
Resolved Certificate, small problem

Pleskie

Regular Pleskian
Hello,

Today I found out that one of my domains which I don't often use had stopped working. When I try opening the website I get a connection error.

The error log says:

"RSA certificate configured for mydomain.com:443 does NOT include an ID which matches the server name"

I assumed that somehow the default certificate went missing. Is that possible?

So I tried installing a Let's Encrypt certificate and the website worked. But the webmail won't let me login and still gives an error. I do see the login screen and am able to enter username and password. But after logging in I get an error screen saying "The website cannot display the page".

I tried the Let's Encrypt certificate for the webmail, but that doesn't work (because it's only for (www.)mydomain.com). How do I install a default certificate for the webmail? Is that possible?

Could anything else be wrong?
 
Hi UFHH01,

My question was not how to use webmail and Let's Encrypt.

My question is why my website became inaccessible.

I got this error message:

"RSA certificate configured for mydomain.com:443 does NOT include an ID which matches the server name"

What does this message mean? I see this message more often in my error logs. It's there for one or 2 days. Then it's gone for a while and a few days later it comes back ... and so on.

I restored a back-up from only a few hours before I noticed my website was no longer reachable. After restoring the backup, my site was back alive.
Any idea what could have happened?

In addition to this:

When I go to the Hosting Setting of the domain there is this option:

"To secure transactions with your site, use SSL/TLS protocol, which encrypts all data and transfers it over a secure connection. To employ SSL/TLS, install an SSL/TLS certificate on the site, and then select it below."

I have selected this option.

For the certificate there are 2 options:

- Not selected
- default certificate (other repository)

I have it set to "Not selected". Is that alright? Or should I pick "default certificate (other repository)"? I don't know what's the difference.
 
Hi Pleskie,

when you state:
>> My question was not how to use webmail and Let's Encrypt.
I come to the conclusion that you missed reading the mentioned links, which is o.k., but due to the fact that your additional question was:
>> How do I install a default certificate for the webmail? Is that possible?
I still suggest reading the suggestions to find your answer directly in previous posts here in this forum. :)


>> "RSA certificate configured for mydomain.com:443 does NOT include an ID which matches the server name"
This message is totally o.k. and expected, since Let's Encrypt certificates for your domain only cover www.YOUR-DOMAIN.COM and YOUR-DOMAIN.COM.

In order to secure your "webmail" subdomain, you have to go a different way, which is very well explained in the above mentioned links.


>> I have it set to "Not selected". Is that alright? Or should I pick "default certificate (other repository)"? I don't know what's the difference.
This depends on your desire. "Not selected" means that your domain "www.YOUR-DOMAIN.COM" and "YOUR-DOMAIN.COM" will not be secured with a chosen certificate. HTTPS is not possible this way, or only with error messages that you already know. You might as well experience further issues for your website, if you configured the domain with "HSTS" ( = HTTP Strict Transport Security ).
You did not provide the information whether the "default" certificate is the "Plesk self-signed certificate". I personally wouldn't recommend using this anymore, because it is very easy to install free Let's Encrypt certificates with Plesk and you are then able to offer HTTPS connections without issues/errors/problems.
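
Added example (not part of the original posts, and not mod_ssl's or Plesk's code): a simplified Python version of the name check behind this log message, assuming the web server compares the vhost's server name with the certificate's subjectAltName DNS entries and common name. The certificate name lists, including the `Plesk` common name used for the default certificate, are constructed.

```python
# Added example: simplified certificate-ID vs. server-name check.
# All certificate name lists below are constructed sample data.

def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")

def id_matches(cert_id, server_name):
    """True if one certificate ID (SAN dNSName or CN) covers server_name.

    A '*' is honoured only as the whole left-most label and stands for
    exactly one label, so '*.mydomain.com' covers 'webmail.mydomain.com'
    but neither 'mydomain.com' nor 'a.b.mydomain.com'.
    """
    pat, host = _labels(cert_id), _labels(server_name)
    if len(pat) != len(host) or not all(host):
        return False
    if pat[0] == "*" and len(pat) > 2:
        return pat[1:] == host[1:]
    return pat == host

def covering_ids(cert_ids, server_name):
    """Return the certificate IDs that match server_name (empty = warning)."""
    return [i for i in cert_ids if id_matches(i, server_name)]

# Constructed ID lists for three certificates a vhost might end up with.
CERTS = {
    "self-signed default": ["Plesk"],  # hypothetical CN, no SAN entries
    "Let's Encrypt": ["mydomain.com", "www.mydomain.com"],
    "wildcard": ["*.mydomain.com"],
}

def report(server_names):
    """Map (certificate, server name) -> True if the name is covered."""
    return {(cert, name): bool(covering_ids(ids, name))
            for cert, ids in CERTS.items() for name in server_names}

if __name__ == "__main__":
    names = ["mydomain.com", "webmail.mydomain.com"]
    for (cert, name), ok in report(names).items():
        verdict = "match" if ok else "does NOT include a matching ID"
        print(f"{cert:20} {name:22} {verdict}")
```

Run against the real names from `openssl x509 -noout -subject -ext subjectAltName -in cert.pem`, the same check shows which certificate a vhost on port 443 is actually serving.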
 
>> This message is totally o.k. and expected, since Let's Encrypt - certificates for your domain only covers www.YOUR-DOMAIN.COM and YOUR-DOMAIN.COM .

I understand ... but Let's Encrypt was not installed. Only yesterday for a small period of time, just for testing purposes. This error message has been appearing for many months, but only for 1 or 2 days ... then it's gone again.

>> This depends on your desire. "Not selected" means, that your domain "www.YOUR-DOMAIN.COM" and "YOUR-DOMAIN.COM" will not be secured with a chosen certificate.

But will they be secured by some sort of default certificate, or do I have to choose this "default certificate (other repository)" then? I don't know what is meant by "other repository".

>> You missed to provide the information, if the "default" certificate is the "Plesk self-signed certificate".

I did not create any self-signed certificate.
 
Hi Pleskie,

o.k. I see that we have some missing information here... I'm trying to inform you some more:

With each Plesk installation, Plesk installs a so-called "self-signed" certificate. It is not valid for any domain and no cert authority accepts it, because this is just a self-signed certificate, with no verification at all. This specific certificate is named "default", when you installed Plesk. If you don't change it, Plesk will even secure your Plesk Control Panel with this default certificate, but each browser will tell you that you can't trust this certificate, because it is a self-signed one.

You are certainly able to secure your domain with a self-signed certificate, but just as described above, no browser will accept that and will certainly notify you about it.
 
Thanks UFHH01

For this domain I didn't install any certificate. I did not select any certificate either. It's not a problem since the domain is not being used yet.
I DO use the email of this domain though, and I use SSL/TLS for security. This seems to work, so there seems to somehow be a certificate in use.
Is that correct? I assume that if there wasn't a certificate, sending and receiving mail while using SSL/TLS would fail. Do you agree?

I still wonder though why this message pops up now and then. It appears in the error log of the domain, but like I said ... not all the time.

"RSA certificate configured for mydomain.com:443 does NOT include an ID which matches the server name"

What causes this error?


You say that by default there is a certificate installed. It's not accepted by the browser, but for this domain that's not a problem since it's not active yet.
But can you confirm that my mail is being sent through a secure connection (SSL/TLS) out of the box? That's my main concern right now.
 
Hi Pleskie,

>> "RSA certificate configured for mydomain.com:443 does NOT include an ID which matches the server name"
This points again directly to what I stated before. :) "mydomain.com:443" = HTTPS => The certificate might still be the "default" one that Plesk installed for you. You either configured your IP ( Home > Tools & Settings > IP Addresses > XXX.XXX.XXX.XXX - where XXX.XXX.XXX.XXX is a placeholder for your individual IP ) with the default certificate, choosing the default site as "mydomain.com", or you chose to define the default certificate for your domain "mydomain.com" in your hosting settings at Home > Subscriptions > YOUR-DOMAIN.COM > Hosting Settings.
If you desire further information here, pls. consider taking some screenshots, so that people willing to help you have something to start with further investigations. :)

>> I DO use the email of this domain though, and I use SSL/TLS for security. This seems to work, so there seems to somehow be a certificate in use.
>> Is that correct? I assume that if there wasn't a certificate, sending and receiving mail while using SSL/TLS would fail. Do you agree?
This is something completely different and has got nothing to do with your webserver configuration. Pls. be informed that for your mail server, Plesk again will install a self-signed certificate ( if you don't change that ). SSL/TLS usage may as well work with such a self-signed certificate from Plesk.


>> You say that by default there is a certificate installed. It's not accepted by the browser, but for this domain that's not a problem since it's not active yet.
>> But can you confirm that my mail is being sent through a secure connection (SSL/TLS) out of the box? That's my main concern right now.
Yes - confirmed.


Why don't you investigate yourself, WHICH certificate is used, by opening the HTTPS - URL => https://mydomain.com with your browser?

And to check which certificate is used on your mail server for a specific domain, you may find it useful to visit for example: => http://www.checktls.com/index.html ... type in a valid eMail address and click on "Try it". ;)
 
Hello UFHH01,

I checked and the certificate is indeed a Plesk certificate, so that seems alright.

I'm still not sure though why I was getting the error message. I changed a few settings so hopefully things will be all right now.
I'll keep an eye on it and if it reappears, I'll check back here ;-) For now everything seems to be alright again. Thanks.

* One last question. When I check my maillog, I see a lot of attempts from obscure domains (e.g. gw.viagra-on.com) that try to enter/hack my mailserver with mail addresses like [email protected]
I assume these 'hack' attempts happen with any server in the world and are 'normal' ?
 
>> * One last question. When I check my maillog, I see a lot of attempts from obscure domains (e.g. gw.viagra-on.com) that try to enter/hack my mailserver with mail addresses like [email protected]
>> I assume these 'hack' attempts happen with any server in the world and are 'normal' ?
Correct. Pls. consider to use Fail2Ban for such Script-Kiddies. ;)
 
Hi Pleskie,

even though my answer is off-topic for your thread, I just answered an older thread with possibly equal situations. => #10


Pls. consider using ONE thread for each of your issues/errors/problems/questions, so that people using search engines don't get confused and irritated with a thread and its thread title, where the thread posts have nothing to do with the initial post and its title. :)
 
Holy **** ... you started about Fail2Ban :p:D

Well in all honesty ... I don't know how to add a custom jail that's not in the Plesk Panel.
When I have time maybe I'll have to dive into this. For now I'll just have to deal with messy logs I suppose :-s
As long as they don't/can't break in, it's not a threat. I assume Plesk has protected everything in a decent way.
 
Hi Pleskie,


>> This points again directly to what I stated before. :) "mydomain.com:443" = HTTPS => The certificate might still be the "default" one that Plesk installed for you. You either configured your IP ( Home > Tools & Settings > IP Addresses > XXX.XXX.XXX.XXX - where XXX.XXX.XXX.XXX is a placeholder for your individual IP ) with the default certificate, choosing the default site as "mydomain.com", or you chose to define the default certificate for your domain "mydomain.com" in your hosting settings at Home > Subscriptions > YOUR-DOMAIN.COM > Hosting Settings.
>> If you desire further information here, pls. consider taking some screenshots, so that people willing to help you have something to start with further investigations. :)

Hi @UFHH01,

does that mean, if I choose "default Certificate" in that dropdown within an IP, that the warnings will be gone? Before I change the warning level as in the KB article, my question would be if it can be solved via the GUI and if I don't need to assign a certificate to my IP.
Otherwise, why should I assign a certificate to the IP?
I have those warnings in my log files (full of them) and my certificate from my hostname is assigned to that IP.
 