
Issue Let's Encrypt uses wrong ACME challenge type

stifu

New Pleskian
Hi

I use Plesk as a DNS server for a domain. The mail server and some subdomains are set up on the Plesk instance as well. However, the main A DNS record points to an external server.

This means that the HTTP-01 challenge cannot be used.

When I try to issue a Let's Encrypt certificate, it always tries to use the HTTP-01 challenge. Even if I want to issue a wildcard certificate, which cannot be done using this challenge, according to the docs.

Could not issue an SSL/TLS certificate for DOMAIN
Details
Could not request a Let's Encrypt SSL/TLS certificate for DOMAIN.

Go to http://DOMAIN/.well-known/acme-challenge/TOKEN

and check if the authorization token is available.

If it is, try to request the certificate again. If the token is not available, there may be an issue with your DNS configuration.

Your domain in Plesk is hosted on the IP address(es): PLESK-IP, but the DNS challenge used another IP: REMOTE-IP.

Make sure that the IP address(es) specified in the domain's DNS zone match the IP address(es) the domain is hosted on.

If it does not help or if you cannot find an issue with your DNS configuration, use this KB article for troubleshooting.

How can I make it use the DNS-01 challenge, where a TXT record is created under _acme-challenge.DOMAIN, which would work perfectly fine for what I need?
For now, I will have to temporarily change the A record to the IP address of the Plesk instance every time I have to renew the certificate, which is not exactly great.

I would just buy a certificate to use on both servers, but sadly, the main website is hosted by Webflow, which does not allow you to upload custom certificates.


I'm working with Plesk Obsidian Web Pro Edition Version 18.0.29 Update #2 on Windows.
Plesk Obsidian v18.0.29_build20200818.13 os_Windows 2012/2016/2019

You're (wrongly?) assuming that DNS-01 does not check that the A record points to the server issuing the request.
I'm not 100% sure that's a dependency as I don't see that described here: Challenge Types

A wildcard certificate can NOT be issued using the HTTP-01 challenge, which means Plesk IS doing a DNS-01 challenge and it's not doing a HTTP-01 challenge as you falsely assume.

Your webserver could do the DNS-01 challenge.
On the DNS-server you will have to create an NS-record _acme-challenge.<domain> pointing to <domain>
This means that the webserver then has to do the LetsEncrypt-challenge AND the DNS-01 challenge.

This means you still need a (bought) wildcard certificate for your mailserver.
You may as well use the HTTP-01 challenge for the webserver.

BTW...
You can't create an NS-record with the Plesk's DNS-server.
Read this post of mine for a solution: _acme.challenge

I'm running my DNS server on a separate Plesk server.
This means I would have to manually enter the TXT record each time on my Plesk web servers that do NOT run the Plesk DNS service.

Or should I say DID not.
I have enabled the Plesk DNS service on all my web servers and they are now all serving the _acme-challenge.<domain> TXT record.
Only those records, as the main DNS service is still on the separate Plesk server.
That one is hosting an NS record for _acme-challenge.<domain> which delegates that subdomain to the web server.
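The two posts above turn on what each ACME challenge actually requires. Added example below (not from the thread, not Plesk's or Let's Encrypt's code): it derives the values an ACME client must publish for HTTP-01 and DNS-01 from the challenge token and the account key (RFC 8555 sections 8.1, 8.3 and 8.4, thumbprint per RFC 7638), and then checks them the way the CA does. For DNS-01 the CA's validation is a TXT query against _acme-challenge.<domain> (for a wildcard, against the base domain) and nothing else; no A record is consulted. The zone data models the setup described in the second post: a main DNS server that delegates _acme-challenge.example.com via an NS record to the web server's own DNS service, which holds the TXT record. The domain names, IP addresses, account key and token are sample values assumed for illustration (the key coordinates and token are modelled on the RFC example vectors), not anything from the original posts.

```python
"""Added worked example (not Plesk's or Let's Encrypt's code): derive the
HTTP-01 and DNS-01 challenge values per RFC 8555 and validate DNS-01 against
constructed zone data that models an NS delegation of _acme-challenge.<domain>."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members only, keys sorted,
    no whitespace. Optional members such as "alg" or "kid" are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    canonical = json.dumps({k: jwk[k] for k in required[jwk["kty"]]},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 8.1: <token>.<thumbprint of the ACME account key>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_body(token: str, account_jwk: dict) -> str:
    """Body to serve at http://<domain>/.well-known/acme-challenge/<token>."""
    return key_authorization(token, account_jwk)


def dns01_txt(token: str, account_jwk: dict) -> str:
    """TXT value for _acme-challenge.<domain>: base64url(SHA-256(key authorization))."""
    ka = key_authorization(token, account_jwk).encode("ascii")
    return b64url(hashlib.sha256(ka).digest())


def validation_name(identifier: str) -> str:
    """Name the CA queries. A wildcard is validated at its base domain,
    which is why only DNS-01 can authorize *.example.com."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}."


def resolve_txt(name: str, main_zone: dict, delegated_zones: dict) -> list:
    """Minimal stand-in for a resolver: answer from the main zone, or follow an
    NS record for exactly this name into the delegated server's zone."""
    rrset = main_zone.get(name, {})
    if "TXT" in rrset:
        return rrset["TXT"]
    found = []
    for ns in rrset.get("NS", []):
        found += delegated_zones.get(ns, {}).get(name, {}).get("TXT", [])
    return found


def ca_validates_dns01(identifier, token, account_jwk, main_zone, delegated_zones) -> bool:
    """RFC 8555 8.4: accept iff one TXT record equals the expected digest.
    No A record is looked at; where the web site is hosted is irrelevant here."""
    expected = dns01_txt(token, account_jwk)
    return expected in resolve_txt(validation_name(identifier), main_zone, delegated_zones)


# ---- constructed sample data (hypothetical names, key and token) ----
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
               "alg": "ES256"}            # extra member; must not change the thumbprint
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

MAIN_ZONE = {   # the separate DNS server, authoritative for example.com (assumed)
    "example.com.": {"A": ["203.0.113.10"]},          # external web host, not the Plesk box
    "web.example.com.": {"A": ["198.51.100.5"]},      # the Plesk web/mail server
    "_acme-challenge.example.com.": {"NS": ["web.example.com."]},   # delegation
}
DELEGATED = {"web.example.com.": {}}   # the web server's own DNS service, empty until renewal


def renew_and_check(identifier: str = "*.example.com") -> dict:
    """Publish the TXT on the delegated server, then check as the CA would."""
    name = validation_name(identifier)
    DELEGATED["web.example.com."][name] = {"TXT": [dns01_txt(TOKEN, ACCOUNT_JWK)]}
    return {
        "txt": dns01_txt(TOKEN, ACCOUNT_JWK),
        "http01": http01_body(TOKEN, ACCOUNT_JWK),
        "valid": ca_validates_dns01(identifier, TOKEN, ACCOUNT_JWK, MAIN_ZONE, DELEGATED),
        "stale_token_valid": ca_validates_dns01(identifier, "old-token", ACCOUNT_JWK,
                                                MAIN_ZONE, DELEGATED),
    }


if __name__ == "__main__":
    print(json.dumps(renew_and_check(), indent=2))
```

Two practical points follow from the code: the TXT value changes with every order because the token is fresh each time, so the record has to be written (and the old one may be left or removed) before the client tells the CA to validate; and because the NS record delegates only the _acme-challenge label, the A and MX records of the main zone stay where they are, so the external web host is untouched.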