Issue cert on Plesk with a different IP


#1

Hello,

I am trying to issue a wildcard over Plesk (DNS disabled).

I followed the following procedure: https://support.plesk.com/hc/en-us/articles/115000490174-Is-it-possible-to-use-Let-s-Encrypt-for-wildcard-certificates-

As DNS is disabled, I would expect this to come up:

However, I get this:

Why does it need to be on the same IP address? Web-based issuers like https://zerossl.com/free-ssl/#crt can also do it from another IP. Why can’t Plesk?


#2

Hi,

Do you mind double-checking whether you really requested a wildcard certificate?

If the answer is yes, you might need to contact Plesk support for this issue…


#3

Hi @jansch,

In this case it appears that you probably requested both the wildcard and the base domain and Plesk preferred the HTTP-01 challenge over the DNS-01 challenge for the base domain authorization. In turn, Plesk apparently didn’t have a manual option for the base domain.

Basically, you’re experiencing a usability tradeoff between the case where users want Plesk to fully automate the certificate issuance and renewal process, and the case where this can’t be done and where you need to set a DNS record manually. In your situation, it would be preferable if Plesk simply asked you to set the DNS record manually, but Plesk’s logic effectively detected a case where almost all users would want it to be done automatically, then attempted to go ahead with that case, and then failed.

It’s not totally clear to me what the ideal user interface solution to this would be from Plesk’s point of view, but I think you’ll need to contact Plesk and discuss it. Basically, it seems that you want either of the following:

(1) If a certificate request includes both an authorization that can only be obtained with DNS-01 and another authorization that can be obtained with DNS-01 or HTTP-01, Plesk should nonetheless attempt to use DNS-01 for both authorizations, not only the DNS-01 authorization.

or

(2) There should be a user interface feature to tell Plesk “no, in fact I want to obtain this certificate through performing a manual authentication step even if it appears that it might be possible to automate it”,

or

(3) There should be a user interface feature to tell Plesk “I want to explicitly select the preference for challenge types to be used to obtain this certificate, rather than using Plesk’s defaults”.

Currently Plesk probably doesn’t offer any of these cases and is instead optimizing for the typical user’s expectations in a way that doesn’t work well when you combine wildcards and non-wildcards within the same cert.


#4

In Certbot jargon which is not exactly applicable to Plesk, we might say that Plesk is autoselecting authenticators dynamically on the basis of the individual authorization; it always prefers HTTP-01 challenges and always selects its equivalent of the webroot authenticator for them, whereas for DNS-01 challenges it always selects its equivalent of the manual authenticator for them. This works well for non-wildcard certs (all authorizations end up using webroot, which most users prefer) and decently for wildcard certs (users are correctly prompted to perform the manual authentication step), but not for cases that mix wildcard and base domain in the same cert (if the webroot authenticator can’t correctly solve the challenge), or where users specifically wanted to use the manual authenticator.

This analogy will only help people who are especially familiar with Certbot, but many people in our community (and maybe some of the Plesk developers) are pretty familiar with Certbot, so I thought I’d post it even though it will be helpful only to a few people.

If it’s any consolation, Certbot also has a huge, complicated set of usability tradeoffs around the problem of selecting authenticators!
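The per-authorization challenge selection described in posts #3 and #4, as an added example that is not code from the thread or from Plesk: each name in a request gets its own authorization, wildcard names only offer dns-01, and a "prefer http-01" default therefore splits a mixed request in exactly the way the thread describes. The `unify`, `force_manual` and `preferred` knobs model options (1), (2) and (3) from post #3; `http_reachable` stands in for whether the CA can reach the web server for the name (assumed inputs, constructed here).

```python
from __future__ import annotations

HTTP01 = "http-01"
DNS01 = "dns-01"


def offered_challenges(identifier: str) -> list[str]:
    """Challenge types the CA offers for one authorization.
    Wildcard identifiers can only be validated with dns-01 (RFC 8555)."""
    if identifier.startswith("*."):
        return [DNS01]
    return [HTTP01, DNS01]


def select_challenges(identifiers: list[str], *, preferred=(HTTP01, DNS01),
                      force_manual: bool = False, unify: bool = False) -> dict[str, str]:
    """Pick one challenge per authorization.
    preferred    - ordered preference list (post #3, option 3)
    force_manual - always take the manual dns-01 route (option 2)
    unify        - if any name needs dns-01, use dns-01 for all (option 1)"""
    prefs = (DNS01,) if force_manual else tuple(preferred)
    chosen: dict[str, str] = {}
    for ident in identifiers:
        offered = offered_challenges(ident)
        for challenge in prefs:
            if challenge in offered:
                chosen[ident] = challenge
                break
        else:
            raise ValueError(f"no acceptable challenge type for {ident}")
    if unify and DNS01 in chosen.values():
        chosen = {ident: DNS01 for ident in chosen}
    return chosen


def simulate(identifiers: list[str], http_reachable: bool, **policy) -> dict:
    """Model the outcome: which names need a manual TXT record and which
    http-01 validations fail because the CA cannot reach this host."""
    chosen = select_challenges(identifiers, **policy)
    return {
        "challenges": chosen,
        "manual_dns_records": [i for i, c in chosen.items() if c == DNS01],
        "failed": [i for i, c in chosen.items() if c == HTTP01 and not http_reachable],
    }


if __name__ == "__main__":
    names = ["example.com", "*.example.com"]  # constructed sample request
    print("Plesk-style default:", simulate(names, http_reachable=False))
    print("Option (1), unify:  ", simulate(names, http_reachable=False, unify=True))
```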


#5

@schoen Thank you for this very sophisticated answer!

I have worked with certbot before and there is one remaining question: If Plesk seems to use the HTTP challenge AND the DNS challenge, does it issue 2 certificates instead of putting the SN in one cert? (one for domain.tld with http-01 and one for *.domain.tld with dns-01)

As far as I know certbot, you can only choose one challenge per request, right?


#6

I suspect that it’s still getting just one certificate (if it succeeds).

It’s a little subtle: you can only choose one authenticator plugin per request, but the authenticator plugin can potentially be capable of handling more than one challenge type, and may use more than one challenge type in practice over the course of the request. The two examples that I can think of are:

  • a mixed wildcard and non-wildcard certificate request with --manual --preferred-challenges http (where the user would be prompted to satisfy the DNS-01 challenge for the wildcard name and the HTTP-01 challenge for the non-wildcard)

  • using --nginx or --apache to request a certificate where some names were already issued under the same account and other names are new (the authenticator will do TLS-SNI-01 challenges for the old names and HTTP-01 challenges for the new names)


#7

Update: Plesk has created a uservoice entry and created a KB entry.

Although I don’t think they got it totally right, as the uservoice is about “removing” the main domain instead of changing the challenge… whatever :) Vote for it if you found your way here because of this problem.