Applicable to:
- Plesk for Linux
- Plesk for Windows
Question
How to secure a Plesk hostname on port 8443 with an SSL certificate (Let's Encrypt / other certificate authorities)?
Answer
-
Go to Tools & Settings > SSL/TLS Certificates (under Security).
-
Click Let's Encrypt.
-
Make sure the Domain name and Email address fields contain a valid information:
-
Domain name can be a server hostname (preferable) or any other (sub)domain name hosted on the server. It will be used as an entry point to Plesk over port 8443 (for example, https://server.example.com:8443 ) for all Plesk users (customers, resellers, etc.) who have access to Plesk.
Note: The hostname/domain name must be resolved to a public IP address of the Plesk server from the Internet. If in doubt, check your hostname/domain name availability using DNS Lookup by MxToolBox.
If a domain, e.g. example.com, is using permanent www redirection, specify www.example.com as Domain name. -
Email address will be used to receive important notifications and warnings.
-
-
Click Install. At this stage, an SSL certificate from Let’s Encrypt is generated and set to secure Plesk on port 8443. This certificate will be auto-renewed every 90 days. Here is the final look:
Now, access Plesk over https://server.example.com:8443.
-
-
In Plesk, go to Tools & Settings and click SSL/TLS Certificates.
-
On the SSL/TLS Certificates page, add your certificate:
Note: If you are experiencing issues with a certificate installation, contact your certificate seller and ask for instruction for Plesk.
-
If an SSL certificate is stored in a single
*.crtfile:Click Browse... to select a certificate file. Then click Upload Certificate.
-
If an SSL certificate is stored in the form of
*.keyand*.crtfiles:Click Add under List of certificates in server pool and scroll down to the Upload the certificate files section and upload these files. If both the certificate and the private key parts of your certificate are contained in a
*.pemfile (you can check it by opening the*.pemfile in any text editor), just upload it twice, both as the private key and the certificate. Click Upload Certificate once finished.
-
If an SSL certificate is stored as a text:
Click Add under List of certificates in server pool and scroll down to the Upload the certificate as text section. There, paste the certificate and the private key parts into the corresponding fields. Click Upload Certificate when you have finished.
-
-
Click [Change] next to Certificate for securing Plesk > select an uploaded certificate > click OK. Now Plesk interface is secured with an SSL certificate.
Additional Information
Starting from Onyx 17.8, Plesk secures its hostname with a free Let's Encrypt certificate automatically, if the Let's Encrypt extension is installed and the hostname is a fully qualified domain name (FQDN) and is resolved from the Internet.
Comments
37 comments
Hi there,
This should work, but when I activate "let's encrypt" the domain become un-accessable :)
Best,
Azzam
Hi @Azzam, please let me know the error.
this solution does not work when plesk admin login is installed on a subdomain, e.g.:
https://subdomain.example.com:8443how to solve it?
Hi, Harry!
After assigning a Let's Encrypt certificate to a subdomain just go to Tools & Settings > SSL/TLS Certificates
Find the option Certificate for securing Plesk and click on [Change] button right to it.
Choose the certificate assigned to subdomain and click OK.
Hi Artyom,
i can confirm it works.
looks like it is now also updated in this article.
thx!
It should automatically remove the "Default Certificate" and/or set the Let's Encrypt certificate as default.
The Let's Encrypt certificate should be automatically applied to mail too (and in such casem if hostname is changed, the certificate should be automtically reissued or at least a warning should be generated)
@Marco Marsala
Hello!
The feature that you have reported is yet to be implemented in Plesk, thus I can suggest you take part in our product improvement by referring to the following link: https://plesk.uservoice.com/forums/184549-feature-suggestions
The top-ranked suggestions are likely to be included in the next versions of Plesk.
Hello there;
I applied the existing SSL certificate and compared it to the following problem.
Firstly I am having a plesk update problem.
If this is causing the problem, the YUM update setup can not be done.
I have encountered this problem since I switched to https connection.
@Sait I don't think that the issue with YUM update is the consequence of securing Plesk with an SSL certificate. Can you provide more details of YUM update issue?
