
Get certificate for Plesk domain #11

Closed
jbbr opened this issue Dec 4, 2015 · 52 comments

Comments


@jbbr jbbr commented Dec 4, 2015

Is it possible to use this extension to get a certificate for the Plesk main domain?

Also being able to install these certificates for Mail, FTP and Webmail... would be very useful.

@xgin xgin (Member) commented Dec 4, 2015

What do you mean by the "main" domain in Plesk? I like all my domains :)
If you want to secure Plesk on port 8443 with the certificate, you can download it (Domain > SSL Certificates > click icon) and upload it to the server repository (Tools & Settings > SSL Certificates > upload and make it default).

@jbbr jbbr (Author) commented Dec 4, 2015

Yes, sorry, I mean Plesk port 8443 - I've dedicated a single (sub-)domain to Plesk with the "Custom Plesk Hostname" extension, so I have one "main" Plesk domain.

Downloading and uploading would work fine, I agree, but this step would have to be repeated at least every 90 days. It would be nice to be able to set one of the domain certificates as the default Plesk certificate.

Unfortunately Plesk does not provide a GUI option to set a certificate for mail services.
When using the stock letsencrypt-auto client, the currently active certificate has a symlink at /etc/letsencrypt/live/domain.tld/... - It would be nice to have this for the Plesk certificates too - this would make it possible to use an always up-to-date letsencrypt certificate for postfix, dovecot...

Manually updating certs everywhere might be acceptable for 1/2-year certificates - but every ~80 days is a bit too much.

@xgin xgin (Member) commented Dec 4, 2015

The active certificates could be found here: /usr/local/psa/var/modules/letsencrypt/etc/live/domain.tld

I will think about automated renewal of Plesk certificate.


@mrclschstr mrclschstr commented Dec 5, 2015

@jbbr @xgin I have nearly the same setup and it would be great if this could be automated.

EDIT: I don't want to open an issue for this so I'm just asking right here: Will it be a dedicated feature to update postfix or dovecot certificates as well? Or do I have to set up the symlinks manually?


@RamonSmit RamonSmit commented Dec 8, 2015

This would be very handy indeed! Would love to see this happen :-)


@JHGitty JHGitty commented Dec 12, 2015

+1 👍 need this feature.


@Powie Powie commented Dec 15, 2015

+1


@agarzon agarzon commented Dec 17, 2015

+1

xgin added a commit that referenced this issue Dec 20, 2015
@xgin xgin (Member) commented Dec 23, 2015

The extension version 1.2 has been released.
To secure Plesk with the example.com certificate, the address https://example.com:8443 should be opened.
In the CLI, use the option --letsencrypt-plesk:plesk-secure-panel

@xgin xgin closed this Dec 23, 2015

@pkess pkess commented Dec 23, 2015

Could you add some information on how to secure the panel?


@DavidAkroyd DavidAkroyd commented Dec 23, 2015

I believe this is done by running:

```sh
sudo -u psaadm bash /usr/local/psa/admin/plib/modules/letsencrypt/scripts/le-run --letsencrypt-plesk:plesk-secure-panel
```

Then select the domain that is being used for the Plesk control panel (presuming that you are using the default port). Or at least it appears to work for me!

@xgin xgin (Member) commented Dec 23, 2015

I hope this screenshot will make it clearer:
[screenshot: letsencrypt-secure-plesk]

Note: the CLI operation does not store parameters for renewal. Only operations done in the UI will be repeated in a month.


@JHGitty JHGitty commented Dec 23, 2015

@xgin Awesome, thanks!


@tofi86 tofi86 commented Dec 25, 2015

Does this also work when running Plesk on a subdomain like plesk.domain.tld?
I have this situation and don't have plesk.domain.tld set up as a subdomain in Plesk itself, and therefore can't do this with the Plesk web GUI...

@xgin xgin (Member) commented Dec 26, 2015

@tofi86 it is exactly #44 and #19


@tofi86 tofi86 commented Dec 26, 2015

@xgin thanks, that helps... looking forward to those implementations...


