Getting Free Wildcard SSL/TLS Certificates from Let's Encrypt

You can request wildcard SSL/TLS certificates using the Let’s Encrypt extension version 2.6.0 and later. A single wildcard certificate can be used to secure a main domain together with any number of subdomains, which is useful if you have many subdomains.

Let’s Encrypt uses the ACMEv2 protocol to issue wildcard SSL/TLS certificates, while the Let’s Encrypt extension, by default, uses ACMEv1, which is more stable. To request wildcard SSL/TLS certificates via the Let’s Encrypt extension, first you need to configure it to support ACMEv2.

To configure the Let’s Encrypt extension to support ACMEv2:

  1. Open the panel.ini file for editing.
  2. Add the following lines to the file:
[ext-letsencrypt]
acme-directory-url = "https://acme-v02.api.letsencrypt.org/directory"
acme-protocol-version = "acme-v02"

Now the Let’s Encrypt extension supports the ACMEv2 protocol. You and your customers can now request wildcard SSL/TLS certificates.

To issue a wildcard SSL/TLS certificate:

  1. Go to Websites & Domains, find the domain you want to secure, and click Let’s Encrypt.
  2. Select the “Issue wildcard certificate” checkbox and select the domain aliases you also want to secure (if any).
  3. Click Install (or Renew if the domain is already secured with a Let’s Encrypt certificate).
  4. The Let’s Encrypt extension will add a DNS record necessary for issuing a wildcard SSL/TLS certificate:

    final

    Note: If Plesk does not manage the DNS for the domain, the Let’s Encrypt extension cannot add the DNS record automatically. In this case, you will see the following message: “Please add a DNS record with the following parameters”. Add a DNS record with the specified parameters manually. If you are unsure how to do it, ask your DNS hosting provider for assistance.

  5. Whether the Let’s Encrypt extension adds the DNS record automatically or you do it manually, it can take some time before it propagates. We recommend that you check that the DNS record was added before going to the next step. Here is how you can do it:
    • Run the following command:

      dig -t txt _acme-challenge.<your_domain_name> +short

      If the output matches the record shown by the Let’s Encrypt extension, you can go to the next step.

    • Use a DNS check service, for example, MxToolbox.

      Enter the domain name shown in the Let’s Encrypt extension message (_acme-challenge.example.com in the example above), and then click TXT Lookup. If the TXT record is found and it matches the one shown by the Let’s Encrypt extension, you can go to the next step.

final2 - Copy

Note: If the dig -t txt command or the DNS check service do not show the TXT record, you need to make sure that the domain's NS records exist and point to the Plesk server. To do so in MxToolbox, select and click DNS Check. If no NS records are found or if they do not point to the Plesk server, you need to correct your DNS settings. If Plesk does not manage the DNS for the domain and you are unsure how to do it, ask your DNS hosting provider for assistance.

  1. Click Continue.

Your wildcard SSL/TLS certificate is now issued and installed. The certificate automatically secures the following objects:

  • The main domain.
  • Aliases you have chosen to secure.
  • "www" subdomains for the main domain and each selected alias you have chosen to secure.
  • Webmail.

The following objects are not secured by default:

  • Subdomains
  • Wildcard subdomains

You can secure them manually:

  1. Go to Websites & Domains and find the subdomain you want to secure
  2. Click Hosting Settings.
  3. Select the "SSL/TLS support" checkbox.
  4. From the "Certificate" menu, select the wildcard SSL/TLS certificate.
  5. Click OK.