Hi @jansch,
In this case it appears that you probably requested both the wildcard and the base domain and Plesk preferred the HTTP-01 challenge over the DNS-01 challenge for the base domain authorization. In turn, Plesk apparently didn’t have a manual option for the base domain.
Basically, you’re experiencing a usability tradeoff between the case where users want Plesk to fully automate the certificate issuance and renewal process, and the case where this can’t be done and where you need to set a DNS record manually. In your situation, it would be preferable if Plesk simply asked you to set the DNS record manually, but Plesk’s logic effectively detected a case where almost all users would want it to be done automatically, then attempted to go ahead with that case, and then failed.
It’s not totally clear to me what the ideal user interface solution to this would be from Plesk’s point of view, but I think you’ll need to contact Plesk and discuss it. Basically, it seems that you want either of the following:
(1) If a certificate request includes both an authorization that can only be obtained with DNS-01 and another authorization that can be obtained with DNS-01 or HTTP-01, Plesk should nonetheless attempt to use DNS-01 for both authorizations, not only the DNS-01 authorization.
or
(2) There should be a user interface feature to tell Plesk “no, in fact I want to obtain this certificate through performing a manual authentication step even if it appears that it might be possible to automate it”,
or
(3) There should be a user interface feature to tell Plesk “I want to explicitly select the preference for challenge types to be used to obtain this certificate, rather than using Plesk’s defaults”.
Currently Plesk probably doesn’t offer any of these cases and is instead optimizing for the typical user’s expectations in a way that doesn’t work well when you combine wildcards and non-wildcards within the same cert.