Applicable to:
- Plesk for Linux
- Plesk for Windows
Question
How to secure a Plesk hostname on port 8443 with an SSL certificate (Let's Encrypt / other certificate authorities)?
Answer
-
Go to Tools & Settings > SSL/TLS Certificates (under Security).
-
Click Let's Encrypt.
-
Make sure the Domain name and Email address fields contain a valid information:
-
Domain name can be a server hostname (preferable) or any other (sub)domain name hosted on the server. It will be used as an entry point to Plesk over port 8443 (for example, https://server.example.com:8443 ) for all Plesk users (customers, resellers, etc.) who have access to Plesk.
Note: The hostname/domain name must be resolved to a public IP address of the Plesk server from the Internet. If in doubt, check your hostname/domain name availability using DNS Lookup by MxToolBox.
If a domain, e.g. example.com, is using permanent www redirection, specify www.example.com as Domain name. -
Email address will be used to receive important notifications and warnings.
-
-
Click Install. At this stage, an SSL certificate from Let’s Encrypt is generated and set to secure Plesk on port 8443. This certificate will be auto-renewed every 90 days. Here is the final look:
Now, access Plesk over https://server.example.com:8443.
-
-
In Plesk, go to Tools & Settings and click SSL/TLS Certificates.
-
On the SSL/TLS Certificates page, add your certificate:
Note: If you are experiencing issues with a certificate installation, contact your certificate seller and ask for instruction for Plesk.
-
If an SSL certificate is stored in a single
*.crt
file:Click Browse... to select a certificate file. Then click Upload Certificate.
-
If an SSL certificate is stored in the form of
*.key
and*.crt
files:Click Add under List of certificates in server pool and scroll down to the Upload the certificate files section and upload these files. If both the certificate and the private key parts of your certificate are contained in a
*.pem
file (you can check it by opening the*.pem
file in any text editor), just upload it twice, both as the private key and the certificate. Click Upload Certificate once finished. -
If an SSL certificate is stored as a text:
Click Add under List of certificates in server pool and scroll down to the Upload the certificate as text section. There, paste the certificate and the private key parts into the corresponding fields. Click Upload Certificate when you have finished.
-
-
Click [Change] next to Certificate for securing Plesk > select an uploaded certificate > click OK. Now Plesk interface is secured with an SSL certificate.
Additional Information
Starting from Onyx 17.8, Plesk secures its hostname with a free Let's Encrypt certificate automatically, if the Let's Encrypt extension is installed and the hostname is a fully qualified domain name (FQDN) and is resolved from the Internet.
Comments
37 comments
@Sait I don't think that the issue with YUM update is the consequence of securing Plesk with an SSL certificate. Can you provide more details of YUM update issue?
This worked like a charm.
After assigning a Let's Encrypt certificate to a subdomain just go to Tools & Settings > SSL/TLS Certificates
Find the option Certificate for securing Plesk and click on [Change] button right to it.
Choose the certificate assigned to subdomain and click OK.
Hi there,
This should work, but when I activate "let's encrypt" the domain become un-accessable :)
Best,
Azzam
@Sait As I can see from the output you provided, it is trying to get plesk-engine package from apt.sw.be repo which is not resolvable. Try to disable the repo with apt.sw.be and initiate installation of updates again.
this solution does not work when plesk admin login is installed on a subdomain, e.g.:
https://subdomain.example.com:8443
how to solve it?
Hi everyone.
I was having this same issue.
After reading so many posts and possible solutions, I finally got to fix my problem.
1. Created a subdomain for the plesk login "vps.xx.xx" and very important is to choose what kind of host service you want for that subdomain. Here you'll choose the "no hosting" option.
2. Under Tools and Settings -> SSL/TLS Cert. click Let's Encrypt button and enter the subdomain you have created on step 1.
3. Under Tools and Settings -> Customize Plesk URL select the middle option "The specified domain or subdomain that resolves to the server IP address but is not used for hosting" and enter the subdomain you created for this purpose on step 1.
After this 3 steps you be able to simple enter your subdomain.domain.xx and voila.
This worked for me.Just to mention I'm behind an ISP / NAS Router
Hi, Harry!
