Get certificate for Plesk domain

[jbbr]

Is it possible to use this extension to get a certificate for the Plesk main domain?

Also being able to install these certificates for Mail, FTP and Webmail... would be very useful.

[xgin]

What do you mean the "main" domain in Plesk? I like all my domains :)
If you want to secure Plesk on 8443 port with the certificate, you can download it (Domain > SSL Certificates > click icon) and upload to the server repository (Tools&Settings > SSL Certificates > upload and make it default).

[jbbr]

Yes, sorry, I mean Plesk port 8443 - I've dedicated a single (sub-)domain for Plesk with "Custom Plesk Hostname" extension so I have one "main" Plesk domain.

Downloading and uploading would work fine, I agree, but this step would have to be repeated at least every 90 days. It would be nice to be able to set one of the domain certificates as default Plesk certificate.

Unfortunately plesk does not provide a GUI option to set a certificate for mail services.
When using the stock letsencrypt-auto client the currently active certificate has a symlink at /etc/letsencrypt/live/domain.tld/... - It would be nice to have this for the plesk certificates too - this would make it possible to use an always up to date letsencrypt certificate for postfix, dovecot...

Manually updating certs everywhere might be acceptable for 1/2 year certificates - but every ~80 days is a bit too much.

[xgin]

The active certificates could be found here: /usr/local/psa/var/modules/letsencrypt/etc/live/domain.tld

I will think about automated renewal of Plesk certificate.

[mrclschstr]

@jbbr @xgin I have nearly the same setup and it would be great if this could be automated.

EDIT: I don't want to open an issue for this so I'm just asking right here: Will it be a dedicated feature to update postfix or dovecot certificates as well? Or do I have to set up the symlinks manually?

[RamonSmit]

This would be very handy indeed! Would love to see this happen :-)

[JHGitty]

+1 👍 need this feature.

[Powie]

+1

[agarzon]

+1

[xgin]

The extension version 1.2 has been released.
To secure Plesk with example.com certificate the address https://example.com:8443 should be opened.
In CLI use option --letsencrypt-plesk:plesk-secure-panel

[pkess]

Could you add some information on how to secure the panel?

[DavidAkroyd]

I believe this is done by running:

sudo -u psaadm bash /usr/local/psa/admin/plib/modules/letsencrypt/scripts/le-run --letsencrypt-plesk:plesk-secure-panel

Then select the domain that is being used for the Plesk control panel (Presuming that you are using default port) - Or at least appears to work for me!

[xgin]

I hope this screenshot will make it clearer:

Note: CLI operation does not store parameters for renew itself. Only operations in UI will be repeated in a month.

[JHGitty]

@xgin Awesome, thanks!

[tofi86]

Does this also work when running plesk on a subdomain like plesk.domain.tld ?
I have this situation and don't have plesk.domain.tld set up as a subdomain in plesk itself and therefore can't do this with the plesk web gui...

[xgin]

@tofi86 it is exactly #44 and #19

[tofi86]

@xgin thanks, that helps... looking forward to those implementations...

[donmike73]

@xgin Hm. There is no option 'Use this certificate to secure connections to Plesk' on my installation. I'm using plugin version 1.2 on Plesk 12.5

[Huskynarr]

@donmike73 I have the Same Problem, think we must update our Plugin. :)

[tofi86]

I think this only available for new certificates and not when you try to update an existing, right?

[Huskynarr]

👍
You have right, only on New Domains. :)

[xgin]

It is not clear for me why did you come to the decision about new domains.
In fact there is no difference between "old" and "new" domains.
As you may see on my screenshot, the certificate had already been issued and it was renewed again.

There are only 2 conditions for Plesk certificate: admin user (and its aliases) is allowed and the domain should match currently opened Plesk address.

[Caroga]

I'm not really getting how this works.
Currently my plesk installation uses port 8880 and runs on servername.domain.tld, but is not registered inside my DNS and not as a subdomain but just a CNAME record and voila.

I have a working, really expensive, ssl cert on domain.tld so I do not want to change this.

How would I proceed in securing this so plesk can run on https://servername.domain.tld:8443 using letsencryppt?

Kind regards,
Caroga

[TeHashX]

I'm confused, why I don't have option "Use this certificate to secure connections to plesk" like in picture?

[xgin]

@Caroga the domains name should be registered in Plesk, elsewise you should install and renew it by yourself: an example is here https://gist.github.com/xgin/fbfa4577ad46955f472c

[xgin]

@TeHashX take a screenshot with all the elements highlighted above (essentially with browser address bar)

[TeHashX]

Solved 👍
I look better and the only difference was the www in the address bar, I leaved https://domain.com and option shows up. Should be a warning somewhere to remove www from address.
Thanks

[xgin]

@TeHashX I see, will fix the case.

[Caroga]

@xgin Hi, I have the domain name registered in Plesk, it's already in use. But the situation is as follows:

• www.domain.tld <= uses very expensive SSL cert which I don't want to change.
• plesk.domain.tld <= is the plesk CNAME record in DNS which Plesk uses, NOT a subdomain within Plesk, only this record.

