• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Let's Encrypt SSL to secure Plesk and mail not renewing

themew

Regular Pleskian
New install of Onyx in Oct. Create main domain and upload purchased SSL to secure. Choose that SSL in Hosting Settings. Works perfect.

Created a subdomain mail.domain.com to log into Plesk and for email. Installed Let's Encrypt extension to create an SSL. Let's Encrypt creates the SSL and the cron for 28 day renewal.

Go to TOOLS > SETTINGS > SSL/TLS certificates and choose the Let's Encrypt SSLs to secure Plesk and Email. Works perfectly. Plesk and email secure using the Let's Encrypt SSL.

Fast forward 28 days. The Let's Encrypt SSL doesn't renew but the cron runs without errors. I choose to wait another 28 days in case there's a reported issue.

Let's Encrypt SSL still doesn't renew and expires in less than 30 days. Manually run the cron - shows successful. SSL still not renewed. Reboot server. No change.

Both the purchased and Let's Encrypt SSL appear in the SSL/TLS certs list for the domain. No SSLs appear int he SSL/TLS section of the subdomain.

In TOOLS > SETTINGS > SSL/TSL the Let's Encrypt certificate shows for Plesk and email secured using Let's Encrypt from the main domain, however only the Plesk default SSL appears as a Default Certificate on the page.

The domain SSL shows it's being used (1) and the default SSL (installed self-signed by Plesk) shows it's being used (1) but the Let's Encrypt SSL listed with the domain's SSL shows not being used (0).

However, logging into mail.domain.com:8443 the correct (but won't renew) Let's Encrypt SSL is being used.

Again, everything operates flawlessly, I can't renew the Let's Encrypt SSL.

Decide to create a new SSL in the subdomain Let's Encrypt section (maybe it will fix the issue or let me choose it).

Error: Let's Encrypt SSL certificate installation failed: Failed letsencrypt execution: Saving debug log to /usr/local/psa/var/modules/letsencrypt/logs/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.domain.com
Starting new HTTPS connection (1): 127.0.0.1
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /usr/local/psa/var/modules/letsencrypt/etc/keys/0000_key-certbot.pem
Creating CSR: /usr/local/psa/var/modules/letsencrypt/etc/csr/0000_csr-certbot.pem
Non-standard path(s), might not work with crontab installed by your operating system package manager
Starting new HTTPS connection (1): 127.0.0.1
Starting new HTTPS connection (1): 127.0.0.1
Starting new HTTPS connection (1): 127.0.0.1
Install certificate failure: Unable to set certificate name :
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/usr/local/psa/var/modules/letsencrypt/etc/live/mail.domain.com/fullchain.pem.
Your cert will expire on 2017-03-27. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you lose your account credentials, you can recover through
e-mails sent to [email protected].
- Your account credentials have been saved in your Certbot
configuration directory at
/usr/local/psa/var/modules/letsencrypt/etc. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.

There is no renewal button or option in either Let's Encrypt domain or subdomain area.

Cron command Plesk installed: /usr/local/psa/admin/bin/php -dauto_prepend_file=sdk.php '/usr/local/psa/admin/plib/modules/letsencrypt/scripts/renew-certificates.php'

Any ideas how to fix or modify this issue?

Is there a way to move the Let's Encrypt SSL out of the main domain list and move it to the subdomain SSL - or - can I delete the current Let's Encrypt SSL, create a new one in the subdomain and fix the path in TOOLS / SETTINGS > SSL CERTIFICATES?

We had the exactly same config on a Plesk 12.5 server (did not migrate, this was a fresh install) and the Let's Encrypt SSL for the subdomain (also the hostname) cert did renew.

Everything still working perfectly, until the Let's Encrypt SSL expires in 22 days.
 
Last edited:
RESOLVED.

Here's what I did in case others have the same issue:

- Under your main domain, remove the Let's Encrypt SSL from the main domain list so only the main domains SSL appears in the SSL list
- Back in TOOLS/SSL Settings switch Secure Plesk and Secure Email back to the default server SSL (you will immediately be thrown out of Plesk)
- Log back into Plesk using your host's original hostname for your server :8443
- Go to the subdomain you created and create a Let's Encrypt SSL for the subdomain
- Back in TOOLS/SSL Settings switch Secure Plesk and Secure Email to use the new Let's Encrypt SSL you created
- Open a new browser window and log back into Plesk using your subdomain:8443 and your new Let's Encrypt SSL will appear

Now that the new Let's Encrypt SSL appears in the Let's Encrypt list under the subdomain, the SSL will renew correctly.

You will also see a (1) beside the Let's Encrypt SSL and a (1) beside your main domain SSL, but the default server SSL will now read as (0)

Although the installation of Onyx was new, the server was migrated from a 12.5 install to Onyx which prevented the Let's Encrypt SSL from appearing in the correct subdomain and preventing the renewal -- at least that appears to be the issue due to the missing information in the Let's Encrypt section of the subdomain and the information here > https://docs.plesk.com/en-US/onyx/a...g-plesk/securing-plesk-and-mail-server.76576/
Seems that a migration causes the same issue described in the admin guide as an upgrade.

Thanks for reading my ramblings and have a Happy New Year.
 
@themew sorry, but I don't get the first step in your description
Under your main domain, remove the Let's Encrypt SSL from the main domain list so only the main domains SSL appears in the SSL list​

Could you please be more specific?
I don't see a way to "remove the Let's Encrypt SSL from the main domain list" and I don't know what is meant by "only the main domains SSL appears in the SSL list".
I guess main domain is my first domain, the one the mail server is also configured for.
Where do I have to click? Maybe I'm overseeing something, because I can't remove anything under the "Let's Encrypt" extension in my main domain and if I open the "SSL/TLS certificates" entry, I see a list of Let's encrypt certificates for this main domain, nothing else. If I try to remove the LE cert it complaints that it's being used by webservers. And if I could potentially remove it there's nothing left that could fit the "only the main domains SSL appears in the SSL list".

Sorry if it sound noobish. Hope you can help.
Thanks
Karsten
 
Back
Top