Question How to remove SSL renewal attempts for good?

[Bitpalast]

Server operating system version

Alma 8

Plesk version and microupdate number

18.0.65 #2

Domain <domainname> has no active SSL certificates:



SSL is disabled in Hosting Settings:



The SSL directory was removed:

rm -R -f /usr/local/psa/var/modules/sslit/etc/live/<domainname>

It is no present on the system any longer:

ls -l /usr/local/psa/var/modules/sslit/etc/live/ | grep <domainname>
(yields no result)

Nevertheless, reminders on renewal attemps are added to the notification queue daily:

sqlite3 /usr/local/psa/var/modules/sslit/sslit.sqlite3

sqlite> select * from Notification where params like '%<domainname>%';

70827|1738406359|1738406359|sent|230|certificateAutoRenewalFailed|{"failedKeepDomainsSecured":" ** '<domainname>' **\n   No domains have passed validation","keepDomainsSecuredWithErrors":"<none>","notRenewedCertificates":"<none>","partiallyRenewedCertificates":"<none>","vendor":"Let`s Encrypt"}

Removing the dataset(s) works, but the next day, a new one is added and a new reminder is mailed.

What could be the problem?
Where else is something stored that triggers a renewal attempt?
How can the certificate be removed for good so that no renewal attempt reminders are sent?

 

[scsa20]

Did you went to the SSL section and uncheck "Keep websites secured"?

 

[Bitpalast]

With no active certificate and disabled SSL there is no such section where I could set this. Do you happen to know in which Plesk db table the checkbox setting is stored?

 

[Kaspar]

I think this might be configured at Service Plan level? At example.com > customize > Additional Services?

Or via CLI sudo plesk bin subscription --show-custom-plan-items example.com, which returns urn:ext:sslit:plan-item-sdk:keep-secured if the keep-secured option is enabled. Disabling it will lock the subscription. Value/setting is stored on the SubscriptionProperties table in the PSA database (with the subscription_id ID being the object_id from the Subscriptions table.

 

[Bitpalast]

The first command returns only "Allowed items:" with no further content.

SubscriptionProperties shows some properties of the subscription, but nothing related to SSL.

The plan itself does not have a setting for "keep secured" (or similar).

I suspect that all SSL related data is in the SQLite database, because it's an extension. What I don't get is how a renewal attempt can even be started when the corresponding certificate directory was removed.

 

[Kaspar]

I am by no means an expert on the intricacies of SSL issuing. My understanding however, is that the automatic securing of domains with an LE SSL certificate is configured at service plan level the subscription, with the SSL it! option enabled on the Additional Services tab. When enabled, domains within the subscription will be issued an LE SSL certificate automatically. If this option is not set, there should be no automatic attempt to issue and secure a domain with an certificate.



Yet, just as a hypothesis, If certificate issuing attempts are being made for a domain without the SSL it! option being configured to keep the website secured, as seems to be the case for you, then maybe the certificate issuing process is (falsely) started because it tries to renew an (no longer present) expired certificate? The cron job for certificate renewals runs nightly, I believe. Did the domain previouslty used an LE certificate?

I suspect that all SSL related data is in the SQLite database, because it's an extension.

Looking a the tables and schemas of the SQLite database it seems that only data directly related the issuing process (certificate ordering) is kept in the database. I believe that any configuration about which domain to secure/issue an certificate for, is stored in the PSA database. Some related configration is stored in the dom_param table and some in the SubscriptionProperties table.

 

[Bitpalast]

I saw the SSLIt setting, but we're using "none" in all service plans anyway.

Nevertheless: Since yesterday with no new changes done to the server configuration, no further renewal attempts were logged. I have no idea why it stopped all the sudden. No setting was manually changed since Monday, nevertheless it now seems to have stopped.

 

[zip404]

Why not use Cloudflare for SSL?
https://www.cloudflare.com/application-services/products/ssl/

 

[Bitpalast]

Why use a third-party product if we already have built-in solution? Every new service comes with new trouble.