Forwarded to devs Let's Encrypt certificate renewal domain aliases get lost

[Hangover2]

TITLE:

Let's Encrypt certificate renewal domain aliases get lost​

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:

‪Debian 9.8‬ amd64, ‬Plesk Onyx, Version 17.8.11 Update #44​

PROBLEM DESCRIPTION:

If a Let's Encrypt certificate - containing domain aliases - is renewed automatically, the selected domain aliases get lost as part of the certificate.​

STEPS TO REPRODUCE:

Create a Let's Encrypt certificate containing domain aliases.E.g.:

example.com
Selected domain aliases: alias.example.com

The generated cert.pem will contain both domains:
[...]
DNS:example.com, DNS:alias.example.com
[...]

30 days before the expiration date the certificate gets renewed automatically.​

ACTUAL RESULT:

The newly generated cert.pem will not contain the server aliases anymore:
[...]
DNS:example.com
[...]​

EXPECTED RESULT:

The newly generated cert.pem should contain the same domains like before:
[...]
DNS:example.com, DNS:alias.example.com
[...]​

ANY ADDITIONAL INFORMATION:

​

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:

Confirm bug​

 

[IgorG]

From developers:

Seems to be caused by EXTLETSENC-626, which is triggered by subdomain-like aliases.
As a workaround, use a wildcard Let's Encrypt certificate:
How to install wildcard certificates with Let's Encrypt?

 

[Hangover2]

With the latest extension update of Let’s Encrypt to version 2.8.0 the problem is fixed:

If a certificate secures a domain plus a subdomain that is an alias for the domain (alias.example.com), the certificate is now correctly automatically renewed without excluding the alias SAN. (EXTLETSENC-626)