Applicable to:
- Plesk for Linux
- Plesk Onyx for Windows
- Plesk 12.5 for Windows
Question
When Plesk or another site is opened via HTTPS, a warning is displayed regarding an expired certificate.
How to renew this certificate?
Answer
Note: In case it is required to renew Let's Encrypt certificate for a domain, refer to the following article:
How to renew Let's Encrypt certificate
For the information on how to renew Let's Encrypt certificate for Plesk Interface, see the article below:
How to secure Plesk IP address with Let's Encrypt certificate?
There are no special certificates provided by Plesk. The default SSL certificate is used in Plesk is a self-signed one, which is generated once during the Plesk installation. The presence of this SSL certificate is required for SSL connections.
To create a new self-signed SSL certificate, log into Plesk as an administrator, go to the Certificates page, and create the new certificate: Tools & Settings > SSL Certificates > Add
Fill in the required preferences and click Self-Signed.
A new self-signed SSL certificate will be created in the server certificate repository:
# ls -la /usr/local/psa/admin/conf/httpsd.pem
-r-------- 1 root root 3089 Sep 23 12:50 /usr/local/psa/admin/conf/httpsd.pem
The old one will be renamed as httpsd.pem.sav
# ls -la /usr/local/psa/admin/conf/httpsd.pem.sav
-r-------- 1 root root 3046 Sep 5 01:23 /usr/local/psa/admin/conf/httpsd.pem.sav
To assign this SSL certificate for securing the Plesk installation, check the newly-enabled SSL certificate in the list and click Install.
HTTP mode can also be used to access the Plesk interface: navigate to http://hostname:8880 and follow the same instructions as above.
Renewal is also possible through SSH:
To assign SSL certificate for default Plesk IP address use the following command:
# /usr/local/psa/bin/certificate -ac "Certificate" -admin example.com -ip <YOUR PLESK IP>
Note: example.com should be changed to your valid domain name.
For additional information refer to http://docs.plesk.com/en-US/12.5/cli-linux/using-command-line-utilities/certificate-ssl-certificates.39009/
OR
-
Connect to the Plesk server under
root -
Go to the certificate directory and rename it:
# cd /usr/local/psa/admin/conf/# mv httpsd.pem{,.old}
-
Create a new certificate with the same name:
# openssl req -new -nodes -x509 -out httpsd.pem -newkey rsa:2048 -keyout httpsd.pem -days 3650
Fill out all the required fields.
In this case, a PEM type certificate will be created, valid for 10 years with a private part without a password and 2048 bit key length.
-
Restart sw-cp-server service:
# service sw-cp-server restart
See the Plesk documentation for more information on how to set up self-signed certificates.
After you have created or uploaded a new certificate into Plesk and wish to use it for domains, you should set it for every IP you need.
This can be done at Server > IP Addresses > "Choose IP" by selecting the required certificate in the "SSL Certificate" drop-down menu.
NOTE: The browser will still warn you that the certificate is not from a trusted source since you created a self-signed certificate. In order to get rid of this warning, it is necessary to buy a certificate from an authorized certificate seller.
Comments
4 comments
How can the default certificate being replaced by a Lets Encrypt certificate. I want to get rid from the default self-signed certificate but I can't. I've secured my Plesk panel with a subdomain with Let's Encrypt certificate. Can you please add an option to redirect from the https://<server ip> to a (sub)domain on the server which is al ready secured with a Lets Encrypt certificate? Then I can remove the default certificate from the server because it's not in used anymore and also the ssllabs test is much better without the self signed certificate which is included in the test as second (invalid) certificate.
Hi Pascal, check the section Tools & Settings > IP Addresses - select IP Address and make sure that the default cert is not selected there. You can choose the required one. Also check this https://support.plesk.com/hc/en-us/articles/115001452553-How-to-secure-Plesk-IP-address-with-Let-s-Encrypt-certificate-
The default certificate generated during installation has "Parallels Panel" as domain name. When adding a new self-signed certificate, Plesk will require a well-formed domain name, but entering that, will show a prominent warning in mail client of users that setup mailbox using mail.domain.tld as IMAP server.
Such warning is a red "Wrong site" warning, that is more prominent compared to the yellow warning shown when using the default certificate.
There would be a solution if only Plesk could generate multi-domain certificates (self-signed or Let's Encrypt).
@Marco
Hello!
Thank you for the notice.
The implementation of such functionality is currently under discussion be Development Team.
You may vote for this feature suggestion to show your interest in such functionality.
Please sign in to leave a comment.