
Question SNI Problem (Plesk certificate is delivered for domain without www)

Bonsai78

Basic Pleskian
I use the current version of Plesk Onyx running on CentOS 7.5.1804.
There are 2 productive domains and a test domain on the server.
(Don't know if relevant) using php5.6 with php-fpm, no nginx
Plesk itself is secured only by the Plesk self-signed certificate
Plesk is running on Port 8443
For all domains I redirect all port 80 http connections by apache config to https 443
For all domains I redirect all non www. connections by .htaccess config to Example Domain

After I saw the issue that a PayPal module can't communicate properly with my server, I found out there's an SNI problem.
www.ssllabs.com shows me that my domains with www are secured by my Let's Encrypt certificates, valid for example.org and www.example.org, but for the domains without the www it gets my Plesk certificate.
The certificates are installed with the Plesk extension for Let's Encrypt.

I googled for the issue, but I can't find the menu items others seem to have in my Plesk?!?

Does somebody have an idea? You need more information?
 
Have you seen this KB article: A newly assigned SSL certificate is not used by website

If the above does not help, how do your settings look for:
Plesk Panel > Domain > Hosting Settings > Security (SSL/TLS support, Permanent SEO-safe 301 redirect from HTTP to HTTPS & Certificate)
and Plesk Panel > Domain > Let's Encrypt

Plesk itself is secured only by the Plesk self-signed certificate

Is there a reason to not secure the panel also with Let's Encrypt? How to secure Plesk login page URL with SSL certificate

See also: How to enable redirection from HTTP to HTTPS for a domain in Plesk
 
Here are the settings. I think they look fine, as everything works, except server name identification.

If I call Example Domain in a browser, I get Example Domain without any error messages. I also get the green lock symbol, and if I look in the certificate, it is for example.com and www.example.com. There's no problem with the certificate, only with SNI.

But if PayPal does a (I guess curl) connect, and checks the certificate for the domain without the www, the Plesk certificate is delivered.

Is there a reason to not secure the panel also with Letsencrypt?
Yes, as long as this SNI request gets the Plesk certificate instead of the domain certificate, I can't use one of the domain certificates, as the two domains are from different publishing houses and it would be embarrassing if somebody sees that the certificate for one domain is delivered for the other ....

I have now tried assigning another domain and using this for Plesk. Even though this was successful, ssllabs.com still reports a second certificate "Self signed Plesk Certificate" :-( It doesn't matter if I put example.com or www.example.com in ssllabs.com, the first certificate is always good, but it always finds this second one.

Where is this freaking default certificate on the filesystem? I want to try to move it away.
 
I guess I found the reason, but no solution. Here in Tools and settings -> IP Addresses I cannot select a different certificate:

What I read in Wikipedia is, that SNI means to do after getting the certificate a reverse lookup for the certificate what is delivered for the IP address of this server.

So I guess here is the problem.
 
Now I know the problem is there. If I choose my domain dedicated for Plesk as "Default site" the second certificate displayed in ssllabs.com is the certificate of this site.

So I could fix the issue for one of the two productive sites if I select one of the productive domains. But I need it on both ....
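
A way to reproduce what the thread describes, as an added example that is not part of any post above: a TLS server picks its certificate from the server_name (SNI) value in the client's ClientHello, and a client that sends none gets the default certificate of the IP address. The Python code below compares the certificate served for each name with that no-SNI default; the function names and the sample fingerprints are constructed for illustration.

```python
import hashlib
import socket
import ssl
import sys
from collections import defaultdict

# Constructed sample mirroring the symptom in the thread (not real fingerprints):
# the bare name gets the same certificate as a client that sends no SNI.
CONSTRUCTED = {None: "fp-default", "www.example.org": "fp-le", "example.org": "fp-default"}


def fetch_fingerprint(addr, sni, port=443, timeout=5.0):
    """SHA-256 of the leaf certificate `addr` serves for this SNI value.

    sni=None sends a ClientHello without the server_name extension.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # inspecting the certificate, not trusting it
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((addr, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def sni_report(names, fetch):
    """Group names by served certificate and flag those that get the default.

    `fetch(sni)` returns a fingerprint for one SNI value (None = no SNI).
    """
    default_fp = fetch(None)
    by_cert = defaultdict(list)
    for name in names:
        by_cert[fetch(name)].append(name)
    return {
        "default": default_fp,
        "fallthrough": sorted(by_cert.get(default_fp, [])),
        "own_cert": {fp: sorted(ns) for fp, ns in by_cert.items() if fp != default_fp},
    }


if __name__ == "__main__":
    if len(sys.argv) > 2:  # live check: <ip-or-host> <name> [<name> ...]
        addr, names = sys.argv[1], sys.argv[2:]
        print(sni_report(names, lambda sni: fetch_fingerprint(addr, sni)))
    else:  # offline run against the constructed sample
        print(sni_report(["example.org", "www.example.org"], CONSTRUCTED.get))
```

A name listed under `fallthrough` either shares its certificate with the IP's default site or is not matched by any TLS virtual host under that exact name.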
 