Forwarded to devs SSL It! breaks renewal and usage of Let's Encrypt wildcard certificates when subdomains are involved

[Hangover2]

Username:

TITLE

SSL It! breaks renewal and usage of Let's Encrypt wildcard certificates when subdomains are involved

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk Obsidian 18.0.57 Update #5, Debian 10.13, x86-64, SSL It! 1.14.5-1856

PROBLEM DESCRIPTION

Since mid of December 2023 we are getting warnings for all of our Plesk servers, that some Let's Encrypt certificates cannot be renewed on time. After some investigation we could break down the problem to wildcard certificates that are shared with subdomains.

STEPS TO REPRODUCE

- create a wildcard certificate for a domain
- use the same wildcard certificate for a subdomain of the domain ("Hosting Settings -> Certificate")
- wait 60 days till the wildcard certificate will be renewed automatically by Plesk

ACTUAL RESULT

a) for the subdomain:

- suddenly an own certificate is generated for the subdomain (can be seen in the advanced settings of "SSL/TLS Certificates")
- this certificate is also selected under the "Hosting Settings" of the subdomain
- but: it seems not to be used for the subdomain, the webserver is still using the old wildcard certificate (that will expire soon) for the subdomain (we checked Nginx config + SSL It! advanced settings, it is still using the old one)
- in the SSL/TLS Certificate section of the subdomain also some info is missing, it shows "Certificate attributes are not available."

b) for the main domain

- the wildcard certificate is not renewed and ends up in a freezing state with no error message at all, it shows the known buttons for "continue" and "cancel" of the wildcard certificate generation process under the SSL/TLS Certificate section of the domain

EXPECTED RESULT

- Only the wildcard certificate should be renewed and be used for the domain and subdomain(s).

ANY ADDITIONAL INFORMATION

- If many subdomains are involved, more problems can occur, e.g. the rate limit of Let's encrypt can be triggered. This is why this bug can be quite annoying for big shared hosting providers.
- The only time-consuming workaround right now is to generate the wildcard certificate manually again and then assign it manually to all subdomains. After this you can delete all own certificates of the subdomains under "Advanced Settings".

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug

 

[Peter Debik]

Thank you for your report, forwarded to developers as internal ID PPS-15436.

 

[Bobbbb]

Can confirm. Following. Also experiencing this with LE wildcard certs on subscriptions with subdomains. Was about to post a new thread.

 

[Peter Debik]

I got some feedback from developers on it. We know of an issue where subdomain SSL cert renewals break due to previous pending SSL renewal orders not having been removed from the order queue (EXTSSLIT-1879). But a general issue with the wildcard SSL renewal could not be reproduced.

I suggest that you please open a support ticket with reference to ID PPS-15346. It will at least help to raise awareness and priority level of the case.

 

[Hangover2]

@Peter Debik The affected servers have reseller licenses without direct support by Plesk. Maybe @Bobbbb has a proper license to open a ticket.

 

[Bobbbb]

@Peter Debik The affected servers have reseller licenses without direct support by Plesk. Maybe @Bobbbb has a proper license to open a ticket.

I'm sorry, I do not. I go through a reseller as well. Additionally, since I only had a relatively small number of affected subscriptions, and the subdomains in question were all "staging" subdomains, I just removed them to work around the issue, for now.

 

[Bobbbb]

Also, in trying to think of anything I might have changed that could be related to the issue, I remember that, in the past, we had to change a Let's Encrypt certificate setting in panel.ini. I don't think this could cause the issue, but it's the only change I remember making...

[ext-letsencrypt]
enabled = on
log-requests = true
key-algorithm = ECDSA

 

[Paul Hermans]

We are also seeing several Wildcard Let's Encrypt certificates not being renewed automatically.

When logging in Plesk and opening "SSL/TLS Certificates" we see the "Continue" button like in the screenshot above.

When clicking on the Continue button the SSL/TLS certificate will be installed succesfully.

 

[BNO]

i got the same problem. on 2 Servers with different licenses. i see just like this:

 

[Peter Debik]

@AYamshanov Recently also seen on FB group; Plesk Online Community | Facebook

@BNO please open a support ticket so that engineers can investigate the issue on your server.

