- Plesk for Linux
- Plesk for Windows
External DNS is used for the domain example.com.
A wildcard certificate cannot be renewed, and the Plesk administrator receives the following message:
Cannot renew LE: Skip wildcard certificate renewal for the domain 'example.com'. TXT record could not be created automatically. Try to renew domain certificate manually.
The TXT record has not been added or updated for the domain example.com on the external DNS side. When external DNS is used, the TXT record must be added manually each time the Let's Encrypt certificate is re-issued.
- Add the TXT record on the external DNS side
- Log in to Plesk
- Re-issue the certificate in Domains > example.com > SSL/TLS Certificates.
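A pre-check for the first step above, as an added example that is not part of the original article or of Plesk: it asks every authoritative name server for the `_acme-challenge` TXT record (the record name used by ACME DNS-01 validation) and confirms the value shown by Plesk is being served before you re-issue. The function names are hypothetical, `dig` is assumed to be installed, and the value in the usage comment is a placeholder.

```bash
#!/usr/bin/env bash
# Added example (not Plesk code): verify the ACME DNS-01 TXT record on
# every authoritative name server before re-issuing the certificate.

# Reads `dig +short TXT` output on stdin (one quoted record per line) and
# succeeds if any record equals the expected value. Extra records, such as
# a stale value left over from an earlier renewal, do not cause a failure.
txt_has_value() {
    local expected line found
    expected=$1
    found=1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#\"}          # strip the quotes dig puts around TXT data
        line=${line%\"}
        if [ "$line" = "$expected" ]; then
            found=0
        fi
    done
    return "$found"
}

# Queries each authoritative NS directly so resolver caches cannot hide a
# missing or outdated record. Returns 0 only if every server has the value.
check_acme_txt() {
    local domain expected servers ns rc
    domain=$1
    expected=$2
    rc=0
    servers=$(dig +short NS "$domain")
    if [ -z "$servers" ]; then
        echo "no NS records found for $domain" >&2
        return 2
    fi
    for ns in $servers; do
        if dig +short TXT "_acme-challenge.$domain" "@$ns" | txt_has_value "$expected"; then
            echo "OK      $ns"
        else
            echo "MISSING $ns"
            rc=1
        fi
    done
    return "$rc"
}

# Usage (placeholder value; copy the real one from the Plesk re-issue screen):
#   check_acme_txt example.com 'VALUE_SHOWN_BY_PLESK'
```

Re-issue in Plesk only once every name server reports `OK`; a `MISSING` line means that server is still serving no record or only an old value.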
I have the same situation and have had it for some years now. I always do what you suggested, I manually edit the TXT record on my external DNS zone (in the OVH company's panel) and then I manually re-issue the certificate. Although this works fine, it's a pity it can't work as it works automatically with a single certificate.
I think this happens because the DNS is handled by my domain provider (OVH). How can I delegate this into my Plesk server so the DNS entries that are in Plesk are the ones that rule?
Carlos Martínez Gadea If you want to manage DNS from Plesk you can refer here https://support.plesk.com/hc/en-us/articles/360021907393--How-to-use-DNS-with-a-Plesk-server. You will need to point your NSs in OVH to Plesk. Please check the first section of the article.
This really is a pain in the butt. Why does it have to change the TXT record every time it renews? I renewed a whole bunch of certs today and then still got the notice about 6 hours later that it can't renew even though they were already renewed.
Can this maybe be made to work when using AWS Route 53 directly through Plesk using the official plugin? After all, all DNS changes are still made in Plesk first, it should be easy to allow the SSL It! plugin to update the DNS for the certificate it wants to renew. It's kind of silly to constantly have humans log in to the server to renew expired certificates, it's just a copy-paste exercise within Plesk itself. Would write a script myself, but the API/CLI does not allow fetching the required value for the new TXT record from Let's Encrypt, it's only displayed in the interface.
Perhaps this also holds for other DNS services when Plesk is used to update the DNS?
Alternatively, why not create an overview in Plesk with all certificates in Plesk which should be manually updated, and when? Perhaps even with the new TXT record values attached, so one can quickly go manually update all the DNS records, possibly even just copy-pasting them in a simple CLI script.
Now we're dependent on filtering the barrage of emails to find out which certificates should be renewed each week, it's so much work that should really be automated. Since most emails are for certificates that are already removed and can thus never be updated, it's quite a bit of work and not exactly an ideal workflow. How hard could it be to just display all certificates and their expiration date, and whether they can automatically be renewed or need a manual DNS change in Plesk? This latter solution would also be very handy for those using an external DNS server that does not sync from Plesk.