Issue No automatic renewal of wildcard certificates when dns is set as secondary in plesk

[Xio]

On daily basis I’m getting errors by mail for renewing the lets encrypt wildcard certificates.

Skip wildcard certificate renewal for the domain 'XXX'. TXT record could not be created automatically. Try to renew domain certificate manually.

This seems to be related to the fact that I’m using a external dns server and the plesk dns is acting as a secondary name server. When I enable dns as master the error is not reported anymore but then I have a conflict on the machine itself.

I think it would be best that the lets encrypt renewal process doesn’t try to create a txt record when dns is set as secondary.

Running the latest plesk version on a centos 7 machine.

 

[G J Piper]

There is currently no way to automatically update wildcard certificates when using an external DNS server because the DNS record must be changed every time it is renewed. It is possible some custom script could be created to adjust it through your DNS provider's API if it exists.

 

[Xio]

Strange because if I manually renew the certificate the same ID as TXT record is given

 

[bulent]

Yepp, confirm.
When using external DNS (I haven't installed bind) sertificates cannot be renewed automatically. Manually works fine.

 

[Xio]

On this page, in the comments, I think this bug is confirmed. However I do not have access to the link mentioned.

Unable to install wildcard Let's Encrypt certificate on Plesk server: Remove DNS record failure: DNS service is not enabled

 

[learning_curve]

@Xio The posts by @G J Piper and @bulent are both completely correct. We use external DNS and don't use Plesk at all for this specific function, but currently, we do receive incorrect daily e-mails, advising us that several wildcard Let's Encrypt certificates cannot be renewed, even though (worst case) they are still 89 days away from expiring

The incorrect e-mail bug was confirmed as a bug some time ago, but was recently updated to include the SS It Extention combined with external DNS. FWIW The additional entry was: EXTSSLIT-610: "Error appears trying to autorenew wildcard certificate if DNS service is uninstalled"

Can't comment on why the link has now been made Plesk internal access only, but when it was viewable, it did confirm this as a bug that will be fixed. For reference, here's an older POST on the same subject when the link was still readable.

 

[Xio]

Thank you @learning_curve

Now the link that was previously closed has been accessible again. However it seems it is not applicable for the latest major plesk version. Also they refer to another number instead of EXTSSLIT-610

 

[learning_curve]

Now the link that was previously closed has been accessible again. However it seems it is not applicable for the latest major plesk version. Also they refer to another number instead of EXTSSLIT-610

You perhaps may have mis-understood which link? The link meant was this one: Plesk Help Center That's still not readable and will be why you can't see the reference number quoted. It definitely does relate to the latest major Plesk Verison i.e. Obsidian (plus the interaction with the associated Plesk extentions) because we had & still have this problem ourselves, for which, we raised a Plesk service ticket. The bug ID was the conclusion. Our forum sig shows our Plesk setup etc

FWIW We use a non-Plesk, external source for Wildcard - Multi-Domain - Let's Encrypt Certificates (SANS) but they too, cannot be renewed automaticaly. They still need a manual process / text DNS entries etc on each domain in order to complete the renewal process, but fortunately, there are no erroneous, e-mail reminders currently with any of those!

 

[Xio]

I know I was talking about my link that was previously not accessible for me. Now it is.

Unable to install wildcard Let's Encrypt certificate on Plesk server: Remove DNS record failure: DNS service is not enabled

I’m monitoring the changelog to see if the number you mentioned gets fixed.

 

[learning_curve]

...I was talking about my link that was previously not accessible for me. Now it is.
Unable to install wildcard Let's Encrypt certificate on Plesk server: Remove DNS record failure: DNS service is not enabled I’m monitoring the changelog to see if the number you mentioned gets fixed.

Ahhh that ^^ link has always been accessible for us.

If understood correctly, your original post was about why you can't automatically renew Wildcard Let's Encrypt Certificates? That's been answered by several other posts above, so you should be fine with that now?

Then there was the question about receiving incorrect e-mails advising that Wildcard Let's Encrypt Certificates can't be renewed automatically (even when they were not actually due for renewal)? That's been answered above too, but you are waiting to see the number in the change-log as a fix confirmation. Okay, well this may be easier than you think, because even if Plesk don't post that number in the change-log (they don't always post every specific detail) then after a future upgrade, the e-mails will stop if / when Plesk have finally fixed it Until then, like us, you'll get them daily unfortunately...

