Question Let's Encrypt SSL certificate issuance on new subdomain take too long

[tertek]

Server operating system version

AlmaLinux 8.10 (Cerulean Leopard)

Plesk version and microupdate number

v18.0.72

On Plesk Obsidian v18.0.72 provided by Hosting Provider.

We are creating new subdomains for one domain via Rest API. Plesk automatically adds Let's Encrypt certificates after subdomain creation. This process takes in average 25 minutes, sometimes 45 minutes and in rare past cases 2 hours.

I have tried issuing the certificate after the subdomain has been created. I used REST API, on the CLI endpoint according to the Plesk Docs (How to issue a SSL/TLS certificate for a domain via REST API?) but it did not show any more effect other beeing logged in the action protocol and issuing the cert after 45 minutes.

I know that the Let's Encrypt Issue Speed can be related to many factors including DNS. However, I was wondering if there is a best practise in this case to issue new Let's Encrypt Certificates on newly created subdomain with minimal waiting time?

As I have seen there is also the possibility to issue certificates with the sslit extension. Would it be a better approach?

 

[Kaspar]

We are creating new subdomains for one domain via Rest API. Plesk automatically adds Let's Encrypt certificates after subdomain creation. This process takes in average 25 minutes, sometimes 45 minutes and in rare past cases 2 hours.

That sounds about right. The check for certification renewals and new domains to be secured with a certificate is runs once every hour. If, for what ever reason, the attempt to issue Let's Encrypt certificate failed, it's tried again the next hour (and so on). There is no option to speed this up. However, you can issue certificates manually or automate the issuing process via command line or REST API.

I have tried issuing the certificate after the subdomain has been created. I used REST API, on the CLI endpoint according to the Plesk Docs (How to issue a SSL/TLS certificate for a domain via REST API?) but it did not show any more effect other beeing logged in the action protocol and issuing the cert after 45 minutes.

Issuing a certificate via command line (or the REST API) should be pretty much instant (give or take a minute for the whole processes to finish). What's the exact API call you're using and what's the API response you're getting when issuing a certificate?

As I have seen there is also the possibility to issue certificates with the sslit extension. Would it be a better approach?

SSL it! is the extension that allows you (as a user) issues Let's Encrypt certificates. If you're making REST API calls, you're actually already utilizing the extension to issue an LE certificate for you. Without the SSL it! is the extension you can not issue LE certificates via Plesk.

 

[tertek]

I was issuing a certificate for the parent domain as well. After I removed the parent domain argument from the API call, the certificate was issued in a minute or less.

What's the exact API call you're using and what's the API response you're getting when issuing a certificate?

API call to issue certificate:

curl --request POST \
  --url https://plesk.host.tld/api/v2/cli/extension/call \
  --header 'accept: application/json' \
  --header 'authorization: REDACTED' \
  --header 'content-type: application/json' \
  --data '{
  "params": [
    "--exec",
    "letsencrypt",
    "cli.php",
    "-d",
    "foo.example.comm",
    "-m",
    "admin@example.com"
  ]
}'

API response:

{
  "code": 0,
  "stdout": "",
  "stderr": ""
}

@Kaspar
Thank you!!!