
Resolved Older Plesk Versions + Let's Encrypt Asynchronous Order Finalization

futureweb

Regular Pleskian
Server operating system version: Centos
Plesk version and microupdate number: multiple
Hello,

Unfortunately, some of our customers are still using outdated Plesk servers (including CentOS 6, Plesk: version 18.0.31 Update No. 3). These servers also use LE SSL certificates (from what I have seen, several hundred domains on multiple servers, yes, we are aware that this is a nuisance, I would also prefer it weren't the case - but that's the way it is).

Please consider releasing an unscheduled update for the SSLIt extension to address this breaking change. Otherwise, when LE rolls out the final change, several hundred domains will lose their SSL certificate. We will strongly recommend our customers to migrate to an up-to-date Plesk server, but some are reluctant due to the time and effort involved. It is unlikely that all Plesk servers can be migrated before the rollout, especially since there was no advance warning from LE until the first brownout occurred.

Additionally, I suspect that other hosting providers may also be affected by this issue, not just us. It would be helpful if the SSLIt extension update could be made available to all affected providers as soon as possible. Guess you can check how many are affected on your side.

Thank you very much.
Andy
 
I think this is a very basic issue that affects all users, independent of the Plesk version used. We conducted tests last night and found that the update on Let's Encrypt's end has affected not only the latest version, but also previous versions. It also became clear that this is not limited to Plesk, but to almost all who are using Let's Encrypt. The Let's Encrypt extension will for sure be updated here. I cannot say though, if that will work with an outdated, unsupported old Plesk version.
 
Hello Peter,
I am familiar with the changes that Let's Encrypt (LE) has made as I develop a custom LE client for our company, and I implemented the protocol changes in our client yesterday. The ACME protocol has supported this asynchronous certificate issuance for a long time, and LE has only now implemented it, which makes sense. Therefore, I am quite confident that this change will definitely go live sooner or later. (certbot supporting async finalization since v0.22.0 for example)
Currently, this change affects all Plesk versions because this change has not yet been programmed into the SSLIt extension. However, I am not worried about this as it will happen eventually.
My concern is that this change may not be backported to older, unsupported Plesk versions because the last version of SSLIt rolled out for these older Plesk versions is version 1.10.4-1511, while we are currently at version 1.12.8-1619 for the latest Plesk versions. Could you please investigate whether this breaking change can be backported to these "out of support" Plesk versions, as it would have a HUGE IMPACT if no SSL certificates could be issued via LE at all.
Thank you, best regards from Tirol,
Andreas
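
The asynchronous finalization discussed in this thread, as an added example that is not part of any post and is not Plesk, Let's Encrypt or certbot code: under RFC 8555 the finalize response may report the order as `processing`, and the client then re-reads the order until it is `valid` or `invalid`. The `post` transport, the `ca.example` URLs and the canned CA replies are constructed assumptions.

```python
import time

class OrderFailed(Exception):
    """The order cannot produce a certificate (or did not in time)."""

def retry_after_seconds(headers, default=3, ceiling=60):
    # Retry-After may also be an HTTP-date; this sketch handles delta-seconds only
    # and caps the value so a bad response cannot stall the renewal job.
    value = headers.get("Retry-After", "")
    return min(int(value), ceiling) if value.isdigit() else default

def finalize_and_wait(post, finalize_url, order_url, csr, max_polls=10, sleep=time.sleep):
    """Finalize an order and return the certificate URL.

    `post(url, payload)` is a hypothetical transport returning (headers, body);
    payload None means POST-as-GET. JWS signing and nonces live inside it.
    """
    headers, order = post(finalize_url, {"csr": csr})
    polls = 0
    while True:
        status = order.get("status")
        if status == "valid" and "certificate" in order:
            return order["certificate"]
        if status == "invalid":
            raise OrderFailed(order.get("error", {}).get("detail", "order invalid"))
        if status != "processing":
            raise OrderFailed(f"unexpected order status {status!r} after finalize")
        if polls >= max_polls:
            raise OrderFailed("order still processing, giving up")
        # Asynchronous path: issuance is not finished yet, so wait and re-read the order.
        sleep(retry_after_seconds(headers))
        headers, order = post(order_url, None)
        polls += 1

def demo():
    # Constructed CA replies: finalize answers "processing", the second poll is "valid".
    base = "https://ca.example/acme/order/1"
    replies = iter([
        ({"Retry-After": "2"}, {"status": "processing"}),
        ({}, {"status": "processing"}),
        ({}, {"status": "valid", "certificate": "https://ca.example/acme/cert/1"}),
    ])
    calls, waits = [], []
    def post(url, payload):
        calls.append(url)
        return next(replies)
    cert = finalize_and_wait(post, base + "/finalize", base, "constructed-csr", sleep=waits.append)
    return cert, waits, calls

if __name__ == "__main__":
    print(demo())
```

A synchronous CA reply (`valid` straight from finalize) takes the first branch without any polling, so the same function covers both behaviours.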
 
Thank you for raising that topic, @futureweb.

To be more precise, the fix should be implemented into the Let's Encrypt extension (as a plugin for SSL It!). Anyway, first of all, we need to release a fix for supported versions.

Last Friday, we released an update for the LE extension (Let's Encrypt 3.1.8 => Let's Encrypt 3.1.9); the new version is available for Plesk 18.0.36+. But LE v3.1.9 can't be installed on earlier versions of Plesk.

We were discussing what to do about a backport of the fix, but after an announcement from LE (that they decided to cancel the rest of the prod brownouts), we decided the issue with outdated Plesk and extensions is not as urgent as before.
[...] Based on that data and the great conversations in this forum yesterday, we've decided to cancel the rest of the prod brownouts, and to indefinitely postpone enabling asynchronous finalization in prod. [...] (c) Enabling Asynchronous Order Finalization
 