 

[BNO]

i got my server on Hetzner and License Too. But Hetzner says, they give no Plesk Support.
i think it's a Plesk related Problem, not just server side?

 

[Peter Debik]

i got my server on Hetzner and License Too. But Hetzner says, they give no Plesk Support.
i think it's a Plesk related Problem, not just server side?

By "on your server" I am not saying, it is a hardware problem. It is some sort of configuration issue on the operating system or in the Plesk software, but to date we did not have the opportunity to actually see it on a user's server. For that reason I have asked to please contact support so that someone may look into the server and fix the issue.

 

[BNO]

yes i know what you mean. but we did not pay for support. so we got no plesk support.

 

[Peter Debik]

Resellers are obligued to provide support. Unfortunately some don't play by the rules. If your provider where you bought your license from does not abide to what they should actually do, your option is to buy a support subscription from Plesk. This comes with a 30 days trial period. You could just cancel the subscription once the ticket is through to avoid payment.

 

[AYamshanov]

I would like to add that the bug (EXTSSLIT-1879) mentioned earlier is still in 'open" status and we are going to review the bug more detailed because of new details.
Anyway, new support tickets will help us to collect more details about steps-to-reproduce and configurations which cause the issue.

 

[ScottGoddard]

+1
Been seeing this exact issue for a while now.

 

[enerspace]

We also have this problem on several servers.

 

[Hangover2]

This bug is super annoying. Since end of December we are forced nearly daily to manually create and clean-up the certificates for our hosting clients on all of our servers as otherwise warning emails are sent to our clients and/or the websites get non accessible after the certificates finally expire. On top we experienced the problem, that the bug sometimes leads to the removal of the "SSL/TLS certificate for mail". Then all mail clients trigger errors about the not matching hostname/certificate combination. I really cannot understand that such a huge bug is open now since December last year and that the Plesk team does not have the awareness of it yet. Are there no test servers with an appropriate amount of domain / subdomain / settings combinations for testing purposes? But he, at least we got 4 new website templates for the Sitejet Builder.

 

[arupa]

Has there been a workaround or resolution on this one?

 

[Hangover2]

@arupa No, there is no workaround, only a lot of manual click around. The bug also changes its behavior sometimes. Maybe because of some of the latest updates of Plesk and/or SSL It!.

Here is one example scenario of an affected client (the ACTUAL RESULT is a bit different than in my bug report):

The client has a wildcard certificate that is used for the main domain + 3 subdomains.

29.02.2024 (1 day before auto-renewal of the certificate:

SSL It!:




Settings for the main domain:



01.03.2024 (auto-renewal of the certificate was done):

SSL It! with problems:





This time the wildcard certificate was renewed (we checked also under /opt/psa/var/certificates/*).
The Nginx config was rewritten and the new certificate is used for the main domain. So far so good.

Settings for the main domain with problems:



- we checked the new wildcard certificate again under /opt/psa/var/certificates/* and it still has the -----BEGIN CERTIFICATE REQUEST----- inside the file, some other current certificates do not have it anymore, but some have it too

For the subdomains the situations is now the following:
- the "Certificate Authority" is red "NONE"
- under Hosting we see, that an own subdomain certificate is now present and chosen and the wildcard is not used anymore:



- BUT: what we see here is not what's actual the case
- we checked the Nginx config (that was regenerated) and it points to an own certificate
- BUT: this certificate is a copy of the new wildcard certificate that was generated for the main domain

Settings for one subdomain with problems:



Our clean-up is now the following:
- we cancel the certificate request for the main domain
- we update the hosting settings of the subdomain to use the certificate of the main domain (certificate attributes and certificate authority is then available again and the Nginx config is now pointing to the same certificate as the main domain - no copy anymore)
- we remove the subdomain certificate entry in the advanced settings of the SSL/TLS Certificates settings of the subdomain

As we do repair the problems immediately now, we cannot say, if the actual result will change by time, if it is ignored same like in the past when we did the bug report.

But as you can see, if there are hundreds of subdomains, this manual job to repair the mess is quite time consuming. The costs for our company are much higher than our monthly fees for all Plesk licenses together.

We really hope, that this bugfix gets #1 priority. Thanks in advance!