• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx

  • We are developing a new feature in Plesk that will help you promote your websites or business on social media. We want to conduct a one-hour online UX test to present the prototype and collect feedback. If you are interested in the feature, please book a meeting via this link.
    Thank you in advance!
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue Check SSL certificates from command line

PeterKi

Regular Pleskian
Server operating system version
Ubuntu Linux 22.04.1 LTS
Plesk version and microupdate number
plesk obsidian 18.0.50u2 WebAdmin Edition
I have 2 domains configured on my Ubuntu server and in the web interface both of them show up as secured by let's encrypt certificates.
As it is very cumbersome to check the expiration dates from the web GUI, I used to use a script which extracts the expiration dates from the certs on the file system.
This worked well on my previous server with Ubuntu 20, but after migrating to an Ubuntu 22 server, I am missing a certificate file.
ls /opt/psa/var/modules/letsencrypt/etc/live/* only lists a general _plesk_domain and 1 of my domains.
My 2nd domain is missing, although the web interface shows the certificate for it.

Are the certificates stored somewhere else now?

for Cert in $(ls /opt/psa/var/modules/letsencrypt/etc/live/*/cert.pem) do echo $Cert cat $Cert | openssl x509 -dates -noout 2>&1 | sed -e 's/^notBe/ &/' -e 's/^notA/ &/' done
 
Hmm, strange.
Do you have an explanation why there is no subdir for my 2nd domain then?
From the web gui I see that the ssl cert for my 1st domain is valid to June 4th and my 2nd domain is valid to May 13th.
From the cert.pem files under the given path, I get:
notBefore=Mar 6 09:32:40 2023 GMT
notAfter=Jun 4 09:32:39 2023 GMT
which matches with my 1st domain.
And I get
notBefore=Feb 15 10:45:43 2023 GMT
notAfter=May 16 10:45:42 2023 GMT
for the /_plesk_domain/cert.pem.
Nothing matches though with the May 13th which I get from the web gui.

Is there a way to manually renew the SSL certificate so that I can test if the cert.pem file possibly gets created?
 
Hi PeterKi!

As it is very cumbersome to check the expiration dates from the web GUI
Just a quick question. What way have you used to check the expiration in GUI?
  • Opening "SSL/TLS Certificates" for each existing domain.
  • Opening "Extensions / My Extensions / SSL It!".
1678457560957.png
  • Other way.



I have tried your script on my server and got the next output,
Bash:
/opt/psa/var/modules/letsencrypt/etc/live/_plesk_domain/cert.pem
 notBefore=Feb 17 17:48:12 2023 GMT
 notAfter=May 18 17:48:11 2023 GMT
/opt/psa/var/modules/letsencrypt/etc/live/api.example.org/cert.pem
 notBefore=Feb 14 10:38:08 2023 GMT
 notAfter=May 15 10:38:07 2023 GMT
/opt/psa/var/modules/letsencrypt/etc/live/demo.example.org/cert.pem
 notBefore=Feb 17 20:48:08 2023 GMT
 notAfter=May 18 20:48:07 2023 GMT
/opt/psa/var/modules/letsencrypt/etc/live/staging.example.org/cert.pem
 notBefore=Feb 14 11:40:33 2023 GMT
 notAfter=May 15 11:40:32 2023 GMT
/opt/psa/var/modules/letsencrypt/etc/live/example.org/cert.pem
 notBefore=Dec 18 16:16:25 2022 GMT
 notAfter=Mar 18 16:16:24 2023 GMT

As you can see, I got quite similar results. But it is also important to check that all required certificates are used in a web-server configuration (as an example, see "example.org").



If you use nginx, what about this example of code, does it show data for two domains (it finds certificates that really used as part of the nginx configuration)?
Code:
for Cert in $(grep ssl_certificate /etc/nginx/plesk.conf.d/vhosts/*.conf | awk '{ print $3 }' | uniq | tr -d ';');
do
  openssl x509 -in $Cert -text -noout 2>&1 | egrep -e '(Not Before|Not After|DNS:)';
done
 
Last edited:
I did check the expiration from Websites & Domains then expanding the domain and clicking on SSL/TLS Certificates under Security.
Your way is much easier though, as it directly shows the expiration dates.
I have configured my domains solely with plesk and both are available through https:// .
Still, I am wondering why there is no cert.pem file for my 2nd domain.

Is there a way in the web gui or on the command line to manually renew the certificates?
 
One option: Reissue Certificate, the "Install" button for Let's Encrypt.
Thanks for the hint.
I was reluctant because when I had clicked on 'Reissue Certificate' before, I only saw a list of SSL certs I needed to buy but no re-issue button.
Now, I did click on the 'Install' button for the Let's Encrypt certificatea at the very bottom, which then brought me to a screen where I could issue a new certificate for the 2nd domain.
After I had done this, the missing file for the 2nd domain did appear in /opt/psa/var/modules/letsencrypt/etc/live/*/cert.pem.
Now the cert files look as they should.
I suppose that the problem came with the plesk migration.

In the meantime, I did also find another way to get the expiration dates from a script which doesn't need any files from the file system:
for Dom in myDom1 myDom2 do echo $Dom echo 'Q' | openssl s_client -connect localhost:465 -servername $Dom -showcerts 2>&1 | grep -i before done
 
Back
Top