
Forwarded to devs Let's Encrypt wildcard certificates are not issued for domain aliases

Sergio Manzi

Regular Pleskian
TITLE:
Let's Encrypt wildcard certificates are not issued for domain aliases
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:
Plesk Onyx Version 17.8.11 Update #63
Let's Encrypt Version: 2.8.2-529
CentOS Linux 7.6.1810
PROBLEM DESCRIPTION:
When requesting a wildcard certificate for a subscription having domain aliases, the wildcard certificate is issued only for the primary domain (subject). All the domain aliases are issued just a "naked domain" certificate as "Certificate Subject Alt Names" of the primary subject.
STEPS TO REPRODUCE:
  • Create a subscription having at least one domain alias
  • Request a Let's Encrypt wildcard certificate for that domain and its domain alias
  • Examine the issued certificate
ACTUAL RESULT:
The wildcard certificate is issued only for the primary domain while only the naked domain is listed in the "Certificate Subject Alt Names" for domain aliases
EXPECTED RESULT:
Wildcard certificate being issued for the domain aliases too.
ANY ADDITIONAL INFORMATION:
No problem when requesting www and non-www certificates: all subjects are correctly listed in the certificate's Alt Names.
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:
Confirm bug
 
OK, thanks.

Sorry if I asked, but more than a month has passed and this bug, which seems to have a trivial solution, severely hampers the usefulness of wildcard certificates (it renders them totally useless to me, actually).

Cheers,

Sergio
 
Hello,

As you suggested, I kept an eye on the Let's Encrypt extension changelog and I noticed that a new version was released a few days ago and that it contained modifications regarding wildcard certificates.

This particular issue was not cited in the changelog, but I hoped it would have been silently fixed eventually, so I proceeded with the update, but, alas, that wasn't the case: the problem still persists.

As you surely understand that's a *BIG* problem: whenever someone is trying to access something like https://www.example.it (example.it being an alias of example.com) they are greeted by an "invalid security certificate" error.

This is making the Let's Encrypt extension useless for aliased domains. I'm wondering what's making this issue so difficult to solve...
 
I've recently updated from Onyx to Obsidian (nice!).

I had a slight hope that this bug would be resolved in Obsidian, but unhappily it is not.

The issue has been open since August of last year and I'm really starting to wonder whether there is any will on Plesk's part to have this fixed.

I really don't understand... do you realize that this is breaking HTTPS for www.* for every domain alias and that there is no way (that I can see or that you provided advice for) for adding www.* as an alternate subject of domain aliases?

Am I the only one using HTTPS with wildcard certificates and domain aliases? Am I missing something?
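A way to check a certificate for the coverage gap reported in this thread, as an added example that is not part of the original posts or of Plesk's code: it applies the RFC 6125 wildcard rule to a certificate's Subject Alt Names and lists the names under each domain or alias that are left uncovered. The function names, the `www` probe label and the sample certificate (shaped like the output of Python's `ssl.SSLSocket.getpeercert()`) are assumptions constructed for illustration.

```python
"""Report which hostnames a certificate's SAN list fails to cover."""


def sans_from_peercert(cert):
    """Extract DNS names from a dict shaped like ssl.SSLSocket.getpeercert()."""
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def san_matches(pattern, hostname):
    """RFC 6125-style match: '*' is honoured only as the whole left-most
    label and stands for exactly one label (never zero, never several)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Conservative choice: ignore a wildcard directly under one label.
        return len(p_labels) > 2 and bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def uncovered_names(sans, domains, probe_labels=("www",)):
    """For each domain (primary or alias), return the names a wildcard
    certificate should cover but that no SAN entry matches."""
    missing = {}
    for domain in domains:
        expected = [domain] + [f"{label}.{domain}" for label in probe_labels]
        gaps = [n for n in expected if not any(san_matches(s, n) for s in sans)]
        if gaps:
            missing[domain] = gaps
    return missing


# Constructed sample mirroring the report: wildcard for the primary domain,
# bare name only for the alias.
SAMPLE_CERT = {
    "subjectAltName": (
        ("DNS", "example.com"),
        ("DNS", "*.example.com"),
        ("DNS", "example.it"),
    )
}

if __name__ == "__main__":
    sans = sans_from_peercert(SAMPLE_CERT)
    for domain, gaps in uncovered_names(sans, ["example.com", "example.it"]).items():
        print(f"{domain}: not covered -> {', '.join(gaps)}")
```

Run against the SAN list of a freshly issued certificate, an empty result means every domain and alias has both its bare name and its `www` name covered.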
 