How to allow HTTPS and configure SSL certificate on domain in Plesk which has Hosting type set as Forwarding?

  • Atramhasis

    How can I make LetsEncrypt work for the forwarding domain?

    When I try to renew the certificate, I get an error, because /.well-known/acme-challenge gets also forwarded. How can this directory be excluded?

    2
  • Ivan Postnikov

    Hello @Atramhasis, it is required to secure the domain where the forwarding domain is redirected.

    The directory /.well-known/acme-challenge should not be excluded as its content is required for Let's Encrypt extension to issue the certificate.

    Use this article to resolve the issue.

    -3
  • Tristan-Matthieu Robichaud (Edited)

    The gentleman up above is right, this solution simply won't work. The NGINX instructions are wrong regarding Let's Encrypt.

    On Onyx 17.5, we get this when entering this NGINX snippet in Plesk:

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
    }

    We obtain: Invalid nginx configuration: nginx: [emerg] duplicate location "/.well-known/acme-challenge/" in /var/www/vhosts/system/(DOMAIN NAME)/conf/vhost_nginx.conf:1 nginx: configuration file /etc/nginx/nginx.conf test failed

    For Let's Encrypt to work, the /.well-known/acme-challenge NEEDS to be excluded from the redirection, or else it just redirects to the other site, and the challenge file cannot be read and validated by Let's Encrypt. 

    Could you please provide us with a proper way to exclude that folder from the redirect, so that Let's Encrypt can both issue and renew the certificate properly?

    Thanks in advance

    0
  • Ivan Postnikov

    Hello @Tristan,

    The example of such exclusion may be found here.

    0
  • Rodrigo Marcos

    Hi,

    Same problem here.

    Configuración de nginx inválida: nginx: [emerg] duplicate location "/.well-known/acme-challenge/" in /var/www/vhosts/system/pertegaz.es/conf/vhost_nginx.conf:1 nginx: configuration file /etc/nginx/nginx.conf test failed

    Please, if it is possible, edit the article and include specific instructions to solve that error.

    Thank you,

    0
  • Alexandr Redikultsev

    Hi, @Rodrigo Marcos!

    Thank you for the feedback.

    I have double-checked that and can confirm that no additional adjustments for Let's Encrypt are required; all Let's Encrypt directives are already included in case the latest version of the extension is in use.

    That is the reason for the "duplicate location" error.

    I have removed extra directives from the article.

    0
  • TomBob

    Exactly Atramhasis's scenario. On renewal, Let's Encrypt expects the challenge to be on the domain that is forwarded to. But that domain is outside our control.
    Let's Encrypt should - despite the domain forwarding - still use the challenge on the domain that is being forwarded.

    Could not secure domains of client with Let`s Encrypt certificates. Please log in to Plesk and secure the domains listed below manually.
    Securing of the following domains has failed:
    
     * 'clientdomain.com'
       Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/374170658.
       Details:
       Type: urn:ietf:params:acme:error:unauthorized
       Status: 403
       Detail: Invalid response from https://forwarded-to-domain.com/subfolder/.well-known/acme-challenge/2MY1cUhtJbo4QnlfhJP3j0fLkojkA15gRX2OfJVCo0Y [35.222.37.107]: "<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\">\n  <meta"
    
    The following domains have been secured without some of their Subject Alternative Names:
    
    <none>
    
    Could not renew Let`s Encrypt certificates for client. Please log in to Plesk and renew the certificates listed below manually.
    Renewal of the following Let`s Encrypt certificates has failed:
    
     * 'Lets Encrypt hyenapan.com' [already expired]
       [-] clientdomain.com
       [-] webmail.clientdomain.com
       [-] www.clientdomain.com
    
       Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/374178603.
       Details:
       Type: urn:ietf:params:acme:error:unauthorized
       Status: 403
       Detail: Invalid response from https://forwarded-to-domain.com/subfolder/.well-known/acme-challenge/IAOOoUgFvGv9ZNNlc2yVm0NPNXf90Jg2dgStCnhQdEc [35.222.37.107]: "<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\">\n  <meta"
    0
  • Ekaterina Babenko

    Hello TomBob,

    I just checked the resolution on Plesk Onyx 17.8 #MU 70 with Let’s Encrypt version 2.8.2-529: indeed, when redirect is enabled, the extension tries to assign the certificate to the domain forwarded to. This is how it works for now. To avoid any confusion, I removed the workaround from the article. Currently there is no workaround for that case, and I suggest you vote for implementing such a feature and share your ideas with our developers.

    0
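
The failure discussed in this thread can be recognised from the renewal notice itself: the "Detail:" URL shows the challenge being fetched from the forwarding target rather than from the domain being secured. The following is an added example, not Plesk or Let's Encrypt code and not written by anyone in the thread; the function names are hypothetical and the sample notice is constructed on the format quoted above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the notice format quoted in the thread.
SAMPLE_NOTICE = """\
Securing of the following domains has failed:

 * 'clientdomain.example'
   Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/0000000000.
   Details:
   Type: urn:ietf:params:acme:error:unauthorized
   Status: 403
   Detail: Invalid response from https://forwarded-to.example/subfolder/.well-known/acme-challenge/CONSTRUCTED_TOKEN [203.0.113.10]: "<!DOCTYPE html>"

 * 'plain.example'
   Type: urn:ietf:params:acme:error:unauthorized
   Detail: Invalid response from http://plain.example/.well-known/acme-challenge/CONSTRUCTED_TOKEN [203.0.113.20]: "404"
"""

ENTRY = re.compile(r"^\s*\*\s+'([^']+)'\s*$")
DETAIL = re.compile(r"^\s*Detail: Invalid response from (https?://\S+)")
CHALLENGE_DIR = "/.well-known/acme-challenge/"


def same_site(host, domain):
    """True if host is the secured domain or one of its subdomains."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def find_redirected_challenges(notice):
    """Return one finding per challenge that was fetched from a foreign host."""
    findings, current = [], None
    for line in notice.splitlines():
        if m := ENTRY.match(line):
            current = m.group(1)          # domain the certificate was requested for
        elif current and (m := DETAIL.match(line)):
            url = urlsplit(m.group(1))
            if not same_site(url.hostname or "", current):
                # Text before the challenge directory is a path prefix added
                # by the forwarding target (e.g. "/subfolder").
                prefix = url.path.split(CHALLENGE_DIR)[0]
                findings.append({"domain": current, "fetched_from": url.hostname,
                                 "path_prefix": prefix})
    return findings

if __name__ == "__main__":
    for finding in find_redirected_challenges(SAMPLE_NOTICE):
        print(finding)
```

A finding means the validation request left the secured domain, which matches the behaviour confirmed in the last reply; an entry with no finding (such as `plain.example` in the sample) failed for a different reason.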