Let's Encrypt extension

[nMLxTMJTZ]

i can see wildcard option but when i generate the certificate in domain name i have "domainName" and not "*.domainName" and i cannot use in *.domainName, i use also CAA record:

xxx.pro.    CAA (iodef)    mailto:[email protected]
    xxx.pro.    CAA (issue)    letsencrypt.org

 

[Michael Neikes]

Hello,

it works so far:
- i do get ssl certificates activated
- also for subdomains
- i can choose them for the mail part as well -> within plesk

If i open Mailenable looking at "ocalhost" properties at SSL Tab, i do not see the letsencrypt certificates.
Where is the error (probably in my mind?)

Thanks for help

 

[Ruslan Kosolapov]

Hi @Michael Neikes.

i can choose them for the mail part as well -> within plesk

Sorry, don't sure I've understood your case correctly.

Do you mean setting server mail certificate?


If you mean server mail certificate - in MailEnable in that tab you see certificates as a list of Subject Names, in Plesk you see "user friendly" name of a certificate.
Example: there is domain.com and a certificate for it. In Plesk UI you see the certificate as "Let's Encrypt domain.com". In MailEnable you see this certificate as "domain.com", without "Let's Encrypt", but it is the same certificate. It's how ME works.

or including webmail into a domain certificate?


or setting webmail certificate directly?


If you mean webmail certificate, it isn't related to mail (and MailEnable), it's for Webmail (web, http) only.

 

[Ruslan Kosolapov]

Hi @camaran

You're using Plesk UI, right? Did you see any errors when you issued the wildcard certificate?
How do you check that there are no *.domainName in the certificate?

 

[ReneMuetti]

Hello

I am using Plesk Onyx Version 17.8.11 Update #19 with the current version of the plugin. Now there seems to be some problems:
The wrong certificates are delivered on the domains.
Delivered: crt.sh | 517515962
Current: crt.sh | 657921383
This concerns all domains on 2 different servers.

How can I get the problem under control? Obviously a fresh certificate has been requested and created -- but it will not be delivered.

Thank you very much for your help.

 

[Michael Neikes]

Do you mean setting server mail certificate?


If you mean server mail certificate - in MailEnable in that tab you see certificates as a list of Subject Names, in Plesk you see "user friendly" name of a certificate.
Example: there is domain.com and a certificate for it. In Plesk UI you see the certificate as "Let's Encrypt domain.com". In MailEnable you see this certificate as "domain.com", without "Let's Encrypt", but it is the same certificate. It's how ME works.

The other settings just affecting Mailenable was clear so far.

Within Plesk (your screenshot) I do see all Lets Encrypt certificate and choosed as "default": Lets encrypt certification from Serverpool.

Within Mailenable -> Servers -> "properties" of Localhost -> Tab "General" -> properties of one Postoffice binding -> at the bottom "SSL Certificate"
All Lets Encrypt certificates are not included in the lis, i just see default, the plesk ones, the one I use to protect plesk onetime with www. prefix, one without.

This has as an effect, that people connecting their own IP Adress do get the certificate which is set as default (= the one from plesk)



Regards
Michael

 

[Mark Wittens]

I have the Let's Encrypt plugin running on 2 servers but there are some problems: The cron task to renew the certificates doesn't (always) use the settings "Include a "www" subdomain for the domain and each selected alias" and "Secure webmail on this domain" so I get this kind of errors:

Could not secure domains of Server with Let's Encrypt certificates. Please log in to Plesk and secure the domains listed below manually.
Securing of the following domains has failed:

* 'domain.com'
Missed domain names failed to pass validation: webmail.domain.com

Both checkboxes at this domain are disabled so that means the www and webmail subdomain should not be used at all.

Can someone help me in the right direction where to look for a solution to this?

