Applicable to:
- Plesk for Linux
Symptoms
-
A wildcard certificate is issued for example.com with 'secure www' option enabled.
-
alias.com and subdomain.example.com are added to the list of issued certificates.
-
On opening https://www.alias.com, a warning about incorrect certificate is shown, for example:
PLESK_WARN: HSTS warning - incorrect cert
Cause
"www" of domain alias and subdomain are not added to SANs list and therefore are not secured by the Wildcard certificate.
This is Let's Encrypt extension bug with ID EXTLETSENC-568 which is planned to be fixed in future updates.
Resolution
Note: Due to Let's Encrypt auto renew is not working for domains or Plesk with renamed certificates bug certificates in below workaround will not be renewed automatically and they should be issued manually each time.
As a workaround, it's possible to order few certificates:
-
Go to Domains > example.com > Let's Encrypt
-
Issue a wildcard certificate _without_ including the aliases.
Note: As a result, a certificate which secures "example.com" and " * .example.com" will be obtained.
-
Go to Domains > example.com > SSL/TLS Certificates > Lets Encrypt example.com
-
Rename it to, for example: "Wildcard example.com".
-
Go to Domains > example.com > Let's Encrypt
-
Issue an non-wildcard certificate with marked "Include a "www" subdomain for the domain and each selected alias" and "Secure webmail on this domain" checkboxes and added all aliases to the right-side list.
Note: As a result, will be obtained a certificate for "example.com", "www.example.com", "alias.com", "www.alias.com", etc aliases.
-
Go to Domains > one.example.com > Hosting Settings
-
Select a "Wildcard example.com (one.example.com)"certificate.
Note: Repeat this step (8-9) for each subdomain (two.example.com, three.example.com, etc...)
Comments
12 comments
would be really nice if *.example.com i mean wildcard SSL would be working...
Hello @Jan,
Thank you for the feedback.
Generally, a wildcard certificate may be issued using this instruction.
But indeed, currently due to this bug www is not included.
Hey guys!
I couldn't get this work around to function correctly on Plesk Obsidian.
I'm trying to secure www. on an alias. I can get up to Step 7, but Step 8 appears to be impossible as I am not able to select which certificate the alias should use. Any ideas?
Hi Zacchary Puckeridge step 8 is for subdomains and it is not needed for aliases. The alias is included in the certificate generated in step 7. Please verify from your side if accessing the alias is done in a secured way.
Plesk Obsidian does the job really better.
The SSL IT Extension is really great.
This doesn't help with non www.alias.com domains, it doesn't help with getting example.alias.com to work, when example.main.com works.
Hi Chris Barfitt,
This is caused by a bug which as well. You may find a solution here
I found a simple workaround. Just add www.domain.com alias in addition to the domain.com alias. It worked perfectly.
For step 5 above, according to my experience, and the Plesk article linked below, renaming the certificate will prevent it from being renewed.
https://support.plesk.com/hc/en-us/articles/213930645--BUG-Let-s-Encrypt-auto-renew-is-not-working-for-domains-or-Plesk-with-renamed-certificates
Has the auto-renew for renamed certificates been fixed?
Hi Dr. Koontz
Indeed, these two bugs interfere with each other. Thank you for bringing our attention to this fact.
We will review the article in order to add the warning about the inability to auto-update a renamed certificate.
Regarding the question, there is no exact ETA for fixing these bugs since they require global changes in the extension. Once the bug is fixed the article will be updated accordingly.
hi,
Seems that issue is related with wordpress multisite subdomain, certificate is not applied to www.mysub.domain.tld. So i try ti test the workaround. But i'm confused
in step 3 : Issue a wildcard certificate _without_ including the aliases.
When i click (first checkbox) Protect wildcard domain so automatically it include "Include a "www" subdomain for the domain and each selected alias"
So how can issue wildcard without including the aliases ?
Hi @Dimitri Longo!
You need to uncheck all aliases under "Available Domain Aliases", I've highlighted it with red on the screenshot:
Please sign in to leave a comment.