Forwarded to devs SSL Wildcard renewal not working with DNS service disabled

DennisAm

Basic Pleskian
TITLE:
SSL Wildcard renewal not working with DNS service disabled
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:
Version 17.8.11 Update #67, CentOS Linux 7.6.1810 (Core), SSL It! 1.1.1-521
PROBLEM DESCRIPTION:
I can issue wildcard SSL certificates without issues in SSL It when the DNS Service on the server is disabled, but autorenewal doesn't seem to work, as we keep getting these emails mentioning that autorenewal failed:

upload_2019-9-11_11-5-55.png

The certificate validity mentioned in the email (81 days) matches the one on the certificate (1-12-2019):

upload_2019-9-11_11-10-9.png

When I try to renew the certificate manually through SSL It!, I go through the "Reissue certificate screen":

upload_2019-9-11_11-13-8.png

I am then asked again to set up the DNS record (which exactly matches the one I've already set, so I can just click "Reload"):

upload_2019-9-11_11-14-55.png

The certificate is then renewed/installed without any problems:

upload_2019-9-11_11-20-29.png

So, there seems to be a problem in the automated renewal of SSL certificates through the SSL It! extension when the DNS Service on the server is disabled/removed.
STEPS TO REPRODUCE:
  1. Disable/remove the DNS server server-wide through Updates and Upgrades
  2. Issue a wildcard certificate for a domain; you will be asked to set up a DNS record for _acme-challenge.YOURDOMAIN.TLD
  3. Validate the DNS record; your certificate will be issued successfully and will have a validity of 3 months.
  4. Wait some days until Plesk tries to renew the certificate automatically; you will receive the email as mentioned above ("Could not renew - DNS service is not enabled"). You will get this email (almost) every day again.
  5. Renewing the certificate manually through the Plesk/SSL It! extension works without any problems.
ACTUAL RESULT:
Domain wildcard certificate auto-renewal throws an error and sends an email to the admin that the DNS Service on the server isn't enabled.
EXPECTED RESULT:
Domain wildcard certificate auto-renews without any problems.
ANY ADDITIONAL INFORMATION:
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:
Confirm bug
 
Could you please re-format your post? Links to screenshots/attachments don't work correctly.
Thanks.
 
From developer:

This is not a bug and the behaviour of automatic keep-secured is correct.
The notification is about it.
 
Hi Igor,

Thanks for forwarding the issue to the developers.

However, the following is the case:
  • Issuing a wildcard certificate is possible without the DNS service in Plesk (Plesk will instruct which DNS records need to be set)
  • Renewing (auto-updating) a wildcard certificate is not possible without the DNS service.
Are you sure this works as designed? Why would I be able to issue a wildcard certificate without the DNS service, when it can't be renewed? Since Let's Encrypt certificates are only valid for 90 days, this doesn't make sense, as we now have to renew all wildcard certificates manually through the Plesk interface. This sounds a bit like a half-built, incomplete solution to me.

Could you please consider asking the developers again about this? Thank you in advance.
 
In general, the DNS TXT record depends on the token in the current DNS challenge. The DNS challenge is valid for a limited period of time. As far as I remember, it's a month in the case of Let's Encrypt.

    I am then asked again to set up the DNS record (which exactly matches the one I've already set, so I can just click "Reload"):

Thus, I'd like to clarify whether enough time passed between those certificate issuing attempts. It looks like they were performed one after another, so it's expected that the DNS TXT record wasn't changed.

By default, Plesk tries to renew the certificate 2 months after issuing. That means that the DNS challenge used for the first issuing becomes invalid, and the DNS TXT record must be updated to renew the certificate. This is the point of the challenge: to prove that you're still the owner of the domain (the domain's DNS zone). Please check the following threads:

Question about renewal certificate with dns challenge
Do DNS Challenge Records have an expiration?

When the DNS zone is hosted in Plesk, it's possible to update the DNS record and pass the challenge automatically. However, Plesk can't manage a DNS zone hosted separately, and such wildcard certificates should be updated manually.

We have a documentation bug PTD-1813 to provide more detailed information regarding wildcard certificates auto-renewal.
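The mechanism Igor describes, as an added illustration that is not Plesk's or SSL It!'s code: the value published at _acme-challenge is derived from the challenge token (RFC 8555, DNS-01), so a renewal order with a new token can only pass if the TXT record is rewritten, which Plesk can do only when it hosts the zone. The tokens, thumbprint and dates below are constructed placeholders.

```python
import base64
import hashlib
from datetime import date, timedelta


def dns01_txt_value(token, account_thumbprint):
    """RFC 8555 section 8.4: TXT value = base64url(SHA-256(token "." thumbprint)), unpadded."""
    key_authorization = f"{token}.{account_thumbprint}".encode()
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def txt_record_satisfies(published_values, token, account_thumbprint):
    """True if any TXT value currently published at _acme-challenge matches this challenge."""
    return dns01_txt_value(token, account_thumbprint) in published_values


def renewal_due_on(issued_iso, today_iso, renew_after_days=60):
    """Plesk's default per the thread: attempt renewal about 2 months after issuing."""
    issued = date.fromisoformat(issued_iso)
    return date.fromisoformat(today_iso) >= issued + timedelta(days=renew_after_days)


def simulate_renewal(published_values, renewal_token, account_thumbprint, zone_hosted_in_plesk):
    """Outcome of an automatic renewal: the record is rewritten only when Plesk hosts the zone."""
    if zone_hosted_in_plesk:
        published_values = [dns01_txt_value(renewal_token, account_thumbprint)]
    if txt_record_satisfies(published_values, renewal_token, account_thumbprint):
        return "renewed"
    return "stale TXT record: _acme-challenge must be updated manually"


# Constructed values, not real ACME data: the record set up at first issuance ...
THUMBPRINT = "constructed-account-thumbprint"
FIRST_TOKEN = "constructed-token-first-order"
PUBLISHED_TXT = [dns01_txt_value(FIRST_TOKEN, THUMBPRINT)]
# ... and the fresh token Let's Encrypt hands out for the renewal order two months later.
RENEWAL_TOKEN = "constructed-token-renewal-order"

if __name__ == "__main__":
    print(renewal_due_on("2019-09-02", "2019-11-02"))
    print(simulate_renewal(PUBLISHED_TXT, RENEWAL_TOKEN, THUMBPRINT, zone_hosted_in_plesk=True))
    print(simulate_renewal(PUBLISHED_TXT, RENEWAL_TOKEN, THUMBPRINT, zone_hosted_in_plesk=False))
```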
 
Thank you, I wasn't aware that the DNS TXT records for _acme-challenge only have a limited validity. Makes sense. We will then switch to issuing SSL-certificates for the separate subdomains instead of with a wildcard certificate.

Would indeed be great if the Plesk documentation can be updated to reflect this information. Thank you for the clear explanation :)
 