which may or may not, be slightly misleading...

However, if you do go and run ext sslit --help in amongst everything else, you will see these two lines:

-wildcard Start to issue a wildcard certificate
-continue Resume issue of a certificate (for example, of a wildcard certificate after a TXT record was added to the DNS server)


That alone would make you think, no, the additional DNS (TXT) records still need to be added manually... but then.... the post above by @seqoi would indicate that IF your DNS is managed by Plesk, then this will happen (automatically).

We can't confirm this ^^ as ALL of our DNS is managed outside of Plesk, so obviously, we're still doing this task manually! :D

Regardless, it seems that this is currently, only available via CLI any way and not via the Plesk Panel.

So, for all of our benefits (assuming that you are using Plesk DNS...) maybe you can check, test the renew process but via CLI and post the results?

 
If you're using external DNS then look in their docs, maybe they have an API so (maybe) you could connect your Plesk to it and do it automatically (programming a script will be needed).
If you read my OP again, you will see that I stated that Plesk is controlling my main DNS. Hence your whole post assumed something that is not true.

"The CLI can now manage wildcard certificates issue and turning on and off HSTS. To see details, use the plesk ext sslit --help command"
AFAIK I read that on a different changelog (one solely for the extension) that seems to be no longer available. It was last year, though. Renewing wildcards did work for a while, but then SSLit came and it stopped working. Otherwise my mind is ****ing me.
 
No, my mind is not ****ing me, see attachment.
So, this is a bug. What's gonna be done about it?
 

Attachment: expired.png
If you read my OP again, you will see that I stated that Plesk is controlling my main DNS. Hence your whole post assumed something that is not true.
If you read my response again you'll see that I specifically said "if" and "similar", hence my response was true and I didn't assume anything wrong. Because I knew what I am saying perhaps doesn't go with your specific issue. In my trying to help I was referring to the overall nature of a problem, not your specific one. I can see how this could irritate you though, but I was trying to put focus on something. My bad.
 
No, my mind is not ****ing me, see attachment. So, this is a bug. What's gonna be done about it?
Wow! 2018! We definitely didn't see that back in 2018... BUT... we didn't use SSL It (at all) on Plesk Onyx, which may be why?

Edit: Although we did use all of the Let's Encrypt functionality... o_O

FWIW The changelog we looked at and extracted those lines from (re: release 1.4.0 dated 4/6/2020) is indeed, solely on the Plesk Obsidian Extension itself, together with all the other post & previous changelog entries too.

As you are using Plesk DNS, what were the results of the suggested test @D3nnis3n ? i.e. the "...check, test the renew process but via CLI and post the results?"
 
If you read my response again you'll see that I specifically said "if" and "similar", hence my response was true and I didn't assume anything wrong. Because I knew what I am saying perhaps doesn't go with your specific issue. In my trying to help I was referring to the overall nature of a problem, not your specific one. I can see how this could irritate you though, but I was trying to put focus on something. My bad.
But the message was totally irrelevant to my issue. That's like when I go to some random thread in the forums and ask "How much does the fish cost, if you wanted to buy one?". I wonder how you'd feel if someone posted that to your thread? I was clearly pointing out a bug in the software as I got all prerequisites and the extension is supposed to be able to do it, but it doesn't.

Wow! 2018! We definitely didn't see that back in 2018... BUT... we didn't use SSL It (at all) on Plesk Onyx, which may be why?
I do think it has something to do with that. Executing the cronjob for Let's Encrypt to renew certificates is no longer working, but was back then when SSLit wasn't used.

As you are using Plesk DNS, what were the results of the suggested test @D3nnis3n ? i.e. the "...check, test the renew process but via CLI and post the results?"
I'm not sure how relevant that is to my issue of automatic renewal. I already confirmed that I can issue Wildcard Certificates via the panel with no issues, as well as re-issue (it's not a renewal) there. I'll look into it on Monday after the weekend, though.
 
I'm not sure how relevant that is to my issue of automatic renewal. I already confirmed that I can issue Wildcard Certificates via the panel with no issues, as well as re-issue (it's not a renewal) there. I'll look into it on Monday after the weekend, though.
Yes, fully understood the issuing and re-issuing of Wildcard Certificates via the panel with no issues, as we already can and regularly do the same. To be fair, the only relevance of that test was related to the suggestion that it might be a current bug. We can't do the auto-renewal test ourselves (as we have external DNS) ;)
The CLI is broken for me, it yields this no matter what I do.
But then this ^^ might be the answer... Although at this stage, it won't be clear if this is a specific setup issue, or, if it is a generic bug - until other users test it too?
 
So, how can I report a bug to Plesk? Typically a staff guy watched the threads and created one on their own, but they didn't this time.
 
Thanks, I tried. Given everything implies that this should work and I cannot get it to work on a new Plesk instance either, I have hopes devs might find something.
 