Question Renewing Let's Encrypt with external DNS servers

[klowet]

Server operating system version

Debian 12

Plesk version and microupdate number

18.0.60

Hi

A client has problems renewing the Let's Encrypt certificates for his websites.
He is using external DNS servers, not linked to his Plesk server.

** 'Lets Encrypt example.com' [days to expire: 27] **
[-] *.example.com
[-] example.com

Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/33964115XXXX.
Details:
Type: urn:ietf: params:acme:error:unauthorized
Status: 403
Detail: Incorrect TXT record "UZ39H4i9vmwPb9fWX4qo_B2MTqBcf2oyIGOV6-_H2UU" found at _acme-challenge.example.com

Is the TXT _acme record updated every time the certificate is renewed? In other words, does he have to manually update the TXT records of his domains each 3 months?
Or is something else in my Plesk configuration wrong?

Thanks

 

[Kaspar]

Is the TXT _acme record updated every time the certificate is renewed? In other words, does he have to manually update the TXT records of his domains each 3 months?

Yes

Or is something else in my Plesk configuration wrong?

No

Only Let's Encrypt certificates with the wildcard option enabled need authentication/verification via DNS. If you don't want that, you or your client can manually re-issue an certificates for the domain without the Wildcard option enabled.

 

[learning_curve]

Hi
A client has problems renewing the Let's Encrypt certificates for his websites.
He is using external DNS servers, not linked to his Plesk server.

Is the TXT _acme record updated every time the certificate is renewed? In other words, does he have to manually update the TXT records of his domains each 3 months?

Or is something else in my Plesk configuration wrong?

Thanks

Yes

No

Only Let's Encrypt certificates with the wildcard option enabled need authentication/verification via DNS. If you don't want that, you or your client can manually re-issue an certificates for the domain without the Wildcard option enabled.

The correct replies from @Kaspar already answer your questions @klowet but FWIW we also use external DNS (exclusively) but we renew all our Let's Encrypt SSL Certificates (for non-wildcard certificates / wildcard certificates / SAN certificates) via cron and API access for all of the preceding by using acme.sh which works perfectly every time.

 

[klowet]

Only Let's Encrypt certificates with the wildcard option enabled need authentication/verification via DNS. If you don't want that, you or your client can manually re-issue an certificates for the domain without the Wildcard option enabled.

Ohh okay! That explains it. To be sure:

A wildcard certificate does require a new _acme TXT record each renewal. And a non-wildcard certificate does not. Correct?

When he should use the Plesk DNS and wildcard certificates, the _acme TXT is updated automatically. Correct?

Thanks

 

[Kaspar]

Ohh okay! That explains it. To be sure:

A wildcard certificate does require a new _acme TXT record each renewal. And a non-wildcard certificate does not. Correct?

Yes. However to clarify this a bit further and avoid any confusion: a non-wildcard certificate does not require a DNS record at all.

When he should use the Plesk DNS and wildcard certificates, the _acme TXT is updated automatically. Correct?

Yes

 

[klowet]

Clear. Thanks!