Let's Encrypt extension

[Ruslan Kosolapov]

Hi @learning_curve

Yes, anyone is able to issue wildcard certificate other (not Let's Encrypt Extension) way and assign it to a domain with Plesk UI.
But that certificate will not be autorenewed by our extension, so, don't forget to reissue it after three months (I believe you'll be able to do that with Let's Encrypt Extension )

 

[learning_curve]

Hi @Ruslan Kosolapov Thank you and yes you're totally right on both counts We've already tested and are now using, one of various "manual" methods of utilising wildcard certificates as part of our Plesk setup (covered in this other thread, which we posted prior to your reply above) However... Nirvana aka the Let's Encrypt Plesk Extension (and it's excellent auto-renewal process) is what we really need. Self-admin for renewals works fine, but it is time consuming and requires diligence... so please hurry with the upgrade / release of the extension!

 

[Brownsugar]

Is it possible to secure only webmail without binding the main domain?
For example, abc.com uses paid certificate, webmail use Let's encrypt certificate with auto renewing.

 

[Ruslan Kosolapov]

Is it possible to secure only webmail without binding the main domain?
For example, abc.com uses paid certificate, webmail use Let's encrypt certificate with auto renewing.

Unfortunately, for now, no
We have such a feature in our plans, and definitely, someday it will be available.

You can assign a certificate to webmail manually.

 

[jeffreytanuwidjaja]

how to secure wildcard using let's encrypt? i'm using wordpress multisite

thanks

 

[MarkM]

how to secure wildcard using let's encrypt? i'm using wordpress multisite

thanks

Is it possible to use Let's Encrypt for wildcard certificates?

 

[TomBoB]

Unfortunately, for now, no
We have such a feature in our plans, and definitely, someday it will be available.

You can assign a certificate to webmail manually.

Would also like to have it implemented. Usage case:

Client had web and email hosting with us. For the website he has it now hosted elsewhere, for emails he is still with us.

Would be nice if - when the webhosting is disabled - the extension still lets you do the webmail subdomain.

Cheers,
Tom

 

[StéphanS]

Is it possible to include preview links in the certificate Subject Alt Name list?

         port 7081 namevhost domain.tld (/etc/httpd/conf/plesk.conf.d/vhosts/domain.tld.conf:10)
                 alias www.domain.tld
                 alias ipv4.domain.tld
                 alias domain.tld.1-2-3-4.plesk47.customer.tld

Customers site redirects to https


Come to think of it, a LE Wildcard cert would be nice for preview domains.
But then preview domains need to be renamed to something like:

domain_tld.1-2-3-4.plesk47.customer.tld

So that *.1-2-3-4.plesk47.customer.tld can be requested.

 

[DevDavido]

I'm having an issue with the extension.
This issue occurs since one of the updates in 2018.
Let's Encrypt renews the certificates automatically, it restores default index.html, css and img folder from .skel into the existing project root of an existing project.


Ubuntu 14.04 LTS
Let's Encrypt extension version: 2.5.3-354
Plesk Onyx version: 17.8.11 Update #8

 

[rutgergrasgroen]

Hi,

Im running the letscenrypt extension on 1 of our servers. Ik have 2 subscriptions with each 230 domains. Last week 350 domains got renewed by the cron, but the last 150 have the "pending authorization" error.

When i look in /var/log/plesk/panel.log i see this error:

