Auto-renew/issue Let’s Encrypt Wildcard SSL Certificate (Plesk), Cloudflare External DNS
Nowadays there are many cases where a user runs Cloudflare External DNS for their domain.
The features Cloudflare offers (even on the free plan) are very useful and go far beyond DNS, so many users hosted on Plesk or cPanel use Cloudflare even though their server actually includes DNS management.
See the docs: Plesk External DNS Servers and How to Set Up Nameservers in a cPanel & WHM Environment.
Let’s Encrypt SSL is a free SSL certificate offered by Plesk and cPanel which can be obtained with a few clicks, for free.
For cPanel, AutoSSL (in WHM) is the main location for server-wide SSL management.
For Plesk, the most common way is the SSL It! extension (admin panel).
SSL Providers
There are multiple SSL certificate providers, such as DigiCert, GeoTrust, Sectigo, Entrust, Thawte, Comodo, GlobalSign, GoDaddy, SSLs, Network Solutions, SSL2BUY, Gen Digital, RapidSSL, Comodo SSL and Thawte SSL123, but Let’s Encrypt is getting more popular because it is included for free in cPanel and Plesk and, even more, because its Wildcard SSL is free as well.
If you don’t use a Let’s Encrypt Wildcard SSL, the control panel (Plesk or cPanel) can easily satisfy the SSL validation requirements and issue/auto-renew the certificate even when DNS is external, because validation is done with a simple file (HTTP) challenge. A wildcard certificate, by contrast, can only be validated through a DNS TXT record.
Let’s Encrypt Wildcard SSL
In this tutorial, I will cover the most common issue with Plesk and Let’s Encrypt Wildcard SSL, and its solution.
Vikas tried to explain the solution; however, many people are still unable to replicate it, as that document does not explain the solution very clearly.
Some complained in the threads “[Let’s Encrypt] Cannot renew the certs of wildcard domains which DNS are managed by CloudFlare”, “Lets Encrypt auto renew with external DNS possible?” and “Wildcard SSL Certificate Auto Renewals not Working for Let’s Encrypt with External DNS”.
If you are using the Plesk control panel to host your website and Cloudflare (or a third-party DNS server such as GoDaddy or Namesilo) for your DNS records & registrar, you may encounter the challenge of manually adding the DNS TXT record each time you need to issue or renew a Wildcard SSL certificate from Let’s Encrypt. This manual renewal process every 90 days is problematic and creates the risk of your site not having a valid certificate if a renewal is overlooked.
Here is the typical email you get as Plesk administrator:
Could not renew Let`s Encrypt certificates for Administrator (login admin). Please log in to Plesk and renew the certificates listed below manually.
Renewal of the following Let`s Encrypt certificates has failed: ** 'Lets Encrypt DOMAIN-NAME' [days to expire: YY] **
To address the issue of “Could not issue/renew Let’s Encrypt certificates” on the Plesk control panel, follow the steps below:
1. In your Cloudflare DNS interface (part of dash.cloudflare.com/), make sure you have the following DNS entry:
This record tells resolvers, on a DNS request for “_acme-challenge”, to look it up on the other server: the one running your website, which now runs DNS too.
2. Go to your Plesk panel, Home -> Subscriptions -> “domain-name” -> Websites & Domains -> DNS, and make sure the zone is enabled as Primary.
With this change, the Plesk installation will automatically manage the zone on various operations (adding a DNS entry, a subdomain, etc.). However, only ONE name is “delegated” to this DNS server: the “_acme-challenge” entry. Anything else still goes to Cloudflare DNS.
Ignore possible warnings like “The website’s domain name does not resolve or resolves to a different IP address.”
One possible issue, if this is the first time you use your server’s DNS service: make sure the firewall is open on port 53 for both protocols (TCP and UDP). A TXT lookup that works over UDP but not TCP, or vice versa, can still fail the challenge.
If you use the latest Ionos Cloud Servers, they block this port by default, so you have to go to “Servers & Cloud – Set up and administer servers” (from your Ionos control panel) and launch something like “cloudpanel.ionos.com/PATH”, called Ionos Infrastructure. There, go to Network -> Firewall Policies to manage such entries. See also the ports used by Plesk: https://www.plesk.com/kb/docs/ports-used-by-plesk/
3. At this stage you are actually ready for “auto-renew”, which can be triggered manually or by simply waiting for the system to retry (usually the next day).
For a manual retry, here are the steps:
Step1)
Go to “SSL/TLS Certificate” in Home -> Subscriptions -> -> Websites & Domains and click “Reissue Certificate”.
Alternatively, you can also go through the “SSL It!” extension.
Step2)
Click “Install” under “Install a free basic certificate provided by Let’s Encrypt” at the bottom.
Step3)
Select all necessary options and click “Get it free”.
Step4)
Verify the confirmation screen and click Continue.
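Before retrying the reissue, it helps to confirm from the outside that the setup above is actually in place. The following POSIX shell script is an added example (not from the original post or from Plesk): it checks that “_acme-challenge” is delegated to the Plesk server, that port 53 answers over both TCP and UDP, and shows whatever TXT value is currently visible. It assumes the domain is example.com and the Plesk server’s nameserver is ns1.example.com; pass your own values as the two arguments.

```shell
#!/bin/sh
# Pre-flight check for the _acme-challenge delegation setup (added example).
# Assumed names, not from the original post: example.com / ns1.example.com.
DOMAIN="${1:-example.com}"
PLESK_NS="${2:-ns1.example.com}"
RESOLVER="1.1.1.1"          # any public recursive resolver will do
DIG="dig +time=2 +tries=1"  # fail fast instead of hanging on a closed port

# delegation_ok NS_ANSWER EXPECTED_NS
# NS_ANSWER is the output of "dig +short NS" (one name per line, trailing
# dot optional, any case). Succeeds when EXPECTED_NS is one of the names.
delegation_ok() {
    want=$(printf '%s' "$2" | sed 's/\.$//' | tr 'A-Z' 'a-z')
    printf '%s\n' "$1" | sed 's/\.$//' | tr 'A-Z' 'a-z' | grep -qxF "$want"
}

# port53_ok tcp|udp
# Asks the Plesk nameserver for the zone's SOA over one transport; the
# firewall note in step 2 means both transports must work, not just one.
port53_ok() {
    if [ "$1" = tcp ]; then flag=+tcp; else flag=+notcp; fi
    [ -n "$($DIG +short $flag SOA "$DOMAIN" @"$PLESK_NS" 2>/dev/null)" ]
}

run_checks() {
    # 1. What the public internet (and Let's Encrypt) sees for _acme-challenge
    answer=$($DIG +short NS "_acme-challenge.$DOMAIN" @"$RESOLVER" 2>/dev/null)
    if delegation_ok "$answer" "$PLESK_NS"; then
        echo "OK   _acme-challenge.$DOMAIN is delegated to $PLESK_NS"
    else
        echo "FAIL _acme-challenge.$DOMAIN NS answer: '${answer:-<empty>}'"
    fi
    # 2. Port 53 reachable on both transports
    for t in tcp udp; do
        if port53_ok "$t"; then echo "OK   $PLESK_NS answers on 53/$t"
        else echo "FAIL $PLESK_NS does not answer on 53/$t (firewall?)"; fi
    done
    # 3. During a renewal the TXT record Plesk publishes must be visible here
    txt=$($DIG +short TXT "_acme-challenge.$DOMAIN" @"$RESOLVER" 2>/dev/null)
    echo "INFO TXT via $RESOLVER: '${txt:-<none>}' (empty outside a renewal is normal)"
}

if command -v dig >/dev/null 2>&1; then run_checks; fi
```

Run it right after step 2 and again while a reissue is in progress; a FAIL on the first check means Cloudflare still answers for “_acme-challenge” itself, a FAIL on 53/tcp or 53/udp points at the firewall.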