
Let's Encrypt extension

Hi bulent,
the Plesk Let's Encrypt Extension should have installed the monthly crontab with the included command:...

Here it has installed a DAILY crontab, as opposed to the previous version that was set to monthly, and it was only discovered now. It has also silently altered the execution time setting to "midnight". That is very bad, because we had to set a specific execution time as the extension had been causing issues on the auto-attended run every night.

We have now changed execution back to monthly and to a time where we definitely have a person on site, to make sure that in case the extension messes certificate names up as it did before, someone can fix it right away. Hopefully not running this daily does not have new, unknown caveats.

EDIT: I assume that it was changed to "daily" to reduce the number of certificates that will actually be renewed on each run. This will probably improve stability, because previously, if one renewal failed or was mis-named, it caused other processes trouble.
 
Hi Peter Debik,

yes, this option recently changed... it is indeed now a DAILY crontab by default, but you may certainly modify the crontab to your own needs and desires. ;)
 
O.k., my previous thought was not complete. It is probably better to run it daily (during daytime however), because then it will only renew 1/30 of all certs on average compared to the previous model. The previous model took up to 45 minutes on our systems for one renewal cycle, and it gave many headaches. So probably the new model with daily renewals is the better choice. Interesting though, that despite being on the forum daily and dealing with this stuff daily, I have only now discovered that the latest update to 2.0.3 also brought the enhancement to the alias domain selection ... The only thing that is still missing is the webmail Let's Encrypt option. That's something many customers are asking for.
 
The only thing that is still missing is the webmail Let's Encrypt option. That's something many customers are asking for.
As I heard and read, they are still "working on it"... the current version is still not perfect, but I doubt that it will take long for a ( let's call it ) final version, with all requested features for this Extension ( apart from the not-possible ones, of course! ^^ ).

Some things take a bit longer, to make you smile when they are finished! :p:D:p
 
Recently all my Let's Encrypt domain certs expired (for some reason they did not auto-renew), so I tried renewing them manually, especially the main domain for our Plesk control panel so it would be secured, but I get this weird error message: Let's Encrypt SSL certificate installation failed: Challenge marked as invalid. Details: Fetching http://galaxyserver.net/.well-known/acme-challenge/[Redacted]: Timeout



Well, there is no such directory, there never was, so I don't know what that is all about, but I get similar error messages on all the other domains/subdomains I am trying to renew my LE certs on my server.
 
Hi Ryan,

Pls. CHECK your DNS - settings, which are currently for example:

[email protected] (Default):
galaxymail.net. 28799 IN A 216.239.34.21

galaxymail.net. 28799 IN A 216.239.36.21
galaxymail.net. 28799 IN A 216.239.38.21
galaxymail.net. 28799 IN A 216.239.32.21

[email protected] (AT&T (US)):
galaxymail.net. 28800 IN A 74.208.47.168

[email protected] (Google):
galaxymail.net. 28799 IN A 74.208.47.168

[email protected] (HiNet (TW)):
galaxymail.net. 28800 IN A 216.239.38.21
galaxymail.net. 28800 IN A 216.239.34.21
galaxymail.net. 28800 IN A 216.239.32.21
galaxymail.net. 28800 IN A 216.239.36.21

[email protected] (OpenDNS):
galaxymail.net. 28800 IN A 216.239.36.21
galaxymail.net. 28800 IN A 216.239.34.21
galaxymail.net. 28800 IN A 216.239.32.21
galaxymail.net. 28800 IN A 216.239.38.21

[email protected] (UUNET (CH)):
galaxymail.net. 28800 IN A 216.239.34.21
galaxymail.net. 28800 IN A 216.239.38.21
galaxymail.net. 28800 IN A 216.239.32.21
galaxymail.net. 28800 IN A 216.239.36.21

[email protected] (UUNET (DE)):
galaxymail.net. 28800 IN A 216.239.34.21
galaxymail.net. 28800 IN A 216.239.38.21
galaxymail.net. 28800 IN A 216.239.36.21
galaxymail.net. 28800 IN A 216.239.32.21

[email protected] (UUNET (UK)):
galaxymail.net. 28800 IN A 216.239.36.21
galaxymail.net. 28800 IN A 216.239.32.21
galaxymail.net. 28800 IN A 216.239.38.21
galaxymail.net. 28800 IN A 216.239.34.21

[email protected] (UUNET (US)):
galaxymail.net. 28800 IN A 216.239.32.21
galaxymail.net. 28800 IN A 216.239.34.21
galaxymail.net. 28800 IN A 216.239.38.21
galaxymail.net. 28800 IN A 216.239.36.21

[email protected] (Verisign (US)):
galaxymail.net. 28800 IN A 74.208.47.168

Well, there is no such directory, there never was, so I don't know what that is all about, but I get similar error messages on all the other domains/subdomains I am trying to renew my LE certs on my server.
The directory ".well-known" and the subdirectory "acme-challenge" will be ( temporarily ) created during the Let's Encrypt validation process. Pls. see your "panel.log" for further information on the creation and deletion process. ;)


Additional information:


Sometimes, it is as well a good idea to change the log level ( TEMPORARILY! ), to get more information in Plesk log files:
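
Added example, not part of the original post: a small Python check for the DNS situation shown above, where different resolvers return different A records for the same name, so an HTTP-01 challenge fetch may land on a host that does not hold the challenge file. The sample input, resolver labels, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the resolver comparison above (documentation-range IPs).
SAMPLE = """\
resolver-a:
example.test. 28800 IN A 192.0.2.10

resolver-b:
example.test. 28800 IN A 198.51.100.21
example.test. 28800 IN A 198.51.100.22

resolver-c:
example.test. 28799 IN A 192.0.2.10
"""

RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")

def parse_answers(text):
    """Return {resolver_label: set of A-record addresses} from grouped output."""
    answers, current = defaultdict(set), None
    for line in text.splitlines():
        line = line.strip()
        m = RECORD.match(line)
        if m and current is not None:
            answers[current].add(m.group(3))
        elif line.endswith(":"):
            current = line[:-1]
            answers[current]  # register the resolver even if it returned nothing
    return dict(answers)

def check_consistency(answers, server_ip):
    """Classify each resolver's answer against the IP that serves the challenge."""
    report = {}
    for resolver, ips in answers.items():
        if ips == {server_ip}:
            report[resolver] = "ok"
        elif server_ip in ips:
            report[resolver] = "mixed"      # only some requests reach the server
        else:
            report[resolver] = "mismatch"   # challenge fetch goes to another host
    return report

def http01_ready(report):
    """True only if every resolver points solely at the server."""
    return bool(report) and all(v == "ok" for v in report.values())

if __name__ == "__main__":
    print(check_consistency(parse_answers(SAMPLE), "192.0.2.10"))
```

Any resolver reported as "mixed" or "mismatch" points at DNS records that should be corrected before retrying the certificate request.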

 
I have the control panel and mail servers set to use "cp.domain.tld" and "mail.domain.tld" names and the base system IP address.
These do not have hosting settings.
How can I get certificates created for each of those automatically?
 
Hi galaxy,

sorry, but I don't really understand, what your goal is, as your questions and descriptions are not very precise.

These do not have hosting settings.
Which "hosting settings", pls. ?

How can I get certificates created for each of those automatically?
There is no "automatic" option over your Plesk Control Panel to secure a domain/subdomain with a certificate. If you desire a unique procedure to do that ( when you create a domain/subdomain ), pls. consider creating a new event with the "Event Manager" ( => HOME > Tools & Settings > Event Manager ).
 
What I meant is that I have a domain for the company: mydomain.tld and it has a dedicated IP address.
I've created DNS entries for mail.mydomain.tld and cp.mydomain.tld which are the server's main address, not the same as mydomain.tld.
So the mail server certificate for mail.mydomain.tld expired yesterday and I'm trying to find a way to automate an SSL certificate for the mail system.
It would be a bonus to have cp.mydomain.tld have a certificate too.

Since Plesk subdomains must have the same IP address as the main domain, I can't make them sub-domains of mydomain.tld.

To bypass this, I've now created a new subscription called cp.mydomain.tld with the server's IP address. I've aliased mail.mydomain.tld to cp.mydomain.tld.
It doesn't appear to create a certificate for the alias, only cp.mydomain.tld.

So I'll try making it just another domain rather than an alias or subdomain.
 
Hi galaxy,

Since plesk subdomains must have the same IP address as the main domain, I can't make them sub-domains of mydomain.tld.
... and how about creating separate subscriptions with the corresponding IPs for "mail.mydomain.tld" and "cp.mydomain.tld" ?

The "autorenew" crontab for Let's Encrypt should take care of the automatic renewal of your certificates, which you are able to inspect in your "panel.log", where the Plesk Let's Encrypt Extension logs its actions. ;)
 
mail.mydomain.tld and cp.mydomain.tld have the same IP. Can two subscriptions have the same dedicated IP?
 
But would the shared IP be available in customer's or reseller's lists? If so, that would be out of the question...
 
Hi galaxy,

WHICH IPs are available to your resellers, can be defined by YOU at the reseller - service - plan(s)

=> HOME > Service Plans > (tab) Reseller Plans > YOUR-RESELLER-PLAN-NAME > ( tab) IP Addresses

Customers' IP(s) are defined by YOU, when you create their subscription(s), and resellers' customer(s) are only able to use IP(s) defined in their reseller plan(s). ;)
 
I'm using OBAS, which uses pools of IPs. Not sure how to control it in there. I just let OBAS do the assigning.
 
This plugin has nothing to do with OBAS. Not sure where you're going with this. I don't want to put this administrative stuff into the billing system. It doesn't support the extension anyway.

I'm sure (when I get the chance), I'll get the second domain working after LE lets me. LE errors, too many attempts... Just need to wait it out.
 
Hi galaxy,

Not sure where you're going with this
Well, sorry, but it was YOU, who brought up "OBAS"... I just wanted to make sure, that we can't give you any support for "OBAS" here at the Plesk Community Forum, as this product is not from Plesk. :)
 