I wish to create a SSL cert for plesk.domain.tld, but I cannot select this inside the Let's Encrypt plugin.
I wish to understand how to achieve the desired situation: should I make a subdomain or is there another way of achieving this (for example with your code snippet)?

Kind regards,
Caroga

[xgin]

@Caroga create a subdomain - it is the simplest solution

[Caroga]

Okay, will do so.
I will create the subdomain and use apache/nginx as a forward proxy. Think this might be the better setup.

[xgin]

I guess you need no proxy. Just try it :)

[Caroga]

Okay I got it to generate a ssl cert for plesk.domain.tld now. I also got the option to use this cert for securring plesk. So I ques this is good to go.
Im now searching where to improve my cipher suites for plesk itself, as this is kinda old.
Thank you very much for all your help!

[Caroga]

Nevermind, already fixed. Thanks again!

[MartinBoernert]

Hi @xgin,
may it's already answered. How about the automated update of the cert for mail, ftp ...?
My panel is working fine, but mail is still manual...

Thank you in advance!

[Powie]

You can use my script for automated updates of the cert for mailservers on debian systems!
https://github.com/Powie/plesk_mailcert

[xgin]

@Bambi42 take a look https://github.com/plesk/letsencrypt-plesk/wiki/Secure-Mail-Server

[MartinBoernert]

@xgin thumps up
THX - workx

[trialotto]

@xgin

What I do not understand: why are the mail server security settings not automatically applied, when running the plesk sbin pci_compliance_resolver?

Regards....

[xgin]

@trialotto
pci_compliance_resolver applies some presets that were recommended by our security team.
AFAIK mail server should use the same ciphers suite when it is supported.
Anyway it is not related to the Let's Encrypt integration. I suggest to report your problem in comments to the documentation http://docs.plesk.com/en-US/12.5/advanced-administration-guide-linux/pci-dss-compliance/tune-plesk-to-meet-pci-dss-on-linux.65871/

[iamkingsleyf]

NOT WORKING

`Error: Let's Encrypt SSL certificate installation failed: Failed letsencrypt execution: Failed authorization procedure. www.ZZZZZ.kraftysprouts.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for www.zzzzzzz.kraftysprouts.com
IMPORTANT NOTES:

• If you lose your account credentials, you can recover through
  e-mails sent to hello @ kraftysprouts.com.
• The following errors were reported by the server:

Domain: www.ZZZZZZ.kraftysprouts.com
Type: connection
Detail: DNS problem: NXDOMAIN looking up A for
www.zzzzzzzzz.kraftysprouts.com

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

• Your account credentials have been saved in your Let's Encrypt
  configuration directory at /opt/psa/var/modules/letsencrypt/etc.
  You should make a secure backup of this folder now. This
  configuration directory will also contain certificates and private
  keys obtained by Let's Encrypt so making regular backups of this
  folder is ideal.`

[ansemjo]

Thanks for this @xgin! Especially this comment.

That worked fine for the admin interface on port 8443 having a plesk. subdomain. But this did not set the certificate for the plesk installer interface on port 8447. I found the ssl cert for the latter to be /opt/psa/etc/httpsd.pem, symlinked that to /opt/psa/admin/conf/httpsd.pem, rebooted and it was 'fixed'. Maybe add that to your script too?

cp /opt/psa/etc/httpsd.pem{,.sav}
ln -s ../admin/conf/httpsd.pem /opt/psa/etc/httpsd.pem

[ArashiKorosu]

The option to protect the panel does not appear for me:

What am I doing wrong?

I using:
Plesk 17.0.17 Update #18
Let's Encrypt 1.9 3

[xgin]

@ArashiKorosu In onyx we suggest another way to secure Plesk: https://docs.plesk.com/en-US/onyx/administrator-guide/plesk-administration/securing-plesk/securing-plesk-and-mail-server.76576/
Exactly the same question has been asked recently. We might have to add some hint here.

[heinrich-k]

Using Plesk Onyx Version 17.5.3 Update #9 on https://domain.tld:8443 but the option in the screenshot from xgin is not present. Only the option to include www. and secure webmail, too.

Do I need anything else, so the option appears ?

[trialotto]

@xgin

There are many current issues that are interrelated and/or can be interrelated with other issues or even the bugs in other extensions/components of Plesk.

Please note that the current issue in this thread can be related to migration issues.

It would be good to consider that, in almost all cases of migration, the Plesk Let´s Encrypt extension can or will result in many errors.

The most common error (in case of migration) is the fact that certificates (of a domain or the server) are NOT migrated (read: Plesk settings are not migrated fully).

This will hinder the proper functioning of the Plesk Let´s Encrypt extension.

I certainly hope that one can pay some attention to that too.

In addition, there are two absolutely required functions for the Plesk Let´s Encrypt extension:

1. the possibility to revoke a Let´s Encrypt certificate (on a domain or the server), (and)

2. allow for HA/Fail-over domain certification: two identical domain names, present on two servers (for reasons of HA and/or Fail-over) should be able to have the same Let´s Encrypt certificate assigned.