After assigning a Let's Encrypt certificate to a subdomain just go to Tools & Settings > SSL/TLS Certificates
Find the option Certificate for securing Plesk and click on [Change] button right to it.
Choose the certificate assigned to subdomain and click OK.
Hello,
I solved the problem with old expired ssl on 8443 port (https://support.plesk.com/hc/en-us/articles/213954265/comments/360001017599) following this steps: https://talk.plesk.com/threads/sw-cp-server-service-doesnt-start-after-update-from-18-0-24-to-18-0-25.355783/post-874698
Hi there,
I am currently experiencing a problem with SSL encryption Let's Encrypt for plesk hostname on the server.example.com subdomain on port 8443.I am using Plesk Obsidian on Debian 8.11 with shared IP.
Indeed, the server.example.com subdomain is currently properly secured with a Let's Encrypt SSL certificate (port 443) but on port 8443 it is an old expired Let's Encrypt SSL certificate which is used.
However on Tools & Settings > SSL/TLS Certificates I changed the "Certificate for securing Plesk" by specifying the certificate of the server.example.com subdomain. But this has no effect.
How can I via CLI-linux delete the expired certificate for the admin subdomain "server.example.com" and indicate the valid certificate of the subdomain server.example.com? What is the specific path to the admin certificate?
I executed the command:
"plesk bin certificate --assign-cert" Lets Encrypt server.example.com"-admin server.example.com -ip 192.0.2.78" but I get the message: "Unknow option 'server.example.com' :".
Thank you in advance for your help which is welcome
Hello Chris Collins
Thank you for the information.
In that case, deeper investigation is required, consider submitting a request for Plesk support to us directly or to our partner, depending on from who Plesk license was purchased.
[root@sunucu yum.repos.d]# yum update -y
Setting up Update Process
https://autoinstall.plesk.com/PSA_17.5.3/extras-rpm-CentOS-6-x86_64/repodata/repomd.xml: [Errno 14] PYCURL ERROR 77 - "Problem with the SSL CA cert (path? access rights?)"
Trying other mirror.
https://autoinstall.plesk.com/NGINX17/dist-rpm-CentOS-6-x86_64/repodata/repomd.xml: [Errno 14] PYCURL ERROR 77 - "Problem with the SSL CA cert (path? access rights?)"
Trying other mirror.
https://autoinstall.plesk.com/PHP56_17/dist-rpm-CentOS-6-x86_64/repodata/repomd.xml: [Errno 14] PYCURL ERROR 77 - "Problem with the SSL CA cert (path? access rights?)"
Trying other mirror.
https://autoinstall.plesk.com/PHP70_17/dist-rpm-CentOS-6-x86_64/repodata/repomd.xml: [Errno 14] PYCURL ERROR 77 - "Problem with the SSL CA cert (path? access rights?)"
Trying other mirror.
https://autoinstall.plesk.com/PHP71_17/dist-rpm-CentOS-6-x86_64/repodata/repomd.xml: [Errno 14] PYCURL ERROR 77 - "Problem with the SSL CA cert (path? access rights?)"
Trying other mirror.
http://apt.sw.be/redhat/el6/en/x86_64/dag/repodata/repomd.xml: [Errno 14] PYCURL ERROR 6 - "Couldn't resolve host 'apt.sw.be'"
Trying other mirror.
Hi I cant access this page
Hello
B Pfleging
I see what you mean now. Yes, I believe that should be possible from a technical perspective. Feel free to submit a feature suggestion here.
Lisa Bond
Plesk doesn't support this custom scenario. Your App may be secured manually only.
Hi @Azzam, please let me know the error.
Hello Ricardo Contente
Thank you for sharing. It may be useful for other Pleskians.
Can you tell me how I can keep it disabled? apt.sw.be repo ?
Hello @Norbert Hams
Here's how extension may be installed manually: https://docs.plesk.com/en-US/onyx/extensions-guide/plesk-extensions-basics/distributing-extensions.78770/#downloadable-file
I can also recommend a newer extension which is just called "Advisor".
