• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion
  • Inviting everyone to the UX test of a new security feature in the WP Toolkit
    For WordPress site owners, threats posed by hackers are ever-present. Because of this, we are developing a new security feature for the WP Toolkit. If the topic of WordPress website security is relevant to you, we would be grateful if you could share your experience and help us test the usability of this feature. We invite you to join us for a 1-hour online session via Google Meet. Select a convenient meeting time with our friendly UX staff here.

Question Wildcard SSL Certificates with DNS API how?!

U

user8374

New Pleskian
Hello,

since Plesk cannot use Wildcard SSL certs via Webinterface WITHOUT using own nameserver , I need a solution...

I can generate valide wildcard certs with acme.sh and an external nameserver which supports dns api. But the renewal is a pain in the ***... I have to assign the new cert to plesk which is impossible, because I can not delete the old one when it is using by the domain. Furthermore it seems possible to have certs with the same name .

How can i update/assign a renewed cert via command line (to replace the old one) to add it to a crontab script? I searched here, but there seems no real solution.

And no. I dont want to use the letsencrypt plugin from plesk, because it only supports wildcard certs when plesk also controls the dns / nameserver.
 
Well, you could just directly overwrite the certificate files in /opt/psa/var/certificates/ with your new ones and then "nginx -s reload" or whatever the other servers need to reread them ...
 
I have a solution for your problem.
Just like you I'm running DNS on a separate server and the several Plesk servers did not have the DNS-extension running.
I have the Plesk Letsencrypt certificate system working in such an environment. I'll explain:

The solution is that you use DNS-delegation. On the authoritative DNS-server you need to create an NS-record named _acme-challenge.yourdomain.com and point that to yourdomain.com.
You can put such an NS-record in your template and every new domain will have one.
But maybe you're not using a Plesk server as your authoritative DNS, I do.
All DNS-records, beside _acme-challenge.yourdomain.com, will remain on your main server.

When Letsencrypt wants to verify the TXT-record, it will not look for that on your authoritative DNS, but on the webserver.
This means that you need to install, just like I did, the DNS-extension again on your webservers.
That DNS-server only needs to have 1 record, a TXT-record _acme-challenge.yourdomain.com.
In the template I have "unconfigured" as value.

Whenever Plesk renews the certificate, it will change the TXT-record on that server.
I have this working in a production environment.

There's more info here:

Question - Wildcard certificates depend on DNS being installed

I have, for years, chosen to have DNS on a seperate Plesk server instead of the servers on which the domains of my clients are configured. This gives me several advantages, but also disadvantages. When Plesk implemented support for wildcard certificates I noticed that I suddenly had to create...
talk.plesk.com talk.plesk.com
 
You must log in or register to reply here.

Similar threads

futureweb
Question Issues with SSL Certificate Renewal for Mail Services in Plesk: Seeking Automated Solution via CLI or API
Replies
8
Views
345
futureweb
futureweb
T
Resolved Lets Encrypt renewal - wildcard seems to want to use http challenge
Replies
2
Views
1K
TomBoB
T
Hangover2
Forwarded to devs SSL It! breaks renewal and usage of Let's Encrypt wildcard certificates when subdomains are involved
2
Replies
29
Views
6K
Hangover2
Hangover2
H
Resolved Wildcard SSL Certificate Auto Renewals not Working for Let's Encrypt with External DNS
Replies
6
Views
4K
NickSick
N
C
Question SSL certificate location for Prosody import
Replies
7
Views
2K
Kaspar
K
Back
Top