
Question Let's Encrypt Enhanced mode with aliases support

AmaZili Communication

Basic Pleskian
Hi,
First, I want to say thank you for the good work already done by the Plesk team on providing an easy way to get online with free certificates through Let's Encrypt.

If you read this thread:
https://github.com/plesk/letsencrypt-plesk/issues/28

or this thread:
https://github.com/plesk/letsencrypt-plesk/issues/64

or this one:
https://github.com/plesk/letsencrypt-plesk/issues/19

you will notice great interest in enhanced/reworked Let's Encrypt certificate support.

All those people (and we are quite sure there are plenty of silent others) are looking for enhanced functionality: support for domain aliases, multiple sub-domains (not only www) and mail servers (POP, SMTP, IMAP).

My question is: is there anyone working somewhere on these?

Thanks again for all the good work.
 
Hi.

We'll consider this functionality in upcoming releases.
As I can see, it is a really wanted feature.

BTW, everyone who considers the feature important may vote for it on User Voice, e.g.: https://plesk.uservoice.com/forums/...d-subdomains-in-one-let-s-encrypt-certificate or https://plesk.uservoice.com/forums/...ons/15013254-let-s-encrypt-add-domain-aliases

Ain't nobody got time for that. :) This is the most required feature recently! No question. No votes required.
 
Any update on this?

I foolishly started implementing SSL on some sites without realising it would break all the aliases!

Is there a workaround in the meantime?
 
> Any update on this?
>
> I foolishly started implementing SSL on some sites without realising it would break all the aliases!
>
> Is there a workaround in the meantime?

@fuf, could you please describe how you use domain aliases (for what scenarios)? Maybe your scenarios allow you to use Add-On Domains instead of Domain Aliases?
Another option is to request a multi-domain certificate via the CLI, but in this case autorenewal will not work.
 
Hi Ruslan Kosolapov,

are you sure about that? I'm not at the current renewal date yet, but if you followed, for example, my suggestion at => #25 to EXPAND the current certificate and replace the current certificate for YOUR-DOMAIN.COM with the manually expanded certificate ( => "/opt/psa/var/certificates/" and "/opt/psa/var/modules/letsencrypt/etc/live/YOUR-DOMAIN.COM" ), I still hope/expect the automatic renewal process to work for the specific certificate (including the manually added, expanded domain names). This might still be only a "hope", because the renewal process might again try to authenticate with the option "http-01" (which will fail in the case of "webmail.*", for example), but I will surely report back when the renewal date has been reached for my tested certificate with the expanded domain names.
 
Hi @UFHH01, thanks for your post, it's an interesting idea.

I didn't test it myself, but as far as I know, the automatic renewal process receives domain names from the Plesk database, not from the certificate.
 
> @fuf, could you please describe how you use domain aliases (for what scenarios)? Maybe your scenarios allow you to use Add-On Domains instead of Domain Aliases?
> Another option is to request a multi-domain certificate via the CLI, but in this case autorenewal will not work.

Hi Ruslan,

They are all straightforward 301 Redirects:

user goes to alias.com/my-page and gets redirected to domain.com/my-page.

No emails or anything.

I just searched docs.plesk.com and Google for "Plesk Add-On Domains" but couldn't find any documentation.
 
Hi Ruslan Kosolapov,

> automatic renewal process receives domain names from Plesk database, not from the certificate.

It would help a lot if you could tell us what the daily script "/opt/psa/admin/plib/modules/letsencrypt/scripts/renew-certificates.php" (an encrypted Plesk PHP script) does and which commands it calls once you have installed a Let's Encrypt certificate through Plesk. :)
I'm pretty sure that if you (or the Plesk customer) modified this script, it would also be possible to use different options with the "renew" or "auto-renew" commands, which would make it possible to renew the certificate with all currently issued domain names, instead of calling the specific "renew" command with "webroot" authentication. ;)
 
> Hi Ruslan,
>
> They are all straightforward 301 Redirects:
>
> user goes to alias.com/my-page and gets redirected to domain.com/my-page.
>
> No emails or anything.
>
> I just searched docs.plesk.com and Google for "Plesk Add-On Domains" but couldn't find any documentation.

Sorry for the terminology mess, now they're named just "Domains" :)
The idea is: create another domain (inside the same subscription), set up an LE certificate for it, then set up a redirect to your main domain with .htaccess (example: http://stackoverflow.com/questions/33874212/htaccess-redirect-https-to-another-https). I.e. emulate an alias with a regular domain. It is not a general workaround (there are a lot of nuances that may make the idea fail), but in some cases it may work.
 
> It would help a lot if you could tell us what the daily script "/opt/psa/admin/plib/modules/letsencrypt/scripts/renew-certificates.php" (an encrypted Plesk PHP script) does and which commands it calls once you have installed a Let's Encrypt certificate through Plesk. :)

AFAIK the script executes the same command that is executed when you press the Renew button on the Let's Encrypt screen in Plesk :)

/usr/local/psa/admin/conf/panel.ini.sample:
[log]
filter.priority = 7
show.util_exec = on

Then I press the Renew button on the LE screen in Plesk (I already have a domain secured via LE).

# grep 'extension/letsencrypt' /var/log/plesk/panel.log
[2016-12-09 02:43:03] DEBUG [extension/letsencrypt] Execution "/usr/local/psa/var/modules/letsencrypt/venv/bin/certbot" --non-interactive --renew-by-default --no-redirect --agree-tos --text --config-dir '/usr/local/psa/var/modules/letsencrypt/etc' --work-dir '/usr/local/psa/var/modules/letsencrypt/lib' --logs-dir '/usr/local/psa/var/modules/letsencrypt/logs' --authenticator letsencrypt-plesk:plesk --installer letsencrypt-plesk:plesk --email 'MYEMAIL' -d 'MYDOMAIN' run 2>&1 finished with code 1 output: Saving debug log to /usr/local/psa/var/modules/letsencrypt/logs/letsencrypt.log

Actually there is a chance that your trick will work - I don't know exactly how LE processes certificate renewal, but LE (certbot, actually) quite knows about issued certificates. But the -d option makes me very sceptical. Even when I added "domain = ANOTHERDOMAIN" to /usr/local/psa/var/modules/letsencrypt/cli.ini, the -d option took over that setting, and ANOTHERDOMAIN was not included in the challenge.

Also you're right about http-01.

> I'm pretty sure that if you (or the Plesk customer) modified this script, it would also be possible to use different options with the "renew" or "auto-renew" commands, which would make it possible to renew the certificate with all currently issued domain names, instead of calling the specific "renew" command with "webroot" authentication. ;)

Support for domain aliases and subdomains is already planned for one of the upcoming releases of the Plesk Let's Encrypt Extension :)
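
The posts above say that the renewal command receives its names through `-d` rather than from the certificate. This added example (not part of the thread and not Plesk code) parses a debug line in the `panel.log` format shown above and lists the certificate names that such a renewal would leave out. The log line and the subjectAltName line are constructed samples with placeholder values, and the log line is shortened.

```python
import re
import shlex

# Constructed sample: a panel.log line in the format quoted in the thread,
# shortened, with placeholder e-mail/domain values and exit code.
SAMPLE_LOG = (
    '[2016-12-09 02:43:03] DEBUG [extension/letsencrypt] Execution '
    '"/usr/local/psa/var/modules/letsencrypt/venv/bin/certbot" --non-interactive '
    "--renew-by-default --no-redirect --agree-tos --text "
    "--authenticator letsencrypt-plesk:plesk --installer letsencrypt-plesk:plesk "
    "--email 'admin@example.com' -d 'example.com' run 2>&1 finished with code 0 "
    "output: Saving debug log to /usr/local/psa/var/modules/letsencrypt/logs/letsencrypt.log"
)

# Constructed sample: the subjectAltName line that `openssl x509 -noout -text`
# prints for a certificate that was expanded by hand.
SAMPLE_SAN = "DNS:example.com, DNS:www.example.com, DNS:webmail.example.com"

EXEC_RE = re.compile(r"\[extension/letsencrypt\] Execution (.+?) finished with code \d+")

def requested_domains(log_line):
    """Names passed to certbot via -d/--domain(s) in one logged command."""
    match = EXEC_RE.search(log_line)
    if not match:
        return set()
    argv = shlex.split(match.group(1))  # handles the quoted path and values
    names = set()
    for i, arg in enumerate(argv):
        if arg in ("-d", "--domains", "--domain") and i + 1 < len(argv):
            value = argv[i + 1]
        elif arg.startswith(("--domains=", "--domain=")):
            value = arg.split("=", 1)[1]
        else:
            continue
        # certbot accepts repeated -d flags and comma-separated lists
        names.update(n.strip().lower() for n in value.split(",") if n.strip())
    return names

def san_names(san_line):
    """Parse 'DNS:a, DNS:b' into a set of lower-cased host names."""
    parts = (p.strip() for p in san_line.split(","))
    return {p[4:].lower() for p in parts if p.startswith("DNS:")}

def names_lost_on_renewal(log_line, san_line):
    """Names in the certificate that the logged renewal command does not request."""
    return sorted(san_names(san_line) - requested_domains(log_line))

if __name__ == "__main__":
    print(names_lost_on_renewal(SAMPLE_LOG, SAMPLE_SAN))
```

A non-empty result means the certificate covers names that the logged command does not request with `-d`.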
 
I updated the extension to Let's Encrypt 2.0.0-21 and Plesk Onyx Version 17.0.17 Update #21 and do not see any options to add aliases. I tried renewing existing domain and also deleting Let's Encrypt SSL and replacing with self-signed and then re-installing Let's Encrypt SSL and still no alias options. I even uninstalled Let's Encrypt extension and re-installed. No joy. How do I get this option?
 
> I updated the extension to Let's Encrypt 2.0.0-21 and Plesk Onyx Version 17.0.17 Update #21 and do not see any options to add aliases. I tried renewing existing domain and also deleting Let's Encrypt SSL and replacing with self-signed and then re-installing Let's Encrypt SSL and still no alias options. I even uninstalled Let's Encrypt extension and re-installed. No joy. How do I get this option?

You need to go to the Websites & Domains tab of the Hosting Panel and click on the Let's Encrypt button in the section of the domain which you want to secure. The Let's Encrypt SSL Certificate page for this domain will be shown. If the domain has aliases, they will be listed further down on this page.
 

@Nosxxx,
could you provide details? If you mean a stable file name for a private key, it is already here: check out the /opt/psa/var/modules/letsencrypt/etc/live/ directory
 