 

[msfilho]

This can be achieved automaticaly by pointing your subdomain "_acme-challenge" on your external DNS Server to your Plesk DNS Server using NS record.
* DNS Service must be enabled for the domain on Plesk

With this solution, you can keep managing the domain outside Plesk and have auto renew for Let's Encrypt wildcard certificate working properly.

It follows the protocol and is recommended by Let's Encrypt (Challenge Types - Let's Encrypt - Free SSL/TLS Certificates):

Since Let’s Encrypt follows the DNS standards when looking up TXT records for DNS-01 validation, you can use CNAME records or NS records to delegate answering the challenge to other DNS zones. This can be used to delegate the _acme-challenge subdomain to a validation-specific server or zone. It can also be used if your DNS provider is slow to update, and you want to delegate to a quicker-updating server.

As example, the most used service, follow the Cloudflare docs: Delegating Subdomains Outside of Cloudflare

 

[learning_curve]

@msfilho The previously mentioned erroneous e-mails issue was fixed by Plesk, ages ago now, so that bit of the thread is redunant anyway.
However, that's a very handy tip for using autorenewal on Let's Encrypt wildcard certificates. Thanks!

 

[ollosolucions]

This can be achieved automaticaly by pointing your subdomain "_acme-challenge" on your external DNS Server to your Plesk DNS Server using NS record.
* DNS Service must be enabled for the domain on Plesk

With this solution, you can keep managing the domain outside Plesk and have auto renew for Let's Encrypt wildcard certificate working properly.

It follows the protocol and is recommended by Let's Encrypt (Challenge Types - Let's Encrypt - Free SSL/TLS Certificates):



As example, the most used service, follow the Cloudflare docs: Delegating Subdomains Outside of Cloudflare

Thanks a lot for the autorenewal wildcard certificates using Cloudflare!

 

[steel]

This can be achieved automaticaly by pointing your subdomain "_acme-challenge" on your external DNS Server to your Plesk DNS Server using NS record.
* DNS Service must be enabled for the domain on Plesk

With this solution, you can keep managing the domain outside Plesk and have auto renew for Let's Encrypt wildcard certificate working properly.

It follows the protocol and is recommended by Let's Encrypt (Challenge Types - Let's Encrypt - Free SSL/TLS Certificates):



As example, the most used service, follow the Cloudflare docs: Delegating Subdomains Outside of Cloudflare

I just registered to say that this actually helped me, too. (ionos VPS - DNS-Management on ionos)
Side reference: How to properly set-up ou DNS Zone delegation for the "_acme-challenge" subdomain? -> gave me enough confidence to keep trying, because I could not figure out what the problem was in my case.

Turns out using the config similar to described as in the link + opening port 53 (DNS) in ionos firewall (...) helps to do the trick...! (I hope this helps anyone who's also been banging his/her head because of this...!)

 

[learning_curve]

I just registered to say that this actually helped me, too. (ionos VPS - DNS-Management on ionos)
Side reference: How to properly set-up ou DNS Zone delegation for the "_acme-challenge" subdomain? -> gave me enough confidence to keep trying, because I could not figure out what the problem was in my case.

Turns out using the config similar to described as in the link + opening port 53 (DNS) in ionos firewall (...) helps to do the trick...! (I hope this helps anyone who's also been banging his/her head because of this...!)

Our previous posts on this thread are old now and things have moved on (as always...) FWIW We also use DNS Management via IONOS not Plesk (although we use IONOS Cloud Servers not VPS like you do) For some time now we've used cron / acme.sh to renew all our Let's Encrypt Certificates (Normal / *Wildcard / Multi Domain / *Wildcard Multi Domain etc) simply by using the IONOS API and the acme.sh IONOS interface This works perfectly, everytime (for us anyway).

NB This is a different approach / solution, to the one posted earlier in this thread by @msfilho but there is a similarity, in one part of the names used on GitHub (as within the links @msfilho posted, there is a link to a link...) Meaning: GitHub - joohoi/acme-dns: Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely. is clearly not GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol The use of "acme" in both of the titles and urls being a possible cause for any confusion between the two, when dealing with the DNS aspect here.