[2018-05-30 07:29:49.693] INFO [extension/letsencrypt] Renew certificate of domain 'doetinchemslotenmaker.nl': the certificate will expire in less than 30 days at 2018-06-25...
[2018-05-30 07:29:49.696] INFO [extension/letsencrypt] Register to ACME server 'https://acme-v01.api.letsencrypt.org/directory' using e-mail 'www.doetinchemslotenmaker.nl, webmail.doetinchemslotenmaker.nl...
[2018-05-30 07:29:50.117] ERR [extension/letsencrypt] Domain validation failed for doetinchemslotenmaker.nl: Invalid response from https://acme-v01.api.letsencrypt.org/acme/new-authz.
Details:
Type: urn:acme:error:rateLimited
Status: 429
Detail: Error creating new authz :: too many currently pending authorizations: see https://letsencrypt.org/docs/rate-limits/
[2018-05-30 07:29:50.117] DEBUG [extension/letsencrypt] PleskExt\Letsencrypt\Acme\Exception\BadResponseException: Invalid response from https://acme-v01.api.letsencrypt.org/acme/new-authz.
Details:
Type: urn:acme:error:rateLimited
Status: 429
Detail: Error creating new authz :: too many currently pending authorizations: see https://letsencrypt.org/docs/rate-limits/
file: /opt/psa/admin/plib/modules/letsencrypt/library/Acme/Exception/BadResponseException.php
line: 38
code: 0
trace: #0 /opt/psa/admin/plib/modules/letsencrypt/library/Acme/Challenge.php(140): PleskExt\Letsencrypt\Acme\Exception\BadResponseException::create(object of type GuzzleHttp\Psr7\Response)
#1 /opt/psa/admin/plib/modules/letsencrypt/library/Acme/Challenge.php(35): PleskExt\Letsencrypt\Acme\Challenge->requestChallenges(string 'doetinchemslotenmaker.nl')
#2 /opt/psa/admin/plib/modules/letsencrypt/library/DomainValidation/AcmeDomainValidator.php(65): PleskExt\Letsencrypt\Acme\Challenge->solve(object of type PleskExt\Letsencrypt\ChallengeSolver\DomainDocRootHttpSolver, boolean false)
#3 /opt/psa/admin/plib/modules/letsencrypt/library/DomainValidation/AcmeDomainValidationTask.php(96): PleskExt\Letsencrypt\DomainValidation\AcmeDomainValidator->validateDomain(string 'doetinchemslotenmaker.nl')
#4 /opt/psa/admin/plib/modules/letsencrypt/library/Acme.php(226): PleskExt\Letsencrypt\DomainValidation\AcmeDomainValidationTask->run()
#5 /opt/psa/admin/plib/modules/letsencrypt/library/Acme.php(386): PleskExt\Letsencrypt\Acme->provideCertificate(array, object of type PleskExt\Letsencrypt\AcmeCertOrderContext, object of type PleskExt\Letsencrypt\ChallengeFailed\SkipChallengeFailedStrategy, object of type PleskExt\Letsencrypt\CertificateIssuance\CertSubjectsValidatorRequireNothing, array)
#6 /opt/psa/admin/plib/modules/letsencrypt/library/KeepSecured/KeepSecuredService.php(396): PleskExt\Letsencrypt\Acme->secureDomainAutomatically(string '#7 /opt/psa/admin/plib/modules/letsencrypt/library/KeepSecured/KeepSecuredService.php(255): PleskExt\Letsencrypt\KeepSecured\KeepSecuredService->renewDomainCertificate(object of type PleskExt\Letsencrypt\KeepSecured\KeepSecuredNotifier, string 'doetinchemslotenmaker.nl', object of type PleskExt\Letsencrypt\Bridge\Certificate, object of type DateTime, integer '30', boolean true, boolean false, boolean false)
#8 /opt/psa/admin/plib/modules/letsencrypt/library/KeepSecured/KeepSecuredService.php(134): PleskExt\Letsencrypt\KeepSecured\KeepSecuredService->renewDomainsCertificates(object of type PleskExt\Letsencrypt\KeepSecured\KeepSecuredNotifier)
#9 /opt/psa/admin/plib/modules/letsencrypt/library/KeepSecured/KeepSecuredService.php(90): PleskExt\Letsencrypt\KeepSecured\KeepSecuredService->renewCertificates(object of type PleskExt\Letsencrypt\KeepSecured\KeepSecuredNotifier)
#10 /opt/psa/admin/plib/modules/letsencrypt/scripts/keep-secured.php(19): PleskExt\Letsencrypt\KeepSecured\KeepSecuredService->keepAllSecured()

The strange thing is that i see this error block with this domain a serveral times. So i think it tries to renew more then once? Can someone explain how i can fix this? I also read about "Clearing pending authorizations", but when you do that, you probably first should fix bad behaviour of a buggy client. And i save you need the authz urls for this? I cant find there anywhere.

