
Resolved Let's Encrypt auto renewal issues

AdamB

New Pleskian
Hi All,

I'm running Plesk Onyx 17.0.17 on Windows Server 2012 R2 with the Let's Encrypt Extension installed but am having an issue when renewing certificates using both the Scheduled Task and the Let's Encrypt Renew button within each domain.

When running the scheduled task I'm receiving the error message "Task "C:\Program Files (x86)\Parallels\Plesk\admin\bin\php.exe" completed with error in %%seconds%% seconds." but get a successful message when using the renew button.

I can see that the certificates are being added to the "C:\Program Files (x86)\Parallels\Plesk\var\modules\letsencrypt\etc\archive\" folder and can see that it also appears to be changing the files in "C:\Program Files (x86)\Parallels\Plesk\var\modules\letsencrypt\etc\live\" to point to the new certificates.

However, when looking at each domain they are still using the old certificates even after restarting all services. The only way I can change the domains to use the new certificates is to manually go into each domain > Hosting Settings and change the Certificate to "Not selected" and then change it back to the Let's Encrypt certificate previously selected.

I have several hundred websites on 2 servers, both with the same specs and having the same issue, and changing each domain manually is getting very time-consuming. Can anyone suggest any solution so that the certificates are updated automatically?
 
I'm having the exact same issue, also on Server 2012 R2. However, the only slight difference is that both the scheduled task and the Let's Encrypt renew button indicate "Task ... completed", but in fact nothing happened.

The only solution for me is, just like @AdamB, to go to the domain > Hosting Settings and change the Certificate into "Not selected" and then back to the Let's Encrypt certificate.

What is going wrong here?
 
Hi @DennisAm,

I meant to do a write up but completely forgot about it after this was resolved.

This was actually 2 separate issues, the error when running the scheduled task only appears when I changed Plesk to be secured with a Let's Encrypt generated certificate rather than the default, so it's entirely possible it's the same issue.

For the main issue the only fix I have was created by Alexander Nikolaenko at Plesk Support for me, after speaking to at least a dozen other people in Plesk support and spending almost 3 weeks trying to investigate and solve it myself, but you currently need to do it via command prompt and PowerShell, however I have managed to add it to the Scheduled Tasks to run after the Let's Encrypt renewal task. The following worked for me:

You need a PowerShell file (mine's just called SSLFix.ps1) containing the following code:

Code:
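# Plesk admin password, used for the MySQL connection to the psa database
$Plesk_admin_password = "password"
# Temporary file that receives the list of domain names
$file = 'C:\temp.txt'
# The single-quoted strings below are expanded later by Invoke-Expression
$app = '"$env:plesk_cli\repair.exe"'
$option = '--reconfigure-web-site -web-site-name'
$mysql = '"$env:plesk_dir\MySQL\bin\mysql.exe"'
$mysql_options = '-uadmin -p"$Plesk_admin_password" -P8306 -e'
# Active domains (status = 0) that have a certificate assigned
$mysql_query = 'select name from domains where status = 0 and cert_rep_id != 0'
$mysql_end = 'psa | Out-File $file'
# Run the query against the psa database and write the result to $file
Invoke-Expression "& $mysql  $mysql_options '$mysql_query' $mysql_end"
# Drop the first line (the "name" column header)
(Get-Content $file | Select-Object -Skip 1) | Set-Content $file
$a = Get-Content $file

# Reconfigure each web site so it picks up the renewed certificate
ForEach ($dom in $a)
{
   Invoke-Expression "& $app $option $dom"
}
# Clean up the temporary file
Remove-Item $file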

Then you need to follow the following guidance:

1. Run a cmd prompt with Administrator privileges;
2. Execute the following to reapply SSL certificates;
Code:
"%plesk_cli%\\repair" --reconfigure-ssl-certificates
3. Open the script file in a text editor and enter the Plesk admin password in the "$Plesk_admin_password" variable in the first string;
4. Run a PowerShell prompt and execute the script;
5. If a message like "running scripts is disabled on this system" appears, temporarily apply an appropriate execution policy:
Code:
Set-ExecutionPolicy RemoteSigned
After completion it can be reverted back via:
Code:
Set-ExecutionPolicy Restricted

For now this fix works for me and I hope this works for you too.

At first I thought that the issue was caused by a change I had made on my servers, but we got 2 brand new servers from Dell which experience the same issue with only doing Windows updates and running IIS Crypto after coming straight from the Dell warehouse, so I don't know if the issue is being caused by an issue with Windows Server 2012 R2 or the Plesk extension itself. It only happens with the SSL certificates created by the Let's Encrypt extension itself, as it will update and override certificates added manually. I even tried removing a Let's Encrypt certificate and adding it back in manually with an identical name, which gets replaced, but after it's been replaced by the extension it has an issue renewing again. Hopefully Plesk can get to the bottom of it.
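
A variant of the workaround script above that keeps the admin password out of the file and the command line, and calls the executables directly instead of building strings for Invoke-Expression; this is an added example, not part of the original post and not Plesk's own code. It assumes an interactive, elevated PowerShell session, that the bundled mysql.exe honours the MYSQL_PWD environment variable, and the same port, query and repair.exe options the post uses; the hostname pattern is an illustrative choice.

```powershell
# Added example (not the script from the post). Assumptions: interactive
# elevated session; %plesk_dir% and %plesk_cli% are set as in the post.
if (-not $env:plesk_dir -or -not $env:plesk_cli) {
    throw 'plesk_dir / plesk_cli environment variables are not set'
}
$mysql  = Join-Path $env:plesk_dir 'MySQL\bin\mysql.exe'
$repair = Join-Path $env:plesk_cli 'repair.exe'
$query  = 'select name from domains where status = 0 and cert_rep_id != 0'

# Prompt for the password so it is never saved in the .ps1 file.
$secure = Read-Host -Prompt 'Plesk admin password' -AsSecureString
$plain  = (New-Object System.Net.NetworkCredential('', $secure)).Password

try {
    # Assumption: the client reads the password from MYSQL_PWD, which keeps
    # it out of the process command line (visible to other local users).
    $env:MYSQL_PWD = $plain
    # -N omits the column header, -B gives plain batch output, so no
    # temporary file and no "skip first line" step are needed.
    $domains = @(& $mysql -uadmin -P8306 -N -B -e $query psa)
    if ($LASTEXITCODE -ne 0) { throw "mysql.exe exited with code $LASTEXITCODE" }
}
finally {
    # Remove the password from the session whether or not the query worked.
    Remove-Item Env:\MYSQL_PWD -ErrorAction SilentlyContinue
    $plain = $null
}

# Illustrative hostname pattern: only values that look like DNS names are
# handed to repair.exe; anything else is reported and skipped.
$valid = '^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$'

foreach ($dom in $domains) {
    $dom = $dom.Trim()
    if ($dom -notmatch $valid) {
        Write-Warning "Skipping unexpected value from the domains table: '$dom'"
        continue
    }
    # The call operator passes $dom as a single argument; it is never
    # re-parsed as PowerShell code the way an Invoke-Expression string is.
    & $repair --reconfigure-web-site -web-site-name $dom
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "repair.exe failed for $dom (exit code $LASTEXITCODE)"
    }
}
```

If script execution is blocked, `Set-ExecutionPolicy RemoteSigned -Scope Process` changes the policy for the current PowerShell session only, so nothing has to be reverted afterwards.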
 
@AdamB That PowerShell script did the trick. Thanks a lot. :)
For now, I'll just run the PowerShell script manually once a month, so that I stay aware of this quick & dirty workaround.

Let's hope Plesk can create a permanent fix for this soon. Thanks again for sharing this!
 