TITLE
SSL auto-renewal attempts do not stop after removing cert and disabling SSL
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE
Obsidian 18.0.73 #2
Alma 8.10
But the issue exists since 17.8 and CentOS 7
PROBLEM DESCRIPTION
A domain that previously pointed to the server, had a Let's Encrypt SSL cert and was then re-routed to another IP, can no longer have a domain-validated SSL certificate. Hence the auto-renewal feature of the cert tries to renew the cert but fails. It sends daily notifications about the failure.
This is true, although:
a) The certificate was completely removed from Plesk.
b) SSL in the domain is turned off (unchecked).
c) The file /usr/local/psa/var/modules/sslit/etc/live/<domainname> was removed and for sure is no longer present in the system.
d) All message entries in the SQLite queue have been removed by
"delete from Notification where params like '%<domainname>%';"
Nevertheless, a new message entry is added to the queue daily:
Code:
180023|1760557037|1760614640|sent|445|certificateAutoRenewalFailed|{"failedKeepDomainsSecured":" ** '<domainname>' **\n No domains have passed validation","keepDomainsSecuredWithErrors":"<none>","notRenewedCertificates":"<none>","partiallyRenewedCertificates":"<none>","vendor":"Let`s Encrypt"}
STEPS TO REPRODUCE
- Create a website and domain. Route the domainname to that website.
- Issue a Let's Encrypt SSL certificate for that domain and verify that SSL is working.
- Re-route the domainname to another IP so that the SSL extension will fail a renewal attempt.
- Disable SSL in the website (hosting settings)
- Remove the SSL certificate from the website, including removal from the SSL cert file overview.
- Remove the /usr/local/psa/var/modules/sslit/etc/live/<domainname> file from the system.
- Remove existing notification entries from SQLite ("delete from Notification where params like '%<domainname>%';")
- Wait another day
ACTUAL RESULT
The system continues renewal attempts. It also adds a new notification message to the notification queue.
EXPECTED RESULT
- If an SSL certificate is removed from a domain, stop renewal attempts of the SSL cert of that domain. (It no longer exists!)
- If a domain has SSL turned off, do not attempt to renew an SSL certificate.
- If a domain has SSL turned off, do not send notifications on renewal attempts.
ANY ADDITIONAL INFORMATION
One issue with the SSL extension persists through all versions. I have brought this up for years, but never put it into a bug report. But it is clearly a bug.
Previously, one argued that when you turn on "keep websites secured", this leads to this behavior. But: Once an SSL certificate is removed, it is not possible to turn that setting off. It needs to be turned off automatically when an SSL certificate is removed. (However, it remains unclear whether that is actually the root cause for the strange behavior that a certificate that does not exist is still renewed...)
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM
Confirm bug
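Added example, not part of the original post and not Plesk's own code: the substring pattern used in the report's DELETE also matches queue rows for other domains that merely contain the name, so this sketch parses the `params` JSON and matches the domain exactly. Only the table name `Notification` and the column `params` come from the report; the `id` and `code` columns and the sample rows are assumptions constructed for illustration.

```python
import json
import re
import sqlite3

# Domain entries appear as ** 'name' ** inside failedKeepDomainsSecured.
DOMAIN_RE = re.compile(r"\*\* '([^']+)' \*\*")

def failed_domains(params_json):
    """Domains named in failedKeepDomainsSecured of one params JSON string."""
    field = json.loads(params_json).get("failedKeepDomainsSecured", "")
    return set(DOMAIN_RE.findall(field))

def like_ids(conn, domain):
    """Row ids hit by the substring pattern used in the report's DELETE."""
    cur = conn.execute(
        "SELECT id FROM Notification WHERE params LIKE ? ORDER BY id",
        (f"%{domain}%",))
    return [row[0] for row in cur]

def exact_ids(conn, domain):
    """Row ids whose renewal-failure entry names exactly this domain."""
    cur = conn.execute(
        "SELECT id, params FROM Notification WHERE code = ? ORDER BY id",
        ("certificateAutoRenewalFailed",))
    return [rid for rid, params in cur if domain in failed_domains(params)]

def demo_db():
    """In-memory table with constructed rows (assumed 'id' and 'code' columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Notification (id INTEGER PRIMARY KEY, code TEXT, params TEXT)")
    samples = [(1, "example.com"), (2, "shop.example.com"), (3, "example.com.invalid")]
    for rid, name in samples:
        params = json.dumps({
            "failedKeepDomainsSecured":
                f" ** '{name}' **\n No domains have passed validation",
            "keepDomainsSecuredWithErrors": "<none>",
            "vendor": "Let`s Encrypt"})
        conn.execute("INSERT INTO Notification VALUES (?, ?, ?)",
                     (rid, "certificateAutoRenewalFailed", params))
    return conn

if __name__ == "__main__":
    db = demo_db()
    print("LIKE pattern matches rows:", like_ids(db, "example.com"))
    print("exact domain matches rows:", exact_ids(db, "example.com"))
```

Running the exact match first shows which queue rows a cleanup would really need to touch before any DELETE is issued against the live database.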