If you try to use a custom URL/domain to access the panel (https://docs.plesk.com/en-US/obsidian/deployment-guide/plesk-installation-and-upgrade-on-single-server/customizing-plesk-url.76455/), how do we need to set up Plesk so that the proper SSL certificate is provided? Right now, the general server name is server.example.com (which is used for mail access and panel access via https://server.example.com:8443), while I tried to set up a different subdomain (sub.anotherdomain.com) as Plesk URL.
If you do so, the server does not deliver the right certificate when trying to access https://sub.anotherdomain.com, no matter whether I set the hosting type of sub.anotherdomain (in one of the subscriptions) to webhosting or no hosting.
Hello,
the provided steps seem to be correct. If after assigning certificate it is still does not applied, please submit request to support team and we will look closer:
https://support.plesk.com/hc/en-us/articles/213608509-How-to-submit-a-request-to-Plesk-support-
As for the command, the syntax is little bit different. To apply certificate via command line you may use steps from the following article:
https://support.plesk.com/hc/en-us/articles/115000553793-How-to-secure-Plesk-and-mail-server-with-Let-s-Encrypt-certificate-via-CLI-
@Sait
To disable repository you need to find appropriate repo file and edit it:
1. Execute the following command to find the .repo file:
grep apt.sw.be /etc/yum.repos.d/
2. Open the file (i.e. some.repo) from the output in editor:
vi /etc/yum.repos.d/some.repo
3. Find the section with apt.sw.be in "baseurl". It will look like this:
[apt.sw.be]
name=apt.sw.be
baseurl=http://apt.sw.be/redhat/el6/en/x86_64/dag/
enabled=1
gpgcheck=0
4. Change "enabled" value to 0
Can someone help pls I have port 8443 secured however I'm unable to secure open port 9001 which I need for my app to work can you please link me or provide solution how to ssl custom port 9001 please? Thank you
I followed the instructions and got the Lets Encrypt to install and it works.
How can you create a redirect now so when you type server.example.com into the browser it sends it to the https://server.example.com automatically?
Hello Tony Hager
This instruction should help: https://support.plesk.com/hc/en-us/articles/115000327829
Yep that's how I fixed it too.
I've got 6 different servers with Plesk on, and one by one the SSL protecting the panel expired, even though it used the updated version of the SSL when not accessing it via port 8443.
The only solution was to add a new subdomain for every server, and to use the new "customize plesk URL" setting
I don't know if there's a deeper issue at play with the other ones all expiring, but this is a decent work around - and nicer than adding :8443 to log in.
Hello B Pfleging
To be on the same page, please let me know whether the certificate for sub.anotherdomain.com is selected at Tools & Settings > SSL/TLS Certificates > Certificate for securing Plesk? If not, please, select it.
I am also now experiencing the same issue.
The domain e.g. mydomain.com is secured with the new certificate, but accessing mydomain.com:8443 uses an old expired certificate and shows the SSL browser warning.
How can i force it to use the new one?
Hi Ivan Postnikov my idea was that
a) the server remains accessible at https://server.example.com:8443 (this is the address all existing clients know and use and this is also the smtp host name for all incoming mails) and
b) will additionally be accessible at https://sub.anotherdomain.com (for new clients or those who update their bookmarks)
Given that the "normal" nginx (hosting all other sites and sub.anotherdomain.com) is used as well as the sw-cp-panel nginx (for direct access to port 8443, I'd assume that this should be possible except for having to choose two different certificates.
@Marco Marsala
Hello!
The feature that you have reported is yet to be implemented in Plesk, thus I can suggest you take part in our product improvement by referring to the following link: https://plesk.uservoice.com/forums/184549-feature-suggestions
The top-ranked suggestions are likely to be included in the next versions of Plesk.
Hello there;
I applied the existing SSL certificate and compared it to the following problem.
Firstly I am having a plesk update problem.
If this is causing the problem, the YUM update setup can not be done.
I have encountered this problem since I switched to https connection.
Hi Chris Collins, there could be many reasons why this happened. You may take a look here https://support.plesk.com/hc/en-us/search?utf8=%E2%9C%93&query=old+certificate or open a support ticket with us so we can troubleshoot: https://support.plesk.com/hc/en-us/articles/213608509-How-to-submit-a-request-to-Plesk-support-
Please sign in to leave a comment.