If you use the Plesk control panel to host your website but manage your DNS records with Cloudflare or a third-party DNS server such as your domain registrar's (GoDaddy, Namecheap, etc.), you have to add the DNS challenge TXT record manually every time you issue or renew an SSL certificate from Let's Encrypt. Renewing the certificate by hand every 90 days becomes a problem and puts your site at risk of running without a valid certificate if you forget to renew.
To fix the “Could not issue/renew Let`s Encrypt certificates” error in the Plesk control panel, follow the instructions given below.
To enable auto-renewal, you can add the following NS records to your third-party DNS manager.
This is for sub-domains only, as you can see in the screenshot above. Use a wildcard certificate so you don't have to add records manually for every sub-domain. The record below is used when your main domain and sub-domains are hosted on different servers.
Make sure the DNS manager in the Plesk control panel is running or set to master mode.
If the DNS mode is not set to master, Plesk will not automatically manage the acme-challenge TXT record used for the DNS challenge, and Let's Encrypt issuance and auto-renewal will fail.
After making the required changes, verify them by issuing a new SSL certificate without manually adding the acme-challenge TXT record. Also make sure to remove any acme-challenge TXT records you created manually earlier.
Verify DNS – https://lookmydns.com/
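A pre-flight check for the steps above, as an added example that is not part of the original post: it reads a zone export from the third-party DNS provider and flags a missing delegation or leftover manual TXT records. It assumes the NS records delegate the DNS-01 challenge name `_acme-challenge.<domain>` to the Plesk server; `example.com`, `ns1.plesk-host.example` and the zone text are constructed placeholders.

```python
# Added example: all names and the zone text are constructed placeholders.
CHALLENGE_LABEL = "_acme-challenge"  # DNS-01 challenge label (RFC 8555)

def parse_zone(text):
    """Parse 'name TTL IN TYPE value' lines into (name, type, value) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) != 5 or parts[2].upper() != "IN":
            continue  # not a plain resource-record line
        name, _ttl, _cls, rtype, value = parts
        records.append((name.lower().rstrip("."), rtype.upper(),
                        value.strip().strip('"')))
    return records

def check_delegation(zone_text, cert_name, plesk_ns):
    """Return a list of problems; an empty list means the zone looks ready."""
    base = cert_name.lower().rstrip(".")
    if base.startswith("*."):
        base = base[2:]  # a wildcard is validated at its parent name
    challenge = f"{CHALLENGE_LABEL}.{base}"
    want = plesk_ns.lower().rstrip(".")
    at_name = [(t, v) for n, t, v in parse_zone(zone_text) if n == challenge]
    ns = {v.lower().rstrip(".") for t, v in at_name if t == "NS"}
    problems = []
    if not ns:
        problems.append(f"no NS delegation for {challenge}")
    elif want not in ns:
        problems.append(f"{challenge} delegated to {sorted(ns)}, not {want}")
    for t, v in at_name:
        if t == "TXT":  # manual challenge record that should have been removed
            problems.append(f"leftover TXT at {challenge}: {v}")
    return problems

# Constructed zone export from the third-party DNS provider.
SAMPLE_ZONE = """\
; constructed sample
example.com.                      3600 IN A   203.0.113.10
_acme-challenge.example.com.      300  IN TXT "constructed-old-token"
_acme-challenge.shop.example.com. 3600 IN NS  ns1.plesk-host.example.
"""

if __name__ == "__main__":
    for name in ("*.example.com", "shop.example.com"):
        print(name, check_delegation(SAMPLE_ZONE, name, "ns1.plesk-host.example"))
```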