
Let’s Encrypt Secured Plesk Not Renewing

stvnthomas

New Pleskian
TITLE:
Let’s Encrypt Secured Plesk Not Renewing
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:
CentOS 7.4 / Plesk 17.5.3 Update 24
PROBLEM DESCRIPTION:
One of our server's certificates recently renewed automatically but Plesk continued to show/use the previous expired certificate, resulting in the invalid certificate browser page.

Confirmed with a second Plesk server. Manually renewed the certificate. The website, Example Domain, updated and showed usage of the new certificate but Plesk, https://example.com:8443, still showed usage of the old certificate. Using alternate browsers/computers results in the same problem.
STEPS TO REPRODUCE:
Manually renew Let’s Encrypt certificate for domain/certificate used to secure Plesk. Visit domain and Plesk and compare certificates.
ACTUAL RESULT:
Domain will use renewed certificate. Plesk will continue to use old certificate.
EXPECTED RESULT:
Domain and Plesk should be using the renewed certificate.
ANY ADDITIONAL INFORMATION:
After manually renewing the certificate, you can force Plesk to use it by going to Tools & Settings > SSL/TLS Certificates and resaving the option for 'Certificate for securing Plesk'.

I didn't test but could this also affect the 'Certificate for securing mail'?
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:
Confirm bug
 
Manually renewed the certificate.
All LE certificates should be renewed automatically with the corresponding cron task:

# crontab -l | grep letsen
3 16 * * * /usr/local/psa/admin/bin/php -dauto_prepend_file=sdk.php '/usr/local/psa/admin/plib/modules/letsencrypt/scripts/renew.php'

Please check that this task exists and cron service is up and running.
 
Yes, the task is present and the cron service is running:

# sudo crontab -l | grep letsen
3 6 * * * /usr/local/psa/admin/bin/php -dauto_prepend_file=sdk.php '/usr/local/psa/admin/plib/modules/letsencrypt/scripts/renew.php'

# sudo systemctl status crond.service
Active: active (running) since Fri 2017-09-29 18:04:38 PDT; 5 days ago

The certificate renewed so I don't think it's a problem with the cron or renewal itself. It seems to just be with the renewed certificate registering and securing the Plesk control panel.
 
I'm having the exact same problem. Same version of Plesk on 2 different servers running Ubuntu 16.04 LTS.
 
I have this issue too with the Plesk panel and mail, on CentOS Linux 7.4.1708 (Core) and Plesk Onyx Version 17.5.3 Update #25, since maybe 09 Oct 2017 (I was on holiday for a few weeks; a friend reported an error in the mail certificate)

# sudo crontab -l | grep letsen
19 9 * * * /usr/local/psa/admin/bin/php -dauto_prepend_file=sdk.php '/usr/local/psa/admin/plib/modules/letsencrypt/scripts/renew.php'

# sudo systemctl status crond.service
Active: active (running) since Thu 2017-09-14 11:14:32 CEST; 1 months 5 days

I didn't test but could this also affect the 'Certificate for securing mail'?
Yes, the problem is here too.

I could not say why, but the domain for mail.example.com was not renewed. I found no hint under /usr/local/psa/var/modules/letsencrypt/logs/letsencrypt.log
This file was last changed 13 Mar 2017

After a manual renewal in the subscription, the domain was secure but mail was still not secured. I had to go to "Tools & Settings" > "SSL/TLS Certificates", click "Change" for "Certificate for securing mail" and set the same domain as before. After clicking "OK" it is working now and has refreshed to the new certificate, like stvnthomas wrote before for the Plesk panel.
 
I can confirm it's still a problem – a third server of ours now – and both Plesk and mail are affected (secured via Tools & Settings > SSL/TLS Certificates > Certificates currently in use for securing Plesk server). The certificate had been updated but Plesk and mail were still using the expired one. All email clients were reporting 'encryption method not supported' errors. This seems like a pretty big bug.

CentOS 7.4 is up to date and running Plesk 17.5.3, update #28. Latest Let's Encrypt extension, 2.4.0-231.
 
I will add some information for developers. I created a subdomain and deleted it after adding a Let's Encrypt certificate. Now I get an e-mail for this removed subdomain with the subject:

Let's Encrypt certificate expiration notice for domain "test.example.com"

I see that the subdomain folder in the subscription still exists too, but not in Plesk domains anymore.
 
I will add some information for developers. I created a subdomain and deleted it after adding a Let's Encrypt certificate. Now I get an e-mail for this removed subdomain with the subject:

I see that the subdomain folder in the subscription still exists too, but not in Plesk domains anymore.
Most likely the subdomain was not entirely removed from Plesk. Please try to create it again and see what happens.
 
I can confirm it's still a problem – a third server of ours now – and both Plesk and mail are affected (secured via Tools & Settings > SSL/TLS Certificates > Certificates currently in use for securing Plesk server). The certificate had been updated but Plesk and mail were still using the expired one. All email clients were reporting 'encryption method not supported' errors. This seems like a pretty big bug.

CentOS 7.4 is up to date and running Plesk 17.5.3, update #28. Latest Let's Encrypt extension, 2.4.0-231.
Based on your report, I can see that you use the same certificate for securing the domain and Plesk (and mail). Currently the Let's Encrypt extension cannot auto-renew such certificates due to a limitation in the Plesk 17.5 platform. This behavior will be fixed in the upcoming Plesk 17.8, which is expected to be released in March 2018.
For now I would advise you to use separate certificates for Plesk (UI and mail) and the domain itself. In this case you will have 2 different certificates for the same DN of your domain, which may be a bit weird and excessive. But these certificates will be updated automatically by Let's Encrypt, so you don't have to worry about it. And they are free =)
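
A check for the symptom reported in this thread, as an added example that is not part of any post or of Plesk itself: it fingerprints the certificate served on each TLS port and lists the services that still present a different one than the website. It assumes one shared certificate secures the site, the panel and mail; ports 465 and 993 are assumed implicit-TLS mail ports, and `check_host` and the other function names are made up for this example.

```python
import hashlib
import socket
import ssl
import sys

# Service -> port. 443 (site) and 8443 (Plesk panel) come from the thread;
# 465 and 993 are assumed implicit-TLS mail ports and may differ per server.
PORTS = {"site": 443, "panel": 8443, "smtps": 465, "imaps": 993}


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def fetch_der(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Return the leaf certificate a TLS service presents, even if expired."""
    ctx = ssl.create_default_context()
    # Diagnostic only: validation is off so an expired certificate can still
    # be retrieved and fingerprinted. Never reuse this context for real traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def stale_services(fingerprints: dict, reference: str = "site") -> list:
    """Services whose certificate differs from the reference service's."""
    want = fingerprints[reference]
    return sorted(s for s, fp in fingerprints.items() if fp != want)


def check_host(host: str) -> list:
    """Fingerprint every reachable service on host and list the mismatches."""
    found = {}
    for name, port in PORTS.items():
        try:
            found[name] = fingerprint(fetch_der(host, port))
        except OSError as exc:  # closed port, timeout or TLS failure
            print(f"{name}:{port} unreachable: {exc}", file=sys.stderr)
    return stale_services(found) if "site" in found else []


if __name__ == "__main__":
    # Usage: python check_certs.py example.com (exit status 1 on mismatch)
    stale = check_host(sys.argv[1])
    print("stale:", ", ".join(stale) or "none")
    sys.exit(1 if stale else 0)
```

Run after the daily renewal cron task, a non-zero exit status flags a panel or mail service still serving the old certificate. With separate certificates per service, as advised above, a mismatch is expected and the comparison no longer applies.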
 
Here is another thing about the Let's Encrypt extension. Today I got a mail with the subject
"<test.example.com> Let's Encrypt certificates for ******** have been issued/renewed"
and content:
The following Let's Encrypt certificates for ******* (login admin) have been renewed:

* 'Lets Encrypt test.example.com'
- test.example.com

* 'Lets Encrypt test.example.com'
- test.example.com

As you can see, it reports the same domain twice. Should/can this happen?
 
Here is another thing about the Let's Encrypt extension. Today I got a mail with the subject
"<test.example.com> Let's Encrypt certificates for ******** have been issued/renewed"
and content:

As you can see, it reports the same domain twice. Should/can this happen?
When sending these reports, Let's Encrypt uses the domain name, which is decoded from the certificate itself, not the name of Plesk domain. So if you had certificates for the same domain name assigned to different Plesk domains, you would receive such notification.
 