
Question: Wildcard SSL Certificates with DNS API how?!

user8374

New Pleskian
Hello,

Since Plesk cannot use wildcard SSL certs via the web interface WITHOUT using its own nameserver, I need a solution...

I can generate valid wildcard certs with acme.sh and an external nameserver which supports a DNS API. But the renewal is a pain in the ***... I have to assign the new cert to Plesk, which is impossible, because I can not delete the old one while it is being used by the domain. Furthermore, it seems possible to have certs with the same name.

How can I update/assign a renewed cert via command line (to replace the old one) so I can add it to a crontab script? I searched here, but there seems to be no real solution.

And no, I don't want to use the Let's Encrypt plugin from Plesk, because it only supports wildcard certs when Plesk also controls the DNS / nameserver.
 
Well, you could just directly overwrite the certificate files in /opt/psa/var/certificates/ with your new ones and then "nginx -s reload" or whatever the other servers need to reread them ...
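The "overwrite the files and reload" approach above can be made safe for a cron job by verifying the renewed pair before it is swapped in, replacing the file atomically, and reloading only when something actually changed. The following is an added example, not code from the thread, from Plesk or from acme.sh: it is written as an acme.sh deploy hook (acme.sh sources `~/.acme.sh/deploy/<name>.sh` and calls `<name>_deploy` with domain, key, cert, CA and full chain). The hook name `pleskstore`, the environment variables `PLESKSTORE_FILE` and `PLESKSTORE_RELOAD`, and the assumption that the target store file holds the private key followed by the full chain in one PEM file are mine; inspect the file you intend to overwrite in /opt/psa/var/certificates/ before relying on that layout.

```shell
#!/bin/sh
# Added example (not from the thread, Plesk or acme.sh): acme.sh deploy hook that
# replaces one file in the Plesk certificate store with a renewed key + chain.
# Assumptions (mine): PLESKSTORE_FILE names the store file to replace, which holds
# the private key followed by the full chain; PLESKSTORE_RELOAD is the reload
# command (default taken from the reply above). Save as ~/.acme.sh/deploy/pleskstore.sh.

# Refuse a certificate whose public key does not belong to the private key.
# Both public keys are exported as PEM and compared by digest; needs openssl.
verify_pair() {
    _cert="$1"; _key="$2"
    _from_cert=$(openssl x509 -noout -pubkey -in "$_cert" | openssl dgst -sha256)
    _from_key=$(openssl pkey -pubout -in "$_key" | openssl dgst -sha256)
    [ -n "$_from_cert" ] && [ "$_from_cert" = "$_from_key" ]
}

# The store file layout assumed here: private key first, then leaf + intermediates.
build_bundle() {
    _key="$1"; _fullchain="$2"; _out="$3"
    cat "$_key" "$_fullchain" > "$_out"
}

# Returns 0 when the installed file is missing or differs from the candidate,
# so an unchanged renewal (acme.sh re-run) does not trigger a pointless reload.
needs_install() {
    _new="$1"; _installed="$2"
    [ ! -f "$_installed" ] || ! cmp -s "$_new" "$_installed"
}

# Atomic replace: copy under a restrictive umask into the target directory,
# set the final mode, then rename, so a reader never sees a half-written key.
install_file() {
    _src="$1"; _dst="$2"; _mode="$3"
    _tmp="$(dirname "$_dst")/.$(basename "$_dst").$$"
    (umask 077; cp "$_src" "$_tmp")
    chmod "$_mode" "$_tmp"
    mv -f "$_tmp" "$_dst"
}

# Entry point called by acme.sh: domain, key, cert, CA chain, full chain.
pleskstore_deploy() {
    _cdomain="$1"; _ckey="$2"; _ccert="$3"; _cca="$4"; _cfullchain="$5"
    _target="${PLESKSTORE_FILE:?set PLESKSTORE_FILE to the store file to replace}"
    _reload="${PLESKSTORE_RELOAD:-nginx -s reload}"

    if ! verify_pair "$_ccert" "$_ckey"; then
        echo "pleskstore: key and certificate for $_cdomain do not match; not installing" >&2
        return 1
    fi
    _bundle="$(mktemp)"
    build_bundle "$_ckey" "$_cfullchain" "$_bundle"
    if needs_install "$_bundle" "$_target"; then
        install_file "$_bundle" "$_target" 0600
        echo "pleskstore: installed renewed certificate for $_cdomain into $_target"
        sh -c "$_reload"
    else
        echo "pleskstore: certificate for $_cdomain unchanged; no reload"
    fi
    rm -f "$_bundle"
}
```

Usage, once the hook file is in place: `PLESKSTORE_FILE=/opt/psa/var/certificates/<file> acme.sh --deploy -d example.com -d '*.example.com' --deploy-hook pleskstore`; acme.sh's own cron job then re-runs the deploy after each renewal. The key/cert check is deliberately before any write so a mismatched or corrupted renewal leaves the working certificate untouched, and the "unchanged" branch keeps the cron job quiet on the days nothing was renewed.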
 
I have a solution for your problem.
Just like you, I'm running DNS on a separate server and the several Plesk servers did not have the DNS extension running.
I have the Plesk Let's Encrypt certificate system working in such an environment. I'll explain:

The solution is that you use DNS delegation. On the authoritative DNS server you need to create an NS record named _acme-challenge.yourdomain.com and point that to yourdomain.com.
You can put such an NS record in your template and every new domain will have one.
But maybe you're not using a Plesk server as your authoritative DNS; I do.
All DNS records, besides _acme-challenge.yourdomain.com, will remain on your main server.

When Let's Encrypt wants to verify the TXT record, it will not look for it on your authoritative DNS, but on the web server.
This means that you need to install, just like I did, the DNS extension again on your web servers.
That DNS server only needs to have one record, a TXT record _acme-challenge.yourdomain.com.
In the template I have "unconfigured" as the value.

Whenever Plesk renews the certificate, it will change the TXT-record on that server.
I have this working in a production environment.

There's more info here:
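What the delegation in this reply looks like as records, as an added example that is not part of the post (Plesk's DNS extension generates its zone itself; the fragment shows the two zones' contents in BIND zone-file notation). `example.com`, `ns1.example.com`, the address `192.0.2.10` and the SOA values are placeholders; as in the reply, the NS record for the challenge label points at the domain name itself, whose A record must resolve to the Plesk web server.

```zone
; Added example, not from the thread. Two zones on two servers.

; --- 1. On the authoritative name server (the "main server"): zone example.com ---
$ORIGIN example.com.
@               IN SOA  ns1.example.com. hostmaster.example.com. ( 2024010101 3600 900 1209600 300 )
@               IN NS   ns1.example.com.
@               IN A    192.0.2.10          ; the Plesk web server
www             IN A    192.0.2.10
; Delegate only the challenge label to the web server; every other record stays here.
_acme-challenge IN NS   example.com.

; --- 2. On the Plesk web server (DNS extension): zone _acme-challenge.example.com ---
$ORIGIN _acme-challenge.example.com.
@               IN SOA  example.com. hostmaster.example.com. ( 2024010101 3600 900 1209600 300 )
@               IN NS   example.com.
@               IN TXT  "unconfigured"      ; Plesk rewrites this at each renewal
```

To check the chain before the first renewal, query the parent for the delegation (`dig +short NS _acme-challenge.example.com`) and then the TXT record via normal recursion (`dig +short TXT _acme-challenge.example.com`); the second answer must come back as `"unconfigured"` (or the current challenge value) from the web server. Port 53 on the web server, UDP and TCP, has to be reachable from the internet for this, since Let's Encrypt's resolvers will follow the delegation there. Delegating only `_acme-challenge` is also the least-privilege arrangement: the DNS service on the web server can influence nothing in `example.com` beyond that one label.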

 