• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Question Renewing Let's Encrypt with external DNS servers

K

klowet

Basic Pleskian
Server operating system version
Debian 12
Plesk version and microupdate number
18.0.60
Hi

A client has problems renewing the Let's Encrypt certificates for his websites.
He is using external DNS servers, not linked to his Plesk server.

** 'Lets Encrypt example.com' [days to expire: 27] **
[-] *.example.com
[-] example.com

Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/33964115XXXX.
Details:
Type: urn:ietf: params:acme:error:unauthorized
Status: 403
Detail: Incorrect TXT record "UZ39H4i9vmwPb9fWX4qo_B2MTqBcf2oyIGOV6-_H2UU" found at _acme-challenge.example.com
Click to expand...

Is the TXT _acme record updated every time the certificate is renewed? In other words, does he have to manually update the TXT records of his domains each 3 months?
Or is something else in my Plesk configuration wrong?

Thanks
 
klowet said:
Is the TXT _acme record updated every time the certificate is renewed? In other words, does he have to manually update the TXT records of his domains each 3 months?
Click to expand...
Yes

klowet said:
Or is something else in my Plesk configuration wrong?
Click to expand...
No

Only Let's Encrypt certificates with the wildcard option enabled need authentication/verification via DNS. If you don't want that, you or your client can manually re-issue an certificates for the domain without the Wildcard option enabled.
 
klowet said:
Hi
A client has problems renewing the Let's Encrypt certificates for his websites.
He is using external DNS servers, not linked to his Plesk server.
Click to expand...
klowet said:
Is the TXT _acme record updated every time the certificate is renewed? In other words, does he have to manually update the TXT records of his domains each 3 months?
Click to expand...
klowet said:
Or is something else in my Plesk configuration wrong?

Thanks
Click to expand...

Kaspar said:
Yes
Click to expand...
Kaspar said:
No
Click to expand...
Kaspar said:
Only Let's Encrypt certificates with the wildcard option enabled need authentication/verification via DNS. If you don't want that, you or your client can manually re-issue an certificates for the domain without the Wildcard option enabled.
Click to expand...
The correct replies from @Kaspar already answer your questions @klowet but FWIW we also use external DNS (exclusively) but we renew all our Let's Encrypt SSL Certificates (for non-wildcard certificates / wildcard certificates / SAN certificates) via cron and API access for all of the preceding by using acme.sh which works perfectly every time.
 
Kaspar said:
Only Let's Encrypt certificates with the wildcard option enabled need authentication/verification via DNS. If you don't want that, you or your client can manually re-issue an certificates for the domain without the Wildcard option enabled.
Click to expand...
Ohh okay! That explains it. To be sure:

A wildcard certificate does require a new _acme TXT record each renewal. And a non-wildcard certificate does not. Correct?

When he should use the Plesk DNS and wildcard certificates, the _acme TXT is updated automatically. Correct?

Thanks
 
klowet said:
Ohh okay! That explains it. To be sure:

A wildcard certificate does require a new _acme TXT record each renewal. And a non-wildcard certificate does not. Correct?
Click to expand...
Yes. However to clarify this a bit further and avoid any confusion: a non-wildcard certificate does not require a DNS record at all.

klowet said:
When he should use the Plesk DNS and wildcard certificates, the _acme TXT is updated automatically. Correct?
Click to expand...
Yes
 
You must log in or register to reply here.

Similar threads

S
Question let's encrypt TXT record and nameserver-problem
Replies
2
Views
538
SiegbertG
S
R
Issue Problems Issuing a Let's Encrypt Certificate
Replies
6
Views
829
Robin McDermott
R
W
Question Wanted: Best practice for certificates (Lets Encrypt) two separate Plesk servers for www and mail
2
Replies
20
Views
2K
W4ru
W
T
Issue SSL certificate renewal under cloudflare
Replies
0
Views
592
theplaza
T
D
Question no TXT challenge proposed in Let's encrypt
Replies
2
Views
781
djovanov
D
Back
Top