
Question Let's Encrypt on admin panel

Fabio_Hansen

New Pleskian
Hi
In the Plesk Onyx installation, Security Advisor installed a certificate on my panel admin host.domain.com:8443. So far so good and working.
But now the three months have passed and the certificate has expired.
My question is: should not the certificate renew itself?
How do I renew for another three months?
 
Hi Fabio_Hansen,

Please inspect your "panel.log" (since version 2.0.3 of the Plesk Let's Encrypt extension) to investigate possible issues regarding the renewal failure. Plesk creates a cron job which automatically renews your Let's Encrypt certificates, but to investigate why this didn't happen on your server, you have to provide the corresponding information, so that people willing to help you have something to start from for possible investigations.

Please also check your server-wide (Plesk-configured) crontabs at HOME > Tools & Settings > Scheduled Tasks, and make sure that the cron job "/opt/psa/admin/bin/php -dauto_prepend_file=sdk.php '/opt/psa/admin/plib/modules/letsencrypt/scripts/renew.php'" exists.



If you desire to create a new certificate which can be used to secure your Plesk Control Panel, please simply consider creating a separate subscription for "YOUR-SERVER-NAME.YOUR-DOMAIN.COM" (matching the entry at "/etc/hostname" on your server!) and create a new Let's Encrypt certificate like you do for every other (sub)domain. ;)
 
Hi.
The log error is:
ERROR: pm_Exception_ResultException: Execution letsencrypt-hostname.sh has failed with exit code 1, stdout: , stderr: [2017-06-21 08:34:52] ERR [extension/letsencrypt] Execution of /usr/local/psa/admin/plib/modules/letsencrypt/scripts/cli.php failed with exit code 1 and the output:
Challenge marked as invalid. Details: Invalid response from http://host.domain.com/.well-known/acme-challenge/k0RosM6w80s7rbtS7m3-qrDMqwi9GCZevo0zD-tJVI4: "<HTML>
<HEAD>
<TITLE>404 Not Found</TITLE>
<BASE href="/error_docs/"><!--[if lte IE 6]></BASE><![endif]-->
</HEAD>
<BODY>
<H1>No"
Execution of /usr/local/psa/admin/plib/modules/letsencrypt/scripts/cli.php failed with exit code 1
 
Hi Fabio_Hansen,

As you can see in your error log, the "Challenge marked as invalid" message mostly means that the folder "/.well-known/acme-challenge/" and the necessary challenge couldn't be reached by the Let's Encrypt validation process. Consider placing a test TXT file into that folder as well and try to open it with your browser. ;)
 
Hi
In which folder?
My problem is not in the domains I have been hosting.
My problem is in the renewal of ssl for the admin panel (panel.host.com:8443).
So where is the folder that gets the files from the admin panel and where exactly do I need to put this "/.well-known/acme-challenge/"?
 

I'm not sure how the initial Let's Encrypt cert for Plesk was installed by the Security Advisor, as Let's Encrypt verifies domains via port 80, port 443 and TXT DNS record for non-standard ports, i.e. 8443.

As UFHH01 suggested, if your Plesk domain is panel.host.com, then create a domain subscription for panel.host.com under Plesk and then create a Let's Encrypt cert which can then be used to secure panel.host.com:8443. This is the automated renewal method for using Let's Encrypt to secure the Plesk CP.

If you do not wish to create an additional subscription just to use Let's Encrypt with Plesk then another workaround would be via a bash script:

Code:
#!/bin/bash -e
### Copyright 1999-2015. Parallels IP Holdings GmbH. All Rights Reserved.
### Secure plesk clean installation with hostname certificate by Let's Encrypt

export PYTHONWARNINGS="ignore:Non-standard path"
LE_HOME=${LE_HOME:-"/usr/local/psa/var/modules/letsencrypt"}
HOSTNAME=$(hostname)

# Use staging server for testing
# --server https://acme-staging.api.letsencrypt.org/directory
# --server http://letsencrypt.pp.plesk.ru/directory

"${LE_HOME}/venv/bin/letsencrypt" \
    --renew-by-default \
    --no-redirect \
    --agree-tos \
    --text \
    --config-dir "${LE_HOME}/root/etc" \
    --work-dir "${LE_HOME}/root/lib" \
    --logs-dir "${LE_HOME}/root/logs" \
    --webroot \
    --webroot-path "/var/www/vhosts/default/htdocs/" \
    -d "${HOSTNAME}" \
    --register-unsafely-without-email \
    certonly

CERT_PATH="${LE_HOME}/root/etc/live/${HOSTNAME}"
TMP_PATH=$(mktemp "${CERT_PATH}/plesk.XXXXX")
cat "${CERT_PATH}/privkey.pem" <(echo) \
    "${CERT_PATH}/cert.pem" <(echo) \
    "${CERT_PATH}/chain.pem" > "${TMP_PATH}"
echo "Let's Encrypt certificate for Plesk was created: ${TMP_PATH}"
/usr/local/psa/admin/bin/certmng --setup-cp-certificate --certificate="${TMP_PATH}"
echo "Certificate installation was finished successfully"

You can automate the renewal by creating a cron job that executes the above script every 2.5 months.

Hope this helps.

Edit: The above script assumes that you are using your server's hostname as Plesk's domain. If the panel's domain is different, then edit HOSTNAME=panel.host.com
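
The test-file check suggested earlier in the thread, applied to the webroot that the script above passes to --webroot-path, as an added example that is not part of the original posts or of Plesk's own tooling. The function names are hypothetical, and the webroot and hostname are taken as arguments.

```bash
#!/bin/bash
# Added example: preflight check for the HTTP-01 challenge path.
# Assumptions: WEBROOT is the directory passed to --webroot-path and HOST is
# the panel hostname; acme_fetch/acme_preflight are hypothetical helper names.

# Fetch a URL body; -f makes curl fail (exit 22) on 404 and other HTTP errors.
acme_fetch() {
    curl -fsS --max-time 10 "$1"
}

# Returns 0 if a probe file written to WEBROOT comes back unchanged over
# plain HTTP, 1 if the fetch fails or returns something else (for example a
# 404 error page), 2 if the probe file could not be written.
acme_preflight() {
    local webroot="$1" host="$2"
    local dir="${webroot%/}/.well-known/acme-challenge"
    local token body rc=1

    # Random name so the probe cannot collide with a real challenge file.
    token="preflight-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"

    mkdir -p "$dir" || return 2
    printf '%s' "$token" > "$dir/$token" || return 2
    chmod 644 "$dir/$token"   # the web server user must be able to read it

    # HTTP-01 validation starts on port 80, not on the panel port 8443.
    if body=$(acme_fetch "http://${host}/.well-known/acme-challenge/${token}"); then
        [ "$body" = "$token" ] && rc=0
    fi

    rm -f "$dir/$token"
    return "$rc"
}

# Usage: ./acme-preflight.sh /var/www/vhosts/default/htdocs/ host.domain.com
if [ "$#" -eq 2 ]; then
    if acme_preflight "$1" "$2"; then
        echo "OK: challenge directory is served for $2"
    else
        echo "FAIL: http://$2/.well-known/acme-challenge/ is not served from $1" >&2
        exit 1
    fi
fi
```

A pass from the server itself only shows that the virtual host maps the hostname to that webroot; DNS and firewall rules for port 80 still decide whether the Let's Encrypt validation servers can reach it.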
 
Hi
Since the Security Advisor does its part of installing Let's Encrypt on my panel, should not renewal be automatic?
I have installed this panel since January 2017.
In March it was automatically renewed, but now it was not.
I find it strange to have to do these processes manually since it worked automatically.
 
Can anyone help me solve this in the right way? I can create a new certificate with Let's Encrypt, but as I said in previous posts, the renewal happened automatically.
 