Issue Check SSL certificates from command line

[PeterKi]

Server operating system version

Ubuntu Linux 22.04.1 LTS

Plesk version and microupdate number

plesk obsidian 18.0.50u2 WebAdmin Edition

I have 2 domains configured on my Ubuntu server and in the web interface both of them show up as secured by let's encrypt certificates.
As it is very cumbersome to check the expiration dates from the web GUI, I used to use a script which extracts the expiration dates from the certs on the file system.
This worked well on my previous server with Ubuntu 20, but after migrating to an Ubuntu 22 server, I am missing a certificate file.
ls /opt/psa/var/modules/letsencrypt/etc/live/* only lists a general _plesk_domain and 1 of my domains.
My 2nd domain is missing, although the web interface shows the certificate for it.

Are the certificates stored somewhere else now?

for Cert in $(ls /opt/psa/var/modules/letsencrypt/etc/live/*/cert.pem) do echo $Cert cat $Cert | openssl x509 -dates -noout 2>&1 | sed -e 's/^notBe/ &/' -e 's/^notA/ &/' done

 

[Peter Debik]

The directory is correct.

 

[PeterKi]

Hmm, strange.
Do you have an explanation why there is no subdir for my 2nd domain then?
From the web gui I see that the ssl cert for my 1st domain is valid to June 4th and my 2nd domain is valid to May 13th.
From the cert.pem files under the given path, I get:
notBefore=Mar 6 09:32:40 2023 GMT
notAfter=Jun 4 09:32:39 2023 GMT
which matches with my 1st domain.
And I get
notBefore=Feb 15 10:45:43 2023 GMT
notAfter=May 16 10:45:42 2023 GMT
for the /_plesk_domain/cert.pem.
Nothing matches though with the May 13th which I get from the web gui.

Is there a way to manually renew the SSL certificate so that I can test if the cert.pem file possibly gets created?

 

[AYamshanov]

Hi PeterKi!

As it is very cumbersome to check the expiration dates from the web GUI

Just a quick question. What way have you used to check the expiration in GUI?

• Opening "SSL/TLS Certificates" for each existing domain.
• Opening "Extensions / My Extensions / SSL It!".

• Other way.

---

I have tried your script on my server and got the next output,

/opt/psa/var/modules/letsencrypt/etc/live/_plesk_domain/cert.pem
 notBefore=Feb 17 17:48:12 2023 GMT
 notAfter=May 18 17:48:11 2023 GMT
/opt/psa/var/modules/letsencrypt/etc/live/api.example.org/cert.pem
 notBefore=Feb 14 10:38:08 2023 GMT
 notAfter=May 15 10:38:07 2023 GMT
/opt/psa/var/modules/letsencrypt/etc/live/demo.example.org/cert.pem
 notBefore=Feb 17 20:48:08 2023 GMT
 notAfter=May 18 20:48:07 2023 GMT
/opt/psa/var/modules/letsencrypt/etc/live/staging.example.org/cert.pem
 notBefore=Feb 14 11:40:33 2023 GMT
 notAfter=May 15 11:40:32 2023 GMT
/opt/psa/var/modules/letsencrypt/etc/live/example.org/cert.pem
 notBefore=Dec 18 16:16:25 2022 GMT
 notAfter=Mar 18 16:16:24 2023 GMT

As you can see, I got quite similar results. But it is also important to check that all required certificates are used in a web-server configuration (as an example, see "example.org").

---

If you use nginx, what about this example of code, does it show data for two domains (it finds certificates that really used as part of the nginx configuration)?

for Cert in $(grep ssl_certificate /etc/nginx/plesk.conf.d/vhosts/*.conf | awk '{ print $3 }' | uniq | tr -d ';');
do
  openssl x509 -in $Cert -text -noout 2>&1 | egrep -e '(Not Before|Not After|DNS:)';
done

 

[PeterKi]

I did check the expiration from Websites & Domains then expanding the domain and clicking on SSL/TLS Certificates under Security.
Your way is much easier though, as it directly shows the expiration dates.
I have configured my domains solely with plesk and both are available through https:// .
Still, I am wondering why there is no cert.pem file for my 2nd domain.

Is there a way in the web gui or on the command line to manually renew the certificates?

 

[AYamshanov]

From GUI

• Websites & Domain / example.org / SSL/TLS Certificates,
  • One option: Reissue Certificate, the "Install" button for Let's Encrypt.
  • Another option: Unassign Certificate and then issue a new certificate.
  • btw, there is a KB article, https://support.plesk.com/hc/en-us/articles/115001934469

From CLI

• https://support.plesk.com/hc/en-us/articles/360035099354

 

[AYamshanov]

Still, I am wondering why there is no cert.pem file for my 2nd domain.

Could it be the same wildcard certificate that is installed on these two domain/subdomain?

 

[PeterKi]

One option: Reissue Certificate, the "Install" button for Let's Encrypt.

Thanks for the hint.
I was reluctant because when I had clicked on 'Reissue Certificate' before, I only saw a list of SSL certs I needed to buy but no re-issue button.
Now, I did click on the 'Install' button for the Let's Encrypt certificatea at the very bottom, which then brought me to a screen where I could issue a new certificate for the 2nd domain.
After I had done this, the missing file for the 2nd domain did appear in /opt/psa/var/modules/letsencrypt/etc/live/*/cert.pem.
Now the cert files look as they should.
I suppose that the problem came with the plesk migration.

In the meantime, I did also find another way to get the expiration dates from a script which doesn't need any files from the file system:
for Dom in myDom1 myDom2 do echo $Dom echo 'Q' | openssl s_client -connect localhost:465 -servername $Dom -showcerts 2>&1 | grep -i before done