• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question Wildcard SSL Certificates with DNS API how?!

user8374

New Pleskian
Hello,

since Plesk cannot use Wildcard SSL certs via Webinterface WITHOUT using own nameserver , I need a solution...

I can generate valide wildcard certs with acme.sh and an external nameserver which supports dns api. But the renewal is a pain in the ***... I have to assign the new cert to plesk which is impossible, because I can not delete the old one when it is using by the domain. Furthermore it seems possible to have certs with the same name .

How can i update/assign a renewed cert via command line (to replace the old one) to add it to a crontab script? I searched here, but there seems no real solution.

And no. I dont want to use the letsencrypt plugin from plesk, because it only supports wildcard certs when plesk also controls the dns / nameserver.
 
Well, you could just directly overwrite the certificate files in /opt/psa/var/certificates/ with your new ones and then "nginx -s reload" or whatever the other servers need to reread them ...
 
I have a solution for your problem.
Just like you I'm running DNS on a separate server and the several Plesk servers did not have the DNS-extension running.
I have the Plesk Letsencrypt certificate system working in such an environment. I'll explain:

The solution is that you use DNS-delegation. On the authoritative DNS-server you need to create an NS-record named _acme-challenge.yourdomain.com and point that to yourdomain.com.
You can put such an NS-record in your template and every new domain will have one.
But maybe you're not using a Plesk server as your authoritative DNS, I do.
All DNS-records, beside _acme-challenge.yourdomain.com, will remain on your main server.

When Letsencrypt wants to verify the TXT-record, it will not look for that on your authoritative DNS, but on the webserver.
This means that you need to install, just like I did, the DNS-extension again on your webservers.
That DNS-server only needs to have 1 record, a TXT-record _acme-challenge.yourdomain.com.
In the template I have "unconfigured" as value.

Whenever Plesk renews the certificate, it will change the TXT-record on that server.
I have this working in a production environment.

There's more info here:

 
Back
Top