Articles in this section

See more

How to allow HTTPS and configure SSL certificate on domain in Plesk which has Hosting Type set as Forwarding?

Avatar
Dinara Aspembitova
Updated
Follow
Plesk for Windows Plesk for Linux kb: how-to ext: le ABT: Group A

Applicable to:

  • Plesk for Linux
  • Plesk for Windows

Question

How to allow HTTPS and configure an SSL certificate on a domain in Plesk which has Hosting Type set as Forwarding in Domains > example.com > Hosting Settings?

Answer

  • The feature of assigning a certificate to domain with type forwarding is implemented in Plesk Obsidian 18.0.26
  • The feature to secure forwarding domains with Let's Encrypt certificate is implemented in SSL It! 1.5.0.
    It works for Plesk Obsidian on Linux with the Let’s Encrypt extension version 2.11 and later.

 

Click on a section to expand

For other versions, check the steps:

  1. Log in to Plesk.

  2. Navigate to the Domains > example.com > SSL/TLS Certificates where example.com is a forwarding domain.

  3. On the SSL/TLS Certificates page, add your certificate:

    • If an SSL certificate is stored in a single *.crt file:

      Click Browse... to select a certificate file. Then click Upload Certificate.

    • If an SSL certificate is stored in the form of *.key and *.crt files:

      Click Add SSL/TLS Certificate and scroll down to the Upload the certificate files section and upload these files. If both the certificate and the private key parts of your certificate are contained in a *.pem file (you can check it by opening the *.pem file in any text editor), just upload it twice, both as the private key and the certificate. Click Upload Certificate once finished.

    • If an SSL certificate is stored as a text:

      Click Add SSL/TLS Certificate and scroll down to the Upload the certificate as text section. There, paste the certificate and the private key parts into the corresponding fields. Click Upload Certificate when finished.

  4. Once the certificate is created, go to Domains > example.com > Hosting Settings and:

    • enable SSL support.

    • select the SSL that was just created and click OK.

 

 

Alternatively, the following workaround may be used: configure the forwarding type manually on a domain with Website hosting and set up the certificate.

For Linux

  1. Log into Plesk.

  2. Change the Hosting type of the domain to Website hosting in Domains > example.com > Hosting Settings.

  3. Go to Domains > example.com > Apache & nginx Settings.

  4. Add the following directives to both fields Additional directives for HTTP and Additional directives for HTTPS:

    CONFIG_TEXT: RewriteRule ^(.*)$ https://example.net/$1 [L,R=301,NC]

    Note: Replace https://example.net/ with the desired target location. In case 302 redirect is required, change 301 to 302.

    OR

    Add the following directives to the field Additional nginx directives, if it is present:

    CONFIG_TEXT: return 301 $scheme://example.net$request_uri;

    Note: The directives above can only be modified by Plesk Administrator. In case they are absent, contact service provider and ask to apply this article.

  5. In case the issue persists, check in Hosting settings that SSL/TLS support option is enabled for the domain.

For Windows

  1. Log into Plesk.

  2. Go to Domains > example.com > File Manager.

  3. Open the file web.config and add the following content right below the <system.webServer> declaration:

    CONFIG_TEXT: <httpRedirect enabled="true" destination="https://example.net/" httpResponseStatus="Permanent" />

    Note: Replace the https://example.net/ with the desired target location. In case 302 redirect is required, change Permanent status to Found.

Comments

9 comments

Sort by Date Votes
  • Avatar
    Atramhasis

    How can I make LetsEncrypt work for the forwarding domain?

    When I try to renew the certificate, I get an error, because /.well-known/acme-challenge gets also forwarded. How can this directory be excluded?

    2
    Comment actions Permalink
  • Avatar
    Ben Oua

    I've created a uservoice for this issue :
    https://plesk.uservoice.com/forums/184549-feature-suggestions/suggestions/44559471-ssl-cert-for-a-domain-with-301-302-redirect

    1
    Comment actions Permalink
  • Avatar
    Alexandr Redikultsev

    Hi, @Rodrigo Marcos!

    Thank you for the feedback.

    I have double-checked that and can confirm that no additional adjustments for Let's Encrypt are required, all Let's Encrypt directives are already included in case the latest version of the extension is in use. 

