
Resolved Wrong Let's Encrypt Certificate for alias subdomain

Roberto84.c

New Pleskian
Hi all. I am having an annoying problem in assigning the Let's Encrypt SSL certificate for an alias domain. I have several subdomains and with web hosting it works perfectly (and alias too). This is the scenario:

mydomain.tld / www.mydomain.tld / another.mydomain.tld
(they work, every certificate belongs to their respective subdomains, no wrong certificate alerts in web browser)
When I create the alias name "cdn.mydomain.tld", the assigned certificate to this one belongs to "another.mydomain.tld" .... I can't understand why and obviously I get a browser alert. I tried to test an alias by creating "cdn2.mydomain.tld" and the certificate is assigned correctly..... o_O what's wrong ?

Plesk Obsidian v18.0.38_build1800211001.19
CentOS Linux 7.9.2009 (Core)

Thank you.
 
Sorry, I posted in the wrong section
 
Hello @Roberto84.c,
Could you please tell us what version of the Let's Encrypt extension is installed on your system?

Could you please explain: did you reissue the certificate manually after you created cdn.mydomain.tld, to cover the alias?

Were there any errors in panel.log within this period?

P.S. I've moved your post to the correct forum.
 
Hello Nik.
Could you please tell us what version of the Let's Encrypt extension is installed on your system?
- Let's Encrypt version: 2.13.6-736

Could you please explain: did you reissue the certificate manually after you created cdn.mydomain.tld, to cover the alias?
- Well, it started to give me a browser alert in the first days of October. I tried to renew the alias certificate manually for cdn.mydomain.com and for the main domain too (to cover the alias).
Were there any errors in panel.log within this period?
I cannot check due to an error when trying to log in with the SSH terminal in the Plesk GUI: "Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password)"
P.S. I've moved your post to the correct forum.
Thank you :)
 
I can't understand the logic why only the alias "CDN" is not assigned to the main wildcard domain cert. Which file is responsible for assigning the alias certificate ?
Thanks.
 
I cannot check due to an error when trying to log in with the SSH terminal in the Plesk GUI: "Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password)"
Likely in /etc/ssh/sshd_config the PermitRootLogin parameter is set to "no", prohibiting login with the "root" user. In this case you can still log in with SSH, but only with an SSH client and a user account on the system. Once logged in, you can escalate your privileges with the "su" command and gain full console access.
 
@Roberto84.c
The domain alias is configured in the domain config at
/var/www/vhosts/system/mydomain.tld/conf/httpd.conf

There should be something like the below in this file:

Apache config:
 <VirtualHost 10.52.76.216:443 >
        ServerName "mydomain.tld"
        ServerAlias "www.mydomain.tld"
        ServerAlias "ipv4.mydomain.tld"
        ServerAlias "cdn.mydomain.tld"
        ServerAlias "www.cdn.mydomain.tld"
        ServerAlias "ipv4.cdn.mydomain.tld"
        UseCanonicalName Off


<-- skipped -->

        SSLEngine on
        SSLVerifyClient none
        SSLCertificateFile /usr/local/psa/var/certificates/scfllyrOx
        SSLCACertificateFile /usr/local/psa/var/certificates/scfU6B3xs

So, after renewal, the certificate should contain the appropriate info that it is valid for cdn.mydomain.tld,
and the config for the domain should contain alias records for the new alias.
 
@Peter Debik
Thank you, I solved it by logging in through SSH with an appropriate user account.

Thank you. I found it in /var/www/vhosts/system/mydomain.tld/conf/nginx.conf

server {
listen 10.52.76.216:443 ssl http2;

server_name www.mydomain.tld;
server_name ipv4.mydomain.tld;
server_name cdn.mydomain.com;
server_name www.cdn.mydomain.com;

ssl_certificate /usr/local/psa/var/certificates/scfe3bsf9;
ssl_certificate_key /usr/local/psa/var/certificates/scfe3bsf9;

client_max_body_size 128m;

root "/var/www/vhosts/mydomain.tld/httpdocs";
access_log "/var/www/vhosts/system/mydomain.tld/logs/proxy_access_ssl_log";
error_log "/var/www/vhosts/system/mydomain.tld/logs/proxy_error_log";

add_header X-Cache-Status $upstream_cache_status;
set $no_cache "";
<-- skipped -->

in /var/www/vhosts/system/mydomain.tld/conf/httpd.conf

<IfModule mod_ssl.c>

<VirtualHost 5.249.157.125:7081 >
ServerName "mydomain.tld"
ServerAlias "www.mydomain.tld"
ServerAlias "ipv4.mydomain.tld"
ServerAlias "cdn.mydomain.tld"
ServerAlias "www.cdn.mydomain.tld"
ServerAlias "ipv4.cdn.mydomain.tld"
UseCanonicalName Off


<-- skipped -->

SSLEngine on
SSLVerifyClient none
SSLCertificateFile /usr/local/psa/var/certificates/scfe3bsf9
SSLCACertificateFile /usr/local/psa/var/certificates/scfUddJE3

</IfModule>
Thanks.
 
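The check discussed in the thread (every name the vhost config declares must be listed in the certificate that config points to), as an added example that is not part of the original posts or of Plesk's tooling. Function names are hypothetical, and the sample config and SAN list are constructed from the alias names shown above.

```shell
# Added example; function names are hypothetical, sample data is constructed.

# Names a vhost answers to (config on stdin): Apache ServerName/ServerAlias
# and nginx server_name values, with quotes and semicolons stripped.
vhost_names() {
    awk '$1 ~ /^(ServerName|ServerAlias|server_name)$/ {
             for (i = 2; i <= NF; i++) { gsub(/[";]/, "", $i); if ($i != "") print $i }
         }' | sort -u
}

# DNS names from the subjectAltName of the PEM certificate file $1.
cert_sans() {
    openssl x509 -in "$1" -noout -text | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Succeeds if host $1 is covered by the newline-separated SAN list $2:
# exact match, or a "*." entry standing for exactly one left-most label.
name_covered() {
    while IFS= read -r san; do
        [ "$san" = "$1" ] && return 0
        case "$san" in
            '*.'*)
                suffix=${san#?}          # "*.example.tld" -> ".example.tld"
                label=${1%"$suffix"}     # host with that suffix removed
                case "$label" in "$1"|''|*.*) ;; *) return 0 ;; esac ;;
        esac
    done <<EOF
$2
EOF
    return 1
}

# Print each vhost name (config on stdin) that SAN list $1 does not cover.
uncovered_names() {
    vhost_names | while IFS= read -r host; do
        name_covered "$host" "$1" || printf '%s\n' "$host"
    done
}

# Constructed sample; on a server: uncovered_names "$(cert_sans CERT)" < httpd.conf
SAMPLE_CONF='ServerName "mydomain.tld"
ServerAlias "www.mydomain.tld"
ServerAlias "cdn.mydomain.tld"
ServerAlias "www.cdn.mydomain.tld"'
SAMPLE_SANS='mydomain.tld
*.mydomain.tld'
printf '%s\n' "$SAMPLE_CONF" | uncovered_names "$SAMPLE_SANS"
```

Run it against both httpd.conf and nginx.conf, using the certificate path each file names in SSLCertificateFile or ssl_certificate. Any name it prints is one a browser will flag as a certificate mismatch.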