
Resolved Expired SSL certificate keeps showing

Ruben

New Pleskian
Two years ago I bought an SSL certificate from Thawte, which I used to secure my Plesk installation on server.domain.com.

Now that the two years are over, I got a message in my browser that Plesk is no longer secure, so I wanted to replace it with a common Let's Encrypt certificate. I removed the Thawte from the list of certificates, got a wildcard certificate for domain.com and went over to Settings > SSL certificate to select 'Let's Encrypt domain.com' as the certificate for securing Plesk. This is accepted, yet my browser apparently insists on using the Thawte certificate, telling me it is insecure.

I have tried reloading nginx / Apache, thinking it would reload settings, but to no avail. What can I do to force the new (valid) certificate?
 
@Ruben It looks like your post reads as though you have set the Let's Encrypt Certificate against the Plesk Hosting Domain / SSL/TLS Certificates / but what's actually visible on here: https://**Your-Hosting_Domain:8443/admin/ssl-certificate/list especially, what's shown as 'Default' at the bottom?
 
The default is the 'plesk' certificate which I believe is self-signed. Isn't this only used for newly created domains? It says it is in use for 1 domain. There is also an incomplete 'default certificate' in use for 9 domains. However the Thawte certificate is nowhere to be found, I deleted it before trying to change to Let's Encrypt.
 
@Ruben You're closer to solving your issue now then. That self-signed certificate is of no real use now. You need either a Let's Encrypt (free) or other supplier (paid) SSL certificate to be in use here. One that actually covers Plesk itself, not the domain. The domain SSL certificate that you already have is not used by Plesk as its own SSL certificate, unless... the names are identical** and previously, you have copied the domain certificate over to here (e.g. certificate files or text) and then created a new certificate for Plesk's use based on that copied data, plus then made it the default certificate too, which, when all is done correctly, as well as appearing on the screen you've just visited / created the Plesk certificate on (screen grab FYI) you'll see it here too (against your IPv4 / IPv6 addresses): https://**Your-Hosting_Domain:8443/admin/ip-address/list/ If you go and have a look what's there at present, you'll see your issue even clearer.

Much easier than the copying / pasting / creating new etc. as described above is to just follow this Plesk Documented Guide. The end results are the same but it's much less work ;)

** e.g. The Plesk hosting url is not a sub-domain of the domain itself, because if that were the case, you would then need a *wildcard certificate for the domain itself, not a normal certificate, before... you copied the certificate files or text.

[screenshot: one.png]
 
I had a Let's Encrypt wildcard certificate for domain.com so I guessed my Plesk under server.domain.com would also be covered?

Anyway I have now registered a new Let's Encrypt certificate directly from the SSL/TLS Certificates page. It is visible in the server pool and set to secure the Plesk environment. It is also selected as the certificate under IP address.

Yet, I still get the invalid Thawte certificate when accessing the server via 8443.
Could this be a browser issue because I can't find a mention of this Thawte certificate anywhere in Plesk...


[screenshot: pleskscr.jpg]
 
I had a Let's Encrypt wildcard certificate for domain.com so I guessed my Plesk under server.domain.com would also be covered?
Yes, should be fine.
Anyway I have now registered a new Let's Encrypt certificate directly from the SSL/TLS Certificates page. It is visible in the server pool and set to secure the Plesk environment. It is also selected as the certificate under IP address. Yet, I still get the invalid Thawte certificate when accessing the server via 8443. Could this be a browser issue because I can't find a mention of this Thawte certificate anywhere in Plesk...
Did you make it the default certificate too (select box / click Make Default box) on that page? If / when you've done that and re-checked it against your IP address etc. (and maybe on a different browser?) then you can delete the other certificates in that server pool, as unlike this new one that you've just added, they are of no further use now really.
 
@Ruben One thing for your future use: Assuming that the one that you've just created for Plesk was also a *wildcard SSL certificate, then you should (famous last words...) be able to see that as a server pool located certificate - option - when you're allocating an SSL certificate against the domain itself (not Plesk). So you could then select and use that for the domain itself (three different allocation areas against the domain; domain / mail / webmail) as well as Plesk if you want to, then remove the domain-only SSL certificate that you created earlier. Just a suggestion.
 
Made it the default certificate. Still no change, Chrome keeps warning me about the expired Thawte.

I may have found another clue: when I go to domain.com, I get a certified HTTPS connection. However when I go to domain.com:8443 there is this warning. How is that even possible?
 
Made it the default certificate. Still no change, Chrome keeps warning me about the expired Thawte. I may have found another clue: when I go to domain.com, I get a certified HTTPS connection. However when I go to domain.com:8443 there is this warning. How is that even possible?
There's a miskeyed item and/or a misconfiguration in your Plesk set up somewhere. That's all it is. Take a new screengrab of the area shown in your last screengrab and post it on here again. That will add more detail etc plus have you actually tried accessing Plesk via a different browser and/or on a different device yet?

Trying to understand this part: Domain.com = Certified HTTPS connection but... Domain.com:8443 = Warning. Is that in separate urls, in different browser tabs / windows OR when moving from the first to the second url in the same browser tab / window? The two are quite different processes.
 
@Ruben Whilst you're working on that last post, we're assuming that you did read and follow the Plesk Documented Guide that was added in post #4 because, one thing that doesn't appear to be very clear on that page, is, that if you use the Let's Encrypt option that's shown on the https://**Your-Hosting_Domain:8443/admin/ip-address/list/ page as advised in the Plesk document, pretty sure that you can't request a *wildcard certificate in that specific area (like you can on a domain).

So in your case, you would have had to have used server.domain.com as the domain name for Plesk and not domain.com. If you have, then that means the info posted earlier in post #7 won't work in your case. Sorry! In our case we use this acme.sh tool to issue a multi-domain all *wildcard Let's Encrypt certificate that we use for securing Plesk, so post #7 does work for us. However, if you have used domain.com and not server.domain.com for the domain name that the Plesk SSL Certificate covers but you are hosting Plesk on server.domain.com, then that will definitely still be giving SSL certificate warnings, as the one you now have will be invalid (name)
 
I have specifically created a server.domain.com certificate, from the SSL/TLS Certificates page. It's not a wildcard certificate (tried this first but not any more).

[screenshot: pleskscr.jpg]

I have no other certificates left in the server pool, only this Let's Encrypt certificate. When I access domain.com I get a secure connection with the correct certificate. When I access domain.com:8443 I am still seeing the expired Thawte certificate (of which I cannot find any trace on the server). Whatever I select under 'certificate to secure Plesk', only the Thawte is showing up.

I appreciate your help but I believe this may be a bug in Plesk. I followed all the steps but somehow it seems stuck on the old certificate. Do you have any info on how to look for references to the Thawte certificate via SSH or something?
 
@Ruben It's definitely not a bug. It's as mentioned: "...miskeyed item and/or a misconfiguration..." - somewhere - finding where that is is the challenge ;)
Presumably you re-checked that the new certificate is allocated to your IP address(es), even to the point of re-allocating it again?
All certificates are here (on Ubuntu): /opt/psa/var/certificates. You can trace them all via date and/or content easily enough.
 
I did re-check the IP setting. With only one certificate available in my server pool there is no point in re-allocating.
On SSL Checker: same result. On port 443 for instance "We have not detected any issues." (correct certificate) and on port 8443 "expired 4 days ago" (Thawte).
 
@Ruben You can run a quick check using an SQL query & CLI e.g. Access Plesk DB via SSH then against the MariaDB [psa]> prompt, run
Code:
select d.name as dom, c.name as cert, c.id as cert_id, r.rep_id from certificates c, domains d, Repository r where d.cert_rep_id = r.rep_id and r.component_id=c.id;
which gives the domain, the certificate, the certificate id & the repository id.
 
I ran the SQL query, only Let's Encrypt certificates showed up. I also went through the certificates directory but there are no references to the Thawte certificate there either.

I also did 'plesk repair web -sslcerts' for both the domain.com and server.domain.com as the article suggested. All OK but no solution.

I'm getting crazy here...
 
I solved it.

Most of the solutions suggested above have to do with certificates for specific domains. These certificates all worked fine on my server, and repairing, restarting apache, restarting nginx etc. didn't do anything to the one used by Plesk. For me it was only this certificate that caused trouble on port 8443.

Then I looked into restarting the sw_cp_server which takes care of 8443 specifically. When I tried restarting manually via SSH, it failed because I ran into this problem:
So I killed the process manually, restarted fine... and now this one Plesk certificate is also the correct one!
I'm pretty sure restarting sw_cp_server should normally be done as part of a new SSL/TLS selection, but if it fails for some reason, you're not really notified so you have no clue.

Thanks for your help in any case! It's obviously our dialog that led me to this.
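The thread's lesson is that the panel on port 8443 is served by a separate process (sw_cp_server) from the web server on 443, so the certificate a port actually presents can lag behind what the database and /opt/psa/var/certificates show. The script below is an added example, not Plesk's own tooling or code from anyone in this thread: it fingerprints the certificate presented on each port and compares it with the certificate in a PEM file on disk, so a port still holding a stale certificate in memory stands out. The host name, file path and SAMPLE_PEM are assumptions.

```python
"""Compare the certificate served on each port with the one on disk."""
import base64
import hashlib
import re
import socket
import ssl
import sys

PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def fetch_served_cert_der(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Return the DER leaf certificate presented on host:port (SNI = host).
    Verification is off on purpose: we want to see an expired or stale
    certificate, not refuse it, so the raw form is requested."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint, colon-separated like `openssl x509 -fingerprint`."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def first_pem_cert(text: str) -> str:
    """The first CERTIFICATE block; the file may also hold a key or a chain."""
    match = PEM_CERT_RE.search(text)
    if not match:
        raise ValueError("no certificate block found")
    return match.group(0)


def file_cert_fingerprint(text: str) -> str:
    return fingerprint(ssl.PEM_cert_to_DER_cert(first_pem_cert(text)))


def stale_ports(served: dict, expected_fp: str) -> list:
    """Ports whose presented certificate differs from the on-disk one."""
    return sorted(port for port, fp in served.items() if fp != expected_fp)


def diagnose(host: str, pem_text: str, ports=(443, 8443)) -> list:
    """Live check across `ports`; a non-empty result means a service did not reload."""
    served = {p: fingerprint(fetch_served_cert_der(host, p)) for p in ports}
    return stale_ports(served, file_cert_fingerprint(pem_text))


# Constructed sample (not a real certificate): only the base64 body is hashed.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed-cert-bytes").decode()
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":  # usage: script.py server.example.com /path/to/cert.pem
    with open(sys.argv[2]) as fh:
        print("stale ports:", diagnose(sys.argv[1], fh.read()))
```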
 