Forwarded to devs Let's Encrypt - bad domain alias prevents main certificate renewal

[c0m]

TITLE:

Let's Encrypt - bad domain alias prevents main certificate renewal​

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:

CloudLinux 7.5, Plesk Onyx 17.8.11 Update #19​

PROBLEM DESCRIPTION:

If a subscription has a domain alias that's inaccessible due to various reasons - i.e the domain is expired and no longer active, or the DNS incorrectly doesn't point to the current server, then Let's Encrypt will fail to generate or renew an SSL certificate for the subscription's main domain.​

STEPS TO REPRODUCE:

If the bad alias is removed from the subscription, then the certificate for the main domain will be generated successfully when attempted.​

ACTUAL RESULT:

An invalid alias shouldn't prevent certificate generation or automatic renewal for the main domain or other valid aliases.​

EXPECTED RESULT:

This issue can also break the auto-regeneration of the main domain's certificate that happens approximately every 3 months - for example if the alias domain expires before the next automated renewal of the main domain's certificate, the main domain's certificate may fail to renew.​

ANY ADDITIONAL INFORMATION:

​

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:

Confirm bug​

 

[IgorG]

Checked the issue on a test environment
Everything depends on the existence of an alias in Plesk
Thus, if the alias was removed or disabled then certificate autorenew will issue a new certificate for the main domain without this alias
However, if the alias has broken DNS records then certificate will not be issue due to the corresponding error (e.g. NS or A record is not found) then it is expected and is not a bug. In this case, Plesk admin should go to Let`s Encrypt and remove the broken alias from the list of the selected aliases

 

[c0m]

Checked the issue on a test environment
Everything depends on the existence of an alias in Plesk
Thus, if the alias was removed or disabled then certificate autorenew will issue a new certificate for the main domain without this alias
However, if the alias has broken DNS records then certificate will not be issue due to the corresponding error (e.g. NS or A record is not found) then it is expected and is not a bug. In this case, Plesk admin should go to Let`s Encrypt and remove the broken alias from the list of the selected aliases

Hi IgorG. Thank you for looking into this bug report.

I'm sorry, but I don't agree with your conclusion that this isn't a bug and with your proposed solution for manually removing broken aliases.

Why would a broken alias, which is a completely different and separate domain than the subscription's main domain, have any effect to the main domain's certificate generation and renewal?

It doesn't make sense that when example.com is the main domain and example.org is the domain alias, when example.org expires, why should example.com's SSL certificate stop working and renewing?

On one of our servers, we have over 500 subscriptions that are owned by 500 different individual clients. Most subscriptions have domain aliases and for a lot of domains we only manage the hosting, but the domain renewal and DNS is out of our control and is managed by a 3rd party or the client themselves.

Whenever a client forgets to renew an alias domain, or decides that they no longer want to pay for some of their alias domains and knowingly lets it expire, then the next scheduled Let's Encrypt certificate renewal for their MAIN DOMAIN will fail - and the website will be inaccessible and show a disturbing warning about the expired certificate and the connection being not secure, until we are notified by the client of that behaviour so that we can manually go to the subscription, delete the bad alias and renew the certificate - which sometimes takes at least a day or more if the issue happens outside of business hours, which means complete website downtime as the HTTPS version of the site is the only available version of the website. This happens frequently and our clients are losing a lot of money and reputation when their main domain's certificate isn't auto-renewed and their website is inaccessible for many hours or even days until the issue is noticed so that we can manually delete the bad alias.

 

[Ruslan Kosolapov]

Hi @c0m.

1. I'd suggest using "Keep secured" option in your case. It works as you wish - if domain alias can't be secured, "Keep secured" option removes this problem alias from the CSR and issue the SSL certificate without this problem alias. This option can be set via Service Plan.


Note that, in your case, "Keep secured" feature will issue the new certificate when the current certificate considered "bad". By default, "keep secured" feature checks all certificates once an hour, so, in the worst case the domain will be unsecured for an hour. You can reconfigure the period here:


2. Let's Encrypt start sending email notifications about problems with renewal on 30 days before the expiration. During this period even the renewal fails, the current certificate still works, so, there is 30 days to fix the problem. If this amount of time isn't enough to fix (or remove) the problem alias, you can configure it: Managing Let's Encrypt Settings

3. you can configure the notifications here (LE sends it once a day):



In general:

The current behavior ("fail earlier" principle) is appreciated by users, so, we can't just "fix" it.
Maybe, there should be an option "how to deal with problem items during renewal".