• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:
    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question Let's Encrypt Enhanced mode with aliases support

AmaZili Communication

AmaZili Communication

Basic Pleskian
Hi,
I want to say first thank you for the good work already done by the plesk team on providing an easy way to get online with free certificates through Let's Encrypt.

If you read this thread :
https://github.com/plesk/letsencrypt-plesk/issues/28

or this thread :
https://github.com/plesk/letsencrypt-plesk/issues/64

or this one :
https://github.com/plesk/letsencrypt-plesk/issues/19


You will notice a great interest for an enhanced/reworked Let's Encrypt certificate support.

All those people, at least, we are quite sure there are plenty of silent others, are looking for enhanced functionalities : domain aliases or multiple sub-domain (not only www) and mail servers (pop smtp IMAP) support.

My question is is there any one working somewhere on these ?

Thanks again for all the good work.
 
Ruslan Kosolapov said:
Hi.

We'll consider this functionality in upcoming releases.
As I can see it is really wanted feature.

BTW, everyone who consider the feature important may vote for it on User Voice, e.g.: https://plesk.uservoice.com/forums/...d-subdomains-in-one-let-s-encrypt-certificate or https://plesk.uservoice.com/forums/...ons/15013254-let-s-encrypt-add-domain-aliases
Click to expand...

Ain't nobody got time for that. :) This is the most required feature recently! No question. No votes required.
 
Any update on this?

I foolishly started implementing SSL on some sites without realising it would break all the aliases!

Is there a workaround in the meantime?
 
fuf said:
Any update on this?

I foolishly started implementing SSL on some sites without realising it would break all the aliases!

Is there a workaround in the meantime?
Click to expand...

@fuf , could you please describe how do you use (for what scenarios) domain aliases? Maybe your scenarios allows you to use Add-On Domains instead of Domain Aliases?
Another option is to request multi-domain certificate via CLI, but in this case autorenewal will not work.
 
Hi Ruslan Kosolapov,

are you sure with that? I'm not at the current renewal date yet, but if you followed for example my suggestion at => #25 to EXPAND the current certificate and replace the current certificate for YOUR-DOMAIN.COM with the manual expanded certificate ( => "/opt/psa/var/certificates/" and "/opt/psa/var/modules/letsencrypt/etc/live/YOUR-DOMAIN..COM" ), I still hope/expect the automatic renewal - process for the specific certificate ( including the manual added, expanded domain - names ). This might be still only a "hope", because the renewal - process might again try to authenticate with the option "http-01" ( which will fail in case of "webmail.*" for example ), but I will sure report back, when the renewal - date has been reached for my tested certificate with the expaned domain - names.
 
Hi @UFHH01 , thanks for your post, it's interesting idea.

I didn't test it by myself, but as far as I know, automatic renewal process receives domain names from Plesk database, not from the certificate.
 
Ruslan Kosolapov said:
@fuf , could you please describe how do you use (for what scenarios) domain aliases? Maybe your scenarios allows you to use Add-On Domains instead of Domain Aliases?
Another option is to request multi-domain certificate via CLI, but in this case autorenewal will not work.
Click to expand...

Hi Ruslan,

They are all straightforward 301 Redirects:

user goes to alias.com/my-page and gets redirected to domain.com/my-page.

No emails or anything.

I just searched docs.plesk.com and google for "Plesk Add-On Domains" but couldn't find any documentation.
 
Hi Ruslan Kosolapov,

Ruslan Kosolapov said:
automatic renewal process receives domain names from Plesk database, not from the certificate.
Click to expand...
It would help a lot, if you could tell us, what the script daily script "/opt/psa/admin/plib/modules/letsencrypt/scripts/renew-certificates.php" ( encrypted Plesk-PHP-script ) does and which commands it calls, once you installed a Let's Encrypt certificate over Plesk. :)
I'm pretty sure, that when you ( or the Plesk-customer ) would modify this script, it is as well possible to use different options with the "renew" or "auto-renew" commands, which make it possible to renew the certificate with all current issued domain - names, instead of calling the specific "renew" - command with "webroot" - authentification. ;)
 
fuf said:
Hi Ruslan,

They are all straightforward 301 Redirects:

user goes to alias.com/my-page and gets redirected to domain.com/my-page.

No emails or anything.

I just searched docs.plesk.com and google for "Plesk Add-On Domains" but couldn't find any documentation.
Click to expand...

Sorry for term mess, now they're named just "Domains" :)
What the idea - create another domain (inside the same subscription), setup LE certificate for it, then setup redirect to your main domain with .htaccess (example: http://stackoverflow.com/questions/33874212/htaccess-redirect-https-to-another-https). I.e. emulate alias with regular domain. It is not general workaround (there are a lot of nuances that may fail the idea), but in some cases it may works.
 
