Issue Let's Encrypt Wildcard (and others) certificate without main domain in SAN (use DNS-01 challenge only)
Currently the Let's Encrypt Wildcard requires that main domain would be hosted on the Plesk server, and pass the HTTP-01 challenge as well as DNS-01 for Let's Encrypt.
However for issue the Wildcard Let's encrypt require only DNS-01 challenge.
The HTTP-01 limits the causing the issue since not always the main domain is hosted on the same server as the subdomains.
-
Damjan Skerjanc commented
If we are hosting only mail/webmail on our plesk and want to secure mail services, but the main site is hosted elsewhere ( shopify, ... ), it is quite annoying that this does not work with only DNS-01 challenge, because we have to do it all manually
-
Dimitris Kotsonis commented
challenge on http-01 makes it impossible to issue certificates (e.g. for email) when the site is hosted on a different ip address than plesk. this is a big problem for us.
-
Moritz Witte commented
I have another service running under the main SAN, so I cant really renew my certificate without having to switch the DNS record. That is sadly not how DNS-01 should work..
-
goetschiusarchives commented
HTTP-01 challenge creates a firewall security issue preventing certificate renewal.
DNS-01 challenge option must be made available. -
Anonymous commented
This is an exceptionally unfortunate design decision on Plesk's behalf. This means that a domain needs to be moved to the Plesk server BEFORE issuing an SSL cert, which means that either the corresponding website will be down completely until the SSL cert has been issued, or it will be served on HTTP only. Either way, a terrible design decision.
-
Vincent Lauton commented
See https://letsencrypt.org/docs/challenge-types/ --> DNS-01 challenge
This would make validation easier for certain users and with official plugins can support external DNS providers for automatic record creation, as well as making full use of LetsEncrypt's verification options
-
b.pedini commented
1 man hour job to implement + 3 man hours job to test and verify:
add an optional checkbox (like the ones for securing "www" and "webmail"), to "Force DNS-01 verification", maybe under an "Advanced features" section. -
Jan commented
Another (easier) option would be to just verify all with the DNS-01 challenge and not use HTTP-01 at all as there are different occasians where HTTP challenges are problematic.
-
Kevin commented
The Plesk extension uses by default http-01 challenge, which doesn't work when the website is hosted on a private IP address.
The must be an option to choose the dns-01 challenge as proffered one. This functionality is currently missing :|
-
Dominic commented
Described in https://tools.ietf.org/html/draft-ietf-acme-acme-06#section-8.4
The problems with mail/webmail/lists subdomains could be obsolete, because a _acme_challenge.lists.domain.tld txt record could be challenged.
So no problems with webroots etc.