In 2016 the revolutionary new Certificate Authority Lets Encrypt flipped the internet SSL paradigm completely upside down by making it easy to obtain and install free domain-verified SSL/TLS certificates, completely free of charge in order to encourage total encryption across the internet. In June of 2017 Let’s Encrypt announced that they had issued their 100 millionth certificate.
In March of 2018 Let’s Encrypt pushed forward with another huge advancement: free wildcard certificate support. Wildcard certificates had long been expensive to obtain, often costing as much as a dozen individual certificates. Now finally, the flexibility of having a single SSL for multiple subdomains was available - for free!
As of July of 2018, this feature is also available directly within Plesk with the Let’s Encrypt extension version 2.6.0, making it even easier to implement.
In this article, we’re going to show you exactly how the process works. As always, if you get stuck and need help, or would prefer one of our technicians to do this on your behalf, reach out to our Support team and we’ll be happy to help!
Reminder: Wildcard SSLs secure one domain and any subdomains you wish to create based on that domain. So for example, a single wildcard certificate could secure example.com, www.example.com, support.example.com, and blog.support.com, but not anotherexample.com, example-blog.com, or any other separate domains. There is a type of SSL/TLS certificate that does this, called a multi-domain certificate, but that’s a topic for another article.
Configuring Plesk for Wildcard SSL/TLS Support
Plesk Compatibility
Wildcard SSL/TLS certificates can be issued using the Let’s Encrypt extension version 2.6.0 or later when installed to Plesk 12.5 or Onyx. This extension is supported on systems running Linux or WIndows 2012 or later.
Update: As of the January 17, 2019 update of the Let’s Encrypt Plugin to version 2.7.2, the extension now includes additional support for ECDSA certificates; a newer alternative to the standard RSA algorithm. As such, we are including values to enable installation of this new certificate type in the instructions below.
Installing the Let’s Encrypt Module
If you haven’t done so yet, you can install the Let’s Encrypt extension from the Plesk Extensions Catalog by searching for Let’s Encrypt. If you need the extension files for a manual installation, you can download them from the Plesk extensions page, or directly at https://www.plesk.com/extensions/letsencrypt/.
Configuring ACMEv2 Support
With the Let’s Encrypt extension installed, you will next need to manually configure the Plesk panel.ini file. This file controls certain aspects of the behavior of both Plesk and some Plesk extensions that cannot be managed via the user interface. Therefore, you will need to edit this file manually using an editor.
The panel.ini file should be located in one of the following locations, depending on which operating system you are using:
- (Plesk for Linux) /usr/local/psa/admin/conf/panel.ini
- (Plesk for Windows) %plesk_dir%\admin\conf\panel.ini
Once located, open the panel.ini file for editing and add the following lines to the file:
[ext-letsencrypt]
acme-directory-url = "https://acme-v02.api.letsencrypt.org/directory"
acme-protocol-version = "acme-v02"
key-algorithm = ECDSA
ecdsa-curve-name = prime256v1
Note: The key-algorithm and ecdsa-curve-name values above are not strictly required to enable the installation of wildcard certificates, but are related to the implementation of the ECDSA algorithm mentioned in the Plesk Compatibility section above. Therefore, addition of these lines is strictly optional at this time.
Be sure to save your changes, and you’re done; no restart required (for a change!)
Congratulations - you and your clients are ready to issue wildcard SSL/TLS certificates on your own server!
How to Issue a Wildcard SSL/TLS Certificate
Issuing the Certificate to the Primary Domain
- Log into your Plesk installation.
- Choose the Domain you want to secure form the Domains list, available under the Hosting Services menu, and click on the domain name to access it’s hosting options.
- From the Websites & Domains tab, click on the Let’s Encrypt option.
- Check the Issue wildcard certificate checkbox and select any other domain aliases you also want to secure.
- Click Install (or Renew if the domain has already been secured with a Let’s Encrypt certificate previously).
- You will be presented with a screen like the one below informing you that the Let’s Encrypt certificate installation process will also add a TXT DNS record necessary for issuing a wildcard SSL/TLS certificate.
Note: If Plesk does not manage the DNS for the domain (ie: your domain’s DNS is hosted on another server or at another provider), the Let’s Encrypt extension cannot add the DNS record automatically. In this case, you will see the following message:
“Please add a DNS record with the following parameters”.
You will need to add this DNS record at your DNS server or service provider manually. If you are unsure how to do it, ask your DNS hosting provider for assistance, or reach out to our Support team and we will assist you. - The TXT record you just added will take some time to propagate, no matter if you added it manually or Let’s Encrypt added it automatically. We recommend that you verify that the DNS record was added successfully and has propagated before going to the next step.
There are several ways to check propagation of a DNS record:
- Run the following command in the bash Linux shell, substituting your own domain name in the example command below
dig -t txt _acme-challenge.<your_domain_name> +short @4.2.2.1
Note: We use the Level 3 Communications DNS server 4.2.2.1 in the example above, but you can substitute it for one of your choosing, such as Google’s 8.8.8.8 or CloudFlare’s 1.1.1.1 servers - Or run the following command in Windows PowerShell or Command Prompt, substituting your own domain name in the example command below
nslookup.exe -q=txt _acme-challenge.<your_domain_name> 4.2.2.1
Note: We use the Level 3 Communications DNS server 4.2.2.1 in the example above, but you can substitute it for one of your choosing, such as Google’s 8.8.8.8 or CloudFlare’s 1.1.1.1 servers - Use a DNS lookup service, for example, MxToolBox or What’s My DNS
Again, you will enter _acme-challenge.<your_domain_name> when prompted for the TXT record to query
If the TXT record is found and it matches the one shown by the Let’s Encrypt extension, you may click Continue to complete the SSL installation.
Note: If the none of the options above show the TXT record, you may just need to wait a little longer for propagation to occur. Propagation of a new record usually takes a moment, depending on your DNS service provider’s publishing timeframe, but updating or correcting an existing record may take up to 24-72 hours.
As always, if you want a second pair of eyes to help troubleshoot, or to confirm you’ve done everything correctly, our Support team is always available and willing to do so.
Your wildcard SSL/TLS certificate is now issued and installed for the domain name selected, and the aliases chosen during installation. This should include the following:
- The main domain.
- Aliases you have chosen to secure.
- "www" subdomains for the main domain and each selected alias you have chosen to secure.
- Webmail.
If you wish to secure additional subdomains or wildcard subdomains, proceed to the next section of this article for further instructions.
Applying the Certificate to Subdomains and Wildcard Subdomains
You’re almost done! There are only a few steps left if you want to secure subdomains in addition to the primary domain and aliases selected above. Assuming that you’re still logged into Plesk, complete the following steps for each subdomain you wish to secure:
- On your primary domains Websites & Domains tab, locate the subdomain you wish to secure
- Click Hosting Settings.
- Select the SSL/TLS support checkbox.
- From the Certificate menu, select the wildcard SSL/TLS certificate you just installed.
- Click OK to apply the SSL to your subdomain.