Resolved How to assign Let's Encrypt certificate to two servers?

[WhiteTiger]

Server operating system version

Ubuntu 22.04.1 LTS

Plesk version and microupdate number

18.0.50

In the DNS of the DOMAIN.TLD domain, two A records have been created with the name SERVER1 and SERVER2, associated with two different IP addresses.

In "Tools & Settings - General Settings" the servers have the full hostname SERVER1.DOMAIN.TLD and SERVER2.DOMAIN.TLD"

On SERVER1 there is also the DOMAIN.TLD to which a Lets'Encript domain has been associated (also for wildcard *) and now the URL of its web pages are identified with a padlock.

I expected to see the padlock also in the Plesk login URL of SERVER1/2.DOMAIN.TLD, but instead the URLs are reported as "Not secure".

If on SERVER1 I go to create a Let's Encrypt certificate in "Tools & Settings - SSL/TLS Certificates" I am asked to create a TXT record with the key _acme-challenge.
But for the domain I had already created the TXT record with a _acme-challenge key.
If I then do the same on SERVER2, a further key with a different value will appear.

What should I do? Create two more TXT records?

 

[scsa20]

The _acme-challenge is only used for confirming ownership of the domain and changing the value has no baring on the certificate itself.

I am not sure if domain.tld and server1.domain.tld are on the same server running plesk while server2.domain.tld is on a server not runny plesk or not but if server2.domain.tld is on a server not running plesk, you could, in theory, run some sort of script that gets triggered by the SSL/TLS certificate on domain assigned/unassigned event to copy the certificate to server2 and update the configurations for it.

The alternative is, if they're all running plesk, is instead of using a while card for those 2 sub domains is to just have their own specific certificate which would required a HTTP challenge instead of DNS (although you could still get a wild card which would do a DNS challenge but at the subdomain level (so it'll look like _acme-challenge.server2 in your DNS record when creating the TXT record).

 

[WhiteTiger]

The _acme-challenge is only used for confirming ownership of the domain and changing the value has no baring on the certificate itself.

I am not sure if domain.tld and server1.domain.tld are on the same server running plesk while server2.domain.tld is on a server not runny plesk or not but if server2.domain.tld is on a server not running plesk, you could, in theory, run some sort of script that gets triggered by the SSL/TLS certificate on domain assigned/unassigned event to copy the certificate to server2 and update the configurations for it.

The alternative is, if they're all running plesk, is instead of using a while card for those 2 sub domains is to just have their own specific certificate which would required a HTTP challenge instead of DNS (although you could still get a wild card which would do a DNS challenge but at the subdomain level (so it'll look like _acme-challenge.server2 in your DNS record when creating the TXT record).

One domain, two server, two IP address, two plesk.

 

[Peter Debik]

For single domains, the round robin configuration is not possible in the current Plesk implementation of Let's Encrypt, because it does not support DNS-01 challenge, but only HTTP-01 challenge. If you would like to see an improvement there, please for vor Issue Let's Encrypt Wildcard certificate without main domain in SAN (use DNS-01 challenge only) .

A Let's Enrypt wildcard certificate can be created using the DNS-01 method, so this will be your best bet. However, I do not know from experience, whether two DNS entries with the same name will be read and interpreted by Let's Encrypt correctly so that you an use wildcard certs on both of your servers. What speaks agains trying it? It cannot damage anything.

 

[WhiteTiger]

For single domains, the round robin configuration is not possible in the current Plesk implementation of Let's Encrypt, because it does not support DNS-01 challenge, but only HTTP-01 challenge. If you would like to see an improvement there, please for vor Issue Let's Encrypt Wildcard certificate without main domain in SAN (use DNS-01 challenge only) .

A Let's Enrypt wildcard certificate can be created using the DNS-01 method, so this will be your best bet. However, I do not know from experience, whether two DNS entries with the same name will be read and interpreted by Let's Encrypt correctly so that you an use wildcard certs on both of your servers. What speaks agains trying it? It cannot damage anything.

I didn't understand what I should do.
I also don't understand a second thing, if I enter a TXT recort aren't we already doing a DNS-01 Challenge?

Even considering only one server, assigning a certificate in the domain, shouldn't it already be valid for the server too, since that domain is used in the hostname?
So why should I also configure "Tools & Settings - SSL/TLS Certificates"?

DNS is managed by the ISP.
Obviously there is a subdomain associated with the server name.
I'm wondering if I shouldn't create a TXT record here for Let's Encrypt.
Or if it may not be useful to configure Plesk DNS as Slave.
Or even create a subdomain in Plesk with the name of the server

I also tried a second way, removing the Let's Encrypt certificates and requesting a DigiCert certificate from the ISP. I was provided with a .key file and a .cer file.
But Plesk wants a .crt file.
And so I'm stuck anyway.

 

[Peter Debik]

I also don't understand a second thing, if I enter a TXT recort aren't we already doing a DNS-01 Challenge?

Yes, that is the DNS way of doing it. But in Plesk, that is only available for wildcard certificates.

Even considering only one server, assigning a certificate in the domain, shouldn't it already be valid for the server too, since that domain is used in the hostname?
So why should I also configure "Tools & Settings - SSL/TLS Certificates"?

The same name can be used as hostname and as a domain in a subscription. Each has and needs their own certificate, because different web servers are involved. The panel has its own web server.

DNS is managed by the ISP.
Obviously there is a subdomain associated with the server name.
I'm wondering if I shouldn't create a TXT record here for Let's Encrypt.

Yes.

Or if it may not be useful to configure Plesk DNS as Slave.

No.

Or even create a subdomain in Plesk with the name of the server

No.

I also tried a second way, removing the Let's Encrypt certificates and requesting a DigiCert certificate from the ISP. I was provided with a .key file and a .cer file.
But Plesk wants a .crt file.

The name of the file is arbitrary. Probable your certificate is in your .cer file while many systems and manuals name that a .crt file. It's the same. You need at least two components: a private key (probably in your .key file) and the certificate (the .cer file). For private keys, there is an encrypted and a decrypted version. You need the decrypted version. If your key file starts with

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED

it is encrypted. If it starts with something like

-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCDaEA3qKD15PAc6PMb1yCckTd/Fl5fA1OpURLR5Z+T4xY1JQt3eTM

it is not encrypted. To decrypt: openssl rsa -in <your keyfile> -out <your decrypted keyfile>

 

[WhiteTiger]

@Peter Debik
I tried this:

1. Removed all Let's Encrypt certificates
2. Removed TXT records

In Domains - MYDOMAIN.TLD - Dashboard - SSL/TLS Certificate - Advanced Settings - Add SSL/TLS Certificate

1. I uploaded the .key and .cer files

In Domains - MyDomain - Hosting Settings

1. I assigned the created certificate.

Now the domain and wildcard are still marked secure with the padlock, but the Plesk server is still not.

In Tools & Settings - SSL/TLS Certificate - Certificate for securing Plesk

1. I selected the certificate created earlier

but the padlock for SERVER.MYDOMAIN.TLD still doesn't appear.

 

[WhiteTiger]

@Peter Debik
The second server still belongs to the same domain, but on this one there are other domains used for other websites.
So I only went in Tools & Settings - SSL/TLS Certificate - Certificate for securing Plesk
but even in this server the padlock does not appear.

 

[WhiteTiger]

@Peter Debik
Perhaps it was enough to restart the two servers because now both are marked safe.
Thanks for the support.