• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question Why did Let's Encrypted stop working, all of a sudden.

larryk

Regular Pleskian
CentOS Linux 7.5.1804 (Core)‬
ProductPlesk Onyx
Version 17.8.11 Update #95, last updated on Mar 9, 2021 03:19 AM

So, I've never seen this before, but it just happened.

1) client domain is good and has been good for long time.
2) Lets Encrytpe has been renewing all good. The next renewal was in June.

3) out of the blue, the domain doesn't have SSL working. what!?!!??!!?!?
4) I look at plesk domain under ssl and sure enough, the www is not on.
5) I click regenerate SSL and all is good again.

ANYONE know how or why that could have happened?
thanks
 
Your client has removed the certificate. There is no other explanation, because it takes at least a web server reconfiguration to disable SSL on the domain. This is not done automatically. If there was an error with the certificate file, the web server could not be restarted. The only conclusion is that it is not so much out of the blue as the client says it is.
 
Hi Peter and thanks for the reply.
I'm positive the client, nor anyone did it manually. I'm the only person who does things.
I'm positive, the WWW SSL stopped working on its own.

However, you bring up a good point. Is there a way I can check some log files, etc. to see what happened?

NOTE: when I logged in to see what the SSL/TLS Certificate page had for this domain, ALL other checks were good (green) except this single one:


Domain with the "www" prefix​

www.domain.com


Then when I regenerated the cert, it was now green.
 
Hello...
This is NOT a 1-time incident. It is happening multiple times to different domains?

It is extremely urgent, serious, as sites are seen as NOT working when the SSL messes up.

How to get Plesk Support on this ASAP?

note: I have a site currently that the issue is happening as I right this, but it is my own site. So i can use it as an example for support to investigate with.
 
I found another site and talking with my server support.
there is an issue with:
- common name and alternative name mismatch
- the DLG files get messed up?
 
my hosting/server support said:
he has seen this before.... it might be Lets Encrypt and/or Plesk?
There is "something" that updates and messes up the name...

So while the SSL cert is fine and good, the browser sees a name mismatch and then gives the SSL error.
And obviously, the site does not load.

Plesk Support site -- I'm using 3rd party (my license comes from my host)... so Plesk support doesn't allow me to submit issue, bug, etc.

Will anyone else submit it?

If I were you, I would doubt check all your domains to make sure the SSL is working on the browser.
AGAIN, the SSL is up and working, BUT the broswer sees an issue with a "mismatch name" and then throws SSL error.

argh, this is bad!!
 
Thanks @IgorG

but I'm not buying a Plesk support subscription, only to submit a bug/urgent issue. That makes zero sense.
It is just sad, Plesk forces you to pay to submit an issue. I'm not going to work for free or pay to debug Plesk.

My hosting support (who is a Plesk Partner and where my license came from) is looking into the issue and their initial response/finding was what I posted above.
I'm sure by tomorrow they will have more details.

So I'm assuming, by the type or lack of responses to this thread, NO ONE other than my Plesk server has seen this type of issue?
I'm 98% sure it is not my doing that is causing the SSL name mismatch to create the browser SSL error.
I give it 2% that something I've installed is causing the issue.

I mean, after years of doing the same things... what started happening as of March 25, 2021 ????

Something tells me, this is a Plesk issue or Let's Encrypt issue.
 
Is there a way I can check some log files, etc. to see what happened?
/var/log/plesk/panel.log
maybe in combination with

there is an issue with:
- the DLG files get messed up?
What are "DLG" files?

my hosting/server support said:
he has seen this before.... it might be Lets Encrypt and/or Plesk?
There is "something" that updates and messes up the name...

So while the SSL cert is fine and good, the browser sees a name mismatch and then gives the SSL error.
...
AGAIN, the SSL is up and working, BUT the broswer sees an issue with a "mismatch name" and then throws SSL error.
Please provide the Browser type and the exact, full error message that the browser displays. Sometimes you can click a button like "Expand" or "More information" on a browser error page. This gives more details and explains what the problem is, e.g. if the given domain is not included in a cert etc. You can/should redact
 
but I'm not buying a Plesk support subscription, only to submit a bug/urgent issue. That makes zero sense.
It is just sad, Plesk forces you to pay to submit an issue. I'm not going to work for free or pay to debug Plesk.
...
Something tells me, this is a Plesk issue or Let's Encrypt issue.

You have a 30-day money-back-guarantee.

It sure is some kind of issue with certificate maintenance, but it's probably not a software issue, but more some kind of usability problem.

Have you run
# plesk repair db -y
to fix potential integrity issues with your database? If you have frequently removed and re-added domains without removing certificates first, this could - in combination with integrity errors - lead to a situation where a wrong certificate is applied to a domain configuration in the web server.

Another frequent issue is that people move domains from one subscription to another or are doing restores from a backup set to a system that meanwhile has a different "Let's Encrypt state" or where domains have been moved around.

And when you have placed many additional subdomains or aliases into a certificate and then later took such a domain to run it separately (e.g. remove it as an alias and re-add it as a webspace domain with its own cert) this will also cause trouble when the original certificate is up for renewal.
 
Thanks Peter!
This is the notice on Chrome. This site does not have HSTS turned on.

Your connection is not private​

Attackers might be trying to steal your information from www.123.com (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_COMMON_NAME_INVALID

To get Chrome’s highest level of security, turn on enhanced protection
ReloadHide advanced
www.123.com normally uses encryption to protect your information. When Google Chrome tried to connect to www.123.com this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be www.123.com, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.
You cannot visit www.123.com right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.



ALSO, I had another site with the same type of issue, but the message was different. I didn't copy it, but it was the short message? no extra details?

note: to fix the issue, the ONLY think I did was click, Reissue Certifcation.


NEW CHANGE, as of yesterday????
In this example, the www.123.com was my own site. It was messing up and I left it allow, as everyone (support) needs a domain that is currently messing up.
So just now when I went to Plesk > SSL/TLS Certification for the 123 site, I see this: (which I never saw before?)... in a blue bacground box?

-----------

Started issuing a wildcard SSL/TLS certificate from Let's Encrypt for the domain 123.com.

Please wait while Plesk finishes adding a DNS record with the following parameters:
Record type: TXT
Domain name: _acme-challenge.123.com
Record: H9fdkj39fk309fk093ifkf0409kfbRGt6iogp_Kxk93jdj893jDSGD

To terminate and delete the existing certificate request, click "Cancel".

Before clicking "Reload", make sure that the DNS record was added and can be resolved externally.

[reload] [cancel]

------------

I've never seen that type of message before? I'm not sure if my hosting support did something or not?
THey are still investigating :(
 
unless i'm wrong....

POINT BLANK, something is causing the 'name mismatch' ...

so at some point, after the site and SSL is working fine... the browser sees a mismatch and throws the error,
BUT the SSL is technically okay.

what could the 'something' be?

==> from my point of view, Plesk and Let's Encrypt is all automated. I don't do anything except turn it on.
After March 25, 2021, 5 sites have seen this issue out of 60

@UFHH01 @trialotto @Lloyd_mcse @lvalics @Peter Debik @Faris Raouf @IgorG
 
Last edited:
argh... :(
anyway, never mind.
I'm going to migrate to Plesk 18 on a new server, surely the problem doesn't happen there.
 
"Domain validation failed" can mean that your domain has a round robin DNS entry, e.g. does not resolve to the same IP address for each request, but to different IP addresses. This might also be caused by a mismatch of IPv6 and IPv4 targets. Your wildcard message from above also points to a false DNS configuration.
 
Back
Top