
SSL auto-renewal attempts do not stop after removing cert and disabling SSL

Bitpalast


TITLE

SSL auto-renewal attempts do not stop after removing cert and disabling SSL

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Obsidian 18.0.73 #2
Alma 8.10
But the issue has existed since 17.8 and CentOS 7

PROBLEM DESCRIPTION

A domain that previously pointed to the server, had a Let's Encrypt SSL cert and was then re-routed to another IP, can no longer have a domain-validated SSL certificate. Hence the auto-renewal feature of the cert tries to renew the cert but fails. It sends daily notifications about the failure.

This is true, although
a) The certificate was completely removed from Plesk.
b) SSL in the domain is turned off (unchecked)
c) The file /usr/local/psa/var/modules/sslit/etc/live/<domainname> was removed and for sure is no longer present in the system.
d) All message entries in the SQLite queue have been removed by
"delete from Notification where params like '%<domainname>%';"

Nevertheless, a new message entry is added to the queue daily:
Code:
180023|1760557037|1760614640|sent|445|certificateAutoRenewalFailed|{"failedKeepDomainsSecured":" ** '<domainname>' **\n   No domains have passed validation","keepDomainsSecuredWithErrors":"<none>","notRenewedCertificates":"<none>","partiallyRenewedCertificates":"<none>","vendor":"Let`s Encrypt"}

STEPS TO REPRODUCE

  1. Create a website and domain. Route the domainname to that website.
  2. Issue a Let's Encrypt SSL certificate for that domain and verify that SSL is working.
  3. Re-route the domainname to another IP so that the SSL extension will fail a renewal attempt.
  4. Disable SSL in the website (hosting settings)
  5. Remove the SSL certificate from the website, including removal from the SSL cert file overview.
  6. Remove the /usr/local/psa/var/modules/sslit/etc/live/<domainname> file from the system.
  7. Remove existing notification entries from SQLite ("delete from Notification where params like '%<domainname>%';")
  8. Wait another day

ACTUAL RESULT

The system continues renewal attempts. It also adds a new notification message to the notification queue.

EXPECTED RESULT

  1. If an SSL certificate is removed from a domain, stop renewal attempts of the SSL cert of that domain. (It no longer exists!)
  2. If a domain has SSL turned off, do not attempt to renew an SSL certificate.
  3. If a domain has SSL turned off, do not send notifications on renewal attempts.

ANY ADDITIONAL INFORMATION

One issue with the SSL extension persists through all versions. I have brought this up for years, but never put it into a bug report. But it is clearly a bug.

Previously, one argued that when you turn on "keep websites secured", this leads to this behavior. But: Once an SSL certificate is removed, it is not possible to turn that setting off. It needs to be turned off automatically when an SSL certificate is removed. (However, it remains unclear whether that is actually the root cause for the strange behavior that a certificate that does not exist is still renewed...)

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
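
An added example, not part of the original post and not Plesk code: a small Python check that reads rows in the pipe-separated layout of the entry quoted above and lists which domains with SSL turned off still produce certificateAutoRenewalFailed entries. Assumptions: the first field is used as a row id, the failing domain appears as ** 'name' ** in failedKeepDomainsSecured, and the set of SSL-disabled domains is supplied by the administrator; all sample rows are constructed.

```python
import json
import re
from collections import defaultdict

# Constructed sample in the pipe-separated layout of the entry quoted in the
# report. Ids, timestamps, domains and the "otherNotification" code are made up.
SAMPLE_ROWS = r'''
180023|1760557037|1760614640|sent|445|certificateAutoRenewalFailed|{"failedKeepDomainsSecured":" ** 'moved.example.test' **\n   No domains have passed validation","vendor":"Let`s Encrypt"}
180027|1760557040|1760614640|sent|445|certificateAutoRenewalFailed|{"failedKeepDomainsSecured":" ** 'active.example.test' **\n   No domains have passed validation","vendor":"Let`s Encrypt"}
180029|1760557050|1760614640|sent|445|otherNotification|{"text":"moved.example.test"}
180031|1760643437|1760701040|sent|445|certificateAutoRenewalFailed|{"failedKeepDomainsSecured":" ** 'moved.example.test' **\n   No domains have passed validation","vendor":"Let`s Encrypt"}
180035|1760643440|1760701040|sent|445|certificateAutoRenewalFailed|{"failedKeepDomainsSecured":"<none>","vendor":"Let`s Encrypt"}
'''

# Assumption: each failing domain appears as ** 'name' ** inside the
# failedKeepDomainsSecured text, as in the quoted entry.
DOMAIN_RE = re.compile(r"\*\* '([^']+)' \*\*")

def failed_domains(row):
    """Return (first_field_as_id, [domains]) for a renewal-failure row, else None."""
    fields = row.split("|", 6)  # maxsplit keeps any '|' inside the JSON intact
    if len(fields) != 7 or fields[5] != "certificateAutoRenewalFailed":
        return None
    try:
        params = json.loads(fields[6])
    except json.JSONDecodeError:
        return None
    return int(fields[0]), DOMAIN_RE.findall(params.get("failedKeepDomainsSecured", ""))

def orphaned_renewals(dump, ssl_disabled):
    """Map each SSL-disabled domain to the rows that still report a failed renewal."""
    wanted = {d.lower() for d in ssl_disabled}
    hits = defaultdict(list)
    for line in dump.splitlines():
        parsed = failed_domains(line.strip())
        if parsed is None:
            continue
        row_id, domains = parsed
        for domain in domains:
            if domain.lower() in wanted:
                hits[domain.lower()].append(row_id)
    return dict(hits)

if __name__ == "__main__":
    for domain, ids in orphaned_renewals(SAMPLE_ROWS, {"moved.example.test"}).items():
        print(f"{domain}: {len(ids)} renewal failures after SSL was disabled, rows {ids}")
```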