UFHH01 said:
It would help a lot, if you could tell us, what the script daily script "/opt/psa/admin/plib/modules/letsencrypt/scripts/renew-certificates.php" ( encrypted Plesk-PHP-script ) does and which commands it calls, once you installed a Let's Encrypt certificate over Plesk. :)
Click to expand...

AFAIK the script executes the same command that executed when you press Renew button on Let's Encrypt screen in Plesk :)

/usr/local/psa/admin/conf/panel.ini.sample:
[log]
filter.priority = 7
show.util_exec = on

Then I press Renew button on LE screen in Plesk (I already have domain secured via LE).

# grep 'extension/letsencrypt' /var/log/plesk/panel.log
[2016-12-09 02:43:03] DEBUG [extension/letsencrypt] Execution "/usr/local/psa/var/modules/letsencrypt/venv/bin/certbot" --non-interactive --renew-by-default --no-redirect --agree-tos --text --config-dir '/usr/local/psa/var/modules/letsencrypt/etc' --work-dir '/usr/local/psa/var/modules/letsencrypt/lib' --logs-dir '/usr/local/psa/var/modules/letsencrypt/logs' --authenticator letsencrypt-plesk:plesk --installer letsencrypt-plesk:plesk --email 'MYEMAIL' -d 'MYDOMAIN' run 2>&1 finished with code 1 output: Saving debug log to /usr/local/psa/var/modules/letsencrypt/logs/letsencrypt.log

Actually there is a chance that your trick will work - I don't know how exactly LE process certificate renew, but LE (certbot actually) quite knows about issued certificates. But -d option makes me to be very sceptic. Even I've added "domain = ANOTHERDOMAIN" into /usr/local/psa/var/modules/letsencrypt/cli.ini, -d option take over that setting, and ANOTHERDOMAIN was not included into challenge.

Also you're right about http-01.

UFHH01 said:
I'm pretty sure, that when you ( or the Plesk-customer ) would modify this script, it is as well possible to use different options with the "renew" or "auto-renew" commands, which make it possible to renew the certificate with all current issued domain - names, instead of calling the specific "renew" - command with "webroot" - authentification. ;)
Click to expand...

Support of domain aliases and subdomain already planned on the one of upcoming releases of Plesk Let's Encrypt Extension :)
 
I updated the extension to Let's Encrypt 2.0.0-21 and Plesk Onyx Version 17.0.17 Update #21 and do not see any options to add aliases. I tried renewing existing domain and also deleting Let's Encrypt SSL and replacing with self-signed and then re-installing Let's Encrypt SSL and still no alias options. I even uninstalled Let's Encrypt extension and re-installed. No joy. How do I get this option?
 
Walter said:
I updated the extension to Let's Encrypt 2.0.0-21 and Plesk Onyx Version 17.0.17 Update #21 and do not see any options to add aliases. I tried renewing existing domain and also deleting Let's Encrypt SSL and replacing with self-signed and then re-installing Let's Encrypt SSL and still no alias options. I even uninstalled Let's Encrypt extension and re-installed. No joy. How do I get this option?
Click to expand...

You need to go to the Websites & Domains tab of the Hosting Panel and click on Let's Encrypt button in a section of a domain, which you want to secure. Let's Encrypt SSL Certificate page for this domain will be shown. If domain has aliaces, they will be listed below at this page.
 

Attachments

  • le-button.png
    le-button.png
    162.8 KB · Views: 16
  • le-details.png
    le-details.png
    97.9 KB · Views: 18
@Nosxxx,
could you provide details? If you mean stable file name for a private key, it is already here: check out /opt/psa/var/modules/letsencrypt/etc/live/ directory
 
You must log in or register to reply here.

Similar threads

M
Resolved Lets Encrypt not issuing certs for subdomains
Replies
2
Views
362
mendip_discovery
M
M
Issue Wordpress MU alias domains with Let's Encrypt - hit the error: Order cannot contain more than 100 DNS names
Replies
1
Views
173
Kaspar
K
L
Issue ( authorization token is unavailable ) Could not issue/renew Let`s Encrypt certificates
Replies
7
Views
525
Leta
L
J
Question Let's Encrypt coming from cPanel to Plesk
Replies
3
Views
1K
Kaspar@Plesk
Kaspar@Plesk
R
Issue SSL/TLS cert for mail server not updating (Lets Encrypt)
Replies
2
Views
999
tessa67
T
Back
Top