 

[Brujo]

Ubuntu 16.04.5 LTS‬
Product Plesk Onyx Version 17.8.11 Update #20
Let's Encrypt Version: 2.6.1-398

Since some days I see in the panel.log and receive also via Mail the following Error Message
so automaticaly renew of the letsencryt cert for this domain does not work and generates this messages.

Invalid response from https://acme-v02.api.letsencrypt.org/acme/new-order.
Details:
Type: urn:ietfarams:acme:error:malformed
Status: 400
Detail: Unable to unmarshal NewOrder request body

As workaround manually renew of the letsencrypt just work like a charm without issue and warnings

 

[TomBoB]

Webmail only, without domain hosting enabled.

Would also like to have it implemented. Usage case:

Client had web and email hosting with us. For the website he has it now hosted elsewhere, for emails he is still with us.

Would be nice if - when the webhosting is disabled - the extension still lets you do the webmail subdomain.

Cheers,
Tom

Hi,
just checking if there is progress on this...
Cheers,
Tom

 

[errotu]

Thanks a lot for implementing the new wildcard feature!

Is it possible to secure the mailman-page (lists.domain.com) with the wildcard certificate? If yes, how is it done?

 

[TomBoB]

Bug when subscription is suspended ?

Scenario:
Domain uses https, secured by lets encrypt. Client doesn't pay, subscription gets suspended - resulting in an error page (503) we created being displayed.
Eventually the lets encrypt certificate expires. Lets encrypt is NOT being renewed, although (in my opinion) it should as there is still the error page being displayed.

In a suspended subscription, after lets encrypt expired, no error page is being displayed, but rather the security warning that page isn't secure.

Any thoughts on that?

Cheers,
Tom

EDIT: reported as possible bug

 

[Ruslan Kosolapov]

We’ve just released the new version of Let’s Encrypt Extension: Let's Encrypt - Plesk Extensions
The main feature of the release is wildcard certificates autorenewal.

Changelog:
2.7.0 (31 October 2018)

• Expired wildcard certificates can now be renewed automatically.
• Resolved a number of compatibility issues with Plesk Onyx 17.9.
• [-] Email addresses used for issuing certificates are now included in Plesk backups.(EXTLETSENC-570)

 

[Ruslan Kosolapov]

Webmail only, without domain hosting enabled.
just checking if there is progress on this...

Hi. This feature is in the backlog. We thought it's easy, and we've started the implementation, but we've faced with a lot of small technical nuances that ruined the feature
In other words, not in the nearest releases, sorry. Deep technical research is required here.

 

[Ruslan Kosolapov]

Thanks a lot for implementing the new wildcard feature!

Is it possible to secure the mailman-page (lists.domain.com) with the wildcard certificate? If yes, how is it done?

Hi. Plesk doesn't provide such functionality. And, unfortunately, I don't think it's possible to get it done manually. The config for mailman is:
<VirtualHost 10.52.52.133:7080 127.0.0.1:7080>
DocumentRoot "/var/www/vhosts/default/htdocs"
ServerName lists
ServerAlias lists.*
UseCanonicalName Off

ScriptAlias "/mailman/" "/usr/lib/mailman/cgi-bin/"

Alias "/icons/" "/usr/lib/mailman/icons/"
Alias "/pipermail/" "/var/lib/mailman/archives/public/"

<IfModule mod_ssl.c>
SSLEngine off
</IfModule>

<Directory /var/lib/mailman/archives/>
Options FollowSymLinks
Order allow,deny
Allow from all
</Directory>

As you can see, there is the single virtual host for all lists.* domains. It means you can specify (manually) the certificate for the single domain, and this single domain will work, but other lists.* domains won't.

 

[learning_curve]

We’ve just released the new version of Let’s Encrypt Extension: Let's Encrypt - Plesk Extensions
The main feature of the release is wildcard certificates autorenewal...

Sounds great!