    That is the reason of "duplicate location" error.

    I have removed extra directives from the article.

    0
    Comment actions Permalink
  • Avatar
    Rodrigo Marcos

    Hi,

    Same problem here.

    Configuración de nginx inválida: nginx: [emerg] duplicate location "/.well-known/acme-challenge/" in /var/www/vhosts/system/pertegaz.es/conf/vhost_nginx.conf:1 nginx: configuration file /etc/nginx/nginx.conf test failed

    Please, if is possible, edit the article and include specific instructions to solve that error.

    Thank you,

     

    0
    Comment actions Permalink
  • Avatar
    Tristan-Matthieu Robichaud (Edited )

    The gentleman up above is right, this solution simply won't work. The NGINX instructions are wrong regarding Let's Encrypt.

    On Onyx 17.5, we get this when entering this NGINX snippet in Plesk:

    location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    }

    We obtain: Invalid nginx configuration: nginx: [emerg] duplicate location "/.well-known/acme-challenge/" in /var/www/vhosts/system/(DOMAIN NAME)/conf/vhost_nginx.conf:1 nginx: configuration file /etc/nginx/nginx.conf test failed

    For Let's Encrypt to work, the /.well-known/acme-challenge NEEDS to be excluded from the redirection, or else it just redirects to the other site, and the challenge file cannot be read and validated by Let's Encrypt. 

    Could you please provide us with a proper way to exclude that folder from the redirect, so that Let's encrypt can both issue and renew the certificate properly?

    Thanks in advance

     

    0
    Comment actions Permalink
  • Avatar
    TomBob

    Exactly Atramhasis  his scenario. On renew, lets encrypt expects the challenge to be on the domain that is forwarded to. But that domain is outside our control.
    Lets Encrypt should - despite the domain forwarding - still use the challenge on the domain that is being forwarded.

    Could not secure domains of client with Let`s Encrypt certificates. Please log in to Plesk and secure the domains listed below manually.
Securing of the following domains has failed:

 * 'clientdomain.com'
   Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/374170658.
   Details:
   Type: urn:ietf:params:acme:error:unauthorized
   Status: 403
   Detail: Invalid response from https://forwarded-to-domain.com/subfolder/.well-known/acme-challenge/2MY1cUhtJbo4QnlfhJP3j0fLkojkA15gRX2OfJVCo0Y [35.222.37.107]: "<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\">\n  <meta"

The following domains have been secured without some of their Subject Alternative Names:

<none>

Could not renew Let`s Encrypt certificates for client. Please log in to Plesk and renew the certificates listed below manually.
Renewal of the following Let`s Encrypt certificates has failed:

 * 'Lets Encrypt hyenapan.com' [already expired]
   [-] clientdomain.com
   [-] webmail.clientdomain.com
   [-] www.clientdomain.com

   Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/374178603.
   Details:
   Type: urn:ietf:params:acme:error:unauthorized
   Status: 403
   Detail: Invalid response from https://forwarded-to-domain.com/subfolder/.well-known/acme-challenge/IAOOoUgFvGv9ZNNlc2yVm0NPNXf90Jg2dgStCnhQdEc [35.222.37.107]: "<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\">\n  <meta"
    0
    Comment actions Permalink
  • Avatar
    Ivan Postnikov

    Hello @Tristan,

    The example of such exclusion may be found here.

    0
    Comment actions Permalink
  • Avatar
    Ekaterina Babenko

    Hello TomBob,

    I just checked the resolution on Plesk Onyx 17.8 #MU 70 with Let’s Encrypt version 2.8.2-529: indeed when redirect enabled, the extension is trying to assign certificate to the domain forwarded to. This is how it works for now. To avoid any confusion, I removed the workaround from the article. Currently there is no workaround for that case and I suggest you to vote for implementing such feature and share your ideas with our developers.

    0
    Comment actions Permalink
  • Avatar
    Ivan Postnikov

    Hello @Atramhasis, it is required to secure the domain where forwarding domain is redirected.

    The directory /.well-known/acme-challenge should not be excluded as its content is required for Let's Encrypt extension to issue the certificate.

    Use this article to resolve the issue.

    -3
    Comment actions Permalink

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles