Resolved Let's Encrypt certificate with SSL It -> using wrong certificates

[Amaranfinity]

Hey all,

we are running Plesk Obsidian 18.0.42 Update Nr. 1 on Linux with SSL It! 1.10.1-1472 and I've come across a strange problem today.
When I add a new Domain, and try to secure it with a Let's Encrypt Certificate using SSL It!, it says everything was successful, but the
Domain is using a wrong Certificate. I've tried adding several new Domains today, yet it always produces the same Problem (Domainnames are changed in example) :

The new certificate files are created in /usr/local/psa/var/certificates : scfJKWJum and scfrzMGS5

but in the configuration file for the new domain: /etc/nginx/plesk.conf.d/vhosts/newwebsite.conf
it is using
ssl_certificate /usr/local/psa/var/certificates/scf7oJYDe;
ssl_certificate_key /usr/local/psa/var/certificates/scf7oJYDe;
ssl_client_certificate /usr/local/psa/var/certificates/scfmcsyos;

these seem to be the certificates of the Server domain, which are identical in /etc/nginx/plesk.conf.d/vhosts/serverdomain.conf
ssl_certificate /usr/local/psa/var/certificates/scf7oJYDe;
ssl_certificate_key /usr/local/psa/var/certificates/scf7oJYDe;
ssl_client_certificate /usr/local/psa/var/certificates/scfmcsyos;

the file /etc/nginx/plesk.conf.d/server.conf also points to these certificates
ssl_certificate "/usr/local/psa/var/certificates/scf7oJYDe";
ssl_certificate_key "/usr/local/psa/var/certificates/scf7oJYDe";

So the new certificates are created but the wrong certificates get written into the config files for the newly added domains.

Does anyone have any idea what could cause this? Last week everything was still working fine.

Best Regards,
Dennis S.

 

[Kaspar]

If you navigate to Domains > example.com > Hosting Settings, what is selected on the Certificate pull-down option?

If the Certificate pull-down does not have the Let's Encrypt certificate selected, can you manually selected it?

 

[Amaranfinity]

It has the correct Let's Encrypt Certificate selected for the new domain. I've also tried unselecting -> saving -> reselecting -> saving but the
file in /etc/nginx/plesk.conf.d/vhosts/newwebsite.conf always keeps the wrong onnes, the serverdomain files.

 

[Bitpalast]

... the serverdomain files.

Is your server domain the same like the subscription domain?

 

[lightingman2003]

Was there ever a resolution to this issue? We’re experiencing the same issue now, Plesk Obsidian 18.0.49 Update #2 and SSL It! 1.12.3-1586.

Tried manually installing a LetsEncrypt by SSL It, and also using the CLI. When we check SSLShopper for the respective domain, the Domain is using the Certificate for the host server instead.

 

[Peter Debik]

Which certificate is selected from the "Web Hosting Settings" SSL drop down?

 

[lightingman2003]

Thanks for getting back to me. The certificate generated for the Domain in question.

 

[Peter Debik]

The "test2." shows that this is a subdomain. Have you made sure that this subdomain is not also included in another certificate (the one of the main domain), e.g. that is has not been an alias before?

Is this the correct certificate? If so, then I suggest to toggle it to another one, store the configuration, then change it back to the correct one, store the configuration. If this does not help, run
# plesk repair web <your domainname>
afterwards.

 

[lightingman2003]

The main server Domain happens to be a sub-domain itself, and doesn’t appear to be using the wild card certificate.

We recently had to restore the server from backups, and it’s since this that we’ve experienced this issue. All sites created before the issue are currently working correctly using their correct certificates.

We’ve already run the repair on an affected Domain, and it returned ’OK’ with no issues identified.

 

[Peter Debik]

Yes, but your picture is from a subdomain, not from the host configuration. This means that the subdomain exists twice: For the host and as a subscriber domain. Maybe in this case it would be good to rename the host?

 

[lightingman2003]

Yes, but your picture is from a subdomain, not from the host configuration. This means that the subdomain exists twice: For the host and as a subscriber domain. Maybe in this case it would be good to rename the host?

The host server uses the sub-domain ‘hosting.’ It’s this certificate the new Domains are picking up rather than the correctly generated certificate.

If I was to create a certificate with a sub-domain of ‘foo.’, the certificate would be from ‘hosting.’ despite the correct certificate being selected in the Hosting Settings of ‘foo.’.

I can guarantee that there are not 2 domains using the same name.

 

[Peter Debik]

I understand this case now as follows:

The hostname is "hosting.something.tld" and has a certificate.
You create a new subdomain in a subscription that is named "test2.something.tld".
You create a new SSL certificate for that subdomain "test.2something.tld" and that SSL certificate is selected from the drop in "Hosting Settings" of that subdomain.
Nevertheless, that new subdomain does not use the SSL cert from test2.something.tld, but hosting.something.tld.

Is that an appropriate description of the case?

 

[lightingman2003]

Yes @Peter Debik - That is a suitable explanation of the case we are experiencing.
Do you have any suggestions as to how to proceed?

 

[Peter Debik]

Have you tried to run
# plesk repair web <your subdomain>
for example
# plesk repair web test2.something.tld
?

 

[lightingman2003]

Yes, this was tried, and it returned 'OK'.

However, we've just updated Plesk to 18.0.50, and this seems to have corrected the issue. The affected site (test2.domain.tld) is now showing with the correct certificate via SSLShopper. Odd.

Thanks for your help!