[root@sunucu yum.repos.d]# yum update -y
Setting up Update Process
https://autoinstall.plesk.com/PSA_17.5.3/extras-rpm-CentOS-6-x86_64/repodata/repomd.xml: [Errno 14] PYCURL ERROR 77 - "Problem with the SSL CA cert (path? access rights?)"
Trying other mirror.
https://autoinstall.plesk.com/NGINX17/dist-rpm-CentOS-6-x86_64/repodata/repomd.xml: [Errno 14] PYCURL ERROR 77 - "Problem with the SSL CA cert (path? access rights?)"
Trying other mirror.
https://autoinstall.plesk.com/PHP56_17/dist-rpm-CentOS-6-x86_64/repodata/repomd.xml: [Errno 14] PYCURL ERROR 77 - "Problem with the SSL CA cert (path? access rights?)"
Trying other mirror.
https://autoinstall.plesk.com/PHP70_17/dist-rpm-CentOS-6-x86_64/repodata/repomd.xml: [Errno 14] PYCURL ERROR 77 - "Problem with the SSL CA cert (path? access rights?)"
Trying other mirror.
https://autoinstall.plesk.com/PHP71_17/dist-rpm-CentOS-6-x86_64/repodata/repomd.xml: [Errno 14] PYCURL ERROR 77 - "Problem with the SSL CA cert (path? access rights?)"
Trying other mirror.
http://apt.sw.be/redhat/el6/en/x86_64/dag/repodata/repomd.xml: [Errno 14] PYCURL ERROR 6 - "Couldn't resolve host 'apt.sw.be'"
Trying other mirror.
@Sait As I can see from the output you provided, it is trying to get plesk-engine package from apt.sw.be repo which is not resolvable. Try to disable the repo with apt.sw.be and initiate installation of updates again.
Can you tell me how I can keep it disabled? apt.sw.be repo ?
@Sait
To disable repository you need to find appropriate repo file and edit it:
1. Execute the following command to find the .repo file:
grep apt.sw.be /etc/yum.repos.d/
2. Open the file (i.e. some.repo) from the output in editor:
vi /etc/yum.repos.d/some.repo
3. Find the section with apt.sw.be in "baseurl". It will look like this:
[apt.sw.be]
name=apt.sw.be
baseurl=http://apt.sw.be/redhat/el6/en/x86_64/dag/
enabled=1
gpgcheck=0
4. Change "enabled" value to 0
Hi I cant access this page
Hello @Pascu,
Thank you for noticing.
This article is currently under review. For now, this link will be hidden.
Trying to follow procedure described above.
I have a VPS with GoDaddy and the server hostname is in format: s12-345-678-90.secureserver.net
When I click on the " + Let's Encrypt " button (step 4), it fills that hostname in for me as the "Domain Name", and asks for an email address as well (step 5). So I accept this default (but put in a proper email address) and click INSTALL (step 6).
This is the error message:
Could not issue a Let's Encrypt SSL/TLS certificate for s12-345-678-90.secureserver.net. Authorization for the domain failed.
Detail: dns :: DNS problem: NXDOMAIN looking up A for s12-345-678-90.secureserver.net
(I've substituted for the actual IP above of course, but that is the format)
@Scott Saccenti
You need to make sure that s12-345-678-90.secureserver.net properly resolves to 12.345.678.90 (to your IP address). For example, use https://mxtoolbox.com/ to make sure that the hostname is resolving.
If it is not, I recommend checking the GoDaddy documentation in order to find out how to make the hostname resolving.
This worked like a charm.
After assigning a Let's Encrypt certificate to a subdomain just go to Tools & Settings > SSL/TLS Certificates
Find the option Certificate for securing Plesk and click on [Change] button right to it.
Choose the certificate assigned to subdomain and click OK.
Hi there,
I am currently experiencing a problem with SSL encryption Let's Encrypt for plesk hostname on the server.example.com subdomain on port 8443.I am using Plesk Obsidian on Debian 8.11 with shared IP.
Indeed, the server.example.com subdomain is currently properly secured with a Let's Encrypt SSL certificate (port 443) but on port 8443 it is an old expired Let's Encrypt SSL certificate which is used.
However on Tools & Settings > SSL/TLS Certificates I changed the "Certificate for securing Plesk" by specifying the certificate of the server.example.com subdomain. But this has no effect.
