
Issue Plesk 12.5.30 and Lets encrypt - ERR_CONNECTION_RESET

So this is wrong? But how do I change this? If I change it by hand it will be changed back later by Plesk (at updates or so).

Code:
<IfModule mod_ssl.c>

        <VirtualHost xx.xxx.xxx.xxx:7081 >
                ServerName "mydomain.tld:443"
                ServerAlias "www.mydomain.tld"
                ServerAlias "ipv4.mydomain.tld"
                ServerAdmin "[email protected]"
                UseCanonicalName Off

                DocumentRoot "/var/www/vhosts/mydomain.tld/httpdocs"
                CustomLog /var/www/vhosts/system/mydomain.tld/logs/access_ssl_log plesklog
                ErrorLog "/var/www/vhosts/system/mydomain.tld/logs/error_log"

                <IfModule mod_suexec.c>
                        SuexecUserGroup "wdhgw" "psacln"
                </IfModule>

                <IfModule mod_userdir.c>

                        UserDir "/var/www/vhosts/mydomain.tld/web_users/*"
                </IfModule>

                <IfModule mod_sysenv.c>
                        SetSysEnv PP_VHOST_ID "5cb2a36a-c9eb-43d8-8e14-bc713f0f752d"
                </IfModule>

                ScriptAlias "/cgi-bin/" "/var/www/vhosts/mydomain.tld/httpdocs/cgi-bin/"

                Alias "/plesk-stat" "/var/www/vhosts/system/mydomain.tld/statistics"
                <Location  /plesk-stat/>
                        Options +Indexes
                </Location>
                <Location  /plesk-stat/logs/>
                        Require valid-user
                </Location>
                Alias /webstat /var/www/vhosts/system/mydomain.tld/statistics/webstat
                Alias /webstat-ssl /var/www/vhosts/system/mydomain.tld/statistics/webstat-ssl
                Alias /ftpstat /var/www/vhosts/system/mydomain.tld/statistics/ftpstat
                Alias /anon_ftpstat /var/www/vhosts/system/mydomain.tld/statistics/anon_ftpstat
                Alias /awstats-icon /usr/share/awstats/icon

                SSLEngine on
                SSLVerifyClient none
                SSLCertificateFile /opt/psa/var/certificates/cert-UI2T1H
                SSLCACertificateFile /opt/psa/var/certificates/cert-9GmfWB

                TimeOut 600
                <Directory /var/www/vhosts/mydomain.tld/httpdocs>

                        <IfModule mod_python.c>
                                <Files ~ (\.py$)>
                                        SetHandler python-program
                                        PythonHandler mod_python.cgihandler
                                </Files>
                        </IfModule>
                        <IfModule mod_fcgid.c>
                                <Files ~ (\.fcgi$)>
                                        SetHandler fcgid-script
                                        Options +ExecCGI
                                </Files>
                        </IfModule>
                        <IfModule mod_proxy_fcgi.c>
                                <Files ~ (\.php$)>
                                        SetHandler proxy:unix:///var/www/vhosts/system/mydomain.tld/php-fpm.sock|fcgi://127.0.0.1:9000
                                </Files>
                        </IfModule>

                        SSLRequireSSL

                        Options -Includes +ExecCGI

                </Directory>

                <Directory "/var/www/vhosts/system/mydomain.tld/statistics">
                        AuthType Basic
                        AuthName "Domainstatistiken"
                        AuthUserFile "/var/www/vhosts/system/mydomain.tld/pd/d..httpdocs@plesk-stat"
                        require valid-user
                </Directory>

                Alias /error_docs /var/www/vhosts/mydomain.tld/error_docs
                ErrorDocument 400 /error_docs/bad_request.html
                ErrorDocument 401 /error_docs/unauthorized.html
                ErrorDocument 403 /error_docs/forbidden.html
                ErrorDocument 404 /error_docs/not_found.html
                ErrorDocument 500 /error_docs/internal_server_error.html
                ErrorDocument 405 /error_docs/method_not_allowed.html
                ErrorDocument 406 /error_docs/not_acceptable.html
                ErrorDocument 407 /error_docs/proxy_authentication_required.html
                ErrorDocument 412 /error_docs/precondition_failed.html
                ErrorDocument 414 /error_docs/request_uri_too_long.html
                ErrorDocument 415 /error_docs/unsupported_media_type.html
                ErrorDocument 501 /error_docs/not_implemented.html
                ErrorDocument 502 /error_docs/bad_gateway.html
                ErrorDocument 503 /error_docs/maintenance.html

                <IfModule mod_security2.c>
                </IfModule>

        </VirtualHost>

</IfModule>
 
Nope. Never.
As I said before it's almost a default installation.
The only thing I changed is a private/public key based SSH access and removing the password based one.
 
No, it is fine. I was misled by the short excerpt from the "find" command. The port :443 behind the ServerName is o.k. as long as the VirtualHost is on port 7081. No idea why it should not work with that configuration.
 
Hi Sven A.,

I think we should stick to this error message to find the root cause:

Both tests fail.
SSL Server Test says
"Assessment failed: No secure protocols supported" (I think because it can't connect to the server)
and HTTP Request and Response Header says
"Connect to xx.xxx.xxx.xxx on port 443 ... failed
Error while fetching URL
"

But why?

And also I tried to run the domain with Firefox and Edge. With the same result ... I can't connect to the domain.

You already confirmed that NGINX is listening on port 443 and the service is running, and you confirmed as well that your configuration files are correct.



Pls. let's go back to your firewall and Fail2Ban:

Do you use own firewall rules? If yes, which ones pls.?

Pls. use the command:
Code:
iptables -L
... and make sure that neither your IP(s) nor localhost is listed there!

Did you whitelist your server IP(s) and localhost at Fail2Ban?

Are you able to connect with the commands ( logged in as user "root" over SSH ):
Code:
openssl s_client -connect XXX.XXX.XXX.XXX:443
and
Code:
openssl s_client -connect YOUR-DOMAIN.COM:443
 
iptables -L
Code:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
REJECT     tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN reject-with tcp-reset
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8443
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8880
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:urd
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
DROP       tcp  --  anywhere             anywhere             tcp dpt:poppassd
DROP       tcp  --  anywhere             anywhere             tcp dpt:mysql
DROP       tcp  --  anywhere             anywhere             tcp dpt:postgresql
DROP       tcp  --  anywhere             anywhere             tcp dpt:9008
DROP       tcp  --  anywhere             anywhere             tcp dpt:9080
DROP       udp  --  anywhere             anywhere             udp dpt:netbios-ns
DROP       udp  --  anywhere             anywhere             udp dpt:netbios-dgm
DROP       tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
DROP       tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
DROP       udp  --  anywhere             anywhere             udp dpt:openvpn
DROP       udp  --  anywhere             anywhere             udp dpt:domain
DROP       tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     icmp --  anywhere             anywhere             icmptype 8 code 0
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
REJECT     tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN reject-with tcp-reset
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
REJECT     tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN reject-with tcp-reset
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

openssl s_client -connect XXX.XXX.XXX.XXX:443

Code:
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 295 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

openssl s_client -connect my-domain.tld:443

Code:
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 295 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

And no, there is no firewall at the moment and no fail2ban.
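The two transcripts above are the kind of output that decides the next step: a `CONNECTED` line followed by `write:errno=104` and a handshake that read 0 bytes means the TCP connection was accepted but closed again before any TLS record came back, which is a different problem from a handshake that completes but fails verification. The following script is an added example (not code from this thread or from Plesk) that reduces an `openssl s_client` transcript to those facts; the two sample transcripts are constructed from the output posted above, trimmed to the lines the parser reads.

```python
"""Triage of `openssl s_client -connect host:443` transcripts (added example)."""
import re

# Constructed sample 1: the run posted above before the certificate was fixed.
RESET_RUN = """\
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 295 bytes
---
New, (NONE), Cipher is (NONE)
"""

# Constructed sample 2: a completed handshake whose issuer is not in the local
# trust store (verify return code 20), as in the later run in this thread.
VERIFY20_RUN = """\
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=my-domain.tld
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
SSL handshake has read 3189 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Verify return code: 20 (unable to get local issuer certificate)
"""

ERRNO_RE = re.compile(r"^write:errno=(\d+)$", re.M)
HANDSHAKE_RE = re.compile(r"SSL handshake has read (\d+) bytes and written (\d+) bytes")
CHAIN_RE = re.compile(r"^\s*\d+ s:(.+)$", re.M)          # "N s:<subject>" chain lines
PROTO_RE = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M)
VERIFY_RE = re.compile(r"Verify return code: (\d+) \((.*)\)")


def triage_s_client(transcript: str) -> dict:
    """Reduce an s_client transcript to the few facts that decide the next step."""
    errno = ERRNO_RE.search(transcript)
    handshake = HANDSHAKE_RE.search(transcript)
    verify = VERIFY_RE.search(transcript)
    proto = PROTO_RE.search(transcript)
    facts = {
        "tcp_connected": "CONNECTED(" in transcript,
        "errno": int(errno.group(1)) if errno else None,
        "bytes_read": int(handshake.group(1)) if handshake else None,
        "bytes_written": int(handshake.group(2)) if handshake else None,
        "chain": CHAIN_RE.findall(transcript),            # subjects, leaf first
        "protocol": proto.group(1) if proto else None,
        "verify_code": int(verify.group(1)) if verify else None,
        "verify_reason": verify.group(2) if verify else None,
    }
    if not facts["tcp_connected"]:
        facts["status"] = "tcp-failed"              # nothing answered on the port
    elif facts["bytes_read"] == 0:
        # TCP was accepted, but the peer closed or reset the connection before
        # sending any TLS record (errno 104 is ECONNRESET on Linux). Look at
        # what is bound to the port and at packet filters, not at certificates.
        facts["status"] = "closed-before-tls"
    elif facts["verify_code"] not in (0, None):
        facts["status"] = "handshake-ok-verify-failed"  # chain / trust-store problem
    else:
        facts["status"] = "ok"
    return facts


if __name__ == "__main__":
    for name, run in (("reset", RESET_RUN), ("verify20", VERIFY20_RUN)):
        print(name, triage_s_client(run)["status"])
```

Feed it the saved output of the command (`openssl s_client -connect host:443 < /dev/null > out.txt 2>&1`) and compare the `status` field before and after a change, rather than eyeballing the full transcript.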
 
Hi Sven A.,

as you can see, there is no certificate associated with your IP or with the domain at the moment.

Pls. download the Let's Encrypt certificate from "HOME > Subscriptions > YOUR-DOMAIN.COM > SSL/TLS certificates" ( green arrow-down button on the very right ) and save the *.pem file on your computer.
Open the *.pem file with a text editor of your choice ( i.e.: "notepad.exe" on Windows-based systems ) and go to "Tools & Settings > SSL/TLS certificates".
ADD your new certificate ( choose a different name than in your domain certificates ) and insert the necessary KEY, CERT and CA-CERT parts manually, which you see in the *.pem file.
Go to "HOME > Tools & Settings > IP Addresses" , choose your IP address and choose the newly created certificate and define your main - domain for the IP address.

Now go again to "HOME > Subscriptions > YOUR-DOMAIN.COM > Hosting Settings" and choose the newly created certificate, named with "(other repository)" at the end.



Pls. report back with the same ( new ) tests as before:
Code:
openssl s_client -connect XXX.XXX.XXX.XXX:443
and
Code:
openssl s_client -connect my-domain.tld:443
 
Ok. This changes the error if I try to run my domain via https from "can't connect" to "502 bad gateway".
And the proxy_error_log says:
Code:
[error] 10698#0: *251562 SSL_do_handshake() failed (SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol) while SSL handshaking to upstream, client: 77.6.25.107, server: my-domain.tld, request: "GET /favicon.ico HTTP/1.1", upstream: "https://xx.xxx.xxx.xxx:7081/favicon.ico", host: "my-domain.tld"


openssl s_client -connect xxx.xxx.xxx.xxx:443

Code:
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=my-domain.tld
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
blabla ... the certificate part ... blabla
-----END CERTIFICATE-----
subject=/CN=my-domain.tld
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 3189 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: A8CAACA896C2D8E4E9B5A2A58DAE744BB0500007008501F7D281C4A9F3DD6B9D
    Session-ID-ctx:
    Master-Key: 87F1AF796195B1E1B9117ADF2D22AC9738E739F1A89601ECF33A0633A212B8D5CFA0838B01A7AA713C967773874444B6
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 31 46 6a 04 e0 85 51 0c-21 18 b7 4b 0f fa ea 63   1Fj...Q.!..K...c
    0010 - b3 0b 29 2b f3 0d 59 70-a6 63 dd d3 ae 43 bf 2c   ..)+..Yp.c...C.,
    0020 - 9a fc cc c7 51 03 54 f1-85 7e e2 f0 97 ae 8f 54   ....Q.T..~.....T
    0030 - ab 3b 55 0c ab 40 7b 9e-cf 8f d0 d4 07 86 ad 77   .;U..@{........w
    0040 - be 87 42 16 d3 6a 47 51-72 04 5a cf 12 7a 58 b3   ..B..jGQr.Z..zX.
    0050 - 4c 8d 61 99 26 c1 90 fd-aa 4b e0 f0 56 eb 3a 75   L.a.&....K..V.:u
    0060 - 7e 9f 8a 9a 95 d7 bc c3-40 ff e4 b2 e0 c2 13 52   [email protected]
    0070 - f2 cc 99 3b 92 09 14 cc-73 a1 df 4b e1 b9 00 c0   ...;....s..K....
    0080 - c9 cb b0 99 9e 71 c6 a4-3d 71 38 45 5d ba 56 e2   .....q..=q8E].V.
    0090 - fb 87 01 93 de 38 73 61-98 79 41 cd 09 1a 75 2d   .....8sa.yA...u-
    00a0 - 5f bc 0e 4f 0d 94 9d 17-c5 d0 89 ae 85 0e ca 54   _..O...........T

    Start Time: 1491985789
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

openssl s_client -connect my-domain.tld:443

Code:
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=my-domain.tld
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
blabla ... the certificate part ... blabla
-----END CERTIFICATE-----
subject=/CN=my-domain.tld
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 3189 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: DEB0D8DE8FD58CFBCEA59CD73DED2DA350E9693FED0DADA66797208668B1396A
    Session-ID-ctx:
    Master-Key: 66695061D6193433FFEFC346A044EEFC8A5F4BCD42EA12E596F7919095E8F950065E1FF8929C5CC06202F43A2160A779
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 31 46 6a 04 e0 85 51 0c-21 18 b7 4b 0f fa ea 63   1Fj...Q.!..K...c
    0010 - 5d d7 3e 77 f3 d5 79 87-2b d8 04 98 b5 c5 22 47   ].>w..y.+....."G
    0020 - ad 9e c6 22 06 d8 05 4e-5a f6 c0 9e ff b1 75 c5   ..."...NZ.....u.
    0030 - b4 55 eb 77 d4 5b 84 76-60 ea 19 61 b8 05 df 6c   .U.w.[.v`..a...l
    0040 - 46 2c 5c 93 85 f4 dc 35-5b 2a 72 e2 db b1 89 f2   F,\....5[*r.....
    0050 - 44 a0 46 2a a9 f1 2c 8d-60 c1 77 30 56 ca 53 79   D.F*..,.`.w0V.Sy
    0060 - f8 16 03 e8 80 12 5a ea-d1 10 57 37 30 8e 2a e9   ......Z...W70.*.
    0070 - e8 d8 b5 99 33 71 d6 3d-d6 41 72 52 6f 94 76 2e   ....3q.=.ArRo.v.
    0080 - b6 ac 64 bc 44 09 4a 81-9c 66 20 96 5f 03 8d b6   ..d.D.J..f ._...
    0090 - 9a e8 a2 8f 74 03 20 e4-e2 dc 1d 7e 1e 47 7c e7   ....t. ....~.G|.
    00a0 - 0d 60 3e 8c c2 d5 95 93-3c 3e e6 03 57 ae d1 e8   .`>.....<>..W...

    Start Time: 1491986186
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

P.S. Does this mean the default certificate isn't a valid certificate?
 
In Plesk I get now the following error message:
AH00526: Syntax error on line 168 of /etc/apache2/plesk.conf.d/server.conf: SSLCertificateFile: file '/opt/psa/var/certificates/certgz9PAPJ' does not exist or is empty .
 
Hi Sven A.,

if you experience issues as:
AH00526: Syntax error on line 168 of /etc/apache2/plesk.conf.d/server.conf: SSLCertificateFile: file '/opt/psa/var/certificates/certgz9PAPJ' does not exist or is empty .
... pls. always try to rebuild the mentioned configuration file, because this points to the fact that either an old or a no longer existing certificate is being used. Best practice here is to use the free Plesk Extension "Webserver Configurations Troubleshooter" ( you are able to add it over the Extension catalog ), or consider using the command:

Code:
/usr/local/psa/admin/sbin/httpdmng --reconfigure-all

P.S. Does this mean the default certificate isn't a valid certificate?
I should have been clearer here, because I see in your question that you are not really informed about CA root certificates and their usage.

Pls. go to => Chain of Trust - Let's Encrypt - Free SSL/TLS Certificates
You will see current existent root and intermediate certificates for Let's Encrypt.

Now pls. go to: => "/opt/psa/var/modules/letsencrypt/etc/live/YOUR-DOMAIN.COM" and you will find the currently used PRIVATE KEY ( privkey.pem ), the (domain-specific) CERT ( cert.pem ) and TWO other *.pem files:

chain.pem = intermediate certificate

fullchain.pem = (domain specific) certificate + intermediate certificate

Webservers like "Apache < 2.4.8" need "cert.pem + chain.pem", while webservers "Apache >= 2.4.8" AND NGINX need "cert.pem + fullchain.pem"



Conclusion:

For "Apache < 2.4.8" you will add over the Plesk Control Panel:

KEY = privkey.pem
CRT = cert.pem
CA = chain.pem


For "Apache >= 2.4.8" AND NGINX you will add over the Plesk Control Panel:

KEY = privkey.pem
CRT = cert.pem
CA = fullchain.pem
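The rule above (fullchain.pem is cert.pem followed by chain.pem; Apache < 2.4.8 takes chain.pem in the CA field, Apache >= 2.4.8 and NGINX take fullchain.pem) is easy to get wrong when the three parts are pasted into the panel by hand. The script below is an added example, not Plesk's or Let's Encrypt's own code: it splits PEM files into their blocks, confirms that fullchain.pem really is cert.pem + chain.pem, catches a private key pasted into the CRT or CA field, and picks the CA file for the web server in use. The PEM bodies in `LIVE` are constructed dummy text rather than real DER so the script runs offline; to check a real directory, read the four files from `/opt/psa/var/modules/letsencrypt/etc/live/YOUR-DOMAIN.COM` into that dict.

```python
"""Which Let's Encrypt file goes into which Plesk certificate field (added example)."""
import re

PEM_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

# Constructed stand-in for the four files in the Let's Encrypt "live" directory.
LIVE = {
    "privkey.pem": "-----BEGIN PRIVATE KEY-----\nDUMMY-KEY\n-----END PRIVATE KEY-----\n",
    "cert.pem": "-----BEGIN CERTIFICATE-----\nDUMMY-LEAF\n-----END CERTIFICATE-----\n",
    "chain.pem": "-----BEGIN CERTIFICATE-----\nDUMMY-INTERMEDIATE\n-----END CERTIFICATE-----\n",
}
LIVE["fullchain.pem"] = LIVE["cert.pem"] + LIVE["chain.pem"]


def split_pem(text):
    """Return [(label, body), ...] for each PEM block, in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK_RE.finditer(text)]


def is_fullchain(cert_pem, chain_pem, fullchain_pem):
    """fullchain.pem must be the leaf first, then the intermediate(s)."""
    return split_pem(fullchain_pem) == split_pem(cert_pem) + split_pem(chain_pem)


def ca_bundle_for(server, version=None):
    """Name of the file that belongs in Plesk's CA field for this web server."""
    if server == "nginx":
        return "fullchain.pem"
    if server == "apache":
        parts = tuple(int(p) for p in version.split("."))
        return "fullchain.pem" if parts >= (2, 4, 8) else "chain.pem"
    raise ValueError(f"unknown server {server!r}")


def validate_live(live):
    """Return a list of problems; an empty list means the trio can be pasted into Plesk."""
    problems = []
    key_labels = [label for label, _ in split_pem(live["privkey.pem"])]
    if len(key_labels) != 1 or not key_labels[0].endswith("PRIVATE KEY"):
        problems.append("privkey.pem must hold exactly one private key block")
    for name in ("cert.pem", "chain.pem", "fullchain.pem"):
        labels = [label for label, _ in split_pem(live[name])]
        if not labels:
            problems.append(f"{name} contains no PEM block")
        elif any(label != "CERTIFICATE" for label in labels):
            problems.append(f"{name} contains a non-certificate block (key pasted into CRT/CA?)")
    if len(split_pem(live["cert.pem"])) != 1:
        problems.append("cert.pem must hold only the domain certificate")
    if not is_fullchain(live["cert.pem"], live["chain.pem"], live["fullchain.pem"]):
        problems.append("fullchain.pem is not cert.pem followed by chain.pem")
    return problems


def plesk_fields(server, version, live):
    """The three texts to paste into Plesk's KEY, CRT and CA fields."""
    problems = validate_live(live)
    if problems:
        raise ValueError("; ".join(problems))
    return {"KEY": live["privkey.pem"],
            "CRT": live["cert.pem"],
            "CA": live[ca_bundle_for(server, version)]}


if __name__ == "__main__":
    for server, version in (("apache", "2.4.7"), ("apache", "2.4.10"), ("nginx", None)):
        print(server, version or "", "-> CA =", ca_bundle_for(server, version))
```

The `validate_live` check is the part worth keeping around: an empty or wrong-typed block in one of the fields is exactly what later surfaces as an Apache "does not exist or is empty" error, and it is much cheaper to catch before the panel writes the files.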
 
Thanks.

I tried both. The Webserver Configuration Troubleshooter and the command line way.
But both give me the following error:
Code:
Execution failed.
Execution failed.
Command: httpdmng
Arguments: Array
(
    [0] => --reconfigure-server
    [1] => -no-restart
)

Details: [2017-04-12 14:26:13] ERR [util_exec] proc_close() failed ['/opt/psa/admin/bin/apache-config' '-t'] with exit code [1]
Error occured while sending feedback. HTTP code returned: 502
[2017-04-12 14:26:18] ERR [util_exec] proc_close() failed ['/opt/psa/admin/bin/apache-config' '-t'] with exit code [1]
Error occured while sending feedback. HTTP code returned: 502
[2017-04-12 14:26:18] ERR [panel] Apache config (14920071690.80782200) generation failed: Template_Exception: AH00526: Syntax error on line 168 of /etc/apache2/plesk.conf.d/server.conf:
SSLCertificateFile: file '/opt/psa/var/certificates/certgz9PAPJ' does not exist or is empty

file: /opt/psa/admin/plib/Template/Writer/Webserver/Abstract.php
line: 75
code: 0
Error occured while sending feedback. HTTP code returned: 502
AH00526: Syntax error on line 168 of /etc/apache2/plesk.conf.d/server.conf:
SSLCertificateFile: file '/opt/psa/var/certificates/certgz9PAPJ' does not exist or is empty

I took a look at the server.conf and there is a second VirtualHost part which contains the path to the existing but empty (don't know why) certificate file certgz9PAPJ.

Code:
<IfModule mod_ssl.c>
        <VirtualHost xx.xxx.xxx.xxx:7081 127.0.0.1:7081>
                DocumentRoot "/var/www/vhosts/default/htdocs"
                ServerName lists
                ServerAlias lists.*
                UseCanonicalName Off

                ScriptAlias "/mailman/" "/usr/lib/cgi-bin/mailman/"
                ScriptAlias "/cgi-bin/mailman/" "/usr/lib/cgi-bin/mailman/"

                Alias "/icons/" "/var/lib/mailman/icons/"
                Alias "/pipermail/" "/var/lib/mailman/archives/public/"
                Alias "/images/" "/usr/share/images/"

                SSLEngine on
                SSLVerifyClient none
                SSLCertificateFile "/opt/psa/var/certificates/certgz9PAPJ"

                <Directory /var/lib/mailman/archives/>
                        Options FollowSymLinks
                        Require all granted
                </Directory>

        </VirtualHost>
</IfModule>

Any ideas how I can change this (not by hand in the conf file)?
 
Hi Sven A.,

pls. correct the certificate file name with a manual edit, pointing to the new ( latest ) installed certificate at "/opt/psa/var/certificates" ( example command to list the content by date: ls -lt /opt/psa/var/certificates ), or use phpMyAdmin in order to investigate the certificate file name for the newly created certificate in your psa database. ;)

Afterwards repeat the general command:
Code:
/usr/local/psa/admin/sbin/httpdmng --reconfigure-all
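Before rerunning `httpdmng`, it helps to know every certificate path the generated Apache config still points at, and which of them are the problem. The script below is an added example, not Plesk's own tooling: it pulls the `SSLCertificate*File` directives out of a config text, checks that each referenced file exists and is non-empty (the condition behind the "does not exist or is empty" part of the AH00526 message in this thread), and lists files in the certificates directory that this config does not reference. The config and the directory contents are constructed in a temporary directory so it runs offline; for a real check, pass the text of `/etc/apache2/plesk.conf.d/server.conf` and `/opt/psa/var/certificates` to `audit_cert_refs`.

```python
"""Audit certificate paths referenced by Plesk's generated Apache config (added example)."""
import os
import re
import shutil
import tempfile

DIRECTIVE_RE = re.compile(
    r'^\s*(SSLCertificateFile|SSLCertificateKeyFile|SSLCertificateChainFile|SSLCACertificateFile)'
    r'\s+"?([^"\s]+)"?', re.M)

# Constructed config with two vhosts like the ones in this thread; @CERTDIR@ is
# replaced with a temporary directory at run time.
SAMPLE_CONF = """\
<IfModule mod_ssl.c>
        <VirtualHost 192.0.2.10:7081>
                ServerName "my-domain.tld:443"
                SSLEngine on
                SSLCertificateFile @CERTDIR@/cert-UI2T1H
                SSLCACertificateFile @CERTDIR@/cert-9GmfWB
        </VirtualHost>
        <VirtualHost 192.0.2.10:7081 127.0.0.1:7081>
                ServerName lists
                SSLEngine on
                SSLCertificateFile "@CERTDIR@/certgz9PAPJ"
                SSLCertificateKeyFile "@CERTDIR@/cert-GONE"
        </VirtualHost>
</IfModule>
"""


def referenced_cert_files(conf_text):
    """Ordered (directive, path) pairs for every SSL*File directive in the text."""
    return [(m.group(1), m.group(2)) for m in DIRECTIVE_RE.finditer(conf_text)]


def audit_cert_refs(conf_text, cert_dir):
    """Classify referenced paths as ok/missing/empty and list unreferenced files.

    'orphans' are files nothing in *this* config points at. Plesk's nginx
    config and the panel itself keep certificates in the same directory, so
    treat them as candidates to investigate, not as safe to delete.
    """
    buckets = {"ok": set(), "missing": set(), "empty": set(), "orphans": set()}
    referenced = set()
    for _, path in referenced_cert_files(conf_text):
        referenced.add(os.path.abspath(path))
        if not os.path.exists(path):
            buckets["missing"].add(path)
        elif os.path.getsize(path) == 0:
            buckets["empty"].add(path)          # the AH00526 "is empty" case
        else:
            buckets["ok"].add(path)
    for name in os.listdir(cert_dir):
        full = os.path.join(cert_dir, name)
        if os.path.isfile(full) and os.path.abspath(full) not in referenced:
            buckets["orphans"].add(full)
    return {k: sorted(os.path.basename(p) for p in v) for k, v in buckets.items()}


def demo():
    """Build the constructed directory, audit it, and return the report."""
    cert_dir = tempfile.mkdtemp(prefix="certs-")
    try:
        # Constructed contents: two good files, one empty file, one unreferenced file.
        files = {"cert-UI2T1H": "leaf\n", "cert-9GmfWB": "ca\n",
                 "certgz9PAPJ": "", "cert-UNUSED": "old\n"}
        for name, content in files.items():
            with open(os.path.join(cert_dir, name), "w") as fh:
                fh.write(content)
        return audit_cert_refs(SAMPLE_CONF.replace("@CERTDIR@", cert_dir), cert_dir)
    finally:
        shutil.rmtree(cert_dir)


if __name__ == "__main__":
    for bucket, names in demo().items():
        print(f"{bucket:8s} {', '.join(names) or '-'}")
```

A non-empty `missing` or `empty` list explains an AH00526 failure directly; a file in `orphans` that is newer than the referenced ones is the usual sign that the panel wrote a fresh certificate but the config (or the psa database row behind it) still names the old one.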
 
Hm.
I changed the certificate name manually in the server.conf and repeated /usr/local/psa/admin/sbin/httpdmng --reconfigure-all, but I get the same error message.
I don't know why, but it uses the old certificate file name, which can't be found in the server.conf anymore.

Any ideas why? Are there any places where it can "remember" old conf files? Weird.

The good thing: Via https I get now everything. :D
The bad thing: Via http I get now nothing. Everything gives me a 404.

One step ahead, one step back.

P.S. Ok. That's not completely correct. Everything except the plesk default domain index.html and the image and css files for it gives me a 404. Completely weird.
And if I rename any other html file to index.html it will be shown, but not under another name (for example the readme.html of WordPress ... I can't run my-domain.tld/readme.html but if I rename it to index.html it will be shown).
Any ideas what could be wrong?

P.P.S. Ok. Back to start. With plesk repair web -y I have now again a running http and a https that doesn't work.
Next try. :D

P.P.P.S. Ok. Nevertheless we are one step further. If I include the certificate parts by hand via the form in the plesk control and use it for the IP, nginx seems to accept it and SSL Server Test also. I get a "Bad Gateway" error, but I get it via https. ;)
Remains the 502 Bad Gateway error. So Apache is the one that also must accept it.
 
Hi Sven A.,

Bad news: You have some database inconsistency in your "psa" database. At some point, existing cert names ( and their entries and cross-links ) in the psa database don't match the existing files at "/opt/psa/var/certificates". Such issues/errors/problems should never arise, but it happened.

From my point of view, I would backup the web-content of your domain ( "/var/www/vhosts/YOUR-DOMAIN.COM/httpdocs" and existing web-content from your subdomains of that domain "/var/www/vhosts/YOUR-DOMAIN.COM/SUB-DOMAIN.YOUR-DOMAIN.COM" ) and at "/opt/psa/var/modules/letsencrypt/etc/live" and afterwards, I would delete the domain and the corresponding certificates ( it's just faster than digging around with phpMyAdmin ). Afterwards I would delete ALL possible existing certificates at other domains on your server and I would create a new self-signed certificate for the server IP(s).
Only when you are finished with these processes, I would then delete the Plesk Let's Encrypt Extension, after you assigned the new self-signed certificate for your IP(s) as default certificate, with NO default domain. Even secure the Plesk Control Panel with the new self-signed certificate, knowing that this means that you have a ( temporary ) issue here.

Check your psa - database now, for orphaned entries in the table "certificates" and manually delete them. There should be only ONE existing certificate right now.
Check your folder "/opt/psa/var/certificates" and make sure, that there are only key and cert from your newly created self - signed certificate.
Re-install the Plesk Let's Encrypt Extension and copy back the "live" folder to "/opt/psa/var/modules/letsencrypt/etc", which you previously backed up.
Make sure, that your folder "YOUR-DOMAIN.COM" has been deleted from "/var/www/vhosts" and corresponding (sub)domain - folders at "/var/www/vhosts/system".

Re-create the domain YOUR-DOMAIN.COM and add as well "YOUR-SERVER-NAME.YOUR-DOMAIN.COM" as subdomain, to be able to create as well a Let's Encrypt certificate for the Plesk Control Panel.

After you created all certificates for your MAIN domain and the subdomains, create new "global" certificates, to be able to secure your IP(s) again, using the previously mentioned suggestions. Secure as well your Plesk Control Panel with the corresponding certificate and when you are finished, your self-signed certificate can be removed and the domain-specific Let's Encrypt certificate can be used as default certificate.
 
Damn.
Thanks for your suggestions.

One question. If I delete the domain and all certificates and create new ones and delete the Lets Encrypt Extension and reinstall it, why do I have to backup the "/opt/psa/var/modules/letsencrypt/etc/live" folder and copy it back afterwards? I would think I will then have some old things in it.
 