
Resolved How to remove the default certificate?

DieterWerner

Regular Pleskian
Plesk and postfix are secured by a LetsEncrypt certificate and for some reasons I want to remove it or make it not to be 'default'.

Plesk 17.8.11 # 49
CentOS 7.6.18.10
 
Tools & Settings => SSL/TLS certificates => Check the default certificate and click remove
 
Tools & Settings => SSL/TLS certificates => Check the default certificate and click remove
It would be nice if that would work - but it doesn't ...
'Unable to remove SSL/TLS certificates.
One of the certificates you are going to delete is used as the default certificate.'
 
@DieterWerner It does work exactly as @Monty has said, but... only if the default certificate is not already in use ;) which yours still appears to be...

The following extract is from a previous Plesk service item, but it still explains this quite clearly:
  • In order to change IPv4 and IPv6 addresses certificates, it requires adding more certificates into the server pool.
  • For the default self-signed certificate to be removed completely, it is required to assign new certificate as default, instead of the existing one. Default certificate is used upon a domain creation to secure them before the valid one, as well as for securing FTP connection.
  • They are obtained from the server pool only (Tools & Settings > SSL/TLS Certificates).

    In order to remove this default certificate you may want to re-assign an existing certificate that you own or, secure Plesk with a separate Let's Encrypt certificate (not a wildcard one) and use this as the default one.

    To do that, please do the following:
  1. Go to Tools & Settings > SSL/TLS Certificates > upload certificate, that you are using for securing Plesk. You may want to take it from the Domains > <domain where certificate is issued> > SSL Certificates. Copy all fields required. However, this way, certificate will not auto-renew.
     If you would like for it to renew automatically, issue new certificate for the hostname, however, it will not be a wildcard one in Tools & Settings > SSL/TLS Certificates > Let's Encrypt.
  2. Once certificate is uploaded or created in the server pool, tick the checkbox near it and press Make Default button.
  3. Go to Tools & Settings > IP addresses > Your.IP.Addresses.** and make sure, that the certificate has been changed for the one that was uploaded / created. If it was not - change it manually.
  4. Remove default certificate in Tools & Settings > SSL/TLS Certificates.
This does work every time, if, you follow the instructions as described by Plesk above.

The vital bit, is ensuring that you have the correct issued certificate. Meaning, the one that secures the Plesk hostname here >> https://Your*Host*Domain*:8443/plesk/server/preferences/ > Full hostname * If you have that / or create that, the rest is simple.
 
On the "Tools & Settings" -> "SSL/TLS certificates" page select the new "Let's Encrypt certificate" and click the button "Make Default". The old "default certificate" should now be free to delete.

Edit: learning_curve posted at the same time as I was...
 
If we've understood your post correctly @DieterWerner surely it could only have happened, if you've made and/or not made, certain setup choices as part of following the Plesk notes above.

Here's an example setup. This one assumes that auto-renew was not important to you (...let's say that you wanted a LE Wildcard Certificate against Domain A) which needs manually renewing each time etc). The Plesk notes give you options...

You have a valid, LE Certificate A) raised against Domain A) which is used for both securing Plesk & Mail and is clearly assigned to both here: https://*Your*Host*Domian*:8443/admin/ssl-certificate/list

At the bottom of that very same page, your replacement 'default' certificate is also shown. When viewing data on this page, your replacement 'default' certificate is correctly shown as not in use, i.e. not assigned to anything. The original 'default' certificate provided by Plesk is no longer shown here, because you have previously deleted it (which is actually what your original post was asking about)

Your replacement 'default' certificate is actually a copy of your valid LE Certificate A) which you made, exactly as described in point .1 of the Plesk notes above and which you then correctly assigned here: Tools & Settings > IP addresses > Your.IP.Addresses.**

In this ^^ example, there's separate, dual-use, of all the certificate data that's contained in LE Certificate A) but that's fine!

Note: You can choose a different name for your replacement 'default' certificate, because it is not mandatory for it to be entitled 'default'. E.G. For your own convenience, you may want a more useful reference name other than 'default'.

If you look at all your Let's Encrypt certificates ( ~/opt/psa/var/certificates ) with a bit of patience, you can trace each certificate back to an individual domain and/or its use as a default certificate. You can also see the date and time they were issued. With all that information to hand and by then reviewing all of your configuration setups via the Plesk Panel, you will be able to check what you did, when and hopefully remember why ;)

If you don't solve this after reviewing your setup, then please post exactly what you do have in your setup, as that will help everyone to understand it. Any edited screen grabs (English text!) would be pretty handy too
 
If we've understood your post correctly @DieterWerner surely it could only have happened, if you've made and/or not made, certain setup choices as part of following the Plesk notes above.

Yes - I did and the 'default' certificate has been created correctly.
You have a valid, LE Certificate for the domain of the server which is used for both securing Plesk & Mail.
The original 'default' certificate provided by Plesk is no longer shown here, because I have previously deleted it.
So far so good ...
but the dual use is not desired.

If you look at all your Let's Encrypt certificates ( ~/opt/psa/var/certificates ) with a bit of patience, you can trace each certificate back to an individual domain and/or its use as a default certificate. You can also see the date and time they were issued. With all that information to hand and by then reviewing all of your configuration setups via the Plesk Panel, you will be able to check what you did, when and hopefully remember why

I compared the names of the certificates ( ~/opt/psa/var/certificates ) with the content of psa.certificates and so I know which certificate should be assigned to a certain domain - the problem is: it should be but it isn't.
I think I'm running in a dead end street :(
 
.....The original 'default' certificate provided by Plesk is no longer shown here, because I have previously deleted it. So far so good ...but the dual use is not desired
Okay, that's fine so you've therefore chosen a different option, but where's the screen grab posts? o_O
I compared the names of the certificates ( ~/opt/psa/var/certificates ) with the content of psa.certificates and so I know which certificate should be assigned to a certain domain - the problem is: it should be but it isn't.
I think I'm running in a dead end street :(
They cannot initially assign or later re-assign themselves! :D
Pretty sure that it's just a setup error (somewhere) by you, possibly during the process in those ^^ Plesk notes.
As mentioned already, Screen grabs? Or data checks & extracts? Don't forget the IP Address section too
 
As mentioned already, Screen grabs? Or data checks & extracts? Don't forget the IP Address section too
Plesk doesn't deliver any error messages - the only thing I see is the security warning of the browser (because of the wrong certificate)
What kind of Screen grabs, data checks & extracts do you need?
 
....What kind of Screen grabs, data checks & extracts do you need?
:D We don't need them, you do! Once you have them, we'd like you to share them on here to help solve the issue.

As mentioned, we're pretty sure the last item you posted about, is just a simple setup error, but nobody can know for sure, unless you provide all the details of your current setup. If you want to retain anonymity of your domains etc, then very carefully edit the screengrabs before you post them on here or, raise a Plesk direct support ticket and give them access to your server etc and they'll find the misconfiguration and fix it for you, no problem.

To explain, it's not screen grabs of error message, it's screen grabs of all the complete Plesk panel pages that are related to the certificate(s) that you are using e.g. https://*Your*Hosting*Domain*:8443/admin/ssl-certificate/list plus https://*Your*Hosting*Domain*:8443/admin/ip-address/edit/id/1 (IPv4) plus https://*Your*Hosting*Domain*:8443/admin/ip-address/edit/id/2 (IPv6) plus https://*Your*Hosting*Domain*:8443/plesk/server/preferences/ plus https://*Your*Hosting*Domain*:8443/smb/ssl-certificate/list/id/**** where **** is the number of the domain that you are using to host Plesk. These will give a good, clear initial insight, into that last issue that you posted about.
 
Edit: where can I find the ID of the domain that I use to host Plesk?
Initially, within here: https://*Your*Hosting*Domain*:8443/admin/domain/list?context=domains by selecting the correct domain (the id number is visible in the URL) which, then refers you back to the list that's already been posted above i.e. on this page: https://*Your*Hosting*Domain*:8443/plesk/server/preferences/ >> Full hostname * << The FQDN that you have entered there... Then, everything else that's posted above, until, you arrive at the setup error that's almost sure to be causing your issue ;)
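
One way to produce the "data checks & extracts" discussed in this thread, as an added example that is not part of the original posts: it fingerprints every certificate file in a directory and the certificate a TLS port actually presents, then lists which stored files match each endpoint. The function names, endpoint labels and sample PEM data are constructed for illustration; an empty list means the service presents a certificate that is not in the directory, and two names for one endpoint is the copied "dual use" certificate described above.

```python
import base64
import hashlib
import re
import socket
import ssl
from pathlib import Path

CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def leaf_fingerprint(pem_text):
    """SHA-256 over the DER of the first CERTIFICATE block; keys and chain are ignored."""
    block = CERT_RE.search(pem_text)
    if block is None:
        raise ValueError("no CERTIFICATE block")
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(block.group(0))).hexdigest()

def load_pool(directory):
    """Map file name -> fingerprint for a certificate directory; skip files without one."""
    pool = {}
    for path in sorted(Path(directory).iterdir()):
        try:
            pool[path.name] = leaf_fingerprint(path.read_text(errors="replace"))
        except (ValueError, OSError):
            continue
    return pool

def served_fingerprint(host, port, timeout=5):
    """Fingerprint of what an implicit-TLS port (such as the panel's 8443) presents."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # diagnostic only: we want to see the
    ctx.verify_mode = ssl.CERT_NONE   # certificate even when it would not validate
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()

def match_served(served, pool):
    """served {endpoint: fp}, pool {name: fp} -> {endpoint: [pool names with that fp]}."""
    return {ep: sorted(n for n, fp in pool.items() if fp == served_fp)
            for ep, served_fp in served.items()}

def constructed_pem(payload):
    """Constructed stand-in: arbitrary bytes in PEM armour, not a real X.509 certificate."""
    body = base64.encodebytes(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    a, b, c = (leaf_fingerprint(constructed_pem(x)) for x in (b"A", b"B", b"C"))
    pool = {"cert-A": a, "default-copy": a, "cert-B": b}
    print(match_served({"panel:8443": a, "mail": c}, pool))
```

On a live server, build `served` from `served_fingerprint(hostname, 8443)` and `pool` from `load_pool()` on the certificate directory; ports that need STARTTLS are not handled by this sketch.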
 