• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue Google thinks LetsEncrypt SSL certificate is "Self signed" - SNI - server default IP

Jan Jaap

Jan Jaap

New Pleskian
Dear Plesk Support,

Since a few days ago I started using the Let's Encrypt extension for Plesk Onyx to provide a free SSL certificate for several domains.

One of the servers is a VPS with 1 IP (no ability to add IP's) and SSL is used via SNI.

Directly after installing an SSL certificate for one of the domains Google sent an alert email with the title: "Self-Signed SSL/TLS-certificate for https://www.domain.com"

https://support.google.com/webmasters/answer/180386?hl=en

The warning is also displayed in Google Webmaster Tools.

I've searched Google for a solution and there are several topics that are all are related to Plesk. The information all leads to the finding that Plesk has a bug that causes domains that are on the main IP of the server to return the default Plesk certificate for non-SNI requests, causing Google to see the Plesk certificate instead of the correctly configured Let's Encrypt certificate.

I hereby want to report the problem to Plesk Support as I did not find a topic about it in the forums.

One of the main topics about the issue is the following:

https://productforums.google.com/forum/#!topic/webmasters/WsazBXdKMNU

The suggested solution (quick fix) is to move the domain to a secondary IP. For our VPS however, that is not an option.

I hope that you are able to help!

Best Regards,
Jan Jaap
 
Should I go somewhere else for support / to report a critical bug? I am suspecting that many users may be at risk of SEO damage because of this Plesk bug.
 
Our clients have hundreds of Let's Encrypt certs via Plesk and none of the accounts ever ran into this issue. I don't see Google behaving different from normal browsers. If you can open your domain in a browser and if that domain displays a properly configured Let's Encrypt SSL certificate, that is also what the host delivers to Google.
 
Hi Peter,

Thank you for your response!

On several websites we used Plesk to install a Let's Encrypt certificate. The SSL score on SSLLabs.com is A (good) and no issues are shown. However, Google does warn for a self-signed certificate.

I've read all topics to find a solution. Advanced server engineers have dived into the issue and discovered that Plesk is returning the default self-signed Plesk certificate for non-SNI requests when the domain is on the main IP of the server.

This appears to be a Plesk bug. It is also a critical bug as it causes severe SEO damage.

Many users are complaining about the problem. See for example the link I provided:

https://productforums.google.com/forum/#!topic/webmasters/WsazBXdKMNU

For our VPS, we are not able to add a new IP to provide a quick fix. The website is currently flagged by Google as having an invalid certificate.

Best Regards,
Jan Jaap
 
If you send a "non SNI request" to a server, the server always returns the certificate that is associated with the default domain of the web server. It cannot do anything else, because the virtual domain is not indicated before secure handshaking takes place, so the only available certificate the web server knows about is the default certificate. This is the default behavior that has been standard through decades. If you have only one IP address, a non-SNI-aware client will always get the default certificate from the server.

As people where using virtual hosts more and more while also needing individual certificates for virtual hosts, SNI was invented. In SNI the client (e.g. the browser, Google system) sends the the hostname that it is trying to connect to at the beginning of the handshaking process. The host identifies the desired virtual host and uses the certificate of that virtual host for its answer. If the host cannot identify the virtual host, if that virtual host is not configured on the system or if the virtual host name is missing before the SSL handshake, the host will use the default server certificate.

What kind of fix do you expect? If the request is not transmitting the virtual host name at the beginning of the handshake, the host cannot know which virtual host's certificate to use. The only bug I see in your case could be that a non-SNI request comes in, but I do not believe that Google systems are sending outdated requests.
 
Hi Peter,

Thank you for the technical insight!

As for a fix: the problem is Google / SEO. Google is not sending a warning for an invalid certificate if it does not use that information in it's system to list a website in the search results. It may lead to a drop in traffic, damage to the quality reputation of a website or a (temporary) removal from the Google index.

Users choose Plesk to have all issues handled automatically. Perhaps the problem does lay with Google. In that case it may be an option to escalate the issue to Google.

Are you part of the Plesk support team?

Best Regards,
Jan Jaap
 
I think the explanation for the issue you are experiencing lies in a wrong IPv6 configuration of your server. It probably delivers a different website when an IPv6 request comes in than when an IPv4 request comes in. When it responds on IPv6 but does not choose the correct virtual host (e.g. because that has not been configured to have an IPv6 address, too), the web server will answer with the host's default certificate and the host's default website. Maybe you should consider this alternative explanation or other alternatives.
 
Hi Peter,

Thanks again for your help!

2 VPS servers (2 different providers) are a default Plesk server, recently upgraded to Plesk Onyx. How could IPv6 be incorrectly configured?

One of the VPSes is especially default, CentOS 7 + Plesk. It simply had domains added to it with a WordPress installation.

Thanks again for your time and suggestions! Hopefully it will lead to a solution!

Best Regards,
Jan Jaap
 
Hi Philipp,

No, the issue was not officially resolved. However, Google did not continue to send warnings.

The SNI configuration and Let's Encrypt SSL certificate (both managed by Plesk) appears to be correct. The problem is originating in the Google client that sends a non-SNI request for which Plesk returns the default server certificate (on all VPS'es that are limited to 1 IP).

As this topic (and a topic on a Google forum) was inconclusive and hinted that the fault lays with Google (because regular users will not experience the problem), we decided to wait and see if the Google error / warning was sent again. Until now there has been no new warning / error in Google Webmaster Tools while no settings have been modified on the Plesk server. There has been no drop in traffic / penalty so we simply hope that Google has resolved the issue and does not see it as a problem.

https://www.google.com/webmasters/

Of course, in regards to SEO, it would be best if Plesk resolves the issue. Although there may be no technical problem, the eye of Google is what matters for find ability of a website. If Google believes (and officially warns) that there is a technical problem, I think that it would be best for Plesk to resolve the issue or seek contact with Google to have their system modified so that users of Plesk can be sure that their websites will have an optimal chance to get indexed well.

Best Regards,
Jan Jaap
 
Hi Jan,

ok thats what thought. Was thinking that eventually removing https from the Default Page would have helped but anyway. Was also more concerned about Traffic drop.

Cheers
Philipp
 
You must log in or register to reply here.

Similar threads

R
Issue SSL/TLS cert for mail server not updating (Lets Encrypt)
Replies
2
Views
910
tessa67
T
L
Issue ( authorization token is unavailable ) Could not issue/renew Let`s Encrypt certificates
Replies
7
Views
372
Leta
L
M
Issue SSL certificate to secure Plesk IP address issue (Not Lets Encrypt)
Replies
5
Views
759
Kaspar@Plesk
Kaspar@Plesk
M
Resolved Domain name issue -- certificate for a domain uses server domain. But can't see how or why
Replies
9
Views
2K
MHC_1
M
Rendor9
Resolved I can't renew my plesk onyx interface SSL certificate.
Replies
4
Views
2K
Rendor9
Rendor9
Back
Top