How to install wildcard certificates in Plesk with Let's Encrypt?

46 comments

  • Nikita Nikushkin (Edited)

    Hi @Giuseppe Passanisi!

    The "www" names of a domain alias and of a subdomain are not added to the SANs list and are therefore not secured by the wildcard certificate. This is a Let's Encrypt extension bug with ID EXTLETSENC-568, which is planned to be fixed in future updates.

    The workaround is described here:

    www alias, subdomains are not included into the issued wildcard Let's Encrypt Certificate

    2
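
Added example (not part of the thread and not Plesk or Let's Encrypt code): a check of which hostnames a certificate's SAN list actually covers, using the standard rule that `*` stands for exactly one left-most label. The SAN list and hostnames are constructed samples; `alias.example` is a hypothetical domain alias.

```python
import socket
import ssl


def san_matches(pattern, hostname):
    """True if one SAN dNSName entry covers hostname.

    A "*" counts only as the entire left-most label and stands for exactly
    one label, so *.example.com covers sub3.example.com but neither
    example.com nor www.sub3.example.com.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Reject over-broad patterns such as "*.com".
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def uncovered(san_list, hostnames):
    """Hostnames that no SAN entry covers, in input order."""
    return [h for h in hostnames
            if not any(san_matches(s, h) for s in san_list)]


def sans_from_server(host, port=443, timeout=5):
    """Read the dNSName SANs a live server presents.

    Connect to a name the certificate is known to cover (the main domain);
    the handshake fails verification for a name it does not cover.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


# Constructed sample: SANs of a wildcard certificate issued for example.com.
SAMPLE_SANS = ["example.com", "*.example.com"]
SAMPLE_HOSTS = ["example.com", "www.example.com", "mail.example.com",
                "smtp.example.com", "sub3.example.com",
                "www.sub3.example.com", "alias.example", "www.alias.example"]

if __name__ == "__main__":
    for name in uncovered(SAMPLE_SANS, SAMPLE_HOSTS):
        print("not covered:", name)
```

To check a live site, pass the result of `sans_from_server("example.com")` to `uncovered()` together with every hostname the subscription serves.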
  • Alexandr Redikultsev

    Hi @JB,

    Are you sure that the affected sub-domains are actually sub-domains in terms of business logic, or are they just domains that are named like sub-domains? You can easily tell by checking whether or not the sub-domain has a mail settings tab (as there is no mail service for true sub-domains, not yet at least).

    But in any case you can just try to fix the relation in the database as described here: https://support.plesk.com/hc/en-us/articles/360000247373-Unable-to-select-a-wildcard-SSL-certificate-for-a-subdomain-in-Plesk-SSL-certificate-is-not-available-for-selection

    1
  • Konstantin Annikov

    Hello, 

    Thank you for the feedback. 

    Actually, in the drop-down menu the same certificate name (without wildcard) is used.

    So, in case you updated the certificate, just select the 'Lets Encrypt example.com' certificate for the subdomain as in the screenshot.

    You can check whether the certificate is a secure one in Google Chrome after installation.

    1
  • GoldGigsChris

    Hi,

    Thank you for your answers so far.

    I see from the article linked below, that Let's Encrypt wildcard support is now live!

    https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579

    Are there any plans and timetable for wildcard support to be added to the Plesk Let's Encrypt extension?

    Thank you,

    Chris

    1
  • Dave Kramer

    I have a domain set up with a wildcard SSL with Let's Encrypt. Whenever I create a new subdomain (using Plesk API) the subdomain is created with the certificate in the dropdown as "Not Selected". I can still select the correct wildcard certificate from the dropdown, but this manual process defeats the purpose of the automation provided by the Plesk API integration that I have made.

    This behavior also occurs when I manually create a subdomain in the Plesk control panel.

    I have run the following query: plesk db "SELECT * FROM domains WHERE name like '%example.com'";

    and the cert_rep_id remains the same regardless of how I change the dropdown called "Certificate"

    How can I get the wildcard certificate to automatically be selected after a new subdomain is created?

     

    1
  • Ivan Postnikov

    Hello Gianluca

    This article should help to achieve your goal:
    https://support.plesk.com/hc/en-us/articles/360016436973 

    1
  • Gunnar (Edited)

    I have made the adjustments to be able to get wildcard Let's Encrypt certificates. I am now amazed to read in the Plesk documentation https://docs.plesk.com/en-US/onyx/administrator-guide/website-management/websites-and-domains/advanced-website-security/securing-connections-with-ssltls-certificates/getting-free-wildcard-ssltls-certificates-from-let’s-encrypt.79603/ that subdomains are not supported with this setup.

    Isn't one of the main reasons for installing a wildcard certificate that all subdomains are secured by default? What's the added value of wildcard over non-wildcard Let's Encrypt Plesk integration?

    In my case I need valid mail.domain.com and smtp.domain.com certificates for a customer. So far I have a manual workaround which is leading time and time again to unwanted problems.

    Any help is much appreciated. 

    Two days waiting for approval of this post and still no update. ????

    1
  • Alexandr Tumanov

    @Arnaud, currently, it is planned to release the update within one month. However, the release date may be changed.

    1
  • Nikita Nikushkin

    Hello @Dave Kramer,

    Yes, the wildcard certificate has to be selected manually for the existing and newly created subdomains.

    It is one of the limitations.

    Please also note that it is not possible to automate this process by using Plesk tools.

    I added a note to the article in order to make this point clearer.

    0
  • JB

    @Konstantin

    Thanks for your reply. The issue I am having is that the wildcard certificate doesn't appear in the drop down menu for the subdomain as in your example.  The only certificate that appears is 'Lets Encrypt sub3.example.com (sub3.example.com)' which is the previous certificate (not wildcard) created for that subdomain.

    If I create a new subdomain then the wildcard certificate is available, so it seems that this issue only affects existing subdomains.

    Any further advice would be much appreciated.

    Thank you 

     

    0
  • Ivan Postnikov

    Hello @Jeffrey! This feature implementation is currently in progress.

    After it is implemented, the article will be updated.

    0
  • Arnaud

    What is the Plesk priority in the roadmap on this?

    0
  • Julius Huitema

    Hi,

    I know that this feature implementation is currently in progress but could you give me an indication of when this will be usable? Like a couple of days, weeks, months or even years?

    Thank you very much!
    Julius

    0
  • Fouad Ahmed Fouad

    Can't issue SSL based on acme-v02, my panel.ini contains,

    [ext-letsencrypt]
    acme-directory-url = "https://acme-v02.api.letsencrypt.org/directory"
    acme-protocol-version = "acme-v02"

    Restarted Plesk and tried many times, it still insists on using the web site challenge and not DNS, what should I do?

    0
  • tomaz

    So how does one currently auto-renew wildcard LE certs? Something we can put in cron?

    0
  • Jan Bludau

    Thank you for help :-)

    0
  • GoldGigsChris

    Let's Encrypt have announced a delay - See https://community.letsencrypt.org/t/acmev2-and-wildcard-launch-delay/53654

    Does the current Let's Encrypt Plesk extension version already include the ability to automatically provide wildcard certificates as soon as Let's Encrypt start to offer them? Or will there be a new version that I'll need to download sometime in the future?

    Thanks

    0
  • Anton Maslov

    @Justin, yes, it is possible. I tested that and can confirm. Could you please confirm that:

    1. You issued a wildcard for domain.com

    2. *.domain.com is created inside the same subscription as a subdomain.

    3. Also, do you use Linux or Windows, please?

    0
  • Leander Seyffer

    Thank you! This article was very helpful.

    0
  • Gianluca (Edited)

    Thank you very much Ivan Postnikov

    0
  • JUSTIN BUCKLEY

    So I have a situation where a client has created a wildcard subdomain in Plesk, *.domain.com, for a particular web app. This site hosts user profiles with the URL format 'user.domain.com'. I created a wildcard cert per the instructions above, but I'm unable to select it in the hosting settings for the wildcard domain. Also, the Let's Encrypt cert and shortcut are missing altogether for this wildcard subdomain too.

    Is it possible to use the Let's Encrypt wildcard in this scenario, or another way to configure it? Thanks!

     

    0
  • Nexbit

    Actually this is not entirely true:

    > After clicking the Install button, Let's Encrypt will either add a DNS TXT record on its own (if Plesk server is authoritative DNS for the domain) or will provide with the instructions on how to add this record (if DNS is managed by an external server)

    I don't have the DNS component installed (because I don't need it, and when I don't need something I simply uninstall it), and the Let's Encrypt extension fails with this error:

    Remove DNS record failure: DNS service is not enabled

    The extension should work even if the DNS service is not installed, giving the instructions to add the TXT record as stated in this document.

    Please let me know if there is a workaround, or I need to wait for a fix, if any will be provided. Thx!

    0
  • Anzhelika Khapaknysh

    Hello @Nico Dorn!

    I confirm that the above instructions are valid.

    In case the option for issuing wildcard certificates is still not available, I recommend checking the following:

    1. Make sure that Let's Encrypt extension is up to date: https://support.plesk.com/hc/en-us/articles/115000159173 
    2. Check this article: https://support.plesk.com/hc/en-us/articles/360006833233 

    0
  • Hisham

    @Alexandr,

    For which Plesk versions will the wildcard support be available? ONYX 17.017, 17.5.3 or higher?
    I'm currently running 17.0.17 and would need to know whether I need to upgrade to a higher version, so I can prepare upfront.

    Thanks in advance

    0
  • Ivan Postnikov

    Hello Fouad Ahmed Fouad

    The option acme-protocol-version = "acme-v02" allows getting wildcard certificates, as they're obtained via DNS-challenge only.

    Regular certificates by design are issued the same way as in acme-v01.

    More information may be found here: https://docs.plesk.com/en-US/obsidian/administrator-guide/78586/

    0
  • Ivan Postnikov

    Hello @Luis,

    The comment from my colleague Nikita is still current.

    As soon as there'll be any changes in the configuration for subdomains logic, the article will be updated.

    0
  • Artyom Volov

    Hello @Tomaz!

    Currently, auto-renewal of wildcard certificates is not implemented in any way - not in Plesk or through the command line, so cron here will not work - it is possible to do only through Plesk manually.

    Please vote for implementation of this feature in our UserVoice:
    https://plesk.uservoice.com/forums/184549-feature-suggestions/suggestions/35024611-implement-renewal-of-let-s-encrypt-wildcard-certif

    0
  • Mark

    Is there an update on this?

    0
  • Alexandr Tumanov

    @Chris,

    It may be required to update Let's Encrypt extension to get the support for this feature in future.

    0
  • Ivan Postnikov (Edited)

    Hello @Nexbit,

    Indeed, such an issue is confirmed as a bug of Let's Encrypt extension with ID EXTLETSENC-558:

    At the moment, there is no workaround available.
    Consider following the article to be notified when the bug is fixed - the article will be updated.
     
    Currently, there is no exact ETA.
    0