
Resolved How to assign Let's Encrypt certificate to two servers?

WhiteTiger

Basic Pleskian
Server operating system version: Ubuntu 22.04.1 LTS
Plesk version and microupdate number: 18.0.50
In the DNS of the DOMAIN.TLD domain, two A records have been created with the name SERVER1 and SERVER2, associated with two different IP addresses.

In "Tools & Settings - General Settings" the servers have the full hostnames SERVER1.DOMAIN.TLD and SERVER2.DOMAIN.TLD.

On SERVER1 there is also the DOMAIN.TLD domain, to which a Let's Encrypt certificate has been associated (also for the wildcard *), and now the URLs of its web pages are shown with a padlock.

I expected to see the padlock also in the Plesk login URL of SERVER1/2.DOMAIN.TLD, but instead the URLs are reported as "Not secure".

If on SERVER1 I go to create a Let's Encrypt certificate in "Tools & Settings - SSL/TLS Certificates" I am asked to create a TXT record with the key _acme-challenge.
But for the domain I had already created the TXT record with a _acme-challenge key.
If I then do the same on SERVER2, a further key with a different value will appear.

What should I do? Create two more TXT records?
 
The _acme-challenge is only used for confirming ownership of the domain, and changing the value has no bearing on the certificate itself.

I am not sure whether domain.tld and server1.domain.tld are on the same server running Plesk while server2.domain.tld is on a server not running Plesk, but if server2.domain.tld is on a server not running Plesk, you could, in theory, run some sort of script that gets triggered by the "SSL/TLS certificate on domain assigned/unassigned" event to copy the certificate to server2 and update the configurations for it.

The alternative, if they're all running Plesk, is, instead of using a wildcard for those two subdomains, to just give each its own specific certificate, which would require an HTTP challenge instead of DNS (although you could still get a wildcard which would do a DNS challenge but at the subdomain level, so it'll look like _acme-challenge.server2 in your DNS record when creating the TXT record).
 
One domain, two servers, two IP addresses, two Plesk.
 
For single domains, the round-robin configuration is not possible in the current Plesk implementation of Let's Encrypt, because it does not support the DNS-01 challenge, but only the HTTP-01 challenge. If you would like to see an improvement there, please vote for Issue "Let's Encrypt Wildcard certificate without main domain in SAN (use DNS-01 challenge only)".

A Let's Encrypt wildcard certificate can be created using the DNS-01 method, so this will be your best bet. However, I do not know from experience whether two DNS entries with the same name will be read and interpreted by Let's Encrypt correctly so that you can use wildcard certs on both of your servers. What speaks against trying it? It cannot damage anything.
 

I didn't understand what I should do.
I also don't understand a second thing: if I enter a TXT record, aren't we already doing a DNS-01 challenge?

Even considering only one server, assigning a certificate in the domain, shouldn't it already be valid for the server too, since that domain is used in the hostname?
So why should I also configure "Tools & Settings - SSL/TLS Certificates"?

DNS is managed by the ISP.
Obviously there is a subdomain associated with the server name.
I'm wondering if I shouldn't create a TXT record here for Let's Encrypt.
Or if it may not be useful to configure Plesk DNS as Slave.
Or even create a subdomain in Plesk with the name of the server

I also tried a second way, removing the Let's Encrypt certificates and requesting a DigiCert certificate from the ISP. I was provided with a .key file and a .cer file.
But Plesk wants a .crt file.
And so I'm stuck anyway.
 
I also don't understand a second thing: if I enter a TXT record, aren't we already doing a DNS-01 challenge?
Yes, that is the DNS way of doing it. But in Plesk, that is only available for wildcard certificates.

Even considering only one server, assigning a certificate in the domain, shouldn't it already be valid for the server too, since that domain is used in the hostname?
So why should I also configure "Tools & Settings - SSL/TLS Certificates"?
The same name can be used as hostname and as a domain in a subscription. Each has and needs their own certificate, because different web servers are involved. The panel has its own web server.

DNS is managed by the ISP.
Obviously there is a subdomain associated with the server name.
I'm wondering if I shouldn't create a TXT record here for Let's Encrypt.
Yes.

Or if it may not be useful to configure Plesk DNS as Slave.
No.

Or even create a subdomain in Plesk with the name of the server
No.

I also tried a second way, removing the Let's Encrypt certificates and requesting a DigiCert certificate from the ISP. I was provided with a .key file and a .cer file.
But Plesk wants a .crt file.
The name of the file is arbitrary. Probably your certificate is in your .cer file, while many systems and manuals call that a .crt file. It's the same. You need at least two components: a private key (probably in your .key file) and the certificate (the .cer file). For private keys, there is an encrypted and a decrypted version. You need the decrypted version. If your key file starts with
Code:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
it is encrypted. If it starts with something like
Code:
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCDaEA3qKD15PAc6PMb1yCckTd/Fl5fA1OpURLR5Z+T4xY1JQt3eTM
it is not encrypted. To decrypt: openssl rsa -in <your keyfile> -out <your decrypted keyfile>
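To make the key check above mechanical, here is an added shell example (not from the thread): it classifies a PEM private key as encrypted or not from its header lines, strips the passphrase with openssl as the answer describes, and confirms the key actually belongs to the .cer certificate before the pair is uploaded to Plesk. The file names are placeholders and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes openssl is installed.
# Classifies a PEM private key, writes an unencrypted copy, and checks that
# key and certificate belong together (Plesk rejects a mismatched pair).

# pem_key_state FILE -> prints: encrypted | plain | unknown
pem_key_state() {
  f="$1"
  if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f" \
     || grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
    echo encrypted                     # PKCS#8 encrypted, or legacy PEM with DEK-Info
  elif grep -qE '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$f"; then
    echo plain                         # PKCS#1/SEC1 or PKCS#8 without passphrase
  else
    echo unknown                       # not a private key (e.g. the .cer certificate)
  fi
}

# decrypt_key IN OUT -> writes an unencrypted copy; openssl prompts for the
# passphrase when IN is encrypted. `openssl pkey` handles RSA and EC keys in
# both PEM forms; `openssl rsa`, as in the answer above, is the RSA-only variant.
decrypt_key() {
  openssl pkey -in "$1" -out "$2" && chmod 600 "$2"
}

# key_matches_cert KEY CERT -> exit 0 when the public key embedded in CERT
# equals the public key derived from KEY
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage (placeholder file names):
#   pem_key_state mydomain.key
#   decrypt_key mydomain.key mydomain-plain.key
#   key_matches_cert mydomain-plain.key mydomain.cer && echo "key and certificate match"
```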
 
@Peter Debik
I tried this:
  1. Removed all Let's Encrypt certificates
  2. Removed TXT records
In Domains - MYDOMAIN.TLD - Dashboard - SSL/TLS Certificate - Advanced Settings - Add SSL/TLS Certificate
  1. I uploaded the .key and .cer files
In Domains - MyDomain - Hosting Settings
  1. I assigned the created certificate.
Now the domain and wildcard are still marked secure with the padlock, but the Plesk server is still not.

In Tools & Settings - SSL/TLS Certificate - Certificate for securing Plesk
  1. I selected the certificate created earlier
but the padlock for SERVER.MYDOMAIN.TLD still doesn't appear.
 
@Peter Debik
The second server still belongs to the same domain, but on this one there are other domains used for other websites.
So I only went in Tools & Settings - SSL/TLS Certificate - Certificate for securing Plesk
but even in this server the padlock does not appear.
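A diagnostic for the "padlock does not appear" problem in the last two posts, added here and not part of the thread: the Plesk panel (port 8443 by default) and a hosted site (port 443) are separate web servers, so this script fetches the certificate each endpoint actually presents and checks whether the hostname is covered by its Subject Alternative Names. It assumes openssl is installed; domain.tld and server1.domain.tld are placeholders.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Assumes openssl is installed.
# Fetches the leaf certificate a TLS endpoint actually serves and checks
# whether the requested hostname is listed in its Subject Alternative Names.

# san_names_from_text: reads `openssl x509 -text` output on stdin and prints
# the DNS entries of the Subject Alternative Name extension, one per line
san_names_from_text() {
  awk '/X509v3 Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# fetch_san_list HOST PORT: prints the SAN DNS names of the presented certificate
fetch_san_list() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -text 2>/dev/null \
    | san_names_from_text
}

# name_covered NAME: reads SAN names on stdin; exit 0 if NAME matches one of
# them exactly or via a single-label wildcard (*.domain.tld covers
# server1.domain.tld but not deep.server1.domain.tld)
name_covered() {
  name="$1"
  parent="${name#*.}"
  while IFS= read -r san; do
    [ "$san" = "$name" ] && return 0
    case "$san" in
      '*.'*) [ "$parent" != "$name" ] && [ "${san#\*.}" = "$parent" ] && return 0 ;;
    esac
  done
  return 1
}

# check_endpoint HOST PORT: one line of output per endpoint
check_endpoint() {
  if fetch_san_list "$1" "$2" | name_covered "$1"; then
    echo "$1:$2 presents a certificate covering $1"
  else
    echo "$1:$2 does NOT present a certificate covering $1 (browser shows Not secure)"
  fi
}

# Usage with the placeholder names from the thread: site on 443, Plesk panel on 8443
# check_endpoint domain.tld 443
# check_endpoint server1.domain.tld 8443
```

If the 443 check passes but the 8443 check fails, the certificate was assigned to the subscription but not to the panel's own web server, which is the split the answer above describes.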
 