One of the Let's Encrypt *wildcard certificates that we currently use, we actually generate without using the Plesk Extension (it comes from a provider ouside of Plesk). It's multi-domain (with many instances of domain/sub-domain) which is why it requires a multi-domain *wildcard certificate. As you know, *wildcard certificates normally have to be verified manually via DNS, so in this case, both the original certificate and all subsequent renewals need patience, as it takes some time to do this correctly. We've always understood from the provider, that this kind of certificate will never work with the wildcard certificates autorenewal that they have. With the latest Extension release, will this work within Plesk now then? i.e. Multi-domain *wildcard Let's Encrypt certifcates complete with autorenewal? Fantastic news if that's the case... Or, is this limited to one domain per generated *wildcard Let's Encrypt certificate complete with autorenewal? (which is probably a more common occurance)

 

[Ruslan Kosolapov]

Sounds great!

One of the Let's Encrypt *wildcard certificates that we currently use, we actually generate without using the Plesk Extension (it comes from a provider ouside of Plesk). It's multi-domain (with many instances of domain/sub-domain) which is why it requires a multi-domain *wildcard certificate. As you know, *wildcard certificates normally have to be verified manually via DNS, so in this case, both the original certificate and all subsequent renewals need patience, as it takes some time to do this correctly. We've always understood from the provider, that this kind of certificate will never work with the wildcard certificates autorenewal that they have. With the latest Extension release, will this work within Plesk now then? i.e. Multi-domain *wildcard Let's Encrypt certifcates complete with autorenewal? Fantastic news if that's the case... Or, is this limited to one domain per generated *wildcard Let's Encrypt certificate complete with autorenewal? (which is probably a more common occurance)

1. if you've got the certificate without using the Let's Encrypt Extension, the autorenewal feature won't work for those certificates, because we don't touch "foreign" certificates. But there is a trick - rename the certificate to "Lets Encrypt <old_name>" and the extension will treat the certificate as "native". You can rename the certificate on the "<domain> > SSL/TLS Certificates > <certificate>" screen.

2. regarding the DNS challenge. Let's Encrypt Extension automatically creates required DNS records in the domain DNS zone inside Plesk. So, if Plesk is responsible for DNS (e.g., the DNS zone is delegated to Plesk), or if external DNS server is synced with Plesk (it can be achieved with Slave DNS Manager Extension) - the DNS challenge should work without manual actions.

If there is no sync from Plesk DNS to the external DNS server - sorry, autorenewal won't work.

See also this article: Getting Free Wildcard SSL/TLS Certificates from Let's Encrypt

 

[learning_curve]

1. if you've got the certificate without using the Let's Encrypt Extension, the autorenewal feature won't work for those certificates, because we don't touch "foreign" certificates. But there is a trick - rename the certificate to "Lets Encrypt <old_name>" and the extension will treat the certificate as "native". You can rename the certificate on the "<domain> > SSL/TLS Certificates > <certificate>" screen

"Foreign" even though they are provided at "home" i.e. via Let's Encrypt... but yes, fully understand the point.
The "trick" looks good, thank you. In this particular case (so far anyway...) we've never, ever had a Let's Encrypt <old_name> certificate because this certificate, has always be generated externally. Maybe, we'll create one now from scratch (if we can) subject to the answer to our question below...

2. regarding the DNS challenge. Let's Encrypt Extension automatically creates required DNS records in the domain DNS zone inside Plesk. So, if Plesk is responsible for DNS (e.g., the DNS zone is delegated to Plesk), or if external DNS server is synced with Plesk (it can be achieved with Slave DNS Manager Extension) - the DNS challenge should work without manual actions. If there is no sync from Plesk DNS to the external DNS server - sorry, autorenewal won't work. See also this article: Getting Free Wildcard SSL/TLS Certificates from Let's Encrypt

Fully understand the DNS info and it's great to see that the Plesk Extension now includes auto-renewals for *Wildcard Certificates too. However.... one point, in our post previous to this one, has possibly, been missed?

