How to install Let's Encrypt certificate for domain alias in Plesk

  • Remy Vaartjes

    I am having issues with this. If the domain alias has an IPv6 address in the DNS, it does not work. Is there a way I can assign the IPv6 address to the domain alias? Via IPv6 the challenge is not found by the Let's Encrypt server.

    In the hosting settings for the domain alias it says (IP is changed by me):

    Web service Web hosting is configured for this domain on IP address 000.000.000.00

    The IPv6 address is not mentioned.

    If I go to Tools & Settings and view the IP addresses, it is also not added to the list of domains under the IPv6 address.

    Have this issue with: Plesk Onyx Version 17.5.3 Update #45

    Still have this issue with: Plesk Onyx Version 17.8.11 Update #5

    Can you please help adding the IPv6 to domain aliases?

    Regards,
    Remy Vaartjes

     

  • Alexandr Tumanov

    @Remy, can this IP address really be accessed and pinged?

  • Remy Vaartjes

    Do you mean IPv6 or IPv4?

    Is it not possible to assign an IPv6 address to a domain alias?

    Should it be visible in the list in Tools & Settings -> IP addresses?

    You can PM me for details.

  • Alexandr Tumanov

    @Remy, I mean that the IPv6 address that is assigned to a domain alias should be accessible from an external network. Check your domain alias for IPv6 availability: https://mxtoolbox.com/DNSLookup.aspx

     

  • Remy Vaartjes

    It is accessible, but not assigned to the alias.

    Can you tell me where I can see if the actual IPv6 address is assigned to the domain alias?

  • Alexandr Tumanov

    Remy, the IPv6 address should be assigned at Domains > yourmaindomain.com > Web Hosting Access.

    Then, recreate the alias for your domain and check the DNS Settings section under the domain alias; it should contain the IPv6 address.

  • Remy Vaartjes

    Thank you, it is working now.

    Still, I think the aliases should also be listed in the section: IP addresses

    Home > IP addresses:

    'Websites that use shared IP address aaaa:aaa:aaaa:aaa::1.'

    The alias domains are not listed and counted; this is confusing.

  • Patrick Meppe

    Hi there, I added an alias (mail.<domain>) for the default subdomain webmail.<domain> based on the following article https://support.plesk.com/hc/en-us/articles/213947325-How-to-set-up-an-access-to-webmail-over-mail-example-com.

    However when trying to (re-)secure the domain & the alias with it, the third row doesn't appear in my case. Would you happen to know why? I'm using the version: 2.5.3-354.

  • Ivan Postnikov

    Hello @Patrick, this is expected behavior.

    mail.example.com is redirected to webmail.example.com, it is enough to secure webmail.example.com.

    The set of "what else can be secured" is hardcoded.

     

  • Ivan Postnikov

    Hello @Remy, glad that it is working now.

    Please, leave your suggestion at Plesk User Voice. Popular suggestions will be implemented in future Plesk updates.

  • Multimedia Pool

    Hi PLESK support, I have a problem securing www.alias-domain.eu in the new wildcard environment. Wildcard usually works fine. I don't know if I have to configure DNS synchronisation with the main domain, or better set it to no synchronisation, so that alias.eu will be "securely" redirected with and without www. to the main domain. Actually only the alias without www. (alias.eu) is redirected securely to www.main-domain.com. When I click www.alias.eu, Firefox gives me an HSTS warning.

    Greets

  • Ivan Postnikov

    Hello @Markus, the behavior was reproduced and reported to developers.

    Thank you for bringing this to our attention.

  • Alexander Tsmokalyuk

    @Markus This behavior was recognized as Let's Encrypt extension bug EXTLETSENC-568 which will be fixed in future updates. Thank you for reporting this.

  • Iain

    I cannot get this to work.

    I have a domain I look after and a long list of protectively registered domains associated with it. All are set up as domain aliases of the principal domain. All works fine other than over https to any of the aliases.

    In the Let's Encrypt panel I include both the 'www' option on the principal domain and all the domain aliases as below:

    But when I try and access any of the alias names over https I get a cert CN mismatch error with the cert showing the principal domain and www qualified name as the only names included in the cert:

    And if I go to the principal domain site ... which all works ... and examine the cert, the CN is in the unqualified name of the domain and the SAN list includes just the unqualified and www qualified names of the principal domain only. None of the domain alias names, with or without the www qualifying name, are included in the cert, hence the https connection failures:

    And while there's a Let's Encrypt icon in the hosting panel under each of the alias names, trying to encrypt any one domain alias individually simply takes you back to the principal name and its cert ... which is where I start this story above.

    So it seems you don't/can't secure each alias individually, you apply a single cert to the root domain and include all the domain alias names in that one cert. However, despite doing this, the resulting issued cert only includes the principal domain in unqualified and www qualified form, with not a single alias name in sight :-(

    How can I enable https connection through the alias names?

  • Iain

    As a further tale of woe on this issue, if I change the site to 'Forwarding hosting', then even the principal domain cert is lost and instead the default server certificate is used :-(

    So do I also need to enable web hosting and then set my own redirect via either an Apache directive or .htaccess URL rewrite so that all requests go to the docroot and use a piece of php to issue a 301 redirect?

  • Alexandr Redikultsev

    Hi @Iain,

    From the issue description regarding aliases and www., it seemed like you faced the bug EXTLETSENC-568 that is documented on the following link:

    https://support.plesk.com/hc/en-us/articles/360008040893-www-alias-subdomains-are-not-included-into-the-issued-wildcard-Let-s-Encrypt-Certificate 

    As for the question regarding forwarding, HTTPS forwarding is indeed not yet implemented, see the following link:

    https://support.plesk.com/hc/en-us/articles/115002150313-Forwarding-to-another-website-does-not-work-for-HTTPS-connection-in-Plesk 

    So the manual approach you are describing might be the preferred solution.

  • Iain

    Hi Alexandr, thanks for the confirmation over HTTPS forwarding. I have my own php code in play, and excepting the cert issue, that's working nicely. Thanks for your advice and confirming this.

    Re the cert issue, thanks for at least confirming the problem. Looking at the article, it suggests starting by registering a wildcard from the principal domain, however, how? There are options for:

    1. Include a "www" subdomain for the domain and each selected alias
    2. Secure webmail on this domain

    But I see nothing for selecting a wildcard. A different article on 'Getting Free Wildcard SSL/TLS Certificates from Let's Encrypt' talks about setting the panel.ini with:

    [ext-letsencrypt]
    acme-directory-url = "https://acme-v02.api.letsencrypt.org/directory"
    acme-protocol-version = "acme-v02"

    Do I need to do this to obtain the wildcard cert and is the wildcard cert necessary? I currently have a cert in the names of <domain.tld> and <www.domain.tld>, so if I rename this can I then create certs for each domain alias?

    Is this the way I need to go and MUST I use/issue a wildcard cert, or could I rename the issued cert in the name domain.tld and www.domain.tld?

    My other confusion is this is talking about wildcards and subdomains. My domain aliases aren't subdomains, I have:

    name.tld
    www.name.tld
    alternate_name.tld
    www.alternate_name.tld
    another_variant_name.tld
    www.another_variant_name.tld
    etc.

    Will this work for me? I can see it would work if I made each alternative a different subscription or domain in Plesk. Then each could have its own Plesk cert and all would work, but then I'd pay for a lot of domains, all of which are domain aliases for one domain?

  • Pavel Mikhaylov

    Hi, Iain,

    The wildcard certificate will not be a suitable solution in the described case.

    I have noticed that the aliases on your screenshots are not selected for adding to the certificate.

    I want to point out that to add aliases to the certificate, you need to move them to the right column by pressing the button 'Select n objects', as shown on the screenshot here:

    If you did that and the issue with aliases not being listed in the certificate persists, I strongly suggest creating a support ticket for proper investigation of the issue: https://plesk.zendesk.com/

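The comments above turn on which names end up in the certificate's SAN list, and on why a wildcard for the principal domain does not help with aliases that are separate domains. The sketch below is an added example, not part of the original thread or Plesk's code: it compares a SAN list against the full set of principal, alias and www names. The domain names and SAN lists are constructed, and the wildcard rule applied (whole left-most label, exactly one label) is the usual hostname-matching behaviour.

```python
# Added example, not Plesk code. All domain names and SAN lists are constructed.

def san_matches(pattern, host):
    """Match one dNSName SAN entry against a hostname.

    A wildcard counts only as the whole left-most label and stands for
    exactly one label: *.main-domain.example covers www.main-domain.example
    but not main-domain.example and not a.b.main-domain.example.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse wildcards directly under a TLD (e.g. *.example).
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def expected_names(principal, aliases, include_www=True):
    """Every name the site answers on: principal, aliases, and www forms."""
    names = []
    for domain in [principal, *aliases]:
        names.append(domain)
        if include_www:
            names.append("www." + domain)
    return names


def uncovered_names(san_list, site_names):
    """Return the site names that no SAN entry covers, in input order."""
    return [n for n in site_names
            if not any(san_matches(s, n) for s in san_list)]


SITE = expected_names("main-domain.example",
                      ["alias-one.example", "alias-two.example"])
# Certificate with only the principal domain and its www name.
CERT_PRINCIPAL_ONLY = ["main-domain.example", "www.main-domain.example"]
# Wildcard for the principal domain: still no alias is covered.
CERT_WILDCARD = ["main-domain.example", "*.main-domain.example"]
# Certificate issued with every alias and www name included.
CERT_WITH_ALIASES = list(SITE)

if __name__ == "__main__":
    for label, sans in [("principal only", CERT_PRINCIPAL_ONLY),
                        ("wildcard", CERT_WILDCARD),
                        ("with aliases", CERT_WITH_ALIASES)]:
        print(label, "->", uncovered_names(sans, SITE) or "all names covered")
```

To use it on a real site, paste the SAN entries shown in the browser's certificate viewer into a list and pass the site's own principal and alias names to `expected_names`.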
  • Iain

    Oh doh! Just realised I was misreading the UI and was thinking I needed to select the domains to be included in the SAN. Instead I was deselecting them. Doh!

    So, when I do it properly it all works perfectly. Thanks for your help and sorry for being a bit slow on the uptake! All works perfectly when I don't deselect the alias names.

  • Alexandr Redikultsev

    Hi @Iain!

    I am so glad to hear that the issue is sorted out!