And how does "Clearing pending authorizations" work?

I hope someone recognises my issues and knows the solution. Because i really need my pendings domains to renew within 27 days.

Thanks for your help!

 

[IgorG]

I hope someone recognises my issues and knows the solution. Because i really need my pendings domains to renew within 27 days.

I suppose this discussion will shed a light on this issue Error creating new authz :: Too many currently pending authorizations
Note: This limit is set by Let's Encrypt directly, Plesk cannot manage it.

 

[rutgergrasgroen]

I suppose this discussion will shed a light on this issue Error creating new authz :: Too many currently pending authorizations
Note: This limit is set by Let's Encrypt directly, Plesk cannot manage it.

I’ve read this thread before. But i’ve also read a ton of threads that my client shouldnt be hitting this rate limit.. its bad behavior. Do you know if something is wrong in the plugin? And i run my cron hourly now. Should i disable it for a week?

 

[AndrewN]

On our roadmap: SAN support · Issue #19 · plesk/letsencrypt-plesk

Thank you..,

 

[Ruslan Kosolapov]

Finally, we’ve released Let’s Encrypt 2.6.0 with wildcard certificates support ☺
Note that the feature needs activation - by default the extension uses ACME v1 protocol, but for wildcard certificates ACME v2 should be used.
To change the protocol (and enable wildcard certificates checkbox in the UI) put the following into your panel.ini:

[ext-letsencrypt]
acme-directory-url = "https://acme-v02.api.letsencrypt.org/directory"
acme-protocol-version = "acme-v02"



Another noticeable feature is significantly improved robustness of http challenges.
Let's Encrypt - Plesk Extensions

Changelog: Change Log for Plesk

2.6.0 (05 July 2018)

• [+] Users can now issue wildcard SSL/TLS certificates and secure the main domain, subdomains, domain aliases, and webmail with them. By default, Let’s Encrypt uses ACMEv1. For issuing a wildcard SSL/TLS certificate, users need to configure the Let’s Encrypt extension to use ACMEv2. Here you can read how to do so. Currently, wildcard SSL/TLS certificates are not renewed automatically. This feature is planned to be added later.
• Improved chances of successful Let's Encrypt DNS challenge validation by using general locations for .well-known/acme-challenge. This helps issue an SSL/TLS certificate if a domain has some specially configured rewrite rules (certain web applications configure them by default) or access restrictions. You can revert this improvement by adding the following lines to the panel.ini file:
  
  [ext-letsencrypt]
  use-common-challenge-dir = false

• Starting with Let’s Encrypt 2.6.0, the server setting is replaced with acme-directory-url. Now the server setting is still supported but it will be deprecated in the future Let's Encrypt updates. We recommend that users replace the server setting with acme-directory-url in the panel.ini file.
• Improved messages for most frequent Let's Encrypt errors.
• [-] Now, to renew a Let's Encrypt SSL/TLS certificate created via the CLI, the email specified in the CLI command is used. (EXTLETSENC-498)

 

[Walter]

This new wildcard feature is not working for me.

I have the latest version of Plesk and the latest Let's Encrypt Extension:
Plesk Onyx Version 17.8.11 Update #14, last updated on July 9, 2018 12:29 PM
Let's Encrypt Version: 2.6.1-398
Ubuntu 16.04.4 LTS

I did not have an existing panel.ini so I copied the panel.ini.sample
/usr/local/psa/admin/conf# cp panel.ini.sample panel.ini
I then pasted the Let's Encrypt entries:

[ext-letsencrypt]
acme-directory-url = "https://acme-v02.api.letsencrypt.org/directory"
acme-protocol-version = "acme-v02"

