• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved assign certificate to host from terminal

bsssrl

New Pleskian
I'm using: plesk 12.0.18_build1200140610.21 os Ubuntu 14.04.

I'm trying to associate a certificate from terminal.

I'm able to generate certificate and add it to plesk for a specific domain executing this:

plesk bin certificate -c mycert -domain mydomain.com -key-file /path/to/mydomain.com/privkey.pem -cert-file /path/to/mydomain.com/cert.pem -cacert-file /path/to/mydomain.com/fullchain.pem

Now I should go to plesk on browser, reach host settings related to mydomain.com and under security select mycert. I hope I can do the same from terminal. How?

I find very useful this guide: certificate: SSL/TLS Certificates . But seems to miss the last step to assign mycert to mydomain.com virtual host.

Also tried to use --assign-cert, but it works at ip level and it's not what I want.
 
Last edited:
Hi bsssrl,

Also tried to use --assign-cert, but it works at ip level and it's not what I want.
Pls. note, that the following commands list your depending certificates:

Code:
plesk bin certificate --list -domain YOUR-DOMAIN.COM
plesk bin certificate --list -admin

... while the example commands assign the depending certificates to the selected domain and it's used IP:
Code:
plesk bin certificate --assign-cert "YOUR-CERT-NAME_AS_LISTED_WITH_YOUR_PREVIOUS-COMMANDS" -domain YOUR-DOMAIN.COM -ip XXX.XXX.XXX.XXX
Code:
plesk bin certificate --assign-cert "YOUR-CERT-NAME_AS_LISTED_WITH_YOUR_PREVIOUS-COMMANDS" -admin YOUR-DOMAIN.COM -ip XXX.XXX.XXX.XXX
( where XXX.XXX.XXX.XXX should be replaced with the IP, which the domain uses )


If you experience any issues here, when using these commands, pls. consider to provide the output of the used commands for further investigations, pls and note as well the following informations:


Sometimes, it is as well a good idea to change the log - level ( TEMPORARILY! ), to get more informations in Plesk - log - files:

 
The right command in my case is:
Code:
plesk bin subscription -u mydomain.com -certificate-name mycert -ssl true

To be more complete when I tried to use --assign-cert in this way:
Code:
plesk bin certificate --assign-cert mycert -domain mydomain.com -ip myip

I have this situation:
  1. https://your-domain.com from browser works as expected
  2. other domains with the same ip doesn't use the certificate
  3. in plesk the certificate results used x times, where x is the number of subscriptions with the same ip
  4. for each subscription under hosting settings no certificate is selected
  5. under IP Addresses the certificate is associated to ip
So in order to disassociate the certificate I've to go to IP Addresses and select self signed certificate.

I'm using plesk with italian localization so menu voices and plesk sections names may be different from literal translation.
 
Where can I find on which domain this default certificate is used?
Go to Plesk database:

# plesk db

Retrieve the default certificate ID:

MariaDB [psa]> select id from certificates where name='default certificate';
+----+
| id |
+----+
| 1 |
+----+
1 row in set (0.00 sec)

Find the domain to which the certificate was assigned:

MariaDB [psa]> select d.name from domains d inner join hosting h on h.dom_id = d.id where h.certificate_id = 1;
+----------------------+
| name |
+----------------------+
| example.com |
| example1.com |
+----------------------+
2 rows in set (0.00 sec)
 
If I use a cron job to renew a certificate, I'm guessing I have to:
1) remove the certificate from the domain it's assigned to
Bash:
plesk bin certificate --remove "my certificate" -domain my.domain
2) create a new certificate with the same name under the domain
Bash:
plesk bin certificate --create "my certificate" -domain my.domain -key-file /root/.acme.sh/my.domain/my.domain.key -cert-file /root/.acme.sh/my.domain/my.domain.cer -cacert-file /root/.acme.sh/my.domain/fullchain.cer -csr-file /root/.acme.sh/my.domain/my.domain.csr
3) assign the certificate to the domain
Code:
plesk bin certificate --assign-cert "my certificate" -domain my.domain -ip ###.###.###.###

Before removing it do I have to unassign it? Or is that done automatically when I remove it? Because if I try removing an assigned certificate from the Plesk interface it gives an error saying it's in use. If I have to unassign it first, how is that done from the command line? In fact after trying to automate this I'm finding two certificates of the same name under my.domain. However it does seem that the new certificate is correctly assigned to the domain...

I believe I'm looking to avoid the IP assignment also, looking at the output it seems that the certificate is trying to be assigned to other services such as proftpd which isn't strictly necessary, I have a self signed certificate for that already.

Also, how would I go about assigning the certificate to the mail and webmail from the command line? It looks like this should do the trick:

Bash:
plesk bin mailserver.exe --set-certificate "my certificate" -certificate-repository my.domain

But seeing that in the more recent updates Plesk allows each mail domain to have it's own mail certificate, will this only affect the mail for this domain?
 
Last edited:
Seeing that Letsencrypt wildcard certificates have been given support in Plesk for a while now, I have been however finding that Plesk is not able to automatically renew my certificates because I use gandi.net as my registrar and DNS record holder, and Plesk doesn't use gandi's API, Plesk is limited to very few registrars / external DNS services so far. So I've been manually setting the new acme challenge in my DNS records in order to complete the renewal. But I can't stand doing these kinds of manual tasks so I've been looking how to automate the process from the command line with a cron task.

Well after a number of attempts, I believe I have found the best and simplest way to update a certificate for a domain. There is no need to unassign or remove. Once the certificate has a given name such as "Letsencrypt wildcard mydomain", you can simply issue update using the same certificate name but based on the new certificates issued. You can also update the mail certificate in a similar manner. Here is my currently working script (I'm using ACME.SH, which has built-in support for Gandi Live DNS):

Code:
/usr/local/bin/acme.sh/acme.sh --issue --dns dns_gandi_livedns -d mydomain.com -d *.mydomain.com -d *.subdomain.mydomain.com

plesk bin certificate --update "LetsEncrypt wildcard_mydomain.com" -domain mydomain.com -key-file /root/.acme.sh/mydomain.com/mydomain.com.key -cert-file /root/.acme.sh/mydomain.com/mydomain.com.cer -cacert-file /root/.acme.sh/mydomain.com/fullchain.cer -csr-file /root/.acme.sh/mydomain.com/mydomain.com.csr

plesk bin certificate --update "LetsEncrypt wildcard_mydomain.com" -domain subdomain.mydomain.com -key-file /root/.acme.sh/mydomain.com/mydomain.com.key -cert-file /root/.acme.sh/mydomain.com/mydomain.com.cer -cacert-file /root/.acme.sh/mydomain.com/fullchain.cer -csr-file /root/.acme.sh/mydomain.com/mydomain.com.csr

plesk bin subscription_settings --update mydomain.com -mail_certificate 'Lets Encrypt wildcard_mydomain.com'

Doing this from the command line rather than from the Plesk interface also has the advantage that you can request more than one wildcard from Letsencrypt in the same certificate, in my specific case I'm wildcarding both the base domain and a specific subdomain, so I can reuse the same certificate on both the domain and the subdomain (seeing that in this case I have a few fourth level domains).

So I just save the above in /usr/local/bin/renewLetsEncryptMyDomain.sh , make it executable and add a crontask:

Code:
#automate command line renewal of the letsencrypt certificate for mydomain.com, subdomain and fourth level domains, and mail certificate for same domain
25      4       1       *       *       /usr/local/bin/renewLetsEncryptMyDomain.sh
 
Last edited:
Back
Top