How can I via CLI-linux delete the expired certificate for the admin subdomain "server.example.com" and indicate the valid certificate of the subdomain server.example.com? What is the specific path to the admin certificate?
I executed the command:
"plesk bin certificate --assign-cert" Lets Encrypt server.example.com"-admin server.example.com -ip 192.0.2.78" but I get the message: "Unknow option 'server.example.com' :".
Thank you in advance for your help which is welcome
Hello,
the provided steps seem to be correct. If after assigning certificate it is still does not applied, please submit request to support team and we will look closer:
https://support.plesk.com/hc/en-us/articles/213608509-How-to-submit-a-request-to-Plesk-support-
As for the command, the syntax is little bit different. To apply certificate via command line you may use steps from the following article:
https://support.plesk.com/hc/en-us/articles/115000553793-How-to-secure-Plesk-and-mail-server-with-Let-s-Encrypt-certificate-via-CLI-
I am also now experiencing the same issue.
The domain e.g. mydomain.com is secured with the new certificate, but accessing mydomain.com:8443 uses an old expired certificate and shows the SSL browser warning.
How can i force it to use the new one?
Hi Chris Collins, there could be many reasons why this happened. You may take a look here https://support.plesk.com/hc/en-us/search?utf8=%E2%9C%93&query=old+certificate or open a support ticket with us so we can troubleshoot: https://support.plesk.com/hc/en-us/articles/213608509-How-to-submit-a-request-to-Plesk-support-
Thanks, I've had a good read through those articles, but the symptoms are not the same.
I have checked the status of nginx, and its running fine with no dead processes. Restarted it anyway just to check, and still a problem.
If i go to the normal URL, the website works fine and uses the new cert. But as soon as i access it with 8443, it is using the old cert.
I've tried to reassign a different url to secure plesk, I've also renewed the certificate again using the methods in the article, but still nothing.
Hello Chris Collins
Thank you for the information.
In that case, deeper investigation is required, consider submitting a request for Plesk support to us directly or to our partner, depending on from who Plesk license was purchased.
Hello,
I solved the problem with old expired ssl on 8443 port (https://support.plesk.com/hc/en-us/articles/213954265/comments/360001017599) following this steps: https://talk.plesk.com/threads/sw-cp-server-service-doesnt-start-after-update-from-18-0-24-to-18-0-25.355783/post-874698
Hi everyone.
I was having this same issue.
After reading so many posts and possible solutions, I finally got to fix my problem.
1. Created a subdomain for the plesk login "vps.xx.xx" and very important is to choose what kind of host service you want for that subdomain. Here you'll choose the "no hosting" option.
2. Under Tools and Settings -> SSL/TLS Cert. click Let's Encrypt button and enter the subdomain you have created on step 1.
3. Under Tools and Settings -> Customize Plesk URL select the middle option "The specified domain or subdomain that resolves to the server IP address but is not used for hosting" and enter the subdomain you created for this purpose on step 1.
After this 3 steps you be able to simple enter your subdomain.domain.xx and voila.
This worked for me.Just to mention I'm behind an ISP / NAS Router
Hello Ricardo Contente
Thank you for sharing. It may be useful for other Pleskians.
Yep that's how I fixed it too.
I've got 6 different servers with Plesk on, and one by one the SSL protecting the panel expired, even though it used the updated version of the SSL when not accessing it via port 8443.
The only solution was to add a new subdomain for every server, and to use the new "customize plesk URL" setting
I don't know if there's a deeper issue at play with the other ones all expiring, but this is a decent work around - and nicer than adding :8443 to log in.
I tried to install a Plesk extension called "Plesk Security Advisor" suggested in one of Vultr's many articles but it seems Plesk doesn't have this extension included in their extension library. It is only available for "Download" on the Plesk website.
Hence, how do I now install the downloaded Plesk Security Advisor on Plesk online?
Thank you.
Hello @Norbert Hams
Here's how extension may be installed manually: https://docs.plesk.com/en-US/onyx/extensions-guide/plesk-extensions-basics/distributing-extensions.78770/#downloadable-file
I can also recommend a newer extension which is just called "Advisor".
Please sign in to leave a comment.