challenge on http-01 makes it impossible to issue certificates (e.g. for email) when the site is hosted on a different ip address than plesk. this is a big problem for us.

I have another service running under the main SAN, so I cant really renew my certificate without having to switch the DNS record. That is sadly not how DNS-01 should work..

HTTP-01 challenge creates a firewall security issue preventing certificate renewal.
DNS-01 challenge option must be made available.

This is an exceptionally unfortunate design decision on Plesk's behalf. This means that a domain needs to be moved to the Plesk server BEFORE issuing an SSL cert, which means that either the corresponding website will be down completely until the SSL cert has been issued, or it will be served on HTTP only. Either way, a terrible design decision.

See https://letsencrypt.org/docs/challenge-types/ --> DNS-01 challenge

This would make validation easier for certain users and with official plugins can support external DNS providers for automatic record creation, as well as making full use of LetsEncrypt's verification options

1 man hour job to implement + 3 man hours job to test and verify:
add an optional checkbox (like the ones for securing "www" and "webmail"), to "Force DNS-01 verification", maybe under an "Advanced features" section.

Another (easier) option would be to just verify all with the DNS-01 challenge and not use HTTP-01 at all as there are different occasians where HTTP challenges are problematic.

The Plesk extension uses by default http-01 challenge, which doesn't work when the website is hosted on a private IP address.

The must be an option to choose the dns-01 challenge as proffered one. This functionality is currently missing :|

Described in https://tools.ietf.org/html/draft-ietf-acme-acme-06#section-8.4

The problems with mail/webmail/lists subdomains could be obsolete, because a _acme_challenge.lists.domain.tld txt record could be challenged.
So no problems with webroots etc.