• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question SNI Problem (Plesk certificate ist delivered for domain without www)

Bonsai78

Basic Pleskian
I use the current Version of Plesk Onix running on CentOS 7.5.1804.
There are 2 productive domains an a testdomain on the server.
(Dont' know if relevant) using php5.6 with php-frm, no ngix
Plesk itsself is secured only by the Plesk self signed certificate
Plesk is running on Port 8443
For all domains I redirect all port 80 http connections by apache config to https 443
For all domains I redirect all non www. connections by .htaccess config to Example Domain

After I saw the issue that a PayPal module can't comunicate properly with my server, I found out, there's a SNI Problem
www.ssllabs.com shows me, my domains with www are secued by my Let's Encrypt cerificates, valid for example.org and www.example.org, but for the domains without the www it gets my Plesk ceritifcate.
The certificates are installed with the Plesk extension for Let's Encrypt

I googled for the issue, but I can't find the menue items others seem to have in my plesk?!?

Does somebody have an idea? You need more information?
 
have you seen this KB Article A newly assigned SSL certificate is not used by website

if the above does not help, how looks you settings for:
Plesk Panel > Domain > Hosting Settings > Security (SSL/TLS support, Permanent SEO-safe 301 redirect from HTTP to HTTPS & Certificate)
and Plesk Panel > Domain > Let's Encrypt

Plesk itsself is secured only by the Plesk self signed certificate

Is there a reason to not secure the panel also with Letsencrypt? How to secure Plesk login page URL with SSL certificate

see also How to enable redirection from HTTP to HTTPS for a domain in Plesk
 
Last edited:
hosting_settings.jpg lets_encrypt.jpg
Here are the settings. I think they look fine, as everything works, except server name identification.

If I call Example Domain in a browser, I get Example Domain without any error messages. I also get the green lock symbol, and if I look in the certificate, it is for example.com and www.example.com. There's no problem with the certificate, only with SNI.

But if PayPal does a (I guess curl) connect, and checks the certificate for the domain without the www, the Plesk certificate is delivered.

Is there a reason to not secure the panel also with Letsencrypt?
Yes, as long this SNI request gets the plesk certificate instead the domain certificate, I can't use one of the domain certificates, as the two domains are from different publishing houses and it would be blaming if somebody sees, that the certificate for one domain is delivered for the other ....

I tried out now to assign another domain, and use this for the Plesk. Even if this was successfull, ssllabs.com still reports a second certificate "Self signed Plesk Certificate" :-( It doesn't matter if I put example.com or www.example.com in ssllabs.com, the first certificate is always good, but it finds always this second one.

Where is this freaking default certificate on the filesystem? I want to try to move it away.
 
I guess I found the resson, but no solution. Here in Tools and settings -> Ip Adresses I cannot select a different certificate:
upload_2018-7-13_12-26-2.png

What I read in Wikipedia is, that SNI means to do after getting the certificate a reverse lookup for the certificate what is delivered for the IP address of this server.

So I guess here is the problem.
 
Now I know the problem is there. If I choose my domain dedicated for Plesk as "Default site" the second certificate displayed in ssllabs.com is the certificate of this site.

So I could fix the issue for one of the two productive sites if I select one of the productive domains. But I need it on both ....
 
Back
Top