- Plesk for Linux
- Plesk for Windows
How to install SSL certificate for domain alias in Plesk?
A separate certificate only for the domain alias cannot be created or uploaded. Instead, create a new Let's Encrypt certificate for the main domain and specify the alias to secure:
I. Log in to Plesk and install SSLIt! from the Extensions catalog if it is not yet installed.
II. Create a new certificate:
- Go to Extensions > My Extensions tab > SSLIt! and click the Install button in Recommended extensions next to the Let's Encrypt icon.
- Go to Websites & Domains > SSL/TLS Certificates and click the Get Certificates button. Scroll down to "More options" and click the Install button next to "Install a free basic certificate provided by Let's Encrypt".
- Specify the email address of the domain owner.
- Specify if you want to include an alternative domain name for the domain and each selected alias, for example: www.example.com for example.com. It is recommended to select this checkbox.
- Specify if you want to include webmail, for example: webmail.example.com. It is recommended to select this checkbox.
- Select the domain alias to secure and click Install.
III. Secure the main domain with its aliases:
- Go to Websites & Domains and click Hosting Settings.
- Select the SSL/TLS support checkbox.
- Select the newly issued Let's Encrypt certificate from the Certificate menu, and click OK.
To secure a domain alias with a paid certificate, contact a certificate provider to add the alias name to the certificate as a subject alternative name (SAN). Then, secure the main domain with this certificate as described here.
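To confirm that the certificate served for the main domain actually lists every alias as a subject alternative name, the check below compares a certificate's SAN entries against the names you expect to be secured. It is an added example, not Plesk or Let's Encrypt code; the function names, `example.net` as the alias, and the sample certificate are constructed for illustration.

```python
import socket
import ssl


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the certificate served for `host` in ssl.getpeercert() dict form."""
    ctx = ssl.create_default_context()  # the chain is still verified
    ctx.check_hostname = False  # a cert that lacks the alias must stay inspectable
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def san_dns_names(cert):
    """Lower-cased DNS entries from a getpeercert() dict."""
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """RFC 6125-style match: '*' only as the whole left-most label, one label deep."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def uncovered_names(cert, expected):
    """Expected hostnames that no SAN entry in the certificate covers."""
    sans = san_dns_names(cert)
    return [name for name in expected if not any(name_matches(s, name) for s in sans)]


# Constructed sample: a cert issued for the main domain only (plus a wildcard).
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com"),
                       ("DNS", "*.example.com")),
}
# Names that should be secured: main domain, www, webmail, alias, www.alias.
EXPECTED = ["example.com", "www.example.com", "webmail.example.com",
            "example.net", "www.example.net"]

if __name__ == "__main__":
    # A wildcard for the main domain does not cover the alias, which is another domain.
    print(uncovered_names(SAMPLE_CERT, EXPECTED))
```

Against a live site, pass `fetch_cert("example.net")` in place of `SAMPLE_CERT`; any name returned still needs to be selected when the certificate is issued.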
I am having issues with this. If the domain alias has an IPv6 address in the DNS, it does not work. Is there a way I can assign the IPv6 address to the domain alias? Via IPv6 the challenge is not found by the Let's Encrypt server.
In the hosting settings for the domain alias it says (ip is changed by me):
The IPv6 address is not mentioned.
If I go to Tools & Settings and view the IP addresses, it is also not added to the list of domains under the IPv6 address.
Have this issue with: Plesk Onyx Version 17.5.3 Update #45
Still have this issue with: Plesk Onyx Version 17.8.11 Update #5
Can you please help with adding the IPv6 to domain aliases?
@Remy, can this IP address really be accessed and pinged?
Do you mean IPv6 or IPv4?
It is not possible to assign an IPv6 to a domain alias?
It should be visible in the list in Tools & Settings -> IP addresses?
You can PM me for details.
@Remy, I mean that the IPv6 address that is assigned to a domain alias should be accessible from an external network. Check your domain alias for IPv6 availability: https://mxtoolbox.com/DNSLookup.aspx
It is accessible, but not assigned to the alias.
Can you tell me where I can see if the actual IPv6 address is assigned to the domain alias?
Remy, the IPv6 address should be assigned at Domains > yourmaindomain.com > Web Hosting Access.
Then, recreate the alias for your domain and check the DNS Settings section under the domain alias; it should contain the IPv6 address.
Thank you, it is working now.
Still, I think the aliases should also be listed in the section: IP addresses
'Websites that use shared IP address aaaa:aaa:aaaa:aaa::1.'
The alias domains are not listed and counted, this is confusing.
Hi there, I added an alias (mail.<domain>) for the default subdomain webmail.<domain> based on the following article https://support.plesk.com/hc/en-us/articles/213947325-How-to-set-up-an-access-to-webmail-over-mail-example-com.
However, when trying to (re-)secure the domain & the alias with it, the third row doesn't appear in my case. Would you happen to know why? I'm using the version: 2.5.3-354.
Hello @Patrick, this is expected behavior.
mail.example.com is redirected to webmail.example.com, so it is enough to secure webmail.example.com.
The set of "what else can be secured" is hardcoded.
Hello @Remy, glad that it is working now.
Please, leave your suggestion at Plesk User Voice. Popular suggestions will be implemented in future Plesk updates.
Hi PLESK support, I have a problem securing www.alias-domain.eu in the new wildcard environment. Wildcard usually works fine. I don't know if I have to configure DNS synchronisation with the main domain, or better set it to no synchronisation, so that alias.eu will be "securely" redirected with and without www. to the main domain. Currently only the alias without www. (alias.eu) is redirected securely to www.main-domain.com. When I click www.alias.eu, Firefox gives me an HSTS warning.
Hello @Markus, the behavior was reproduced and reported to developers.
Thank you for bringing this to our attention.
@Markus This behavior was recognized as Let's Encrypt extension bug EXTLETSENC-568 which will be fixed in future updates. Thank you for reporting this.
I cannot get this to work.
I have a domain I look after and a long list of protectively registered domains associated with it. All are set up as domain aliases of the principal domain. All works fine other than over https to any of the aliases.
In the Let's Encrypt panel I include both the 'www' option on the principal domain and all the domain aliases as below:
But when I try and access any of the alias names over https I get a cert CN mismatch error with the cert showing the principal domain and www qualified name as the only names included in the cert:
And if I go to the principal domain site ... which all works ... and examine the cert, the CN is in the unqualified name of the domain and the SAN list includes just the unqualified and www qualified names of the principal domain only. None of the domain alias names, with or without the www qualifying name, are included in the cert, hence the https connection failures:
And while there's a Let's Encrypt icon in the hosting panel under each of the alias names, trying to encrypt any one domain alias individually simply takes you back to the principal name and its cert ... which is where I start this story above.
So it seems you don't/can't secure each alias individually, you apply a single cert to the root domain and include all the domain alias names in that one cert. However, despite doing this, the resulting issued cert only includes the principal domain in unqualified and www qualified form, with not a single alias name in sight :-(
How can I enable https connection through the alias names?
As a further tale of woe on this issue, if I change the site to 'Forwarding hosting', then even the principal domain cert is lost and instead the default server certificate is used :-(
So do I also need to enable web hosting and then set my own redirect via either an Apache directive or .htaccess URL rewrite so that all requests go to the docroot and use a piece of PHP to issue a 301 redirect?
From the issue description regarding aliases and www., it seemed like you faced the bug EXTLETSENC-568 that is documented on the following link:
As for the question regarding forwarding, HTTPS forwarding is indeed not yet implemented, see the following link:
So the manual approach you are describing might be the preferred solution.
Hi Alexandr, thanks for the confirmation over HTTPS forwarding. I have my own php code in play, and excepting the cert issue, that's working nicely. Thanks for your advice and confirming this.
Re the cert issue, thanks for at least confirming the problem. Looking at the article, it suggests starting by registering a wildcard from the principal domain, however, how? There are options for:
But I see nothing for selecting a wildcard. A different article on 'Getting Free Wildcard SSL/TLS Certificates from Let's Encrypt' talks about setting the panel.ini with:
Do I need to do this to obtain the wildcard cert and is the wildcard cert necessary? I currently have a cert in the names of <domain.tld> and <www.domain.tld>, so if I rename this can I then create certs for each domain alias?
Is this the way I need to go and MUST I use/issue a wildcard cert, or could I rename the issued cert in the name domain.tld and www.domain.tld?
My other confusion is this is talking about wildcards and subdomains. My domain aliases aren't subdomains, I have:
Will this work for me? I can see it would work if I made each alternative a different subscription or domain in Plesk. Then each could have its own Plesk cert and all would work, but then I'd pay for a lot of domains, all of which are domain aliases for one domain?
The wildcard certificate will not be a suitable solution in the described case.
I have noticed that the aliases on your screenshots are not selected for adding to the certificate.
I want to point out that to add aliases to the certificate, you need to move them to the right column by pressing the button 'Select n objects', as shown on the screenshot here:
If you did that and the issue with aliases not being listed in the certificate persists, I strongly suggest creating a support ticket for proper investigation of the issue: https://plesk.zendesk.com/
Oh doh! Just realised I was misreading the UI and was thinking I needed to select the domains to be included in the SAN. Instead I was deselecting them. Doh!
So, when I do it properly it all works perfectly. Thanks for your help and sorry for being a bit slow on the uptake! All works perfectly when I don't deselect the alias names.
I am so glad to hear that the issue is sorted out!
In modules/letsencrypt/index.php/index/install?site_id=5, alias domains don't show up to select. Also, with the last update the image icons of Let's Encrypt disappeared from Websites & Domains; I go to the Let's Encrypt page through the Extensions page > Let's Encrypt.
Alternatively, since the web page doesn't show the alias domains, how do I add one alias domain via the command line?
For Let's Encrypt to show the alias domains, the alias needs to have the web service enabled.