
Resolved Shared hosting with multiple domains SSL/TLS issues

bork

Basic Pleskian
Server operating system version
AlmaLinux 9.2 (Turquoise Kodkod)
Plesk version and microupdate number
Plesk Obsidian v18.0.55
Hi,

I have set up a Hetzner dedicated server with a Plesk/AlmaLinux combination. So far I've set up one no-hosting domain that is used just for mailing purposes and several others that are website domains.

The certificates for securing the Plesk server (the hostname used in the "keep Plesk secured" toggle is the no-hosting domain (domain1)) and mail in Tools & Settings > SSL/TLS are Let's Encrypt certificates from the server pool. However, when trying to access domain1:8443 I am getting -> This server could not prove that it is domain1; its security certificate is from domain3, but when accessing webmail.domain1.com it has an SSL certificate.

One question would be, can I have a different hostname just for Plesk server without creating a domain that will use just that certificate, so this type of errors can be avoided?

I have issued a separate Let's Encrypt certificate for the no-hosting domain (domain1) that is used for mail/webmail. Or, since it is a no-hosting domain, do I not need to secure it with a separate certificate, and can it use the one from the server pool?
I will need to create another domain that will be a no-hosting domain (domain2) as well, and how will I handle the certificate issuing then?

Thanks for any feedback regarding this issue, I have handled less complicated installations so far, but am kind of stuck with these multiple SSL/TLS certs.
 
You'd normally have a separate domain as the hostname. You can then secure the panel and the mail server with separate certificates from the admin SSL/TLS link in "Tools & Settings". You could also name your server as a subdomain of an existing domain if you want to save the extra expense for a separate domain name. Host certificates should be independent from web server configurations of your domains that are hosted on the server.
 
You'd normally have a separate domain as the hostname. You can then secure the panel and the mail server with separate certificates from the admin SSL/TLS link in "Tools & Settings". You could also name your server as a subdomain of an existing domain if you want to save the extra expense for a separate domain name. Host certificates should be independent from web server configurations of your domains that are hosted on the server.
Thank you for your response, I was definitely getting lost in the setup.
If I understand correctly, for example, I should name the Plesk server hostname plesk.domain1.com and leave the certificates from the server pool.
However, should I actually create a subdomain named plesk.domain1.com and add DNS records for it?

Another thing, the certificates issued for the domain1 no-hosting domain are not being recognized by SSL It!
It remains as a red x. And the certificates issued for the websites are being recognized just fine.
 
However, should I actually create a subdomain named plesk.domain1.com and add DNS records for it?
No, you don't need to create a subdomain. But you do need to create a DNS record for it in the DNS zone for domain1.com.
 
No, you don't need to create a subdomain. But you do need to create a DNS record for it in the DNS zone for domain1.com.
Thank you for the clarification. I will attempt these changes later today and report back.
I only forgot to say that this domain1 goes through Cloudflare. I assume that the newly created DNS records should be placed there as well, only as DNS, or proxied?
 
You'll have to create the DNS record at whatever place you manage your domain's DNS from. If that's Cloudflare, then you'll have to add the record there. Don't proxy it, as it will cause issues.
 
I manage the DNS records in the Plesk Websites & Domains -> domain -> DNS. I add the domain in the DNS zone in Hetzner DNS Console as Secondary and add the Primary server IP to that zone.
Now I have added A and AAAA records for plesk.domain1.com. I have also added those in Cloudflare as DNS only. I created a Let's Encrypt certificate for plesk.domain1.com, and chose the default certificate from the server pool for the Plesk mail server. The rest of the domains have their own issued Let's Encrypt certs, including domain1.

So far there are no security issues prompted by Chrome or Mozilla when accessing plesk.domain1.com or webmail.domain1.com; however, when going to www. or just domain1.com I get a certificate error, and when checking, the certificate viewer states that it is plesk.domain1.com. Why, I do not understand. Is it because domain1 is a no-hosting domain?
 
I manage the DNS records in the Plesk Websites & Domains -> domain -> DNS. I add the domain in the DNS zone in Hetzner DNS Console as Secondary and add the Primary server IP to that zone.
That sounds rather redundant, but if it's working for you I guess it's fine.

[..] So far there are no security issues prompted by Chrome or Mozilla when accessing plesk.domain1.com or webmail.domain1.com; however, when going to www. or just domain1.com I get a certificate error, and when checking, the certificate viewer states that it is plesk.domain1.com. Why, I do not understand. Is it because domain1 is a no-hosting domain?
Is domain1 set up in Plesk without hosting?
 
That sounds rather redundant, but if it's working for you I guess it's fine.

Is domain1 set up in Plesk without hosting?
Yes, it's the no-hosting option. I assume since it's used for mailing purposes only, it doesn't need such records as www.domain1 or just domain1.com, but only webmail and mail?
 
I have removed the ftp CNAME, ipv4 A, www. CNAME and domain1.com A records. Everything seems to work fine, except when opening Outlook or different inboxes, I get constant prompts about the certificate, even if I install it. In Cloudflare the email records are set to DNS only, of course. I am using account type POP3 -> mail.domain1.com (incoming/outgoing mail server) and in the advanced settings I have checked the option to use SSL.
 
The Outlook error is caused by a mismatch between the domain you tell Outlook to use for the outgoing and incoming mail server and the actual hostname that is listed in the certificate of the mail server. Solution: Match your Outlook configuration to your mail server name that is protected by the SSL certificate.
 
I should have seen that, since I looked at the certificate dozens of times. Thank you all for the incredibly useful feedback.
I think this thread can be closed as resolved.
 
Sorry to reopen this thread, I don't know if I can.

However, after several hours, Outlook mail started asking for a different certificate for [email protected], which is the Plesk mail server default certificate. It should be looking for the certificate assigned to the incoming/outgoing mail server, which is webmail.domain1.com and which is added in the Outlook account setup. I checked openssl s_client -connect webmail.domain1.com:995, and it points to info@plesk.
Here is the dovecot and postfix certificate configuration; I don't know if this is maybe the issue?

smtpd_tls_cert_file = /etc/postfix/postfix.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
ssl_cert = </etc/dovecot/private/ssl-cert-and-key.pem
ssl_key = </etc/dovecot/private/ssl-cert-and-key.pem
 
@plesk.com email addresses are not in your domain. You cannot use our email addresses for your installation. Please make sure that you are using your own email addresses from your own domains.
 
@plesk.com email addresses are not in your domain. You cannot use our email addresses for your installation. Please make sure that you are using your own email addresses from your own domains.
I haven't added such an email address, it was prompted by Outlook and it seemed completely wrong compared to what it was hours before.
Does that mean that I need to add an MX record for the subdomain to these records?
plesk.domain1.com. A
plesk.domain1.com. AAAA
 
After making some changes I realized that if I add mail.domain1.com to the Outlook settings, then it requests the correct certificate. However, if I add webmail.domain1.com, then it requests the Plesk certificate, even though the Let's Encrypt certificate for domain1 states that it is assigned for webmail.domain1.com. The Plesk Let's Encrypt certificate for the server and mail is assigned to plesk.domain1.com.
I am quite confused why that is, really.
 
webmail is not your hostname. Please simply address your mail server by the hostname and everything will be fine.
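
The mismatch discussed in the posts above can be checked mechanically. This is an added example, not part of any post in this thread and not Plesk code: it compares the name a mail client is configured with against the names in the certificate the server presented. The observation data is constructed from the thread's description, the names on the domain1 certificate are an assumption, and `probe` is a hypothetical helper for running the same check against a live port.

```python
import socket
import ssl

def name_matches(pattern, host):
    """True if a certificate name covers host; '*' counts only as the whole first label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def mismatches(observations):
    """Return (client_name, port) pairs where no presented name covers the client name."""
    return [(name, port) for name, port, sans in observations
            if not any(name_matches(s, name) for s in sans)]

def probe(host, port, timeout=5.0):
    """Live check: verified TLS handshake using host for both SNI and name validation."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError as exc:
        return "certificate rejected: " + exc.verify_message
    except OSError as exc:
        return "connection failed: " + str(exc)

# Constructed observations: (name configured in the client, port, names on the
# certificate that was presented). The domain1 certificate's name list is assumed.
DOMAIN1_CERT = ["domain1.com", "mail.domain1.com", "webmail.domain1.com"]
OBSERVED = [
    ("plesk.domain1.com", 8443, ["plesk.domain1.com"]),
    ("plesk.domain1.com", 995, ["plesk.domain1.com"]),
    ("mail.domain1.com", 995, DOMAIN1_CERT),
    ("webmail.domain1.com", 995, ["plesk.domain1.com"]),
]

if __name__ == "__main__":
    for name, port in mismatches(OBSERVED):
        print(f"{name}:{port} presents a certificate that does not cover {name}")
```

Being listed on a certificate does not help a name if the service on that port presents a different certificate, which is why webmail.domain1.com fails on 995 here while the server hostname passes.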
 
I wanted to share my recent experience with shared hosting and SSL/TLS issues, and hopefully, it might help someone facing similar challenges.

I manage multiple domains on a shared hosting plan, and I decided to secure them all with SSL/TLS certificates for that extra layer of trust and SEO benefits. However, it wasn't all smooth sailing.

Here are a few things I learned along the way:

  1. Check Your Hosting Provider: Ensure your hosting provider supports multiple SSL certificates on one account. Some shared hosts limit SSL usage, and you might need to upgrade.
  2. Wildcard SSL: Consider getting a wildcard SSL certificate. It covers subdomains too, making management a lot easier.
  3. Mixed Content Issues: Be vigilant about mixed content issues, which can lead to SSL/TLS errors. Use tools like "Why No Padlock" to identify and fix them.
  4. Update Your Links: If you're moving from HTTP to HTTPS, don't forget to update all your internal and external links to avoid 'mixed content' warnings.
  5. Regular Backups: Regularly back up your websites. While configuring SSL, things can go wrong, and having a backup can be a lifesaver.
  6. Support: Don't hesitate to contact your hosting support or forum communities for help. They've been invaluable for me.
In the end, while it was a bit of a bumpy ride, the increased security and the SEO benefits of having SSL/TLS on multiple domains were totally worth it. Plus, the learning experience was priceless.

If you have any questions or need help, feel free to ask. We're all here to learn and grow together!
 
How is this relevant to this topic?
 