Generate SAN SSL with Plesk provider - error: 1013

Hello!

I have a hybrid config: one half uses Docker labels, the other half file-based dynamic configuration. Here is the first, relevant section of the docker-compose.yml file (EMAILADDRESS = a valid e-mail address, DOT = dot):

services:
  traefik:
    container_name: core-traefik
    image: "traefik:latest"
    network_mode: bridge
    command:
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --providers.docker
      - --providers.file.directory=/data/config
      - --providers.file.watch=true
      - --log.level=ERROR
      - --certificatesresolvers.leresolver-http.acme.httpchallenge=true
      - --certificatesresolvers.leresolver-http.acme.httpchallenge.entrypoint=web
      - --certificatesresolvers.leresolver-http.acme.email=EMAILADDRESS
      - --certificatesresolvers.leresolver-http.acme.storage=/data/acme-http.json
      - --certificatesresolvers.leresolver-dns-plesk.acme.dnschallenge=true
      - --certificatesresolvers.leresolver-dns-plesk.acme.dnschallenge.provider=plesk
      - --certificatesresolvers.leresolver-dns-plesk.acme.email=EMAILADDRESS
      - --certificatesresolvers.leresolver-dns-plesk.acme.storage=/data/acme-dns-plesk.json
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    environment:
      PLESK_SERVER_BASE_URL: ""
      PLESK_USERNAME: ""
      PLESK_PASSWORD: ""
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - traefik_data:/data

I have another container with these service labels, and SSL works perfectly:

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.webproxy-https.service=webproxy"
      - "traefik.http.routers.webproxy-https.rule=Host(`client.subdomainDOTmydomainDOTcom`) || HostRegexp(`.+\\.client\\.subdomain\\.mydomain\\.com`)"
      - "traefik.http.routers.webproxy-https.entrypoints=websecure"
      - "traefik.http.routers.webproxy-https.tls=true"
      - "traefik.http.routers.webproxy-https.tls.certresolver=leresolver-dns-plesk"
      - "traefik.http.routers.webproxy-https.tls.domains[0].main=client.subdomainDOTmydomainDOTcom"
      - "traefik.http.routers.webproxy-https.tls.domains[0].sans=*.client.subdomainDOTmydomainDOTcom"
      - "traefik.http.services.webproxy.loadbalancer.server.port=8080"

But if I create a file based dynamic configuration like this:

http:
  routers:
    myservice-https:
      rule: Host(`portal.subdomainDOTmydomainDOTcom`)
      entryPoints: "websecure"
      # the "myservice-https" service is defined elsewhere in the same file
      service: "myservice-https"
      tls:
        certResolver: "leresolver-dns-plesk"
        domains:
          - main: "portal.subdomainDOTmydomainDOTcom"
            sans:
              - "proxy.portal.subdomainDOTmydomainDOTcom"
              - "*.proxy.portal.subdomainDOTmydomainDOTcom"

the SSL certificate cannot be generated. Error message:

2024-12-31T19:00:14Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [portal.subdomainDOTmydomainDOTcom proxy.portal.subdomainDOTmydomainDOTcom .proxy.portal.subdomainDOTmydomainDOTcom]: error: one or more domains had a problem:\n[portal.subdomainDOTmydomainDOTcom] [portal.subdomainDOTmydomainDOTcom] acme: error presenting token: plesk: failed to get site: error: 1013 - Site does not exist\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["portal.subdomainDOTmydomainDOTcom","proxy.portal.subdomainDOTmydomainDOTcom",".proxy.portal.subdomainDOTmydomainDOTcom"] providerName=leresolver-dns-plesk.acme routerName=myservice-https@file rule=Host(portal.subdomainDOTmydomainDOTcom)

Can anyone please help me find out what the problem is and how to resolve it?

Thanks!

After switching the log level to DEBUG, I found some related issues:

If I add LEGO_DISABLE_CNAME_SUPPORT: true as an environment variable, the SSL certificate is still not generated, but the error message changes:

2024-12-31T19:58:11Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [portal.subdomainDOTmydomainDOTcom proxy.portal.subdomainDOTmydomainDOTcom .proxy.portal.subdomainDOTmydomainDOTcom]: error: one or more domains had a problem:\n[portal.subdomainDOTmydomainDOTcom] [portal.subdomainDOTmydomainDOTcom] acme: error presenting token: plesk: failed to add record: error: 1007 - DNS record '_acme-challenge.portal.subdomainDOTmydomainDOTcom. IN TXT KTx3lYJqwRW73OiB8AWEmyqHme145pPsAJs6l3MFdLY' already exists.\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["portal.subdomainDOTmydomainDOTcom","proxy.portal.subdomainDOTmydomainDOTcom",".proxy.portal.subdomainDOTmydomainDOTcom"] providerName=leresolver-dns-plesk.acme routerName=myservice-https@file rule=Host(portal.subdomainDOTmydomainDOTcom)

Finally, I was able to solve the problem. I have a local DNS server which cached all the records. I changed the certificate resolver's DNS resolvers to open DNS servers:

      - --certificatesresolvers.leresolver-dns-plesk.acme.dnschallenge.resolvers[0]=1.1.1.1
      - --certificatesresolvers.leresolver-dns-plesk.acme.dnschallenge.resolvers[1]=1.0.0.1

And I kept the LEGO_DISABLE_CNAME_SUPPORT environment variable.

Maybe this information will help others in the future.
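For readers who want to see why a caching local resolver and CNAME following matter here, the following is an added example (not code from the forum post, from Traefik or from lego): it computes what an ACME client places in the `_acme-challenge` TXT record for a DNS-01 challenge (RFC 8555 section 8.4, RFC 7638 thumbprint) and models the propagation pre-check the client runs before asking the CA to validate. The domain names, the account key, the token and the resolver answers are all constructed for the demo; the `precheck`, `effective_record_fqdn` and `propagation_ok` helpers are this example's own names, and the CNAME-following behaviour is modelled as an assumption of how `LEGO_DISABLE_CNAME_SUPPORT` changes the record location, not copied from lego.

```python
"""DNS-01 record computation plus a propagation pre-check, modelled on what an
ACME client does before it tells the CA "go validate". A caching resolver that
keeps answering with yesterday's TXT value (or no value) fails this check
forever, which is why pointing the resolver at authoritative/public servers
fixes the ACME run. All names, keys and resolver data are constructed."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Unpadded base64url, as used throughout ACME (RFC 8555 / RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required *public* members only,
    serialised as compact JSON with keys in lexicographic order. A private
    member such as "d" must never enter the hash."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: keyAuthorization = token "." thumbprint(accountKey);
    the TXT record holds base64url(SHA-256(keyAuthorization))."""
    key_auth = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_auth.encode("ascii")).digest())


def challenge_fqdn(identifier: str) -> str:
    """Record name for an identifier. A wildcard validates at its base name
    (RFC 8555 section 7.1.3), so "*.proxy.portal.example.test" and
    "proxy.portal.example.test" share one _acme-challenge name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}."


def effective_record_fqdn(fqdn: str, cname_map: dict, follow_cname: bool = True) -> str:
    """Assumed model of CNAME handling: with follow_cname=True the client
    follows a CNAME on the _acme-challenge name and writes the TXT record at
    the target (delegated validation); follow_cname=False stands in for
    LEGO_DISABLE_CNAME_SUPPORT=true, i.e. always write at the original name."""
    seen = set()
    while follow_cname and fqdn in cname_map:
        if fqdn in seen:
            raise ValueError(f"CNAME loop at {fqdn}")
        seen.add(fqdn)
        fqdn = cname_map[fqdn]
    return fqdn


def propagation_ok(txt_answers: list, expected: str) -> bool:
    """Pre-check: the resolver the client asks must return the fresh value."""
    return expected in txt_answers


def precheck(identifier: str, token: str, account_jwk: dict,
             resolver_view: dict, cname_map: dict, follow_cname: bool = True) -> bool:
    """End to end: compute the record, locate where it must live, and ask the
    given resolver (modelled as {fqdn: [txt, ...]}) whether it is visible."""
    expected = dns01_txt_value(token, account_jwk)
    name = effective_record_fqdn(challenge_fqdn(identifier), cname_map, follow_cname)
    return propagation_ok(resolver_view.get(name, []), expected)


# Constructed demo data: not a real key, token or DNS zone.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "constructed-x-coordinate", "y": "constructed-y-coordinate",
               "d": "constructed-private-part-excluded-from-thumbprint"}
TOKEN = "constructed-challenge-token"
EXPECTED = dns01_txt_value(TOKEN, ACCOUNT_JWK)
NAME = challenge_fqdn("portal.example.test")

# A local caching resolver still serving the value from a previous run,
# versus the authoritative view that already carries the fresh record.
STALE_CACHE = {NAME: ["OLD-VALUE-FROM-PREVIOUS-RUN"]}
AUTHORITATIVE = {NAME: [EXPECTED]}

if __name__ == "__main__":
    print("record name :", NAME)
    print("record value:", EXPECTED)
    print("stale cache sees it?  ",
          precheck("portal.example.test", TOKEN, ACCOUNT_JWK, STALE_CACHE, {}))
    print("authoritative sees it?",
          precheck("portal.example.test", TOKEN, ACCOUNT_JWK, AUTHORITATIVE, {}))
```

The two resolver views are the whole story of the thread: the client keeps computing the same fresh value and keeps being told a stale one, so it never reaches the CA validation step, and a leftover TXT record from an earlier attempt is what the provider reports as "already exists". Pointing the challenge resolvers at servers that are not caching the zone makes the pre-check see the authoritative answer.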