Let's Encrypt has become the default SSL solution for Plesk-managed servers — it's free, trusted by all major browsers, and renews automatically. But sysadmins running Plesk servers know the frustration: a certificate that worked fine suddenly stops auto-renewing, or a new domain's SSL install fails with a cryptic DNS validation error.
This guide covers the complete Let's Encrypt setup in Plesk, including the pre-setup DNS checks that prevent most failures, per-domain and wildcard certificate configuration, and the specific troubleshooting steps for the most common auto-renewal failures.
Prerequisites Before Installing Let's Encrypt in Plesk
Skipping these checks is the most common reason Let's Encrypt installations fail. Before clicking anything in Plesk:
Let's Encrypt validates domain ownership by making an HTTP request to your domain. If DNS hasn't propagated yet or points to a different server, the validation will fail. Check DNS resolution before attempting installation:
dig A yourdomain.com @8.8.8.8
dig A www.yourdomain.com @8.8.8.8
Both should return your server's IP address. If they don't, wait for DNS propagation before proceeding.
Navigate to Domains > yourdomain.com > Hosting & DNS > Hosting Settings. Enable the "SSL/TLS support" checkbox. Without this, the Let's Encrypt extension cannot install a certificate for the domain.
In Plesk, go to Extensions > My Extensions. Verify "Let's Encrypt" appears in the installed list. If not, install it from Extensions > Extensions Catalog > search "Let's Encrypt."
Let's Encrypt's HTTP challenge requires port 80 to be open and responding. Verify with:
curl -I http://yourdomain.com
A redirect or 200 response confirms port 80 is accessible. A connection refused error means a firewall rule is blocking Let's Encrypt's validation crawler.
In Plesk, go to Domains > yourdomain.com > Hosting & DNS > SSL/TLS Certificates. Click the Get it free button in the Let's Encrypt section at the top of the page.
On the Let's Encrypt certificate request form:
- Email address — Enter a valid email for expiry notifications
- Include www subdomain — Check this to cover both yourdomain.com and www.yourdomain.com
- Include mail subdomain — Check this if your mail server uses this domain (covers mail.yourdomain.com)
- Include webmail subdomain — Check to cover Plesk's webmail interface
Plesk contacts Let's Encrypt's servers, completes the domain validation challenge, and installs the certificate automatically. The process takes 15-60 seconds under normal conditions.
After installation, the SSL/TLS Certificates page should show:
Let's Encrypt [yourdomain.com]
Valid until: [date ~90 days from now]
Auto-renew: Enabled
Test the SSL installation with an external checker: navigate to https://yourdomain.com and verify the padlock appears, or use SSL Labs' server test.
Go to Tools & Settings > Mail Server Settings. Under "SSL/TLS certificate for mail," select the Let's Encrypt certificate you just installed for your main domain (if the mail server uses the same hostname as your domain) or install a separate certificate for your mail hostname.
If your server's hostname (e.g., server1.yourdomain.com) is different from your website domain, install a separate Let's Encrypt certificate for it. Go to Tools & Settings > SSL/TLS Certificates (Plesk) and click "Get it free."
Go to Tools & Settings > Scheduled Tasks (System). Look for a task named "Let's Encrypt" or "letsencrypt." It should run daily (or at minimum weekly). If no such task exists, the extension may not be installed correctly — reinstall it from Extensions > My Extensions > Let's Encrypt > Reinstall.
From the Plesk server via SSH, run:
plesk ext letsencrypt --renew-all
This forces Plesk to attempt renewal for all Let's Encrypt certificates. Review the output for errors. Certificates with more than 30 days remaining won't renew (this is intentional behavior — Let's Encrypt only renews within 30 days of expiry).
If a renewal fails, search the panel log for the specific error:
tail -n 100 /var/log/plesk/panel.log | grep -i "letsencrypt\|ssl\|certbot"
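The checks above confirm that a renewal task exists, not that renewals are succeeding. The script below is an added example (not part of Plesk or the Let's Encrypt extension) that reads the certificate each domain actually serves and flags any that sit inside the 30-day renewal window without having been renewed. The function names, state labels and the 5-day grace period are assumptions, and it relies on GNU date and the openssl CLI.

```shell
#!/bin/sh
# Added example: detect renewals that are not happening.
RENEW_WINDOW_DAYS=30   # from the guide: renewal starts within 30 days of expiry
GRACE_DAYS=5           # assumption: tolerate a few daily task runs before alerting

# renewal_state "<notAfter date from openssl>" <now as epoch seconds>
renewal_state() {
    if [ -z "$1" ]; then echo NO_CERTIFICATE; return 0; fi
    end=$(date -u -d "$1" +%s 2>/dev/null) || { echo UNPARSEABLE; return 0; }
    left=$(( end - $2 ))
    if   [ "$left" -le 0 ]; then echo EXPIRED
    elif [ "$left" -lt $(( (RENEW_WINDOW_DAYS - GRACE_DAYS) * 86400 )) ]; then echo RENEWAL_FAILING
    elif [ "$left" -lt $(( RENEW_WINDOW_DAYS * 86400 )) ]; then echo IN_RENEWAL_WINDOW
    else echo OK
    fi
}

# Print the notAfter date of the certificate served for a name on port 443.
served_not_after() {
    openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null |
        openssl x509 -noout -enddate 2>/dev/null | sed 's/^notAfter=//'
}

# Read domain names on stdin, print "<domain> <state>" for each.
check_domains() {
    now=$(date -u +%s)
    while IFS= read -r domain; do
        if [ -z "$domain" ]; then continue; fi
        printf '%s %s\n' "$domain" "$(renewal_state "$(served_not_after "$domain")" "$now")"
    done
}

# usage: sh check-renewal.sh yourdomain.com www.yourdomain.com
if [ "$#" -gt 0 ]; then printf '%s\n' "$@" | check_domains; fi
```

Run it on a schedule from a host other than the Plesk server and alert on any state other than OK or IN_RENEWAL_WINDOW.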
Troubleshooting: When Let's Encrypt Fails in Plesk
These are the most common failure scenarios and their fixes:
Error: "DNS challenge used another IP address"
This happens when your domain's DNS resolves to a different IP than your Plesk server. Common cause: the domain uses Cloudflare's proxy (orange cloud). Temporarily switch Cloudflare DNS to "DNS only" (grey cloud) during Let's Encrypt installation, then re-enable the proxy after the certificate installs.
Error: "Too many certificates issued"
Let's Encrypt limits certificate issuance to 50 certificates per domain per week and 5 failures per account per hour. If you've hit the limit (common when testing or after repeated failed installs), wait until the rate limit window resets (shown in the error message).
Auto-renewal fails for renamed certificates
Plesk's Let's Encrypt auto-renewal looks for a certificate named exactly "Lets Encrypt yourdomain.com". If you renamed the certificate in Plesk's certificate manager, auto-renewal will fail silently. Solution: delete the renamed certificate and reinstall via the Let's Encrypt extension — it will create a correctly named certificate.
Error: "Connection refused" or "Timeout" during validation
Let's Encrypt's validation crawler couldn't reach your domain on port 80. Check:
- Plesk's firewall (Tools & Settings > Firewall) — port 80 must be open
- CSF/iptables rules aren't blocking the Let's Encrypt IP ranges
- No .htaccess rules redirect /.well-known/acme-challenge/ requests to HTTPS before validation completes
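The DNS and port-80 checks from the prerequisites, together with the checks in this list, can be run as one pre-flight before requesting a certificate. The script below is an added example (not Plesk tooling or code from the original guide); its function names, verdict strings and the preflight-probe file name are assumptions, and you pass in the server's public IP yourself.

```shell
#!/bin/sh
# Added example, not Plesk tooling. Function names, the probe file name and the
# verdict strings are assumptions made for this sketch.

# stdin: output of `dig +short A <name> @8.8.8.8`; $1: this server's public IP
classify_dns() {
    seen=0; match=0
    while IFS= read -r line; do
        case "$line" in ''|*[!0-9.]*) continue ;; esac   # skip blanks, CNAME targets, errors
        seen=$((seen + 1))
        if [ "$line" = "$1" ]; then match=$((match + 1)); fi
    done
    if   [ "$seen" -eq 0 ];        then echo NO_A_RECORD
    elif [ "$match" -eq "$seen" ]; then echo OK
    elif [ "$match" -gt 0 ];       then echo MIXED      # some answers point elsewhere
    else                                echo WRONG_IP   # e.g. a proxy in front of the server
    fi
}

# stdin: response headers from `curl -sI http://<name>/.well-known/acme-challenge/<file>`
classify_challenge_response() {
    status=""; location=""
    while IFS= read -r line; do
        lower=$(printf '%s' "$line" | tr -d '\r' | tr 'A-Z' 'a-z')
        case "$lower" in
            http/*)     status=${lower#* }; status=${status%% *} ;;
            location:*) location=${lower#location:}; location=${location# } ;;
        esac
    done
    case "$status" in
        '') echo UNREACHABLE ;;             # refused or timed out on port 80
        3*) case "$location" in
                https://*) echo REDIRECTS_TO_HTTPS ;;   # the .htaccess case above
                *)         echo REDIRECTS_ELSEWHERE ;;
            esac ;;
        *)  echo "HTTP_$status" ;;          # answered on port 80 without a redirect
    esac
}

# usage: sh preflight.sh yourdomain.com <server-ip>
preflight() {
    for name in "$1" "www.$1"; do
        dns=$(dig +short A "$name" @8.8.8.8 | classify_dns "$2")
        http=$(curl -sI --max-time 10 "http://$name/.well-known/acme-challenge/preflight-probe" |
               classify_challenge_response)
        printf '%s dns=%s http=%s\n' "$name" "$dns" "$http"
    done
}
if [ "$#" -ge 2 ]; then preflight "$1" "$2"; fi
```

A result of dns=OK with http=HTTP_404 is the healthy case for a probe file that does not exist: the name resolves to this server and the challenge path is answered on port 80 without a redirect.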
SSL certificate works in browser but Plesk still shows "No SSL"
Try reassigning the certificate: go to SSL/TLS Certificates for the domain, select the Let's Encrypt certificate, and click "Install." Then clear Plesk's cache: plesk repair web -domain-name yourdomain.com.
Installing Let's Encrypt for Multiple Domains
If you manage many domains in Plesk, installing Let's Encrypt one-by-one is tedious. Use Plesk's CLI to batch-install certificates:
# Install for a single domain via CLI (admin@yourdomain.com is a placeholder; use your own address)
plesk ext letsencrypt --issue -domain yourdomain.com -mail admin@yourdomain.com -include-www 1
# Renew all certificates
plesk ext letsencrypt --renew-all
# List all Let's Encrypt certificates and their expiry dates
plesk ext letsencrypt --list
For bulk installation across all hosted domains, you can script this using Plesk's domain list:
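plesk db -Ne "select name from domains where webspace_id=0 and hosting_type='vrt_hst'" | while IFS= read -r domain; do
  # </dev/null keeps the plesk command from consuming the remaining domain names on stdin
  plesk ext letsencrypt --issue -domain "$domain" -include-www 1 </dev/null
done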
Wildcard SSL Certificates With Let's Encrypt in Plesk
Standard Let's Encrypt in Plesk uses HTTP validation, which cannot issue wildcard certificates. For wildcard SSL (*.yourdomain.com), you need DNS validation. Plesk supports this through the SSL It! extension, which integrates with DNS providers like Cloudflare to automate DNS challenge responses for wildcard certificates.
To install SSL It!: go to Extensions > Extensions Catalog, search "SSL It!", install it, then configure your DNS provider API credentials. SSL It! handles both wildcard issuance and auto-renewal automatically.
FAQs
How often does Plesk auto-renew Let's Encrypt certificates?
Plesk's Let's Encrypt extension checks certificate expiry daily and renews any certificate that is within 30 days of expiring. Let's Encrypt certificates are valid for 90 days, so auto-renewal triggers around the 60-day mark. You can force immediate renewal via CLI: plesk ext letsencrypt --renew-all.
Can I use Let's Encrypt for all domains on my Plesk server?
Yes, but each domain's DNS must point to your server's IP, and port 80 must be accessible for HTTP validation. Let's Encrypt has rate limits: 50 certificates per registered domain per week. For servers hosting hundreds of domains, spread installations over time or use a staging environment to test.
Why does Let's Encrypt fail for domains behind Cloudflare?
When Cloudflare's proxy is enabled (orange cloud icon), the HTTP validation challenge from Let's Encrypt hits Cloudflare's edge servers, not your Plesk server — causing validation to fail. Switch the DNS record to "DNS only" (grey cloud) temporarily during certificate issuance. After the certificate installs, you can re-enable Cloudflare's proxy.
How do I install Let's Encrypt on a subdomain in Plesk?
Subdomains work the same as main domains: navigate to the subdomain in Plesk's domain list, go to Hosting & DNS > SSL/TLS Certificates, ensure SSL/TLS support is enabled in Hosting Settings, then click "Get it free" in the Let's Encrypt section. The subdomain must resolve to your server's IP before attempting installation.
My Let's Encrypt certificate expired even though auto-renewal was enabled. Why?
The most common causes: (1) The certificate was renamed after installation, breaking Plesk's auto-renewal lookup. (2) Port 80 was blocked by a firewall rule change. (3) The domain's DNS changed to a different IP. Check the Plesk panel log for the specific error: tail -n 200 /var/log/plesk/panel.log | grep letsencrypt.
