This is a small issue, for consideration before the next Plesk Extension upgrade (maybe).
@Ruslan Kosolapov
We use the Plesk Extension, not for all, but for the majority of the domains that we host. Where we see differences or potential issues, we use ACME.SH instead. The latest Plesk Extension release is great and has many improvements. We've experienced some of them already.
This small issue is to do with domains that have conditional re-directs applied (i.e. re-direct apart from certain IPv4 and/or IPv6 addresses).
A) If this conditional re-direct is applied by .htaccess (and/or other method probably) and Nginx is running as proxy for Apache, there are no issues. The certificates are successfully auto-renewed by the Plesk Extension.
B) If this conditional re-direct is applied directly by Nginx and Apache is NOT running at all (by choice), there are issues. The certificates are NOT successfully auto-renewed by the Plesk Extension.
An example domain with no sub-domains is shown below. First, the extract from the e-mail notification:
Could not renew Let's Encrypt certificates for *** *** (login admin). Please log in to Plesk and renew the certificates listed below manually. Renewal of the following Let's Encrypt certificates has failed:
* 'Lets Encrypt ***.com' [days to expire: 29]
[-] ***.com
[-] webmail.***.com
[-] www.***.com
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz/8***long sequential number***
Details:
Type: urn:ietf:params:acme:error:unauthorized
Status: 403
Detail: Invalid response from https://###.com/[**IPv6** address]: "<!DOCTYPE html>\n<html lang=\"en\" prefix=\"og: Open Graph protocol fb: http://ogp.me/ns/fb#\">\n \n<head>\n \n<base href=\"https://###.com"
The ***.com is the domain with the conditional re-direct applied and the ###.com is the re-direct target.
Extract from .htaccess file:
Code:
<IfModule mod_rewrite.c>
    Options +FollowSymlinks
    RewriteEngine On
    RewriteBase /
    # Skip the re-direct for the allowed IPv4 and IPv6 addresses
    RewriteCond %{REMOTE_ADDR} !=**.***.***.**
    RewriteCond %{REMOTE_ADDR} !=****:****:****:****:****:****:****:****
    # Every other client is sent to the re-direct target
    RewriteRule ^(.*)$ https://###.com [R=301,L]
</IfModule>
Nginx re-direct data:
Code:
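# $rule_0 collects one digit for each allowed address the client does NOT match
if ($remote_addr !~ "^**\.***1\.***\.**$") {
    set $rule_0 1$rule_0;
}
# Unescaped $ anchors the end of the address, as in the IPv4 rule above
if ($remote_addr !~ "^****\:****\:****\:****\:****\:****\:****\:****$") {
    set $rule_0 2$rule_0;
}
# "21" means neither allowed address matched, so re-direct
if ($rule_0 = "21") {
    rewrite /.? https://###.com/ last;
}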
To solve this particular example (as the .htaccess file remains in place regardless) we switched the domain from Nginx only back to Apache c/w Nginx proxy and at the next auto-attempt, the certificate was successfully auto-renewed by the Plesk Extension. We then reverted the domain back to Nginx only and have noted this specific 'requirement' will be needed just BEFORE the next Let's Encrypt Certificate auto-renewal date.
This is not a big issue (for us) as it affects a very small number of our domains, but we've posted it as it might also affect other Plesk users' Nginx only domains, where an Nginx direct, conditional re-direct is in place.
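
The 403 in the notification shows the validation request receiving its answer from ###.com, i.e. the Nginx rule re-directed Let's Encrypt along with every other non-allowed client. One way to keep the conditional re-direct while exempting the validation path, as an added example that is not part of the original post and not Plesk's own configuration. It assumes HTTP-01 validation is in use and that the directives sit in the server context; the addresses and redirect-target.example are constructed placeholders.

```nginx
# Added example (not from the original post). Placeholders: 192.0.2.10,
# 2001:db8::10 and redirect-target.example. Assumed: server context, HTTP-01.

# Start from a known empty value so the comparison below is predictable
set $rule_0 "";

# One digit is added for each allowed address the client does NOT match
if ($remote_addr !~ "^192\.0\.2\.10$") {
    set $rule_0 1$rule_0;
}
if ($remote_addr !~ "^2001:db8::10$") {
    set $rule_0 2$rule_0;
}

# HTTP-01 validation requests always arrive under this path and come from
# addresses that cannot be allow-listed in advance, so clear the marker
# and let the request reach the challenge file instead of the re-direct.
if ($uri ~ "^/\.well-known/acme-challenge/") {
    set $rule_0 "";
}

# "21" = neither allowed address matched and the request is not a challenge
if ($rule_0 = "21") {
    return 301 https://redirect-target.example/;
}
```

Only the challenge path is exempted, so all other requests from non-allowed addresses are still re-directed; `return 301` is used here in place of the post's `rewrite ... last` to match the permanent re-direct in the .htaccess version.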