What we previously asked was this: "...With the latest Extension release, will this work within Plesk now then? i.e. Multi-domain *wildcard Let's Encrypt certifcates complete with autorenewal?" The big difference being Multi-domain in this case, not *wildcard. In the specific case we're referring too, all of the domains also have subdomains too, meaning that the certificate is actually a Multi-domain/subdomain *wildcard Let's Encrypt certifcate. We asked that ^^ question, because, we can't see how a Multi-domain/subdomain *wildcard Let's Encrypt certifcate can be generated, when only using the Plesk Extension (currently anyway). If we just haven't looked properly then sorry, but if it really is 'not possible' to do this (yet), then by default, there can be no autorenewals in this specific case either, as there's never been an original certificate. If this is all correct, does the Plesk Extension future road-map include the multi-domain option? The Plesk Let's Encrypt Extension appears (understandably) to process just one domain at a time... albeit with autorenewal that now also covers *wildcard certificates (if they used)

 

[a1b2c3.kontakt]

Hello,
I have a problem with wildcard ssl (Let's Encrypt). I did everything as in the guide: Getting Free Wildcard SSL/TLS Certificates from Let's Encrypt
and not working.
In domains list i have:
1. "maindomain.com"
2. "*.maindomain.com"

You can secure them manually:

1. Go to Websites & Domains and find the subdomain you want to secure
2. Click Hosting Settings.
3. Select the "SSL/TLS support" checkbox.
4. From the "Certificate" menu, select the wildcard SSL/TLS certificate.
5. Click OK.

In "maindomain.com" its working, but in "*.maindomain.com" I don't have a "Lets Encrypt
certificate".... Only self-signed

 

[Ruslan Kosolapov]

"...With the latest Extension release, will this work within Plesk now then? i.e. Multi-domain *wildcard Let's Encrypt certifcates complete with autorenewal?" The big difference being Multi-domain in this case, not *wildcard. In the specific case we're referring too, all of the domains also have subdomains too, meaning that the certificate is actually a Multi-domain/subdomain *wildcard Let's Encrypt certifcate. We asked that ^^ question, because, we can't see how a Multi-domain/subdomain *wildcard Let's Encrypt certifcate can be generated, when only using the Plesk Extension (currently anyway). If we just haven't looked properly then sorry, but if it really is 'not possible' to do this (yet), then by default, there can be no autorenewals in this specific case either, as there's never been an original certificate. If this is all correct, does the Plesk Extension future road-map include the multi-domain option? The Plesk Let's Encrypt Extension appears (understandably) to process just one domain at a time... albeit with autorenewal that now also covers *wildcard certificates (if they used)

You mean you want the same certificate installed on a domain and on its subdomains, am I correct?
How it works now:

1. you have to issue the wildcard certificate for the domain via LE extension
2. the certificate will be assigned to the domain automatically
3. after that you can manually assign the certificate to the subdomains
4. you can also assign that certificate to another domain (if this action makes sense)
5. autorenewal feature will renew the certificate on all those websites, i.e. on the domains and on the subdomains

In other words, there is manual step at the initial point, after that all should work automatically.
We plan to automate that manual step (for subdomains) in our new extension for SSL/TLS management. It will be available soon. Stay tuned

 

[Ruslan Kosolapov]

Hello,
I have a problem with wildcard ssl (Let's Encrypt). I did everything as in the guide: Getting Free Wildcard SSL/TLS Certificates from Let's Encrypt
and not working.
In domains list i have:
1. "maindomain.com"
2. "*.maindomain.com"

In "maindomain.com" its working, but in "*.maindomain.com" I don't have a "Lets Encrypt
certificate".... Only self-signed

Probably you've faced with rare issue when the subdomain certificate pool doesn't point to the domain certificate pool (the internals of the certificate management system in Plesk are quite complicated). To check it, execute the following SQL query (psa database): 'select id, name, cert_rep_id, domains.parentDomainId from domains where name like "%maindomain.com%";' cert_rep_id for the subdomains should be the same as for the main domain. Don't forget to backup the database before fixing this