Applicable to:
- Plesk for Linux
- Plesk for Windows
Question
How to use Let's Encrypt for wildcard certificates in order to secure subdomains like sub1.example.com, sub2.example.com, etc.?
Answer
Wildcard certificates can be installed using the following procedure:
- Log in to Plesk.
- Go to Domains > example.com > SSL/TLS Certificates > Install a free basic certificate provided by Let's Encrypt > Choose the Secure the wildcard domain option > Click Get it free to renew it.
- After clicking the Install button, Let's Encrypt will either add a DNS TXT record on its own (if the Plesk server is the authoritative DNS server for the domain) or will provide instructions on how to add this record (if DNS is managed by an external server).
- After the DNS configuration is complete and the DNS TXT record _acme-challenge.<domain> resolves properly, click the Continue button to issue the certificate.
Note: This iteration of Let's Encrypt wildcard certificate support has several limitations:
- A wildcard certificate is only assigned to the main domain. To apply it to subdomains, go to Hosting Settings of each subdomain and choose the new wildcard Let's Encrypt certificate in the Certificate drop-down menu.
- New subdomains do not get the wildcard certificate automatically. It has to be selected for them manually as well.
- Wildcard certificates can only be issued manually from the Let's Encrypt screen of a domain. Certificates issued from the domain creation screen or with the Keep secured option enabled on the service plan will always be plain (non-wildcard) Let's Encrypt certificates.
- Wildcard certificates will not be renewed automatically if the DNS zone is managed by an external DNS server.
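Two checks worth running around the procedure above, as an added example (not Plesk or extension code): confirming that the _acme-challenge TXT token is visible in DNS before clicking Continue, and working out which host names the resulting wildcard certificate actually covers, which is the root of the subdomain limitation listed above. The dig-based resolver and the constructed token value are assumptions; the scope check follows the usual one-label wildcard rule (RFC 6125).

```python
"""Pre-flight checks for a Let's Encrypt wildcard (dns-01) certificate.

Added example, not part of Plesk or its Let's Encrypt extension:
(1) confirm the TXT token Plesk shows is visible at _acme-challenge.<domain>
    before clicking "Continue";
(2) check which host names a "*.example.com" certificate covers
    (one label only; the bare domain needs its own SAN entry).
"""
import subprocess
from typing import Callable, List

Lookup = Callable[[str], List[str]]


def challenge_name(domain: str) -> str:
    """Owner name of the dns-01 TXT record (absolute, lower-case)."""
    return "_acme-challenge." + domain.strip(".").lower() + "."


def txt_records_via_dig(name: str) -> List[str]:
    """Real resolver: ask a public resolver with dig(1); needs network (assumed tool)."""
    out = subprocess.run(["dig", "+short", "TXT", name, "@1.1.1.1"],
                         capture_output=True, text=True, check=False).stdout
    return [ln.strip().strip('"') for ln in out.splitlines() if ln.strip()]


def challenge_visible(domain: str, token: str, lookup: Lookup = txt_records_via_dig) -> bool:
    """True once the token is among the TXT values published at _acme-challenge."""
    return token in lookup(challenge_name(domain))


def covered_by(cert_names: List[str], host: str) -> bool:
    """True if a certificate with SAN list cert_names is valid for host.

    A wildcard SAN matches exactly one leftmost label: *.example.com covers
    sub1.example.com but neither example.com nor a.b.example.com.
    """
    host = host.rstrip(".").lower()
    for san in (n.rstrip(".").lower() for n in cert_names):
        if san == host:
            return True
        if san.startswith("*."):
            suffix = "." + san[2:]
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
    return False


if __name__ == "__main__":
    # Constructed stand-in for DNS: the zone already carries the token.
    zone = {"_acme-challenge.example.com.": ["constructed-token-value"]}
    print(challenge_visible("example.com", "constructed-token-value",
                            lambda n: zone.get(n, [])))
    print(covered_by(["example.com", "*.example.com"], "a.b.example.com"))
```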
Comments
Let's Encrypt have announced a delay - See https://community.letsencrypt.org/t/acmev2-and-wildcard-launch-delay/53654
Does the current Let's Encrypt Plesk extension version already include the ability to automatically provide wildcard certificates as soon as Let's Encrypt start to offer them? Or will there be a new version that I'll need to download sometime in the future?
Thanks
@Chris,
It may be required to update Let's Encrypt extension to get the support for this feature in future.
Hi,
Thank you for your answers so far.
I see from the article linked below, that Let's Encrypt wildcard support is now live!
https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579
Are there any plans and timetable for wildcard support to be added to the Plesk Let's Encrypt extension?
Thank you,
Chris
@Chris,
Yes, we have plans to add support for wildcard certificates. However, as of now, the Plesk Let's Encrypt extension has a few limitations that do not allow it to support wildcard certificates. Currently, we cannot provide any ETA.
what is the Plesk priority in roadmap on this ?
@Arnaud, currently, it is planned to release the update within one month. However, the release date may be changed.
Great news ! Thanks for having taken this into account in short term roadmap !
- Arnaud
Is there an update on this?
@Mark, as previously stated, it is planned within one month. There is no exact date. Just keep an eye on Plesk extension updates.
@Alexandr,
for which Plesk versions will the wildcard support be available. ONYX 17.017, 17.5.3 or higher?
I'm currently running 17.0.17 and would need to know whether I need to have to upgrade to higher version, so I can prepare upfront.
Thanks in advance
@Hisham, the update will be for the Let's Encrypt extension, which should be compatible with all Onyx versions, but I cannot guarantee this.
Therefore, I suggest upgrading your server to 17.8.
Is there an update on this?
Hello @Jeffrey! This feature implementation is currently in progress.
After it is implemented, the article will be updated.
Hi,
I know that this feature implementation is currently in progress but could you give me an indication of when this will be usable? Like a couple of days, weeks, months or even years?
Thank you very much!
Julius
@Julius Huitema,
Hello! Unfortunately, we don't have such information :( The implementation of the feature requires careful testing. It is hard to say for sure how much time it will take.
I suggest you "Follow" this article to be notified as soon as new information is available.
Hello,
does this now work as described above? Creating a wildcard certificate? I have switched to v2 as described above, but I still do not get the option to create a wildcard certificate?
So how does one currently auto-renew wildcard LE certs? Something we can put in cron?
Hello @Nico Dorn!
I confirm that the above instructions are valid.
In case the option for issuing wildcard certificates is still not available, I recommend checking the following:
1. Make sure that Let's Encrypt extension is up to date: https://support.plesk.com/hc/en-us/articles/115000159173
2. Check this article: https://support.plesk.com/hc/en-us/articles/360006833233
Hello @Tomaz!
Currently, auto-renewal of wildcard certificates is not implemented in any way - not in Plesk or through the command line, so cron here will not work - it is possible to do only through Plesk manually.
Please vote for implementation of this feature in our UserVoice:
https://plesk.uservoice.com/forums/184549-feature-suggestions/suggestions/35024611-implement-renewal-of-let-s-encrypt-wildcard-certif
I have made the adjustments to be able to get wildcard lets encrypt certificates. I am now amazed to read in the plesk documentation https://docs.plesk.com/en-US/onyx/administrator-guide/website-management/websites-and-domains/advanced-website-security/securing-connections-with-ssltls-certificates/getting-free-wildcard-ssltls-certificates-from-let’s-encrypt.79603/ that subdomains are not supported with this setup.
Isn't one of the main reasons for installing a wildcard certificate that all subdomains are secured by default? What's the added value of wildcard over non-wildcard Let's Encrypt Plesk integration?
In my case I need a customer to have valid mail.domain.com and smtp.domain.com certificates. So far I have a manual workaround which is leading time and time again to unwanted problems.
Any help is much appreciated.
Two days waiting for approval of this post and still no update. ????
Hello @Gunnar,
Thank you for the feedback. Indeed, currently, the required certificate needs to be chosen manually (the steps are provided in the documentation and in this article).
The limitations are expected to be resolved in future updates.
Hi @Ivan, @Nikita,
I have registered a domain name and I'm trying to issue a wildcard certificate for a website hosted on a private IP using the Plesk Let's Encrypt plugin. Plesk also does not manage the DNS for the domain, I'm using 3rd party name servers. So in my case the http-01 and tls-01 challenges won't work for me. This is why I'm trying to issue the certificate using the dns-01 challenge.
I have enabled the ACMEv2 protocol in panel.ini and I do see now the option to issue wildcard certificate, but after I click Install, the plugin doesn't show me the page with the required TXT record and instructions (like in the 2nd screenshot of this help article). The plugin directly does a dns lookup and therefore the dns-01 challenge fails.
Please advise if I'm missing something or there is an issue/bug in the Let's Encrypt plugin.
I have followed the instructions in the two help articles below:
1. Getting Free Wildcard SSL/TLS Certificates from Let's Encrypt: https://docs.plesk.com/en-US/onyx/administrator-guide/website-management/websites-and-domains/advanced-website-security/securing-connections-with-ssltls-certificates/getting-free-wildcard-ssltls-certificates-from-let%E2%80%99s-encrypt.79603/
2. Is it possible to use Let's Encrypt for wildcard certificates?: https://support.plesk.com/hc/en-us/articles/115000490174
The error that I'm getting from Plesk is:
Please make sure that your domain is correct and the DNS A record(s) for that domain
contain(s) the right IP address.
Details:
Type: urn:ietf:params:acme:error:unknownHost
Status: 400
Detail: No valid IP addresses found for XXXXXXX.training
I would appreciate your immediate attention to this matter.
Hello, @Kalin T.
The error message you are providing (Detail: No valid IP addresses found for ... ) is actually returned not by the plugin, but by Let's Encrypt itself.
Usually it means that Let's Encrypt was not able to get an IP address of XXXXXXX.training.
Issuing wildcard certificates works in the following manner:
1. example.com -- http-01
2. *.example.com -- dns-01
So http-01 challenge should be passed. However, as far as I understand, XXXXXXX.training has some local IP globally like 10.51.*... and Let's Encrypt just could not get there.
Actually this is not entirely true:
> After clicking the Install button, Let's Encrypt will either add a DNS TXT record on its own (if Plesk server is authoritative DNS for the domain) or will provide with the instructions on how to add this record (if DNS is managed by an external server)
I don't have the DNS component installed (because I don't need it, and when I don't need something I simply uninstall it), and the Let's Encrypt extension fails with this error:
Remove DNS record failure: DNS service is not enabled
The extension should work even if the DNS service is not installed, giving the instructions to add the TXT record as stated in this document.
Please let me know if there is a workaround, or I need to wait for a fix, if any will be provided. Thx!
Hello @Nexbit,
Indeed, such an issue is confirmed as a bug of the Let's Encrypt extension with ID EXTLETSENC-558.
It's really annoying that for 3 months there has been no fix for such an important feature.
Hi @Jacques Hien,
The issue is still not fixed, but as far as I know, it is not in the backlog and the work is ongoing. Please subscribe to the following article to be notified when it is fixed: https://support.plesk.com/hc/en-us/articles/360011442113
Thank you! This article was very helpful.
I have installed a wildcard certificate successfully as per the instructions, but the certificate is not appearing in the drop-down under the Hosting Settings of subdomains.
Hello,
Thank you for the feedback.
Actually, in the drop-down menu the same certificate name (without the wildcard) is used.
So, in case you updated the certificate, just select the 'Lets Encrypt example.com' certificate for the subdomain as on the screenshot.
You can check whether the certificate is the secure one in Google Chrome after installation.