
Issue Let's Encrypt cert using wrong domain name

davorg

I have a Plesk server called willow.mag-sol.com. Its IP address is 82.165.135.123. This server hosts several domains.

One of those domains is dave.org.uk. I've been using a Let's Encrypt cert on this domain successfully for a few years.

There are several sub-domains on dave.org.uk. Many of them are hosted on the same server and the DNS is therefore set up as a CNAME to dave.org.uk. One example sub-domain is blog.dave.org.uk. This also has its own (separate) Let's Encrypt cert and that's been working successfully for a few years.

Recently, I created a new sub-domain called feeds.dave.org.uk. I also set up a Let's Encrypt cert for this new sub-domain. However, if I go to https://feeds.dave.org.uk/ I get a certificate error because the certificate has been issued for willow.mag-sol.com, not feeds.dave.org.uk.

I've double-checked the hosting settings and the certificate being used is described as "Let's Encrypt feeds.dave.org.uk (feeds.dave.org)" in the selector control.

I'm not sure what else I can check. Any advice would be much appreciated.

Thanks,

Dave...
 
Have a look at /etc/nginx/plesk.conf.d/vhosts/feeds.dave.org.uk.conf and compare the certificate against that in /etc/nginx/plesk.conf.d/server.conf (which should be the certificate for willow.mag-sol.com)
 
> Have a look at /etc/nginx/plesk.conf.d/vhosts/feeds.dave.org.uk.conf and compare the certificate against that in /etc/nginx/plesk.conf.d/server.conf (which should be the certificate for willow.mag-sol.com)

Yes, you're right.

Code:
% grep ssl_cert /etc/nginx/plesk.conf.d/vhosts/feeds.dave.org.uk.conf
        ssl_certificate             /usr/local/psa/var/certificates/scf2ZxDEE;
        ssl_certificate_key         /usr/local/psa/var/certificates/scf2ZxDEE;

And

Code:
% grep ssl_cert /etc/nginx/plesk.conf.d/server.conf
        ssl_certificate             /usr/local/psa/var/certificates/scf2ZxDEE;
        ssl_certificate_key         /usr/local/psa/var/certificates/scf2ZxDEE;
        ssl_certificate             /usr/local/psa/var/certificates/scf2ZxDEE;
        ssl_certificate_key         /usr/local/psa/var/certificates/scf2ZxDEE;
        ssl_certificate             /usr/local/psa/var/certificates/scf2ZxDEE;
        ssl_certificate_key         /usr/local/psa/var/certificates/scf2ZxDEE;
        ssl_certificate             /usr/local/psa/var/certificates/scf2ZxDEE;
        ssl_certificate_key         /usr/local/psa/var/certificates/scf2ZxDEE;

But for blog.dave.org.uk (which is the sub-domain that works):

Code:
% grep ssl_cert /etc/nginx/plesk.conf.d/vhosts/blog.dave.org.uk.conf
        ssl_certificate             /usr/local/psa/var/certificates/scfxsqrQ8;
        ssl_certificate_key         /usr/local/psa/var/certificates/scfxsqrQ8;

So, as I understand it, Plesk is putting the wrong cert in the feeds.dave.org.uk config file. How do I a) work out which is the right one and b) stop Plesk giving me the wrong one?
 
Ok, I answered my first question:

Code:
openssl x509 -in <certfile> -text

gives me info about the cert (including the subject domain). So I can edit /etc/nginx/plesk.conf.d/vhosts/feeds.dave.org.uk.conf and fix the cert there (I've tried that and it works). But I'm still worried that when that file is regenerated, it will be overwritten with the wrong cert again.
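
An added example, not part of the original posts: the manual check described in this thread (find the certificate file each vhost config references, then inspect it with openssl x509) automated over a directory of vhost files. It assumes the files are named <hostname>.conf as in the thread; the function names, the example.test hostnames and the throwaway certificates built by make_demo are constructed for illustration.

```shell
#!/bin/sh
# Audit nginx vhost files named <hostname>.conf: does the referenced cert cover the host?

# Print OK/MISMATCH/NOCERT for one vhost file; return 0 only on OK.
check_vhost_cert() {
    conf=$1
    host=$(basename "$conf" .conf)
    # First ssl_certificate directive; strip the trailing semicolon.
    cert=$(awk '$1 == "ssl_certificate" { sub(/;$/, "", $2); print $2; exit }' "$conf")
    if [ -z "$cert" ] || [ ! -r "$cert" ]; then
        echo "NOCERT $host"
        return 2
    fi
    # -checkhost prints "does match" or "does NOT match"; parse the text
    # because the exit status is not reliable across OpenSSL versions.
    if openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
            grep -q 'does match'; then
        echo "OK $host $cert"
    else
        echo "MISMATCH $host $cert $(openssl x509 -in "$cert" -noout -subject 2>/dev/null)"
        return 1
    fi
}

# Check every *.conf in a directory; return the number of non-OK vhosts.
audit_vhosts() {
    bad=0
    for conf in "$1"/*.conf; do
        [ -e "$conf" ] || continue
        check_vhost_cert "$conf" || bad=$((bad + 1))
    done
    return "$bad"
}

# Constructed sample: two throwaway self-signed certs and two vhost files,
# reproducing the thread (blog gets its own cert, feeds gets the server's).
make_demo() {
    dir=$1
    for cn in willow.example.test blog.example.test; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
            -keyout "$dir/$cn.key" -out "$dir/$cn.crt" 2>/dev/null
        # The thread's configs use one file for both key and certificate.
        cat "$dir/$cn.key" "$dir/$cn.crt" > "$dir/$cn.pem"
    done
    printf '\tssl_certificate\t%s;\n' "$dir/blog.example.test.pem" > "$dir/blog.example.test.conf"
    printf '\tssl_certificate\t%s;\n' "$dir/willow.example.test.pem" > "$dir/feeds.example.test.conf"
}

if [ "$#" -gt 0 ]; then audit_vhosts "$1"; fi
```

Passing /etc/nginx/plesk.conf.d/vhosts as the first argument audits the real vhost directory; running it again after the configs are regenerated shows whether a vhost has gone back to the server certificate.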
 
So Plesk did generate a cert for the domain & put it in /usr/local/psa/var/certificates/?

Is this reproducible when you create another subdomain?
 