I am aware that point 2 is rather difficult, but point 1 is a feature that can be developed shortly.

The "revoke function" would certainly reduce a number of issues, in the sense that potential issues can be resolved by simply revoking a certificate and re-assigning the certificate.

Hope the above feedback will help a bit.

Regards.....

[xgin]

@heinrich-k have you seen the latest comment related to the Onyx version?

@trialotto I don't think mixing different problems in the another (closed by the way) issue is something perspective.
Regarding the absent ability to revoke a certificate there is the issue #105 but there is no significant activity and votes that does not make this feature higher priority then others. Also I could not find any suggestion on https://plesk.uservoice.com/ but this is very important tracker of consumer demands.
AFAIK there is no open issues in migration, feel free to describe the problem (in separate issue or forum thread) and it would be great if you have steps to reproduce.

[heinrich-k]

@xgin: I had not seen it. But it isn't a tutorial to use the Let's encrypt certificate either. I want to move away from self signed certificates.

[trialotto]

@xgin

I just wanted to point out that there are many "cause > consequence" combinations of LE related issues.

This often causes discussions about solutions for specific LE related issues to be scrambled with noise.

For instance, consider the "revoke issue" (and #105).

The status quo is

• Plesk Panel does not allow it (as many people would expect)
• letsencrypt binary allows it (and many other things)
• CLI interface (plesk bin extension) is relatively unknown (and some commands do not work)

and the whole problem is that new issues often arise when trying to solve another one.

Simply because Plesk Panel, letsencrypt binary and CLI interface are not aligned.

In my humble opinion, it would be a good starting point to

a) create crystal clear (online) documentation (as you suggested yourself previously),

b) create a description of all possible CLI interface commands,

this in order to keep discussions about alleged (!) issues with the LE extension pure.

Regards......

[trialotto]

@heinrich-k

You can always create a domain with the identical name of your server´s FQDN.

This will result in the following:

a) when assigning a letsencrypt certificate to the domain in question, the Let´s Encrypt extension will be automatically asking whether you want to secure Plesk Panel (with the LE certificate)

Note: simply follow the steps

1 - create a domain or subdomain with name [server FQDN]
2 - go to "Domains > [server FQDN] (select) > Let´s Encrypt (click)"
3 - select option "Secure Plesk Panel" (if possible; if not possible, then step 3 is not required: the Plesk panel will be secured with the LE certificate, but in a different way)

and that is it.

Note the steps 1 and 2 (and potentially 3) are a "dirty work-around" for securing Plesk Panel, it is not a solution, but it is a "required work-around": the interaction between the Let´s Encrypt extension and the Security Advisor extension can cause some problems, requiring this "work-around".

b) the created (sub- or) domain with name [server FQDN] will allow you to create common mailboxes like hostmaster@[server FQDN], with the particular advantages that

• webmail will be secured with LE certificates
• mail send by the system or privileged users will come from a "trusted" domain (to some extent)
• security can be enhanced to some extent
• and so on

and even a mailbox like root@[server FQDN] can be used, as long as you use a mail forward (highly recommended!!).

In general, note that letsencrypt certification does not secure all SSL/TLS connections!

And this is also an important topic for (online) documentation with respect to the Let´s Encrypt extension.

[trialotto]

@xgin

Please (also) see my comment to @heinrich-k.

I suggest that we further use the Plesk forum to communicate, if desired by you.

Regards!

[heinrich-k]

@trialotto
I tried to do what you described in a), but the option to secure PLESK did not show up.

[trialotto]

@heinrich-k

I know, that is different amongst a number of Plesk versions and even amongst LE extension versions.

The step 3 is optional, it is not required.

Essentially, by creating and securing the domain or subdomain with name [server FQDN], one can access the Plesk Panel by using that specific (sub-)domain name and still have the green lock in the browser.

However, this still allows you to access the Plesk Panel with another URL that has a DNS record pointing to the IP of the server in question .......... and this URL is not secured (only with the default certificate).

One way to get LE certificate on the (sub-)domain with name [server FQDN] working for all URLs is simply by using a (Nginx based) redirect OR changing the Plesk (Nginx) config (read: adjust the lines pointing to the default certificate and let them point to the directory and file location of the LE certificates that are active on the (sub-)domain with name [server FQDN]).

Again, it is a work-around, not a solution.

Another way to get your system "clean" is to remove and re-install both the Security Advisor extension and the Let´s Encrypt extension: these two extensions can be the cause of Let´s Encrypt related issues.

Again, both the before mentioned extensions can interfere with each other and cause severe issues.

The best way to get your system "clean" is to follow the steps 1 to 6, as mentioned here: https://talk.plesk.com/threads/solutions-for-recent-lets-encrypt-issues.342567/

In most cases, a good "clean" will allow you to get your server-side LE certificate up and running.

Hope this helps!

Regards......