
Resolved Let's Encrypt Wildcard, is set for the wrong domain

xgenesis

Let's Encrypt Wildcard certificates are being set for the wrong domain, how can this be resolved? I get a connection not secure page, because it's being set for a different domain of mine.
 
This issue needs some more details. Consider sharing with the community which system, OS, Plesk and extension versions you use.

Troubleshooting failed certificate installation in Plesk Let's Encrypt extension

Yeah it's a really weird issue to explain. Essentially I enabled Let's Encrypt wildcard certificates using this: How to install wildcard certificates with Let's Encrypt?

After enabling it, I want to add wildcard certificates for my domain abc.tld , but instead it issues the certificate to xyz.tld. So when I visit abc.tld I get an error by Firefox saying:

"subdomain.abc.tld uses an invalid security certificate. The certificate is only valid for xyz.tld. Error code: SSL_ERROR_BAD_CERT_DOMAIN"

I tried changing the nameservers using Namecheap to see if that fixes the issue, but it doesn't.

How can I issue Let's Encrypt manually on Plesk? Maybe that resolves the problem.
 
One thing that I also notice is that when I ping abc.tld, it shows as

PING abc.tld (xxx.xx.xxx.xxx) 56(84) bytes of data.
64 bytes from xyz.tld (xxx.xx.xxx.xxx): icmp_seq=1 ttl=49 time=30.9 ms
64 bytes from xyz.tld (xxx.xx.xxx.xxx): icmp_seq=2 ttl=49 time=24.8 ms
64 bytes from xyz.tld (xxx.xx.xxx.xxx): icmp_seq=3 ttl=49 time=20.8 ms

So is it possibly making this mistake due to the reverse dns?
 
This is the error I get, and in Plesk these are the options I had set. I don't know why wildcards are not working....

 
Only speed reading this thread, but from what you've posted @xgenesis it appears that Your-Domain.net is NOT a sub-domain of Your-Domain.com, which makes perfect sense and thus means, that the wildcard certificate that you have already issued on Your-Domain.net is not being seen yet / used at this point in time, regardless... That's effectively the same message that you're seeing on Firefox aka "The certificate is only valid for Your-Domain.com" as shown in your image above ^^

Which domain name (FQDN) have you used here: https://yourpleskdomain:8443/plesk/server/preferences/

and

Which certificate (domain) have you used for plesk and mail here: https://yourpleskdomain:8443/admin/ssl-certificate/list

and

Are you using just one IP address for both of these domains (Your-Domain.net & Your-Domain.com)

You could post screen grabs with domain names blurred like above if it's easier (note that you've left a domain name visible in the last image above)

That data ^^ should be the start of quickly working this out...
 
If I change the hostname to my .net domain and request a new certificate, it doesn't change anything. Just says the same error, but instead says it with my .net domain (which means wildcard certificates still don't work)
 
@xgenesis You've only posted details relating to the 2nd of the three questions, so we can't go any further - yet.
Might be useful to post exactly what you have / want i.e. One domain (host domain) with x amount of subdomains or, maybe Many domains, one of which is also the host domain, but all of which, also have subdomains or, maybe another different setup, say Many domains, one of which is also the host domain, but only one of which, has subdomains etc

Let's Encrypt Wildcard certificates definitely do work if... all the associated setup details (IP address / Domain Name / DNS / Let's Encrypt Plesk Extension etc) are used correctly. We have lots of them and they all work perfectly. Noted your post about changing the hostname, but how / what you did next is still a little vague at this point.
 
@xgenesis You've only posted details relating to the 2nd of the three questions, so we can't go any further - yet.
Might be useful to post exactly what you have / want i.e. One domain (host domain) with x amount of subdomains or, maybe Many domains, one of which is also the host domain, but all of which, also have subdomains or, maybe another different setup, say Many domains, one of which is also the host domain, but only one of which, has subdomains etc

Let's Encrypt Wildcard certificates definitely do work if... all the associated setup details (IP address / Domain Name / DNS / Let's Encrypt Plesk Extension etc) are used correctly. We have lots of them and they all work perfectly. Noted your post about changing the hostname, but how / what you did next is still a little vague at this point.

Sorry, for the third question, I am using the same IP Addresses for all of my domains. Basically what I want is to be able to use wildcard certificates for my .net domain.

I just tried adding a wildcard certificate to the .com domain to see if it'll work, but that's not working either. I get a "this certificate is only valid for" error. (Not by Plesk, but on the webpage I visit)

My current setup, I have 8 domains. Several of them have subdomains for specific use-cases. For my .net domain however I need a wildcard certificate where I can have an infinite number of subdomains for that particular domain.

So basically after I changed the hostname, I requested a new certificate by going to the Let's Encrypt option for that particular .net domain, then I clicked renew.
 
Also subdomain Let's Encrypt certificates are working, it's only wildcard certificates that do not work. Which is the feature that I need
 
@xgenesis You've only posted details relating to the 2nd of the three questions, so we can't go any further - yet.

For the first question, the domain name that I'm using is my .com domain. But even if I change it to my .net domain, wildcard certificates do not work. I've tested wildcard certificates on my .com and .net domain.

Changing the hostname does seem to fix the error. The only change though is that the error goes from, "The owner of subdomain.domain.com has configured their website improperly" to "The owner of subdomain.domain.net has configured their website improperly"
 
If we've understood this correctly then:

1) You have 8 separate domains.
2) One of these 8 domains, is the FQDN that is used as the entry here: Plesk / Tools & Settings / General Setting - Server Settings / Full hostname *
3) All 8 domains use one shared IPv4 Address which is used as the entry here: Plesk / Tools & Settings / Tools & Resources / IP Addresses /
4) On this same IP Addresses section, you have NO IPv6 address and the IPv4 address shows all of the 8 domains against it under the 'Sites' column
5) The DNS for all 8 of these domains and all of their subdomains (where utilised) is setup correctly.
6) You have already checked all the DNS records against all the domains (and sub-domains) and verified this (outside of Plesk) in advance of issuing any new certificates

If all that is correct ^^ There's nothing to stop what you want to achieve within Plesk actually happening, apart from, how you choose to issue the certificates :)

There's plenty of Plesk data / information that exists already, initially HERE and HERE and in more useful detail HERE as you read forward in that thread plus elsewhere in this forum

For a simple summary, this might help:

a) Confirm all of the above ^^ is in place, before commencing, especially your decision as to which domain is and will remain the Full hostname the FQDN in 1) above
b) Issue the Let's Encrypt certificates against each domain using the Plesk Let's Encrypt Extension (having made any required mods via panel.ini BEFORE you do so...) NOTE these panel.ini mods are required especially for certain default choices e.g. Wildcard Certificates or ECDSA not RSA Certificates etc (see previous reading)
c) Ensure that the correct new certificate for each domain is selected under the Hosting Settings / Security section for each of the 8 domains AND their sub-domains
d) Ensure that the correct new certificate for each domain is selected under the Mail / Mail Settings section for each of the 8 domains AND their sub-domains
e) Ensure that the new certificate for the domain you chose as Full hostname the FQDN in 1) above is chosen to secure Plesk and Mail under Tools & Settings / Security / SSL/TLS Certificates
f) Verify all the setups via tests e.g. Qualys and HT Bridge and many other SSL check processes like the Digicert checker

FWIW We have a similar setup to you. i.e. Lots of domains, all on one IPv4 (but also, all on one IPv6 address) and lots of these domains have sub-domains. The Let's Encrypt Certificates work on all domains and sub-domains (including the Full hostname the FQDN in 1) Obviously, some of the certificates are Wildcard, some are not. We don't have any 'wrong certificate' errors anywhere, like you're currently having problems with. By chance, our setup is very similar to what you want to do anyway we think?

So...in your case, we'd guess... that the error must be coming from the sub-domain set ups, the DNS and/or.... the actual process used, for issuing the certificates correctly (including the required panel.ini mods to the Plesk Extension) Those are the areas we'd look at next. FWIW You could delete all the existing Let's Encrypt certificates first of all, if you wanted a thorough clean up and re-start approach. As you're obviously already fully aware, the Let's Encrypt certificates themselves are great and work perfectly, even with multi-domain and/or sub-domains (for free!) but they are totally dependent on the correct setup data used for their creation in every case, if, they are to be used successfully in each and every case. It's possibly just one incorrect detail entry / small setup choice that's stopping this working for you at present....
 
If we've understood this correctly then:
c) Ensure that the correct new certificate for each domain is selected under the Hosting Settings / Security section for each of the 8 domains AND their sub-domains...

Thank you so much! This ended up fixing it. Basically no certificate was selected for *.domain.net

Thank you! :)
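
The fix in this thread came down to which certificate the server presents for each hostname on the shared IP. As an added example (not part of the thread and not Plesk code), the Python below reads the SANs served for an SNI name and checks whether any of them covers the hostname, including the one-label wildcard rule. `served_sans` assumes the presented chain is publicly trusted; the hostnames and SAN lists in `SAMPLE` are constructed.

```python
import socket
import ssl


def san_matches(hostname, san):
    """RFC 6125-style match: '*' stands for exactly one left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    pattern = san.lower().rstrip(".").split(".")
    if len(host) != len(pattern):
        return False  # *.abc.tld covers neither abc.tld nor a.b.abc.tld
    if pattern[0] == "*":
        return len(pattern) > 2 and host[1:] == pattern[1:]
    return host == pattern


def served_sans(hostname, port=443, timeout=5.0):
    """DNS names in the certificate the server presents for this SNI name."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # inspect a mismatching certificate instead of aborting
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def audit(served):
    """Map each hostname to the SANs that cover it; an empty list is a mismatch."""
    return {host: [s for s in sans if san_matches(host, s)]
            for host, sans in served.items()}


# Constructed sample: SAN lists as served_sans() would return them on a shared IP.
SAMPLE = {
    "subdomain.abc.tld": ["xyz.tld", "www.xyz.tld"],  # default cert of another site
    "shop.abc.tld": ["abc.tld", "*.abc.tld"],         # wildcard selected correctly
    "abc.tld": ["*.abc.tld"],                         # wildcard alone misses the apex
    "a.b.abc.tld": ["abc.tld", "*.abc.tld"],          # wildcard spans one label only
}

if __name__ == "__main__":
    for host, covering in audit(SAMPLE).items():
        print(f"{host:20} {'OK via ' + covering[0] if covering else 'MISMATCH'}")
```

To check a live server, build the input with `{h: served_sans(h) for h in hostnames}` and pass it to `audit`.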
 