
Resolved Letsencrypt fails to secure domain (and plesk panel)

Sebastian Lange

The letsencrypt module fails to secure the (only) domain and the plesk panel on a freshly installed plesk system with a restored domain from backup (by Odin). There are currently just the default preinstalled plesk-panel default certificate under Tools->SSL Certs and the not working letsencrypt cert under domain -> exampledomain.de -> ssl certs. The cert is selected correctly at the domain hosting settings.

This server just holds one domain which runs the panel under default port and the given (changed) homepage.

We select to use letsencrypt for the domain, include the www. prefix and also the plesk panel. After some time there is just the message

This operation is taking too long. Check the results in a few minutes.
The log at /usr/local/psa/var/modules/letsencrypt/log

Code:
2016-09-09 14:01:39,343:DEBUG:certbot.storage:Writing new config /opt/psa/var/modules/letsencrypt/etc/renewal/exampledomain.de.conf.new.
2016-09-09 14:01:39,347:INFO:certbot.reporter:Reporting to user: Congratulations! Your certificate and chain have been saved at /opt/psa/var/modules/letsencrypt/etc/live/lobo.de/fullchain.pem. Your cert will expire on 2016-12-08. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew"
2016-09-09 14:01:39,348:DEBUG:letsencrypt_plesk.api_client:Plesk API-RPC request: <?xml version="1.0" ?><packet><server><get_protos/></server></packet>
2016-09-09 14:01:39,351:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): 127.0.0.1
2016-09-09 14:01:39,665:DEBUG:requests.packages.urllib3.connectionpool:"POST /enterprise/control/agent.php HTTP/1.1" 200 None
2016-09-09 14:01:39,668:DEBUG:letsencrypt_plesk.api_client:Plesk API-RPC response: <?xml version="1.0" encoding="UTF-8"?>
<packet version="1.6.7.0">
  <server>
    <get_protos>
      <result>
        <status>ok</status>
        <protos>
          <proto>1.0.0.0</proto>
          <proto>1.1.0.0</proto>
          <proto>1.2.0.0</proto>
          <proto>1.3.0.0</proto>
          <proto>1.3.1.0</proto>
          <proto>1.3.2.0</proto>
          <proto>1.3.3.0</proto>
          <proto>1.3.4.0</proto>
          <proto>1.3.5.0</proto>
          <proto>1.4.0.0</proto>
          <proto>1.4.1.0</proto>
          <proto>1.4.2.0</proto>
          <proto>1.4.1.1</proto>
          <proto>1.4.1.2</proto>
          <proto>1.5.0.0</proto>
          <proto>1.5.1.0</proto>
          <proto>1.5.2.0</proto>
          <proto>1.5.2.1</proto>
          <proto>1.6.0.0</proto>
          <proto>1.6.0.1</proto>
          <proto>1.6.0.2</proto>
          <proto>1.6.2.0</proto>
          <proto>1.6.3.0</proto>
          <proto>1.6.3.1</proto>
          <proto>1.6.3.2</proto>
          <proto>1.6.3.3</proto>
          <proto>1.6.3.4</proto>
          <proto>1.6.3.5</proto>
          <proto>1.6.4.0</proto>
          <proto>1.6.5.0</proto>
          <proto>1.6.6.0</proto>
          <proto>1.6.7.0</proto>
        </protos>
      </result>
    </get_protos>
  </server>
</packet>

2016-09-09 14:01:39,677:DEBUG:letsencrypt_plesk.api_client:Plesk API-RPC request: <?xml version="1.0" ?><packet><certificate><get-pool><filter><domain-name>exampledomain.de</domain-name></filter></get-pool></certificate></packet>
2016-09-09 14:01:39,681:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): 127.0.0.1
2016-09-09 14:01:39,975:DEBUG:requests.packages.urllib3.connectionpool:"POST /enterprise/control/agent.php HTTP/1.1" 200 None
2016-09-09 14:01:39,978:DEBUG:letsencrypt_plesk.api_client:Plesk API-RPC response: <?xml version="1.0" encoding="UTF-8"?>
<packet version="1.6.7.0">
  <certificate>
    <get-pool>
      <result>
        <status>ok</status>
        <filter-id>exampledomain.de</filter-id>
        <id>1</id>
        <certificates>
          <certificate>
            <name>Lets Encrypt exampledomain.de</name>
          </certificate>
        </certificates>
      </result>
    </get-pool>
  </certificate>
</packet>
2016-09-09 14:01:39,980:DEBUG:letsencrypt_plesk.api_client:Plesk API-RPC request: <?xml version="1.0" ?><packet><certificate><remove><filter><name>Lets Encrypt exampledomain.de</name></filter><site>exampledomain.de</site></remove></certificate></packet>
2016-09-09 14:01:39,982:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): 127.0.0.1
2016-09-09 14:11:40,027:DEBUG:requests.packages.urllib3.connectionpool:"POST /enterprise/control/agent.php HTTP/1.1" 504 176
2016-09-09 14:11:40,045:DEBUG:letsencrypt_plesk.api_client:Plesk API-RPC response: <html>
<head><title>504 Gateway Time-out</title></head>
<body bgcolor="white">
<center><h1>504 Gateway Time-out</h1></center>
<hr><center>nginx</center>
</body>
</html>

2016-09-09 14:11:40,104:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/local/psa/var/modules/letsencrypt/venv.RB7fT/lib/python2.7/site-packages/certbot/client.py", line 370, in deploy_certificate
    self.installer.save()  # needed by the Apache plugin
  File "/usr/local/psa/var/modules/letsencrypt/venv.RB7fT/lib/python2.7/site-packages/letsencrypt_plesk/configurator.py", line 177, in save
    secure_plesk=self.conf('secure-panel'))
  File "/usr/local/psa/var/modules/letsencrypt/venv.RB7fT/lib/python2.7/site-packages/letsencrypt_plesk/deployer.py", line 133, in save
    self.remove_cert()
  File "/usr/local/psa/var/modules/letsencrypt/venv.RB7fT/lib/python2.7/site-packages/letsencrypt_plesk/deployer.py", line 114, in remove_cert
    response = self.plesk_api_client.request(request)
  File "/usr/local/psa/var/modules/letsencrypt/venv.RB7fT/lib/python2.7/site-packages/letsencrypt_plesk/api_client.py", line 96, in request
    return XmlToDict(response.text.encode('utf-8'))
  File "/usr/local/psa/var/modules/letsencrypt/venv.RB7fT/lib/python2.7/site-packages/letsencrypt_plesk/api_client.py", line 188, in __init__
    dom = parseString(data)
  File "/opt/plesk/python/2.7/lib/python2.7/xml/dom/minidom.py", line 1928, in parseString
    return expatbuilder.parseString(string)
  File "/opt/plesk/python/2.7/lib/python2.7/xml/dom/expatbuilder.py", line 940, in parseString
    return builder.parseString(string)
  File "/opt/plesk/python/2.7/lib/python2.7/xml/dom/expatbuilder.py", line 223, in parseString
    parser.Parse(string, True)
ExpatError: mismatched tag: line 6, column 2

2016-09-09 14:11:40,105:DEBUG:certbot.error_handler:Calling registered functions
2016-09-09 14:11:40,125:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/psa/var/modules/letsencrypt/venv/bin/certbot", line 11, in <module>
    sys.exit(main())
  File "/usr/local/psa/var/modules/letsencrypt/venv.RB7fT/lib/python2.7/site-packages/certbot/main.py", line 744, in main
    return config.func(config, plugins)
  File "/usr/local/psa/var/modules/letsencrypt/venv.RB7fT/lib/python2.7/site-packages/certbot/main.py", line 507, in run
    lineage.chain, lineage.fullchain)
  File "/usr/local/psa/var/modules/letsencrypt/venv.RB7fT/lib/python2.7/site-packages/certbot/client.py", line 370, in deploy_certificate
    self.installer.save()  # needed by the Apache plugin
  File "/usr/local/psa/var/modules/letsencrypt/venv.RB7fT/lib/python2.7/site-packages/letsencrypt_plesk/configurator.py", line 177, in save
    secure_plesk=self.conf('secure-panel'))
  File "/usr/local/psa/var/modules/letsencrypt/venv.RB7fT/lib/python2.7/site-packages/letsencrypt_plesk/deployer.py", line 133, in save
    self.remove_cert()
  File "/usr/local/psa/var/modules/letsencrypt/venv.RB7fT/lib/python2.7/site-packages/letsencrypt_plesk/deployer.py", line 114, in remove_cert
    response = self.plesk_api_client.request(request)
  File "/usr/local/psa/var/modules/letsencrypt/venv.RB7fT/lib/python2.7/site-packages/letsencrypt_plesk/api_client.py", line 96, in request
    return XmlToDict(response.text.encode('utf-8'))
  File "/usr/local/psa/var/modules/letsencrypt/venv.RB7fT/lib/python2.7/site-packages/letsencrypt_plesk/api_client.py", line 188, in __init__
    dom = parseString(data)
  File "/opt/plesk/python/2.7/lib/python2.7/xml/dom/minidom.py", line 1928, in parseString
    return expatbuilder.parseString(string)
  File "/opt/plesk/python/2.7/lib/python2.7/xml/dom/expatbuilder.py", line 940, in parseString
    return builder.parseString(string)
  File "/opt/plesk/python/2.7/lib/python2.7/xml/dom/expatbuilder.py", line 223, in parseString
    parser.Parse(string, True)
ExpatError: mismatched tag: line 6, column 2
 
After several reboots and (not so sure what I did) different renewals and server-restarts the homepage is now correctly using the letsencrypt certificate.

Plesk panel still has the same issue of not getting the letsencrypt cert. Insists on using the Odin-generated Plesk certificate and does not even show the letsencrypt as available option under tools->certs
 
Hi Sebastian Lange,

pls. upload the desired certificate manually at "Home > Tools & Settings > SSL/TLS Certificates" and secure the Plesk Control Panel with the Let's encrypt certificate:

Secure_Plesk-Control-Panel_001.jpg

Consider to use the manual creation of a Let's encrypt certificate, described for example at: => https://gethttpsforfree.com/ <= ( External link, pls. inform me, if the link goes dead, so I can provide another working link! )



With => Plesk Onyx <= ( currently in "preview state", but will be released in October 2016 ... works quite stable on some of my servers ), the handling is easier and less complicated:

Plesk-Onyx_Secure_Plesk_001.png
 
Hi Sebastian Lange,

I just investigated, that a Plesk developer ( Eugene Kazakov ) invented as well the "Secure plesk clean installation with hostname certificate by Let's Encrypt" => https://gist.github.com/xgin/fbfa4577ad46955f472c <=
( mentioned as well at: https://codegists.com/snippet/shell/letsencrypt-hostnamesh_xgin_shell )

Script "letsencrypt-hostname.sh" :
Code:
#!/bin/bash -e
### Copyright 1999-2015. Parallels IP Holdings GmbH. All Rights Reserved.
### Secure plesk clean installation with hostname certificate by Let's Encrypt

export PYTHONWARNINGS="ignore:Non-standard path"
LE_HOME=${LE_HOME:-"/usr/local/psa/var/modules/letsencrypt"}
HOSTNAME=$(hostname)

# Use staging server for testing
# --server https://acme-staging.api.letsencrypt.org/directory
# --server http://letsencrypt.pp.plesk.ru/directory

"${LE_HOME}/venv/bin/letsencrypt" \
    --renew-by-default \
    --no-redirect \
    --agree-tos \
    --text \
    --config-dir "${LE_HOME}/root/etc" \
    --work-dir "${LE_HOME}/root/lib" \
    --logs-dir "${LE_HOME}/root/logs" \
    --webroot \
    --webroot-path "/var/www/vhosts/default/htdocs/" \
    -d "${HOSTNAME}" \
    --register-unsafely-without-email \
    certonly

CERT_PATH="${LE_HOME}/root/etc/live/${HOSTNAME}"
TMP_PATH=$(mktemp "${CERT_PATH}/plesk.XXXXX")
cat "${CERT_PATH}/privkey.pem" <(echo) \
    "${CERT_PATH}/cert.pem" <(echo) \
    "${CERT_PATH}/chain.pem" > "${TMP_PATH}"
echo "Let's Encrypt certificate for Plesk was created: ${TMP_PATH}"
/usr/local/psa/admin/bin/certmng --setup-cp-certificate --certificate="${TMP_PATH}"
echo "Certificate installation was finished successfully"

I didn't test it, but you might get ( unofficial ) support here in the Plesk - Forum from a Plesk-Team-Member ( or from "Eugene Kazakov" himself ), if you have any further question/issues/problems.
 
Hi there!
According to the log Plesk hangs on the API call for more than 10 minutes:
<packet><certificate><remove><filter><name>Lets Encrypt exampledomain.de</name></filter><site>exampledomain.de</site></remove></certificate></packet>
As a workaround you can remove the certificate manually or just rename it.
In Onyx we have changed this behaviour - the certificates are no longer removed, an update API was introduced.
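
Added example (not part of the thread and not the extension's own code): it pairs each API-RPC request in the letsencrypt log with the HTTP status line that follows it, so the stalled call stands out, and it shows that handing the nginx 504 page to the XML parser reproduces the `ExpatError` from the traceback. The function names are illustrative; the sample lines are abridged from the log quoted above.

```python
import re
from datetime import datetime
from xml.dom.minidom import parseString
from xml.parsers.expat import ExpatError

# Two request/status pairs abridged from the log quoted in the thread.
SAMPLE_LOG = """\
2016-09-09 14:01:39,677:DEBUG:letsencrypt_plesk.api_client:Plesk API-RPC request: <?xml version="1.0" ?><packet><certificate><get-pool><filter><domain-name>exampledomain.de</domain-name></filter></get-pool></certificate></packet>
2016-09-09 14:01:39,975:DEBUG:requests.packages.urllib3.connectionpool:"POST /enterprise/control/agent.php HTTP/1.1" 200 None
2016-09-09 14:01:39,980:DEBUG:letsencrypt_plesk.api_client:Plesk API-RPC request: <?xml version="1.0" ?><packet><certificate><remove><filter><name>Lets Encrypt exampledomain.de</name></filter><site>exampledomain.de</site></remove></certificate></packet>
2016-09-09 14:11:40,027:DEBUG:requests.packages.urllib3.connectionpool:"POST /enterprise/control/agent.php HTTP/1.1" 504 176
"""
# Body of the 504 page as it appears in that log.
NGINX_504 = """<html>
<head><title>504 Gateway Time-out</title></head>
<body bgcolor="white">
<center><h1>504 Gateway Time-out</h1></center>
<hr><center>nginx</center>
</body>
</html>"""

TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})"
REQ = re.compile(TS + r":DEBUG:\S+api_client:Plesk API-RPC request: .*?<packet><([\w-]+)><([\w-]+)>")
RESP = re.compile(TS + r':DEBUG:\S+connectionpool:"POST \S+ HTTP/1\.1" (\d{3}) ')

def _ts(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S,%f")

def stalled_calls(log_text, threshold_s=30.0):
    """Pair each API-RPC request with the next HTTP status line and return
    (operation, status, seconds) for calls that were slow or not 200."""
    hits, pending = [], None
    for line in log_text.splitlines():
        req, resp = REQ.match(line), RESP.match(line)
        if req:
            pending = (_ts(req.group(1)), req.group(2) + "/" + req.group(3))
        elif resp and pending:
            secs = (_ts(resp.group(1)) - pending[0]).total_seconds()
            if int(resp.group(2)) != 200 or secs > threshold_s:
                hits.append((pending[1], int(resp.group(2)), round(secs, 3)))
            pending = None
    return hits

def xml_parse_error(body):
    """Return expat's message if body is not well-formed XML, else None."""
    try:
        parseString(body)
    except ExpatError as exc:
        return str(exc)
    return None
```

Run over the sample, only the `certificate/remove` call is flagged (HTTP 504 after roughly ten minutes), and the parser error comes from the unclosed `<hr>` in the HTML error page rather than from any Plesk XML.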
 
@Sebastian Lange and @EugeneKazakov,

The output of @Sebastian Lange indicates that there is a huge probability and almost certainty that the Plesk Panel has been secured manually (note: often via the command line).

The "failure" of the API call, being that it hangs during some considerable amount of time, does not imply that the API is not working.

In essence, the Let's Encrypt extension already has an entry for the FQDN of the server, on which the Plesk instance is running.

@EugeneKazakov, since the current extension does not allow to revoke the letsencrypt certificates via the Plesk Panel, can you

a) have a look at this revocation, as a future feature of the Let's Encrypt extension? (as far as I know, it is on the agenda, but implementation in the near future would be welcome)

b) provide a manual command to revoke/remove a certificate

Regards.....
 
Hi, sorry for the long wait. We did not secure it manually; it was secured by default plesk ssl self signed certificate. I just wondered why the option in the letsencrypt module would be available but not working. Since it's only me working on plesk all of the time this is no big deal. It did work fine for the homepage after several tries and reboots (sounds almost like windows, but is a linux server)
 