
Forwarded to devs SSL auto-renewal attempts do not stop after removing cert and disabling SSL

Bitpalast

TITLE

SSL auto-renewal attempts do not stop after removing cert and disabling SSL

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Obsidian 18.0.73 #2
Alma 8.10
But the issue has existed since 17.8 and CentOS 7

PROBLEM DESCRIPTION

A domain that previously pointed to the server, had a Let's Encrypt SSL cert and was then re-routed to another IP, can no longer have a domain-validated SSL certificate. Hence the auto-renewal feature of the cert tries to renew the cert but fails. It sends daily notifications about the failure.

This is true, although
a) The certificate was completely removed from Plesk.
b) SSL in the domain is turned off (unchecked)
c) The file /usr/local/psa/var/modules/sslit/etc/live/<domainname> was removed and for sure is no longer present in the system.
d) All message entries in the SQLite queue have been removed by
"delete from Notification where params like '%<domainname>%';"

Nevertheless, a new message entry is added to the queue daily:
Code:
180023|1760557037|1760614640|sent|445|certificateAutoRenewalFailed|{"failedKeepDomainsSecured":" ** '<domainname>' **\n   No domains have passed validation","keepDomainsSecuredWithErrors":"<none>","notRenewedCertificates":"<none>","partiallyRenewedCertificates":"<none>","vendor":"Let`s Encrypt"}

STEPS TO REPRODUCE

  1. Create a website and domain. Route the domainname to that website.
  2. Issue a Let's Encrypt SSL certificate for that domain and verify that SSL is working.
  3. Re-route the domainname to another IP so that the SSL extension will fail a renewal attempt.
  4. Disable SSL in the website (hosting settings)
  5. Remove the SSL certificate from the website, including removal from the SSL cert file overview.
  6. Remove the /usr/local/psa/var/modules/sslit/etc/live/<domainname> file from the system.
  7. Remove existing notification entries from SQLite ("delete from Notification where params like '%<domainname>%';")
  8. Wait another day

ACTUAL RESULT

The system continues renewal attempts. It also adds a new notification message to the notification queue.

EXPECTED RESULT

  1. If an SSL certificate is removed from a domain, stop renewal attempts of the SSL cert of that domain. (It no longer exists!)
  2. If a domain has SSL turned off, do not attempt to renew an SSL certificate.
  3. If a domain has SSL turned off, do not send notifications on renewal attempts.

ANY ADDITIONAL INFORMATION

One issue with the SSL extension persists through all versions. I have brought this up for years, but never put it into a bug report. But it is clearly a bug.

Previously, one argued that when you turn on "keep websites secured", this leads to this behavior. But: Once an SSL certificate is removed, it is not possible to turn that setting off. It needs to be turned off automatically when an SSL certificate is removed. (However, it remains unclear whether that is actually the root cause for the strange behavior that a certificate that does not exist, is still renewed...)

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
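
Added example, not part of the original report and not Plesk code: a triage helper that parses notification rows in the pipe-separated form quoted above and lists domains whose renewal keeps failing on several distinct days. Assumptions: the second field is a Unix creation timestamp, the other JSON keys use the same ` ** 'name' ** ` marker, and the sample rows and domain names are constructed.

```python
import json
import re

DOMAIN_RE = re.compile(r"\*\* '([^']+)' \*\*")
# JSON keys seen in the quoted row; the marker format of the last three is assumed.
KEYS = ("failedKeepDomainsSecured", "keepDomainsSecuredWithErrors",
        "notRenewedCertificates", "partiallyRenewedCertificates")

def _row(rowid, created, kind, domain):
    """Build a constructed sample row shaped like the one in the report."""
    params = {"failedKeepDomainsSecured":
              f" ** '{domain}' **\n   No domains have passed validation",
              "keepDomainsSecuredWithErrors": "<none>", "vendor": "Let`s Encrypt"}
    return (f"{rowid}|{created}|{created}|sent|445|{kind}|"
            + json.dumps(params, separators=(",", ":")))

# Constructed data: three consecutive days for one domain, one single failure,
# one row of an unrelated (placeholder) notification type.
SAMPLE_ROWS = [
    _row(180023, 1760557037, "certificateAutoRenewalFailed", "moved.example"),
    _row(180031, 1760643437, "certificateAutoRenewalFailed", "moved.example"),
    _row(180040, 1760729837, "certificateAutoRenewalFailed", "moved.example"),
    _row(180024, 1760557100, "certificateAutoRenewalFailed", "ok.example"),
    _row(180025, 1760557200, "otherNotificationType", "moved.example"),
]

def parse_row(line):
    """Return id, timestamp and failing domains, or None for other/bad rows."""
    parts = line.rstrip("\n").split("|", 6)  # the JSON itself may contain '|'
    if len(parts) != 7 or parts[5] != "certificateAutoRenewalFailed":
        return None
    try:
        params = json.loads(parts[6])
        rowid, created = int(parts[0]), int(parts[1])
    except ValueError:
        return None
    domains = set()
    for key in KEYS:
        domains.update(DOMAIN_RE.findall(str(params.get(key, ""))))
    return {"id": rowid, "created": created, "domains": sorted(domains)}

def recurring_failures(lines, min_days=2):
    """Map each domain to the number of distinct UTC days it failed on."""
    days = {}
    for line in lines:
        row = parse_row(line)
        if row:
            for domain in row["domains"]:
                days.setdefault(domain, set()).add(row["created"] // 86400)
    return {d: len(s) for d, s in sorted(days.items()) if len(s) >= min_days}
```

Domains returned by `recurring_failures` are the ones to check for DNS that no longer points at the server.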
 
Thank you for the report, Peter. I forward it to our engineers for further review. I will follow-up with more details as soon as possible.
 
Peter, I got an update from our team about this case. In a simple way, if SSL/TLS support is disabled for web hosting, neither auto-renew nor the keep-secured service tries to reissue a certificate for the domain. Though, if the certificate was issued with a number of SANs (that most probably happened if there’s keep-secured enabled), then auto-renew can ignore the fact that SSL/TLS support is disabled for the domain. Our team found a way to reproduce the issue, which was registered as a bug with ID EXTSSLIT-2242. However, they can’t reproduce anything like that in the situation when the certificate is completely removed from the server (step 5). For SSL It! to try to renew the certificate, it must be assigned somewhere (e.g. to webmail), but in such a case Plesk won’t allow removing the certificate.
With that said, please let me know if you have an option to open a ticket and grant server access. If not, we will figure out an alternative way for determining the potential root cause. Thank you in advance.
 
The ticket has been processed, as usual with precision and within a good time frame. But the outcome was not satisfying. My argument is that when a domain is set to "no SSL" meaning SSL is disabled, this does not affect the "webmail" subdomain of that domain, even if that webmail subdomain is not listed as a separate subdomain in the panel.

So when a domain is routed away from the server, but "keep websites secured" was "on", the server will keep trying to renew the SSL certificate for the sake of the webmail subdomain. And it will do it even if you turn SSL off for that domain. The only solution in that case is to disable webmail in the account (or to remove the domain altogether). I still believe that this is a bug, because when the vendor or the user explicitly chooses to disable SSL, no renewal attempts should continue. But developers say it should keep trying to renew the webmail domain unless webmail is turned off.

So by Plesk it seems to be solved, but for practical use, it's nonsense. A user who turns off SSL does not want SSL to work and does not want certificates to renew. Especially as there is no option to handle the webmail subdomain separately in such a case. Well, at least we now understand what is going on and why this case occurs so frequently. As I am writing this I have just gotten a new complaint by another customer on exactly the same situation ...
 