
Let's Encrypt extension

Guys, all domains on my Plesk server now have the same date for the Let's Encrypt cert: 17 Mar 2016 - 17 Mar 2021. One example is https://brightside.bike ; when you look at the cert it runs from today until Jan 2018.
OS CentOS 6.9 (Final)
Product Plesk Onyx
Version 17.5.3 Update #25
 
Here is a screenshot of the first 4; according to Plesk they run 17 Mar 2016 - 17 Mar 2021

Security Advisor - Plesk Onyx 17.5.3

it shows:
blog.print-print.co.uk
bostongilmore.com
brightside.bike
cakesofgoodtaste.co.uk

All certs are actually (you can view site and check) 16th Oct 2017 to 14 Jan 2018

They all now start 16th Jan as I renewed the lot hoping it would change the dates :)

Andy
 
Hi teckna,

This is a (temporary) display bug, which should be fixed within one of the nearest updates. Thank you for notifying.
 
Thanks for the new version.

BUT we are still missing the feature to request ONE single certificate within a subscription where one can select domains, subdomains, aliases as possible alternative names. Currently it is only possible to add aliases, which does not really make sense. We run into certificate request limits quite often, since we have many customers who have a lot of subdomains that could all go into the same certificate.

To add several domains and subdomains also into one certificate was requested a while ago already. Is this at least on the roadmap already?

Thanks!
 
Hello, I didn't see anyone asking for this (hopefully this hasn't been covered yet) but is there a way to turn off the email sent to the Plesk account owner?

We set the email address in the admin panel under Let's Encrypt for each domain to our admin email address but we found our clients are receiving notification emails and we'd like this turned off or just set so that the only emails going out are only to the email address set in the admin panel in Let's Encrypt. Maybe this is a bug, I'm not sure.

Thanks in advance!
-Tony
 
Hello @Tony Herman ,

Our (Plesk) notifications can be disabled by the following:
1. Tools & Settings > Notifications
2. remove "Customer" checkbox from "Let's Encrypt certificates auto-renewal failure (customer's digest)" and "Let's Encrypt certificates auto-renewal success (customer's digest)" items.

If you mean notifications from Let's Encrypt servers - we'll check your case. Could you check the version of the extension, is it 2.4?
 
Hi guys,

We use the Let's Encrypt extension for our domain hosting for our customers. We are using SNI and have around 300 sites hosted on one IP. When I initially set up the Let's Encrypt SSL certificate for each domain, I put my email address in so customers didn't receive notifications about LE. When the renewal time came (within 30 days of expiry), I noticed that it automatically changed the email address back to the subscriber's email address and as such customers were contacting me asking what the email was in regards to. I turned off the notifications for LE in the notifications section for now, but not sure if this is a bug that needs to be fixed?

Also too, because we have around 300 domains for the IP, LE has blocked our IP with error 429 "Detail: Error creating new registration :: too many registrations for this IP". Is there any way around this for multiple sites on a single IP? Maybe it might be worthwhile in the cron script that checks renewals each day, to set a limit to say 10 renewals every 3 hours instead of looping through every domain that has a certificate?

It appears we're hitting this limit "You can create a maximum of 10 Accounts per IP Address per 3 hours."

Cheers, Mike
 
@weathermon

You stated

Also too, because we have around 300 domains for the IP, LE has blocked our IP with error 429 "Detail: Error creating new registration :: too many registrations for this IP". Is there any way around this for multiple sites on a single IP? Maybe it might be worthwhile in the cron script that checks renewals each day, to set a limit to say 10 renewals every 3 hours instead of looping through every domain that has a certificate?

and it is very likely that you are hitting some limits, as used by default by LE servers.

You can take the easy path and just spread renewals across various dates (hence reducing the probability that you will hit the LE limits).

This solution simply requires that you select some random domains and renew them manually: LE will start counting from the date you renewed them (and all other domains will be renewed at the default date, which should be very similar for those domains).

In essence, this solution attempts to play around with LE limits (and this might require some trial-and-error).

You can also use one of the development servers of LE, which are not limited (read: they are limited, but not as strictly as the regular LE servers).

The default rate limit for LE is: a maximum of 10 Accounts per IP Address per 3 hours.

The staging rate limit for LE is: a maximum of 50 Accounts per IP Address per 3 hours.

In theory, you should be able to run the command

plesk bin extension --exec letsencrypt cli.php [regular LE command] --staging

and note that

- the --staging flag will result in using the development servers of LE
- the regular LE command should be based on "certbot" (otherwise, the --staging will most likely not work)


I personally recommend that you use the method of spreading the renewals across various dates.

That way, you will not have any issues with automatic renewals of LE certificates.


Hope the above helps a bit.

Regards.........
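The throttle discussed in the two posts above (at most 10 requests per 3-hour window, with renewals spread over time), as an added example that is not part of the thread or of the Plesk extension. `plan_renewals` and the `.example` domains are hypothetical, and the code assumes each renewal counts once against the window, as the posts do.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=3)   # window length quoted in the thread
PER_WINDOW = 10               # requests allowed per window, as quoted in the thread

def plan_renewals(expiries, start, lead=timedelta(days=30)):
    """Spread renewals so that each 3-hour window holds at most PER_WINDOW.

    expiries: dict of domain -> certificate expiry (datetime).
    start:    first moment the planner may use.
    lead:     how long before expiry a certificate becomes renewable.
    Returns (schedule, late): domain -> renewal time, plus the domains
    that could not be placed before their certificate expires.
    """
    schedule, late = {}, []
    slot, used = start, 0
    # Soonest expiry first, so a backlog never starves an urgent certificate.
    for domain, expiry in sorted(expiries.items(), key=lambda kv: (kv[1], kv[0])):
        earliest = max(start, expiry - lead)
        if earliest > slot:
            # Jump to the first window boundary at or after `earliest`.
            steps = -(-(earliest - start) // WINDOW)
            slot, used = start + steps * WINDOW, 0
        if used == PER_WINDOW:
            slot, used = slot + WINDOW, 0
        if slot >= expiry:
            late.append(domain)   # flag it instead of silently missing the expiry
            continue
        schedule[domain] = slot
        used += 1
    return schedule, late

def demo():
    """Constructed input: 300 hypothetical domains that all expire together."""
    start = datetime(2018, 1, 1)
    expiries = {f"site{i:03d}.example": datetime(2018, 1, 20) for i in range(300)}
    schedule, late = plan_renewals(expiries, start)
    return max(schedule.values()) - start, late

if __name__ == "__main__":
    span, late = demo()
    print(f"all renewals placed within {span}, late: {late}")
```

The `late` list is the part worth monitoring: a non-empty result means some certificates will expire before the throttle lets them through.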
 
@weathermon

This solution simply requires that you select some random domains and renew them manually: LE will start counting from the date you renewed them (and all other domains will be renewed at the default date, which should be very similar for those domains).

Ok cool I might start manually renewing a few domains per day so we don't hit the limit again. Thanks for your help!

Cheers, Mike
 
Hello.


We’ve just released Let’s Encrypt Extension 2.5.1: Let's Encrypt - Plesk Extensions


The changes (Change Log for Plesk):


2.5.1 (27 February 2018)

[*] Improved the extension code to make delivering future improvements easier.

[-] Fixed the issue where, if the "Keep secured" option and at least one of the "secure webmail"/"secure www" options were enabled in Let's Encrypt settings for a domain whose name contained uppercase letters, Let's Encrypt tried retrieving certificates every hour, exceeding rate limits and sending misleading email notifications to the domain's owner. (EXTLETSENC-447)

[-] Fixed the issue where, if the "Keep secured" option was enabled in Let's Encrypt settings for a domain for which webmail was disabled, the domain's owner received daily email notifications about Let's Encrypt trying and failing to secure webmail. (EXTLETSENC-457)

[-] Fixed the issue where domain aliases with names in uppercase (e.g. ALIAS.domain.tld) were shown as unsecured in Let's Encrypt even if they were, in fact, secured with a Let's Encrypt certificate. (EXTLETSENC-250)

[-] Fixed the issue where renewing the Let's Encrypt certificate for a domain with a wildcard subdomain resulted in the subdomain becoming inaccessible. (EXTLETSENC-395)

[-] Fixed the issue where, in Plesk Web Admin Edition, customers received notifications about Let's Encrypt certificates' renewal even if these notifications were disabled in "Tools&Settings" > "Notifications". (EXTLETSENC-427)

[-] Fixed the issue where trying to secure webmail for a domain using Plesk Premium Email with a Let's Encrypt certificate resulted in an error. (EXTLETSENC-365)

[-] Fixed the issue where Let's Encrypt challenges failed for domains with a custom MIME type configured for "." (extensionless files). (EXTLETSENC-364)

[-] Fixed the issue where renewing the Let's Encrypt certificate securing Plesk stalled indefinitely if the number of IP addresses on the server was very large (40-50 or more). (EXTLETSENC-367)
 
Hi guys,
I ran into an issue when requesting LE certificates for domain aliases. I already left it as a reply in this extension's GitHub repo (Support for domain aliases · Issue #28 · plesk/letsencrypt-plesk · GitHub) but also wanted to share the issue here.

In our WordPress multisite setup we have one main domain and all the subsites are aliases with their own domain name, so no subdomains. Thanks to the latest updates of the Plesk LE extension we could now start requesting SSL certs for all aliases (6500 domain names). However, each time we request a new certificate, all the domains that already have a certificate are also included to be renewed in the signing request. As I now have 100 aliases secured with LE it is now impossible to request any more certificates. If I try to request a new certificate, the LE extension throws an error "Detail: Error creating new cert :: CSR contains more than 100 DNS names".

Wouldn't it make more sense to only request certs for the domains that do not yet have SSL? As the renewal of domains is handled by a daily Cron? Otherwise there is no way to secure more than 100 aliases per domain.

Regards,
Sander
 
Hi @SdeWijs
  1. Let's Encrypt has a limit - 100 DNS names in a single certificate
  2. Domain Aliases and Domain share the same certificate. In other words, it's impossible to issue one certificate for Domain and another certificate for Domain Alias(es). There is always the single certificate for all of them. It is how TLS and webservers work.
  3. So, you're right - there is no simple way to secure more than 100 Domain Aliases per domain.
What you can do with the case:
  1. select 99 domain aliases that should be secured and do not secure others. Uncheck www and webmail options (or reduce the amount of domain aliases to secure).
  2. buy some commercial certificate with ability to secure 6500 SANs. Frankly, I don't think it will be easy to find such CA, and I think the price will be high.
  3. create 65 domains with 100 domain aliases per each, utilising the same www-root. Looks like a kind of dirty hack with quite expensive maintenance.

BTW, for me it looks hmmm... crazy? :) to have such a huge amount of domain aliases :) Why do you need so many?
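The name-count arithmetic behind the reply above, as an added example that is not part of the thread or of the Plesk extension. It assumes the primary domain counts as one of the 100 names (the "99 domain aliases" figure in the first workaround) and that the www option adds one `www.` name per secured entry; function names and the `.example` aliases are hypothetical.

```python
MAX_NAMES = 100  # DNS names per certificate, the limit quoted in the reply above

def names_for(entry, www=False):
    """DNS names one secured entry adds to the certificate (lowercased)."""
    base = entry.strip().rstrip(".").lower()   # DNS names are case-insensitive
    return [base, "www." + base] if www else [base]

def group_aliases(aliases, www=False, limit=MAX_NAMES):
    """Split aliases into groups that fit one certificate next to a primary domain."""
    per_entry = len(names_for("x.example", www))
    capacity = limit // per_entry - 1          # one entry is taken by the primary domain
    # Drop duplicates that differ only in case or a trailing dot, keeping order.
    unique = list(dict.fromkeys(names_for(a)[0] for a in aliases))
    return [unique[i:i + capacity] for i in range(0, len(unique), capacity)]

def san_list(primary, group, www=False, limit=MAX_NAMES):
    """Full name list for one certificate; refuses to exceed the limit."""
    sans = []
    for entry in [primary, *group]:
        sans.extend(names_for(entry, www))
    if len(sans) > limit:
        raise ValueError(f"{len(sans)} DNS names exceeds the limit of {limit}")
    return sans

def demo():
    """Constructed input: 6500 hypothetical alias names, the count from the thread."""
    aliases = [f"shop{i:04d}.example" for i in range(6500)]
    plain = group_aliases(aliases)             # www option off
    with_www = group_aliases(aliases, www=True)
    return len(plain), len(plain[0]), len(with_www), len(with_www[0])

if __name__ == "__main__":
    print(demo())
```

Running `san_list` on each group before submitting a request catches an oversized name list locally instead of at the CA, where a rejected request still counts as an attempt.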
 
Hi Ruslan,

Thanks for your extensive answer! The reason for the huge number of domain aliases is because we use a WordPress multisite environment for our application's frontend. Our customers have multiple subsites to promote individual products. Each subsite has its own unique domain name, and we have a lot of customers.

I agree that solution three is a bit of a hack, but option 1 and 2 are also not that appealing. I will talk to our hosting provider and see if we can find an elegant solution. Thanks again!
 