Prerequisites
- Access to the Plesk control panel as an administrator.
- Ensure Plesk has the necessary permissions to write DNS records.
- Wildcard SSL certificate generation capability (e.g., Let's Encrypt).
Issue
When generating a wildcard SSL certificate, the _acme-challenge TXT record is not created, and the following error is logged in /var/log/plesk/panel.log after enabling debug mode.
Cause
This issue is caused by missing or incorrect NS records for the domain. Without proper NS records, DNS validation cannot occur, leading to the failure to create the required _acme-challenge record.
Resolution
To resolve the issue, you must correct the NS records for the domain:
Steps to Correct NS Records for Wildcard SSL
- Log into your Plesk control panel.
- Navigate to Domains > example.com > Hosting & DNS > DNS Settings.
- Verify that the NS records are correctly configured. They must point to a valid DNS server hostname.
- Update the NS records if necessary.
- Click Update to apply the changes.
- Regenerate the wildcard SSL certificate. Plesk should now be able to create the _acme-challenge record.
Steps to Add NS Records Server-Wide for All Domains
- Go to Tools & Settings > DNS Template in Plesk.
- Add or correct the NS records in the template for all domains.
- Apply the changes to all hosted domains.
Gotchas to Avoid
- Make sure your NS records point to valid and registered DNS server hostnames.
- If Plesk cannot create the _acme-challenge record, double-check that the NS records have been updated correctly.
Linux Command to Check Wildcard SSL DNS Challenges
dig TXT _acme-challenge.example.com
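The dig check above can be extended to validate the NS records themselves before reissuing the certificate. The script below is an added example, not Plesk's own tooling; the function names check_ns_lines and check_domain are hypothetical, and the nameserver names and addresses are constructed.

```shell
#!/bin/sh
# Added example, not Plesk code. Nameserver names and addresses are constructed.

# Read `dig +short NS <domain>` output on stdin and print a verdict per entry.
# Succeeds only if at least one NS exists and every NS is a hostname.
check_ns_lines() {
    ns_count=0; ns_bad=0
    while IFS= read -r ns_line; do
        [ -z "$ns_line" ] && continue
        ns_count=$((ns_count + 1))
        if printf '%s\n' "$ns_line" | grep -Eq '^[0-9]+(\.[0-9]+){3}\.?$|:'; then
            echo "BAD  $ns_line (IP address; an NS target must be a hostname)"
            ns_bad=$((ns_bad + 1))
        elif ! printf '%s\n' "$ns_line" |
                grep -Eq '^([A-Za-z0-9_-]+\.)+[A-Za-z][A-Za-z0-9-]+\.?$'; then
            echo "BAD  $ns_line (not a fully qualified hostname)"
            ns_bad=$((ns_bad + 1))
        else
            echo "OK   $ns_line"
        fi
    done
    if [ "$ns_count" -eq 0 ]; then echo "BAD  no NS records returned"; return 1; fi
    [ "$ns_bad" -eq 0 ]
}

# Live check (needs dig and network): validate the NS set, then ask each
# nameserver directly for the challenge record to bypass resolver caches.
check_domain() {
    cd_ns=$(dig +short NS "$1")
    printf '%s\n' "$cd_ns" | check_ns_lines || return 1
    for cd_host in $cd_ns; do
        [ -n "$(dig +short A "$cd_host")" ] || echo "WARN $cd_host has no A record"
        echo "TXT at $cd_host: $(dig +short TXT "_acme-challenge.$1" "@$cd_host")"
    done
}

# Offline demo on constructed `dig +short NS example.com` output.
check_ns_lines <<'EOF' || echo "=> fix the NS records before reissuing"
ns1.example.com.
192.0.2.53
EOF
# Live usage: check_domain example.com
```

An empty TXT result from an authoritative nameserver while issuance is in progress means the challenge record was never written there, which is the symptom described under Issue.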