Question Install LetsEncrypt certificate on domain alias for which live domain is on a different server?

[Paul Larson]

This may be a duplicate, but I haven't found the exact issue on different threads.

As web developers, we may take on a new website such as 'McDonalds.com' (we wish!).

Our first step is to install/clone that website to our Plesk staging server.

I'll create a domain called McDonalds.com, but then add an alias such as 'McDonalds.Staging.MyCompany.com.'

During development, we'll send that 'staging' domain to the client and coworkers for testing and review.

However, I haven't been able to figure out how to install a LetsEncrypt SSL certificate for the Staging alias. To restate the issue:

* The live domain (McDonalds.com) is NOT on our server, so LetsEncrypt will never successfully verify
* We have a wildcard domain in place, such that AnyWord.staging.mycompany.com resolves to the proper IP of our staging Plesk server.
* Is it possible, then, to install lets encrypt for McDonalds.Staging.MyCompany.com if I don't host the actual production domain, McDonalds.com ?

Paul

 

[Bitpalast]

If the route of *.staging.mycompany.com is directed to the subdomain, there should not be any issue with creating and using a Let's Encrypt certificate. Do you get any specific error message when you try to create a certificate?

 

[Paul Larson]

If the route of *.staging.mycompany.com is directed to the subdomain, there should not be any issue with creating and using a Let's Encrypt certificate. Do you get any specific error message when you try to create a certificate?

We don't actually use a subdomain.

McDonalds.com is the live production URL
McDonalds.Staging.MyCompany.com is a domain alias, not a subdomain.

But the error message is:

Error: Could not issue a Let's Encrypt SSL/TLS certificate for McDonalds.com.

Your domain in Plesk is hosted on the IP address(es): **.**.**.93, but the DNS challenge used another IP address: **.**.**.195.
Please check the actual DNS zone of your domain and make sure that the IP addresses in the DNS zone and for the hosting are the same.

Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz/4tpAnSyZzF0dO8qrf83vJEvpT3Wkcp1IkIVvJGkZ89U.
Details:
Type: urn:ietf:params:acme:error:unauthorized
Status: 403
Detail: Invalid response from 404 Page: Not Found | McDonald's [72.10.52.195]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"

Screenshot 1: Dropbox - 2019-03-07_08-05-02.png
Screenshot 2: Dropbox - 2019-03-07_08-06-45.png
Screenshot 3: Dropbox - 2019-03-07_08-07-43.png

====

It seems clear LetsEncrypt is trying to validate McDonalds.com instead of my alias.

 

[Bitpalast]

O.k., got it what you are saying.

Yes, that is right, that Let's Encrypt tries to create a certificate for the main domain and adds the alias to that. What you want to achieve cannot be done this way. Instead, create a new, separate domain and name it like your alias (the alias must of course be removed before). You must later copy the website to the real domain. It is not possible to do all in the same package at once. Your staging domain must be separate in this case. Then you can easily create a certificate for the staging domain.

 

[Paul Larson]

I do have a wildcard LetsEncrypt for Staging.MyCompany.com, but that doesn't seem to work either.

 

[Bitpalast]

You need to separate the staging domain from your other domain and then create its own certificate for that staging domain. You might have a wildcard certificate, but if this is not linked into the webserver configuration of the staging domain it will remain ineffective. The correct solution is to create a separate staging domain and create a certificate especially for that domain.

 

[Paul Larson]

Would another option be: Buy an authentic (non-LetsEncrypt) wildcard cert to handle *.Staging.MyDomain.com, and just point each desired domain to that Wildcard in the Plesk settings? It's not free, of course, but maybe a tolerable annual expense.