
Resolved Wrong Let's Encrypt Certificate for alias subdomain

Roberto84.c

New Pleskian
Hi all. I am having an annoying problem in assigning the Let's Encrypt SSL certificate for an alias domain. I have several subdomains and with web hosting it works perfectly (and alias too). This is the scenario:

mydomain.tld / www.mydomain.tld / another.mydomain.tld
(they work, every certificate belongs to their respective subdomains, no wrong certificate alerts in web browser)
When I create the alias name "cdn.mydomain.tld", the certificate assigned to this one belongs to "another.mydomain.tld"... I can't understand why, and obviously I get a browser alert. I tried to test an alias by creating "cdn2.mydomain.tld" and the certificate is assigned correctly... o_O What's wrong?

Plesk Obsidian v18.0.38_build1800211001.19
CentOS Linux 7.9.2009 (Core)

Thank you.
 
Sorry, I posted in the wrong section
 
Hello @Roberto84.c,
Could you please provide the version of the Let's Encrypt extension installed on your system?

Could you please explain: did you reissue the certificate manually after you created cdn.mydomain.tld, to cover the alias?

Were there any errors in panel.log within this period?

P.S. I've moved your post to the correct forum.
 
Hello Nik.

Could you please provide the version of the Let's Encrypt extension installed on your system?
- Let's Encrypt version: 2.13.6-736

Could you please explain: did you reissue the certificate manually after you created cdn.mydomain.tld, to cover the alias?
- Well, it started to give me a browser alert in the first days of October. I tried to renew the alias certificate manually for cdn.mydomain.com and for the main domain too (to cover the alias).

Were there any errors in panel.log within this period?
- I cannot check due to an error when trying to log in with the SSH terminal of the Plesk GUI: "Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password)"

P.S. I've moved your post to the correct forum.
- Thank you :)
 
I can't understand the logic why only the alias "CDN" is not assigned to the main wildcard domain cert. Which file is responsible for assigning the alias certificate ?
Thanks.
 
I cannot check due to an error when trying to log in with the SSH terminal of the Plesk GUI: "Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password)"
Likely in /etc/ssh/sshd_config the PermitRootLogin parameter is set to "no", prohibiting login with the "root" user. In this case you can still log in with SSH, but only with an SSH client and a user account on the system. Once logged in, you can escalate your privileges with the "su" command and gain full console access.
 
@Roberto84.c
The domain alias is configured in the domain config at
/var/www/vhosts/system/mydomain.tld/conf/httpd.conf

There should be something like the below in this file:

Apache config:
 <VirtualHost 10.52.76.216:443 >
        ServerName "mydomain.tld"
        ServerAlias "www.mydomain.tld"
        ServerAlias "ipv4.mydomain.tld"
        ServerAlias "cdn.mydomain.tld"
        ServerAlias "www.cdn.mydomain.tld"
        ServerAlias "ipv4.cdn.mydomain.tld"
        UseCanonicalName Off


<-- skipped -->

        SSLEngine on
        SSLVerifyClient none
        SSLCertificateFile /usr/local/psa/var/certificates/scfllyrOx
        SSLCACertificateFile /usr/local/psa/var/certificates/scfU6B3xs

So, after renewal the certificate should contain the appropriate info that it is valid for cdn.mydomain.tld,
and the config for the domain should contain alias records for the new alias.
 
@Peter Debik
thank you, I solved logging through SSH with appropriate user account.

The domain alias is configured in the domain config at
/var/www/vhosts/system/mydomain.tld/conf/httpd.conf

There should be something like the below in this file:

<VirtualHost 10.52.76.216:443 >
ServerName "mydomain.tld"
ServerAlias "www.mydomain.tld"
ServerAlias "ipv4.mydomain.tld"
ServerAlias "cdn.mydomain.tld"
ServerAlias "www.cdn.mydomain.tld"
ServerAlias "ipv4.cdn.mydomain.tld"
UseCanonicalName Off


<-- skipped -->

SSLEngine on
SSLVerifyClient none
SSLCertificateFile /usr/local/psa/var/certificates/scfllyrOx
SSLCACertificateFile /usr/local/psa/var/certificates/scfU6B3xs


So, after renewal the certificate should contain the appropriate info that it is valid for cdn.mydomain.tld,
and the config for the domain should contain alias records for the new alias.

Thank you. I found it in /var/www/vhosts/system/mydomain.tld/conf/nginx.conf

server {
listen 10.52.76.216:443 ssl http2;

server_name www.mydomain.tld;
server_name ipv4.mydomain.tld;
server_name cdn.mydomain.com;
server_name www.cdn.mydomain.com;

ssl_certificate /usr/local/psa/var/certificates/scfe3bsf9;
ssl_certificate_key /usr/local/psa/var/certificates/scfe3bsf9;

client_max_body_size 128m;

root "/var/www/vhosts/mydomain.tld/httpdocs";
access_log "/var/www/vhosts/system/mydomain.tld/logs/proxy_access_ssl_log";
error_log "/var/www/vhosts/system/mydomain.tld/logs/proxy_error_log";

add_header X-Cache-Status $upstream_cache_status;
set $no_cache "";
<-- skipped -->

in /var/www/vhosts/system/mydomain.tld/conf/httpd.conf

<IfModule mod_ssl.c>

<VirtualHost 5.249.157.125:7081 >
ServerName "mydomain.tld"
ServerAlias "www.mydomain.tld"
ServerAlias "ipv4.mydomain.tld"
ServerAlias "cdn.mydomain.tld"
ServerAlias "www.cdn.mydomain.tld"
ServerAlias "ipv4.cdn.mydomain.tld"
UseCanonicalName Off


<-- skipped -->

SSLEngine on
SSLVerifyClient none
SSLCertificateFile /usr/local/psa/var/certificates/scfe3bsf9
SSLCACertificateFile /usr/local/psa/var/certificates/scfUddJE3

</IfModule>
Thanks.
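
The check discussed in this thread (every name the vhost answers for must appear in the certificate it serves), as an added example that is not part of the original posts or of Plesk's own tooling. The function names, the sample config, and the sample SAN list with a wildcard entry are constructed assumptions; the SAN text imitates the relevant lines of `openssl x509 -noout -text` output.

```python
import re

# Constructed sample, modelled on the httpd.conf excerpt quoted in the thread.
VHOST_CONF = '''
<VirtualHost 10.52.76.216:443 >
    ServerName "mydomain.tld"
    ServerAlias "www.mydomain.tld"
    ServerAlias "ipv4.mydomain.tld"
    ServerAlias "cdn.mydomain.tld"
    ServerAlias "www.cdn.mydomain.tld"
    ServerAlias "ipv4.cdn.mydomain.tld"
'''

# Constructed sample: SAN lines as printed by `openssl x509 -noout -text`.
SAN_TEXT = '''X509v3 Subject Alternative Name:
    DNS:mydomain.tld, DNS:*.mydomain.tld
'''

# Apache ServerName/ServerAlias and nginx server_name lines.
NAME_DIRECTIVE = re.compile(
    r'^[ \t]*(?:ServerName|ServerAlias|server_name)[ \t]+([^;#\n]+)', re.I | re.M)

def configured_names(conf_text):
    """Hostnames the vhost answers for, in file order, without duplicates."""
    names = []
    for match in NAME_DIRECTIVE.finditer(conf_text):
        for token in match.group(1).split():
            name = token.strip('"\'').lower().rstrip('.')
            if name and name not in names:
                names.append(name)
    return names

def san_dns_names(openssl_text):
    """dNSName entries from the certificate's Subject Alternative Name."""
    return [n.lower() for n in re.findall(r'DNS:([^\s,]+)', openssl_text)]

def san_matches(host, pattern):
    """RFC 6125 style: '*' is the whole left-most label and covers one label only."""
    h, p = host.split('.'), pattern.split('.')
    if len(h) != len(p):
        return False
    if p[0] == '*':
        return len(p) > 2 and h[1:] == p[1:]
    return h == p

def uncovered_names(conf_text, openssl_text):
    """Configured hostnames that no SAN entry covers (browser alert candidates)."""
    sans = san_dns_names(openssl_text)
    return [h for h in configured_names(conf_text)
            if not any(san_matches(h, s) for s in sans)]
```

With the constructed wildcard certificate, `cdn.mydomain.tld` is covered but `www.cdn.mydomain.tld` and `ipv4.cdn.mydomain.tld` are not, because a wildcard never spans two labels.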
 