• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question Wildcard SSL Certificates with DNS API how?!

U

user8374

New Pleskian
Hello,

since Plesk cannot use Wildcard SSL certs via Webinterface WITHOUT using own nameserver , I need a solution...

I can generate valide wildcard certs with acme.sh and an external nameserver which supports dns api. But the renewal is a pain in the ***... I have to assign the new cert to plesk which is impossible, because I can not delete the old one when it is using by the domain. Furthermore it seems possible to have certs with the same name .

How can i update/assign a renewed cert via command line (to replace the old one) to add it to a crontab script? I searched here, but there seems no real solution.

And no. I dont want to use the letsencrypt plugin from plesk, because it only supports wildcard certs when plesk also controls the dns / nameserver.
 
Well, you could just directly overwrite the certificate files in /opt/psa/var/certificates/ with your new ones and then "nginx -s reload" or whatever the other servers need to reread them ...
 
I have a solution for your problem.
Just like you I'm running DNS on a separate server and the several Plesk servers did not have the DNS-extension running.
I have the Plesk Letsencrypt certificate system working in such an environment. I'll explain:

The solution is that you use DNS-delegation. On the authoritative DNS-server you need to create an NS-record named _acme-challenge.yourdomain.com and point that to yourdomain.com.
You can put such an NS-record in your template and every new domain will have one.
But maybe you're not using a Plesk server as your authoritative DNS, I do.
All DNS-records, beside _acme-challenge.yourdomain.com, will remain on your main server.

When Letsencrypt wants to verify the TXT-record, it will not look for that on your authoritative DNS, but on the webserver.
This means that you need to install, just like I did, the DNS-extension again on your webservers.
That DNS-server only needs to have 1 record, a TXT-record _acme-challenge.yourdomain.com.
In the template I have "unconfigured" as value.

Whenever Plesk renews the certificate, it will change the TXT-record on that server.
I have this working in a production environment.

There's more info here:

Question - Wildcard certificates depend on DNS being installed

I have, for years, chosen to have DNS on a seperate Plesk server instead of the servers on which the domains of my clients are configured. This gives me several advantages, but also disadvantages. When Plesk implemented support for wildcard certificates I noticed that I suddenly had to create...
talk.plesk.com talk.plesk.com
 
You must log in or register to reply here.

Similar threads

S
Question Trying to enable "Keep Websites Secured" via API
Replies
2
Views
419
simonrp
S
JohnBee
Question Anyone know how to add SSL certificate for mail subdomains
Replies
1
Views
370
ChristophRo
ChristophRo
R
Issue SSL/TLS cert for mail server not updating (Lets Encrypt)
Replies
2
Views
907
tessa67
T
futureweb
Question Issues with SSL Certificate Renewal for Mail Services in Plesk: Seeking Automated Solution via CLI or API
Replies
8
Views
1K
futureweb
futureweb
T
Resolved Lets Encrypt renewal - wildcard seems to want to use http challenge
Replies
2
Views
2K
TomBoB
T
Back
Top