Forwarded to devs Wrong SSL certificate for ALL alias domains (and forward to) in one subscription

[Azurel]

Username: Azurel

TITLE

Wrong SSL certificate for ALL alias domains

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk Obsidian Version 18.0.33, CentOS Linux 8.3.2011

PROBLEM DESCRIPTION

I got few mails for alias domains

Your certificate (or certificates) for the names listed below will expire in 19 days (on 15 Mar 21 08:20 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

In plesk none alias domain is working anymore for a subscription, because invalid SSL certificate. In browser cert info, its shows valid certificate of the server, not for the domain of this alias.

Each (main) domain for this alias domains have correct and valid certifcates.

STEPS TO REPRODUCE

No idea, an update must have broken something here?

ACTUAL RESULT

All alias domains are not reachable, because wrong certificate.

EXPECTED RESULT

alias domains with valid correct certificate.

ANY ADDITIONAL INFORMATION



YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug

 

[Azurel]

Click on "SSL/TLS Certificate" for alias domains open not Lets Encrypt, instead default SSL Upload form is opened.
In other case for "forward to", its open the option to choose Lets Encrypt for SSL. Click on Lets Enrcypt open a dialog for input mail address, but the submit button (named "get it free") is always disabled.

Alias Domains in another subscriptions working fine. Click here on "SSL/TLS Certificate" opens Lets Enrypt form of the (main) domain.

 

[Aleksey Filatev]

Could you please clarify is SSL It! extension installed on your server?

 

[Azurel]

Yes I have and I am 100% sure its working all fine as I created the alias domains and "forward to"-domains months ago.

In another subscriptions alias-/foward-domains working fine, I found this issue only in one subscription, but this subscription have ~20 alias domains and "forward to"-domains. All with SSL error.

UPDATE: I never installed "Sectigo SSL". So this must be auto-installed.

 

[Aleksey Filatev]

Thank you for the additional information, we continue the investigation.

 

[Azurel]

Today I get a Obsidian Update Version 18.0.33 Update #1
So I tested all alias/forward domains again for this subscription.

DOMAIN www.example1.com with a valid working SSL have 3x aliases all with NET::ERR_CERT_COMMON_NAME_INVALID
In alias domains click on SSl Certificate open "Upload the certificate here" with 6 items. 1 domain and 5 subdomains.

DOMAIN www.example2.de with a valid working SSL have 8x aliases all with NET::ERR_CERT_COMMON_NAME_INVALID
In alias domains click on SSl Certificate open "Upload the certificate here" with 3 items. 1 domain and 2 subdomains.

FORWARD-TO example3.com is working and have 1x alias domain with ERR_CERT_COMMON_NAME_INVALID
In alias domain click on SSl Certificate open "Upload the certificate here" with 0 items.

Same for all others alias domains in this subscription.

Today, maybe with Update #1, all "foward to" domains are working. But all alias domains for domains and "forward to" domains still report error ERR_CERT_COMMON_NAME_INVALID because a valid but wrong certificate is used. Browser shows me server certificate (first added domain in plesk), not from expected domain.

 

[Aleksey Filatev]

Applying Plesk updates in most cases does not affect the functioning of Plesk extensions. So this is expected if you didn't notice any differences in 18.0.33. Or you have noticed some changes after updating Plesk? I mean, except the fact that forwarding domains came back to work.

 

[Azurel]

I found a partly solution.

In this subscription all alias domains was not set as "web service" and had no "301 redirect". After enabled "web service" and enabled "301 redirect" and manually renew certificate for main domains. All alias domains working now with ssl, WITH ONE EXCEPTION.

I have here "FOWARD TO" Domains and "ALIAS DOMAINS" for this "forward to" domains. In alias domains again, I enabled "web service" and "301 redirect", but this domains are not detected in main domains Lets Encrypt as one of the alias domains. So this alias domains of "forward to" domains still not working, because SSL error.

 

[Aleksey Filatev]

Thank you for your clarification!

 

[Azurel]

Today I get two mails from [email protected] for all alias domains that I here manually renewed in my last post.

Your certificate (or certificates) for the names listed below will expire in 9 days (on 15 Mar 21 08:17 +0000). Please make sure to renew your certificate before then, or visitors to your web site will encounter errors.

So there was already a valid certificate for this alias domains in the past. What must have been lost in Plesk.

 

[Aleksey Filatev]

This could mean that the SSL It!'s "Keep Secured" feature is not active for your domains or, for some reason, can not renew your certificates automatically. Did you receive any notifications from your Plesk server recently about attempting to renew certificates? Anyway, I suggest you try to renew any near-to-expire certificate manually. Will you face any issues?

 

[Azurel]

receive any notifications from your Plesk server recently about attempting to renew certificates?

Yes, I get this mails "Let`s Encrypt certificates for NAME have been issued/renewed" (last few days ago) and main domain for this alias domain is checked as

Valid To May 31, 2021
Will be automatically renewed

 

[Aleksey Filatev]

Am I understand correctly that there are no SANs for all aliases you have mentioned in a renewed certificate for your main domain?

 

[Azurel]

Thank you for asking. I would close the ticket. Currently, I see no need for action. If necessary, I will get back to you here.