Applicable to:
- Plesk for Linux
- Plesk for Windows
Question
How to use Let's Encrypt for wildcard certificates in order to secure subdomains like sub1.example.com, sub2.example.com, etc.?
Answer
This feature is available starting from Let's Encrypt 2.6.0 and it can be done through one of the following methods:
Via the SSL/TLS Certificates screen:
- Log in to Plesk.
- Go to Domains > example.com > SSL/TLS Certificates > Issue Certificate, choose the Secure the wildcard domain option and click Get it free to renew it.
- After clicking the Install button, Let's Encrypt will either add the DNS TXT record on its own (if the Plesk server is the authoritative DNS server for the domain) or will provide instructions on how to add this record (if DNS is managed by an external server).
- After the DNS configuration is complete and the TXT record _acme-challenge.<domain> resolves properly, click the Continue button to issue the certificate.

Via the Let's Encrypt screen:
- Log in to Plesk.
- Go to Domains > example.com > Let's Encrypt, check the Issue a wildcard SSL/TLS certificate option and click Install.
- After clicking the Install button, Let's Encrypt will either add the DNS TXT record on its own (if the Plesk server is the authoritative DNS server for the domain) or will provide instructions on how to add this record (if DNS is managed by an external server).
Note: On Windows, if the Bind DNS server is used, the record should be added manually under Domains > example.com > DNS Settings. Such certificates will also not be renewed automatically. This behavior has been registered as a bug and will be fixed in one of the future product updates.
- After the DNS configuration is complete and the TXT record _acme-challenge.<domain> resolves properly, click the Continue button to issue the certificate.
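Both methods pause until the _acme-challenge TXT record "resolves properly". Let's Encrypt validates from its own resolvers, not from the Plesk server, so a record that only exists locally will fail the DNS challenge. The script below is an added example (not Plesk or Let's Encrypt code): it queries a public resolver with dig (assumed installed, Linux), parses the output, and reports whether the exact token Plesk displayed is already published; the sample dig output is constructed.

```python
"""Check that _acme-challenge.<domain> is published with the token Plesk asked for
before clicking Continue in the wildcard certificate dialog (added example)."""
import shlex
import subprocess
import sys

# Constructed sample of `dig +short TXT` output: a stale token from an earlier
# attempt plus the token of the current order. Real tokens are base64url strings.
SAMPLE_DIG_OUTPUT = '"oldtoken-from-previous-attempt"\n"CurrentOrderToken_123"\n'


def parse_dig_txt(output: str) -> list:
    """Turn `dig +short TXT` output into a list of record values.

    dig prints one record per line; a value longer than 255 bytes is printed as
    several quoted strings ("abc" "def") that must be concatenated."""
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # skip blanks and dig comments
            continue
        records.append("".join(shlex.split(line)))  # shlex drops the quotes
    return records


def challenge_is_published(output: str, expected_token: str) -> bool:
    """True only if the exact token is among the published values.

    Equality, not substring: a stale token from an earlier order must not pass."""
    return expected_token in parse_dig_txt(output)


def query_txt(domain: str, resolver: str = "1.1.1.1") -> str:
    """Ask a public resolver (assumption: dig is installed) for the challenge record."""
    name = f"_acme-challenge.{domain}"
    result = subprocess.run(["dig", f"@{resolver}", "+short", "TXT", name],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} example.com <token shown by Plesk>")
    domain, token = sys.argv[1], sys.argv[2]
    out = query_txt(domain)
    if challenge_is_published(out, token):
        print(f"_acme-challenge.{domain} carries the expected token; click Continue")
    else:
        print(f"token not visible yet, published values: {parse_dig_txt(out)}")
        sys.exit(1)
```

If the check passes from a public resolver but Plesk still reports the record as missing, the authoritative zone may be cached with an old serial; waiting out the TTL is usually enough.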
This iteration of Let's Encrypt wildcard certificates has several limitations:
- A wildcard certificate is only assigned to the main domain. To apply it to subdomains, go to Hosting Settings of each subdomain and choose the new wildcard Let's Encrypt certificate in the Certificate drop-down menu.
- New subdomains do not get the wildcard certificate automatically. It has to be selected for them manually as well.
- Wildcard certificates can only be issued manually from the Let's Encrypt screen of a domain. Certificates issued from the domain creation screen or with the Keep secured option enabled on the service plan will always be plain (non-wildcard) Let's Encrypt certificates.
- Wildcard certificates will not be renewed automatically.
Note: since Let's Encrypt version 2.7.0, expired wildcard certificates are automatically renewed.
These limitations will be fixed in future releases.
Additional information
Instead of Let's Encrypt certificates, custom wildcard certificates can be added as usual according to the following article: How to install SSL certificate for a domain in Plesk
Comments
46 comments
@Konstantin
Thanks for your reply. The issue I am having is that the wildcard certificate doesn't appear in the drop down menu for the subdomain as in your example. The only certificate that appears is 'Lets Encrypt sub3.example.com (sub3.example.com)' which is the previous certificate (not wildcard) created for that subdomain.
If I create a new subdomain then the wildcard certificate is available, so it seems that this issue only affects existing subdomains.
Any further advice would be much appreciated.
Thank you
Hi @JB,
Are you sure that the affected sub-domains are actually sub-domains in terms of business logic, or are they just domains that are named like sub-domains? You can easily check that by whether or not the sub-domain has a mail settings tab (as there is no mail service for true sub-domains, not yet at least).
But in all cases you can just try to fix the relation in the database as described here: https://support.plesk.com/hc/en-us/articles/360000247373-Unable-to-select-a-wildcard-SSL-certificate-for-a-subdomain-in-Plesk-SSL-certificate-is-not-available-for-selection
So I have a situation where a client has created a wildcard subdomain in Plesk, *.domain.com, for a particular web app. This site hosts user profiles with the URL format 'user.domain.com'. I created a wildcard cert per the instructions above, but I'm unable to select it in the hosting settings for the wildcard domain. Also, the Let's Encrypt cert and shortcut are missing altogether for this wildcard subdomain too.
Is it possible to use the Let's Encrypt wildcard in this scenario, or another way to configure it? Thanks!
@Justin, yes, it is possible. I tested that and can confirm. Could you please confirm that:
1. You issued the wildcard for domain.com
2. *.domain.com was created inside the same subscription as a subdomain.
3. Also, do you use Linux or Windows?
I noticed that with wildcard LE it doesn't generate the www subdomain for the alias.
Is there a way to fix that?
Hi @Giuseppe Passanisi!
"www" of domain aliases and subdomains are not added to the SANs list and therefore are not secured by the wildcard certificate. This is a Let's Encrypt extension bug with ID EXTLETSENC-568, which is planned to be fixed in future updates.
The workaround is described here:
www alias, subdomains are not included into the issued wildcard Let's Encrypt Certificate
Thank you for help :-)
I have a domain set up with a wildcard SSL with Let's Encrypt. Whenever I create a new subdomain (using the Plesk API) the subdomain is created with the certificate in the dropdown as "Not Selected". I can still select the correct wildcard certificate from the dropdown, but this manual process defeats the purpose of the automation provided by the Plesk API integration that I have made.
This behavior also occurs when I manually create a subdomain in the Plesk control panel.
I have run the following query: plesk db "SELECT * FROM domains WHERE name like '%example.com'";
and the cert_rep_id remains the same regardless of how I change the dropdown called "Certificate".
How can I get the wildcard certificate to automatically be selected after a new subdomain is created?
Hello @Dave Kramer,
Yes, the wildcard certificate has to be selected manually for the existing and newly created subdomains.
It is one of the limitations.
Please also note that it is not possible to automate this process by using Plesk tools.
I added a note to the article in order to make this point more clear.
Same problem as @Dave Kramer has.
I need to automatically assign the wildcard SSL to my subdomains.
Is there no solution for this?
Hello @Luis,
The comment from my colleague Nikita is still current.
As soon as there are any changes in the configuration logic for subdomains, the article will be updated.
Can't issue SSL based on acme-v02, my panel.ini contains,
[ext-letsencrypt]
acme-directory-url = "https://acme-v02.api.letsencrypt.org/directory"
acme-protocol-version = "acme-v02"
I restarted Plesk and tried many times, but it still insists on using the website challenge and not DNS. What should I do?
Hello Fouad Ahmed Fouad
The option acme-protocol-version = "acme-v02" allows getting wildcard certificates, as they are obtained via the DNS challenge only.
Regular certificates by design are issued the same way as in acme-v01.
More information may be found here: https://docs.plesk.com/en-US/obsidian/administrator-guide/78586/
Hello, is it possible to execute the "Reload" function of this page via the CLI instead of waiting for Plesk to check the existence of the TXT record?
Hello Gianluca
This article should help to achieve your goal:
https://support.plesk.com/hc/en-us/articles/360016436973
Thank you very much Ivan Postnikov