/usr/local/psa/admin/conf# ls -ltr
total 84
drwxr-xr-x 2 root root  4096 Mar 17  2017 generated
drwxr-xr-x 4 root root  4096 May 16  2017 templates
-rw-r--r-- 1 root root   885 May 16  2017 site_isolation_settings.ini
-rw-r--r-- 1 root root   862 Mar  1 07:38 site_isolation_settings.ini.default
-rw-r--r-- 1 root root   936 Mar  1 07:38 php.ini
-rw-r--r-- 1 root root  1705 Mar  1 07:38 panel.ini.sample
-rw-r--r-- 1 root root   502 Mar  1 07:38 openssl.cnf
-r-------- 1 root root  1647 Apr  6 20:06 rootchain.pem.sav
-r-------- 1 root root  9157 Apr  6 20:06 httpsd.pem.sav
-r-------- 1 root root  1647 Apr 14 11:04 rootchain.pem
-r-------- 1 root root  7463 Apr 14 11:04 httpsd.pem
drwxr-xr-x 2 root root  4096 Apr 21 14:54 aps
-rw-r--r-- 1 root root 10863 Apr 23 06:25 health-config.xml
-rw-r--r-- 1 root root  2347 Apr 30 15:59 file_sharing.conf
-rw-r--r-- 1 root root  1827 Jul  6 20:20 panel.ini
-rw-r--r-- 1 root root    35 Jul  9 06:31 customizations.conf

I checked multiple domains and also restarted my Plesk Server even though documentation shows that the panel.ini changes are implemented without restart needed.

 

[IgorG]

@Walter could you please show the output of

# cat /usr/local/psa/admin/conf/panel.ini

I see on my own Plesk server:

# cat /usr/local/psa/admin/conf/panel.ini
[sitebuilder]
forceHttp=false

[aps]
catalogUrl=http://apscatalog.com
serverAppsPromoEnabled=off

[promos]
enabled=off

[facebook]
showLikeLink=false

[feedback]
userVoice=false

[rating]
enabled=false

[ext-letsencrypt]
acme-directory-url = "https://acme-v02.api.letsencrypt.org/directory"
acme-protocol-version = "acme-v02"

and all works fine for issuing wildcard certificates.

 

[learning_curve]

This new wildcard feature is not working for me > < I did not have an existing panel.ini

FWIW We didn't have a panel.ini file but thats because we haven't made any specific panel changes to date, so we didn't expect one. Using the Plesk Panel.ini Editor extension example.com:8443/modules/panel-ini-editor/ to add the required changes is easy and creates the panel.ini file for you.

@Walter could you please show the output of # cat /usr/local/psa/admin/conf/panel.ini > < and all works fine for issuing wildcard certificates

If we run that @IgorG we see, exactly what we expect to see:

# cat /usr/local/psa/admin/conf/panel.ini
[ext-letsencrypt]
acme-directory-url = "https://acme-v02.api.letsencrypt.org/directory"
acme-protocol-version = "acme-v02"

We too can sucessfully issue wildcard certificates without any problems using the latest version of the Let's Encrypt extension. However, it's not 100% finished yet; automatic renewals are set for a future release. If you do have DNS outside of Plesk (as we do) there's still some manual work to do, which is easy, but this does depend on your hosting / server setup. The accompanying Plesk Docs are quite informative for using the Let's Encrypt extension sucessfully.

 

[Walter]

@Walter could you please show the output of

# cat /usr/local/psa/admin/conf/panel.ini

 cat /usr/local/psa/admin/conf/panel.ini
; Plesk initialization file
;
; Notes:
; * Be careful and understand what do you do while modifying of panel behavior.
; * If option is missed default value will be used.
; * Use ";" for comments.
; * Enabled debug mode or high log level can be the reason of panel slowdown.

