• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Forwarded to devs SSL Wildcard renewal not working with DNS service disabled

DennisAm

Basic Pleskian
TITLE:
SSL Wildcard renewal not working with DNS service disabled
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:
Version 17.8.11 Update #67, ‪CentOS Linux 7.6.1810 (Core)‬, SSL It! 1.1.1-521
PROBLEM DESCRIPTION:
I can issue wildcard SSL certificates without issues in SSL It when the DNS Service on the server is disabled, but autorenewal doesn't seem to work, as we keep getting these emails mentioning that autorenewal failed:

upload_2019-9-11_11-5-55.png

The certificate validity mentioned in the email (81 days) matches the one on the certificate (1-12-2019):

upload_2019-9-11_11-10-9.png

When I try to renew the certificate manually through SSL It!, I go through the "Reissue certificate screen":

upload_2019-9-11_11-13-8.png

I then am asked again to set up the DNS record (which exactly matches the one I've already set, so I can just click "Reload"):

upload_2019-9-11_11-14-55.png

The certificate is then renewed/installed without any problems:

upload_2019-9-11_11-20-29.png

So, there seems to be a problem in the automated renewal of SSL certificates through the SSL It! extension when the DNS Service on the server is disabled/removed.​
STEPS TO REPRODUCE:
  1. Disable/remove the DNS server server-wide through Updates and Upgrades
  2. Issue a wildcard certificate for a domain, you will be asked to set up a DNS record for _acme-challenge.YOURDOMAIN.TLD
  3. Validate the DNS record; your certificate will be issued successfully and will have a validity of 3 months.
  4. Wait some days until Plesk tries to renew the certificate automatically; you will receive the email as mentioned above ("Could not renew - DNS service is not enabled"). You will get this email (almost) every day again.
  5. Renewing the certificate manually through the Plesk/SSL It! extension works without any problems.
ACTUAL RESULT:
Domain wildcard certificate auto-renewal throws an error and sends an email to the admin that the DNS Service on the server isn't enabled.​
EXPECTED RESULT:
Domain wildcard certificate auto-renews without any problems.​
ANY ADDITIONAL INFORMATION:
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:
Confirm bug
 
Last edited:
Could you please re-format your post? Links to screenshots/attachments doesn't work correctly.
Thanks.
 
From developer:

This is not a bug and the behaviour of automatic keep-secured is correct.
The notification is about it.
 
Hi Igor,

Thanks for forwarding the issue to the developers.

However, the following is the case:
  • Issuing a wildcard certificate is possible without the DNS service in Plesk (Plesk will instruct which DNS records need to be set)
  • Renewing (auto-updating) a wildcard certificate is not possible without the DNS service.
Are you sure this works as designed? Why would I be able to issue a wildcard certificate without the DNS service, when it can't be renewed? Since Let's Encrypt certificates are only valid for 90 days, this doesn't make sense, as we now have to renew all wildcard certificates manually through the Plesk interface. This sounds a bit like a half-built, incomplete solution to me.

Could you please consider asking the developers again about this? Thank you in advance.
 
In general, DNS TXT record depends on token in the current DNS challenge. The DNS challenge is valid for a limited period of time. As far as I remember - it's a month in case of Let's Encrypt.
I then am asked again to set up the DNS record (which exactly matches the one I've already set, so I can just click "Reload"):
Thus, I'd like to clarify if enough time passed between those certificate issuing attempts. It looks like they were performed one by one - so it's expected that DNS TXT record wasn't changed.

By default, Plesk tries to renew certificate 2 months after issuing. That means that DNS challenge used for the first issuing gets invalid, and DNS TXT record must be updated to renew the certificate. This is the point of challenge - to prove that you're still the owner of the domain (domain's DNS zone). Please check the following threads:

Question about renewal certificate with dns challenge
Do DNS Challenge Records have an expiration?

When DNS zone is hosted in Plesk, it's possible to update DNS record and pass the challenge automatically. However, Plesk can't manage DNS zone hosted separately, and such wildcard certificates should be updated manually.

We have a documentation bug PTD-1813 to provide more detailed information regarding wildcard certificates auto-renewal.
 
Thank you, I wasn't aware that the DNS TXT records for _acme-challenge only have a limited validity. Makes sense. We will then switch to issuing SSL-certificates for the separate subdomains instead of with a wildcard certificate.

Would indeed be great if the Plesk documentation can be updated to reflect this information. Thank you for the clear explanation :)
 
Back
Top