
Question 2 different Lets encrypt certificates for the same (sub)domain

Dukemaster

Hi at all,
please, I don't want to see problems where there is nothing unusual and everything is alright.
But since today's update of the Let's Encrypt extension, more the update a few days ago, since it's possible to create a certificate for the whole server PLESK, IPs, mail and default domains. This is amazing.
For this I had to create an extended certificate hardly by my own (Multi domain.com) one month ago.
Now PLESK + Let's Encrypt offer this great service!!!

I wonder about the fact that for the subdomain, which is also my server's hostname and points to the server's default IPv4 and IPv6, 2 certificates are created. My hope and question is that they don't have side effects on successfully running services like IP (network) and mainly email.
For my hostname I created a subdomain. In the settings of the subdomain I created a Let's Encrypt certificate like for all other domains/subdomains too.
But now, with the new feature creating server-wide certificates in another repository, I realized that they have the same domain name (in this case subdomain name) server.arox.eu.
For the process itself it sounds logical, but questions appear about the correct functionality of e.g. securing emails.
In other words, which certificate shall I use for the subdomain settings server.arox.eu in the subscription area?
Better, like usual, the subdomain's special certificate, or perhaps, to have an all-round setup, take the server repository certificate?

From my stomach feeling I would take two different certificates, each for the depending service, means 1 for (subdomain webhosting) and 1 for securing Plesk server/hostname/mail/IP.
- Additional question is: How to find out for which service the Plesk certificates are used? (Tools & settings - Security - SSL/TLS Certificates)




Greets
 
The configuration as it is seems correct to me. You are using the server wide certificate to secure the Plesk panel and e-mail service, and you are using a certificate to secure the virtual host.

What I do not know is if Let's Encrypt will continuously allow multiple certificates to be issued for the same domain name at the same time. This is rather unusual and caused by a strategic mistake to name the server and panel the same like the production virtual host domain.
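One way to answer the question of which certificate each service actually presents is to ask the services themselves. The following is an added example, not part of the thread or of Plesk: it connects to each port with SNI set to the hostname and groups the services by certificate fingerprint. The port list is an assumption (8443 for the Plesk panel, the usual implicit-TLS mail ports) and should be adjusted to the services enabled on the server.

```python
import hashlib
import socket
import ssl
from collections import defaultdict

# Assumed implicit-TLS ports on a typical Plesk host; adjust as needed.
SERVICE_PORTS = {
    "website (HTTPS)": 443,
    "Plesk panel": 8443,
    "SMTPS": 465,
    "IMAPS": 993,
    "POP3S": 995,
}

def fetch_leaf_der(host, port, timeout=5.0):
    """Return the DER bytes of the certificate presented on host:port, or None."""
    ctx = ssl.create_default_context()
    # Inventory only: we want to see whatever is presented, even if it
    # would fail validation, so verification is switched off here.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            # server_hostname sends SNI, which decides the vhost certificate on 443.
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(binary_form=True)
    except OSError:  # refused, timed out, or TLS handshake failure
        return None

def group_by_certificate(presented):
    """Map SHA-256 fingerprint -> sorted list of services presenting it."""
    groups = defaultdict(list)
    for service, der in presented.items():
        key = hashlib.sha256(der).hexdigest() if der else "unreachable"
        groups[key].append(service)
    return {fp: sorted(names) for fp, names in groups.items()}

def report(host, ports=SERVICE_PORTS):
    """Fetch the certificate on every port and group services by fingerprint."""
    presented = {name: fetch_leaf_der(host, port) for name, port in ports.items()}
    return group_by_certificate(presented)

if __name__ == "__main__":
    for fp, services in report("server.arox.eu").items():
        print(fp[:16], ", ".join(services))
```

With the setup described in this thread, the website on 443 should fall into one group and the panel and mail ports into another.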
 
Yes this seems to be a problem with a wide range.
I'm at the point now, that my problems with HSTS could only be caused by two things. One could be the not used IPv6 or a kind of misconfiguration with it or with certificates.
The problem could be that point that I use a subdomain as hostname. The subdomain has its certificate and since a few days Let's Encrypt automatically creates a server-wide certificate with the same domain name. This must end in conflicts due to cross-dependencies.

Thanks for help.
 
Hi Dukemaster,

apart from what @Peter Debik already stated, are you aware, that Let's Encrypt will offer WILDCARD certificates next year? Due to the fact that you are trying to configure a "perfect server/domain configuration" for some time now, it might reduce costs and efforts, if you wait for these new certificates ( just MY opinion! ) :)
 
Absolutely right, @UFHH01 and @Peter Debik . I have 380% green A.
When I've time I like to read the interesting messages in the great XFrame Options...thread.
Nevertheless I have a real problem since two days which kills my nerves and is more important as everything else.
An old story about domains redirecting to "Default Plesk Page" only by the changing the webhosting IP. More somewhere else.
Thanks and lot of greets
 
.....The problem could be that point that I use a subdomain as hostname......
......The configuration as it is seems correct to me. You are using the server wide certificate to secure the Plesk panel and e-mail service, and you are using a certificate to secure the virtual host.....
......apart from what @Peter Debik already stated, are you aware, that Let's Encrypt will offer WILDCARD certificates next year? Due to the fact that you are trying to configure a "perfect server/domain configuration" for some time now, it might reduce costs and efforts, if you wait for these new certificates ( just MY opinion! ) :)
To add a little info @Dukemaster we have a setup similar to your own and we use some services from the same hosting supplier as you do. We also have a sub-domain as a hostname too but..... In our case, the chosen domain name, the host name specific sub-domain (and therefore the Plesk panel and e-mail service) plus all the other sub-domains on that domain are fully secured with only one SSL certificate. The big difference is that this is not a free issue Let's Encrypt SSL Certificate, but a purchased, Wildcard * SSL Certificate for one domain.

For all the other domains, the excellent free issue Let's Encrypt SSL Certificates are applied and all work correctly. There is one slight minus doing things this way, in that a Qualys SSL test will report a name mismatch within the full certificate path for any of the Let's Encrypt SSL Certificate secured domains. However, that doesn't prevent them obtaining a Qualys SSL test A+ score thanks to other settings being correct (including HSTS > XFrame Options...thread ;)) And... lots and lots of other site / server testing tools ignore the full certificate path anyway and focus primarily on an individual domain's setup / spec etc. It's possible to solve this very small glitch right now if we were concerned about it, by purchasing an even more expensive Wildcard * SSL Tyre Certificate much better known as a SAN SSL Certificate. That's a different subject / topic / option from this thread though and one that we don't currently see any mileage in (for us anyway). We didn't know about it before this thread, but @UFHH01 has advised above of a great (free) answer that's on its way from Let's Encrypt and his opinion seems very sound based on that good news! :)
 
both nameservers are running now with their own IPv4 in PLESK WEBHOSTING. Two weeks ago I had configured each one as A record and also with reverse mapping to point IP to them and vice versa in providers domain and IP panel.
The last thing was Plesk webhosting IP instead the standard IPv4 until last week. This was also the reason why I suspected that the server certificate is responsible for perhaps a misconfiguration of myself or Plesk. Because like I wrote Qualys gave red T and said my server certificate name is there instead of domain name in certificate.

@UFHH01 yes...you can't imagine that I'm someone who likes to wait one year or longer for special features by updates for forum, gallery, blog, calendar, database software over the period of exactly 11 years. Waiting is our passion...who learns to wait has the best chances for successful running systems.
Qualys SSL test A+ score thanks to other settings being correct
Before I also used two QuickSSL Premium certificates for years, but only the cheapest, never wildcards. Therefor would be no need. But I ever hated this way of money making by such services which cost the issuer cents or few dollars for their servers and sold for hundreds of dollars. Exactly these ways of generating money by nothing destroys the economy in the whole world. Everyone on Internet wants only one thing - it's our money, mostly by subscriptions, like states by taxes. Money for nothing and the chicks for free. I think I have HSTS but it's not displayed by Qualys anymore. This game started that ONLY for .EU domains HSTS was displayed without www. two months ago
@UFHH01 told me to better send this as a bug report to Qualys. It's a dirty kind of game with testings and the money making philosophy behind it, but for us paying people they sell this as big security. I laugh about these games, they are as old as the Internet too. And in my websites okay I want also make money, but only for surviving, not to be the rich. I want more give people something to learn how the world rules. Giving makes more happy instead of crazy money collecting.
THANKS GOD FOR LETS ENCRYPT together developed with and for AMAZING PLESK.

Greets
 
......But I ever hated this way of money making by such services which cost the issuer cents or few dollars for their servers and sold for hundreds of dollars......
Agreed but... you can purchase a suitable, heavily discounted Wildcard SSL certificate, direct from your existing hosting supplier. (look on your hosting account for details on GeoTrust QuickSSL Premium Wildcard Certificates). Unlike external sourced SAN Certificates, it's not expensive this way and it's nowhere near hundreds of dollars (or the equivalent in Euros for you we guess). Indeed, the last Annual, Business SSL (GeoTrust QuickSSL Premium Wildcard) that we purchased was the equivalent of approx $32 at today's exchange rates...
 