Issue How to ensure Plesk panel has a valid ssl cert for all clients?

[fmaz008]

On Plesk, in Tools & Settings -> SSL/TLS Certificates, we can select which SSL certificate Plesk should use for securing the panel.

Right now I have it selected to Lets Encrypt from server pool.

This will allow me to have a valid certificate if I access the panel via https://hostname:8443

But if I access it from

https//mydomain1of45.com:8443

I will get a certificate error as it load the certificate for hostname on mydomain1of45.com

Knowing that each domain has a valid certificate, I could switch from LetsEncrypt from server pool to LetsEncrypt mydomain1of45.com but then only that one domain would work well.

There seems to be an option to add extra certificates to the server pool, one at the time, by manually filling out a few fields:

• Bits *
• Country *
• State or province *
• Location (city) *
• Organization name (company) *
• Organization department or division name
• Domain name *
• Email *

(... or uploading a cert file.)

... but I'm confused about creating a second certificate for each domain name. They already exist, can't I just link the one that already exist?

I would think Plesk would check what domain it is being access throught and load that certificate, but apparently it is not how it works.

What is the proper way to offer plesl access to clients without them seing that SSL certificate error?

 

[learning_curve]

@fmaz008 You definitely need to read the all of the Plesk Obsidian Documentation, in depth, to do this properly, but a very quick reference post is this:
Hostname.com:8443 is your hosting domain i.e. Plesk and has it's own unique SSL Certificate (usually located in the server pool)
YourDomain.com and all of the other 44 domains that you have, would usually also have their own own separate SSL Certificates - not located in the server pool
You'll nearly always get warnings / errors if you attempt to visit YourDomain.com:8443 unless you make specific Plesk configuration changes***
For example; All 45 of YourOtherDomains.com:8443 urls are automatically re-directed to Hostname.com:8443 - but, you may not want this specific option?
*** An example exception to this would be, that you could create a Let's Encrypt Multi-Domain, Wildcard SSL Certificate (effectively a SAN), which would cover Hostname.com:8443 AND all of the other 45 domains too but... that's a LOT of manual work every 3 months, as you'll need to manually re-confirm 2 DNS entries for each domain... at renewal time (unless you're very well organised and use something outside of Plesk for your SSL Certificates e.g. acme.sh or similar)
There are many previous forum threads on this very subject, plus lots of applicable Plesk Obsidian Documentation and many very relevant Plesk Articles too.
Perhaps? THE most important factor now, is to decide who can login into plesk, where, why and how and only then work out your SSL Certificate configuration.

 

[fmaz008]

Thank you for your reply,

Well I have researched the documentation quite a bit and only 2 "solutions" appeared to be suggested:
A) redirect. But, from what I read, the redirection occurs after the SSL certificate is checked so you still get the error. Because of this I have not tried to implement it.

B) block access for the domain. This is currently not supported and there is a feature request, for which I have already voted.

And yes I do have the setup you are mentionning: a LetsEncrypt cert in the server pool and, separately, one for each domain.

But I need clients to access their plesk installation as they need to manage, for example, their emails accounts and redirects. I don't have a set preference on doing this, but I don't want to keep doors open that will display errors.

I would much rather the plesk access (port 8443) would not be open on all domains and that every clients would have no other option but to access the panel through one single domain... wether my own or the hostname.

Basically the default configuration show every client a "Website not secured" error and that looks absolutely horrible.

To be clear: if the redirect would prevent seing the error: it would be an acceptable solution, yes!

 

[learning_curve]

@fmaz008 Yes and no. You're correct on the re-direct warning error, as explained by Plesk themslevs HERE i.e. "...Note: even after the redirect is set up and the website is secured by a certificate, in an attempt to open the https://example.com:8443 URL, the error regarding the untrusted certificate appears before the redirect is performed. It happens because the redirect is performed after the certificate check only on the https://example.com:8443 website..." That can be overcome via the the other option that we mentioned (SAN etc) but it's a lot of setup work plus continuous manual work when hosting 45 domains. However, post #3 onwards in this thread gives you another alternative (but also refer to the link in post #2 above it) Not perfect, but would almost achieve what you want