[debug]

; Enable debug mode (do not use in production environment)
;enabled = on

[log]

; Log messages verbosity level (from 0 to 7)
; 0 - only critical errors, 7 - all including debug messages, default - 3
;filter.priority = 7

; Enable logging of SQL queries
;show.sql_query = on

; Enable logging of external utilities calls
;show.util_exec = on

; Enable logging of stdin and stdout for external utilities calls (do not use in production environment)
;show.util_exec_io = on

; Enable logging of APSC activities
;apsc.enabled = on

[aps]

; Disable APS apps at all
;enabled = off

[locale]

; Show locale keys instead of localized string (values: off, on, long)
;showKeys = long

[help]

; Documentation URL
;url = http://example.com

[promos]

; Disable other products promotions
;enabled = off

[facebook]

; Hide Like link
showLikeLink = off

[rating]

; Hide feedback dialog with question to rate product
enabled = off

[cli]

; Ignore nonexistent options in command line interface
;ignoreNonexistentOptions = off

[pmm]

; Allow to upload modified, corrupted, created on another server or in an older Panel version
; that does not support signing of backups. Set this option only if you trust to backup creator because upload of modified
; backup may compromise you server. If value is on then users just informed about changes in backup and restore isn`t blocked
; Values: on, off
;allowRestoreModifiedDumps = off

[ext-letsencrypt]
acme-directory-url = "https://acme-v02.api.letsencrypt.org/directory"
acme-protocol-version = "acme-v02"

For good measure I just installed the panel.ini extension. I am using Ubuntu and know that I modified the right location but wanted to see if Plesk user interface is reading the same.

The panel.ini extension editor tab shows the following location:
/opt/psa/admin/conf/panel.ini

BUT Does have the entry in there for Let's Encrypt

; Plesk initialization file
;
; Notes:
; * Be careful and understand what do you do while modifying of panel behavior.
; * If option is missed default value will be used.
; * Use ";" for comments.
; * Enabled debug mode or high log level can be the reason of panel slowdown.

[debug]

; Enable debug mode (do not use in production environment)
;enabled = on

[log]

; Log messages verbosity level (from 0 to 7)
; 0 - only critical errors, 7 - all including debug messages, default - 3
;filter.priority = 7

; Enable logging of SQL queries
;show.sql_query = on

; Enable logging of external utilities calls
;show.util_exec = on

; Enable logging of stdin and stdout for external utilities calls (do not use in production environment)
;show.util_exec_io = on

; Enable logging of APSC activities
;apsc.enabled = on

[aps]

; Disable APS apps at all
;enabled = off

[locale]

; Show locale keys instead of localized string (values: off, on, long)
;showKeys = long

[help]

; Documentation URL
;url = http://example.com

[promos]

; Disable other products promotions
;enabled = off

[facebook]

; Hide Like link
showLikeLink = off

[rating]

; Hide feedback dialog with question to rate product
enabled = off

[cli]

; Ignore nonexistent options in command line interface
;ignoreNonexistentOptions = off

[pmm]

; Allow to upload modified, corrupted, created on another server or in an older Panel version
; that does not support signing of backups. Set this option only if you trust to backup creator because upload of modified
; backup may compromise you server. If value is on then users just informed about changes in backup and restore isn`t blocked
; Values: on, off
;allowRestoreModifiedDumps = off

[ext-letsencrypt]
acme-directory-url = "https://acme-v02.api.letsencrypt.org/directory"
acme-protocol-version = "acme-v02"

I also cleared my browser cache and logged into my Plesk instance with a different browser and different computer to remove the possibility of caching.

 

[Walter]

My issue is resolved! I now see wildcard option. A while ago, I appended cli.ini found in /usr/local/psa/var/modules/letsencrypt/cli.ini
I had a single entry of:

rsa-key-size = 4096

This was to increase the key size of LE certificates to improve my SSLLabs score.

I deleted the cli.ini file and then appended the panel.ini file with the following:

[ext-letsencrypt]

acme-directory-url = "https://acme-v02.api.letsencrypt.org/directory"
acme-protocol-version = "acme-v02"
rsa-key-size = 4096

 

[StéphanS]

Great and valuable info there Walter!

Thank you for sharing.