@donmike73 donmike73 commented Dec 31, 2015

@xgin Hm. There is no option 'Use this certificate to secure connections to Plesk' on my installation. I'm using plugin version 1.2 on Plesk 12.5


@Huskynarr Huskynarr commented Dec 31, 2015

@donmike73 I have the same problem, I think we must update our plugin. :)


@tofi86 tofi86 commented Dec 31, 2015

I think this is only available for new certificates and not when you try to update an existing one, right?


@Huskynarr Huskynarr commented Dec 31, 2015

👍
You're right, only on new domains. :)

@xgin xgin (Member) commented Jan 7, 2016

It is not clear to me why you came to the conclusion about new domains.
In fact there is no difference between "old" and "new" domains.
As you may see on my screenshot, the certificate had already been issued and it was renewed again.

There are only 2 conditions for the Plesk certificate: the admin user (and its aliases) is allowed, and the domain should match the currently opened Plesk address.


@Caroga Caroga commented Jan 31, 2016

I'm not really getting how this works.
Currently my Plesk installation uses port 8880 and runs on servername.domain.tld, but it is not registered inside my DNS and not as a subdomain, but just as a CNAME record, and voila.

I have a working, really expensive, SSL cert on domain.tld, so I do not want to change this.

How would I proceed in securing this so Plesk can run on https://servername.domain.tld:8443 using letsencrypt?

Kind regards,
Caroga


@TeHashX TeHashX commented Feb 4, 2016

I'm confused, why don't I have the option "Use this certificate to secure connections to Plesk" like in the picture?

@xgin xgin (Member) commented Feb 5, 2016

@Caroga the domain name should be registered in Plesk, otherwise you should install and renew it by yourself: an example is here https://gist.github.com/xgin/fbfa4577ad46955f472c

@xgin xgin (Member) commented Feb 5, 2016

@TeHashX take a screenshot with all the elements highlighted above (essentially with the browser address bar)


@TeHashX TeHashX commented Feb 5, 2016

Solved 👍
I looked closer and the only difference was the www in the address bar; I left only https://domain.com and the option shows up. There should be a warning somewhere to remove www from the address.
Thanks

@xgin xgin (Member) commented Feb 5, 2016

@TeHashX I see, will fix the case.


@Caroga Caroga commented Feb 8, 2016

@xgin Hi, I have the domain name registered in Plesk, it's already in use. But the situation is as follows:

  • www.domain.tld <= uses very expensive SSL cert which I don't want to change.
  • plesk.domain.tld <= is the plesk CNAME record in DNS which Plesk uses, NOT a subdomain within Plesk, only this record.

I wish to create an SSL cert for plesk.domain.tld, but I cannot select this inside the Let's Encrypt plugin.
I wish to understand how to achieve the desired situation: should I make a subdomain, or is there another way of achieving this (for example with your code snippet)?

Kind regards,
Caroga

@xgin xgin (Member) commented Feb 8, 2016

@Caroga create a subdomain - it is the simplest solution


@Caroga Caroga commented Feb 8, 2016

Okay, will do so.
I will create the subdomain and use apache/nginx as a forward proxy. Think this might be the better setup.

@xgin xgin (Member) commented Feb 8, 2016

I guess you need no proxy. Just try it :)


@Caroga Caroga commented Feb 10, 2016

Okay, I got it to generate an SSL cert for plesk.domain.tld now. I also got the option to use this cert for securing Plesk. So I guess this is good to go.
I'm now searching where to improve my cipher suites for Plesk itself, as this is kinda old.
Thank you very much for all your help!


@Caroga Caroga commented Feb 10, 2016

Nevermind, already fixed. Thanks again!


@MartinBoernert MartinBoernert commented Feb 14, 2016

Hi @xgin,
maybe it's already answered. What about the automated update of the cert for mail, FTP...?
My panel is working fine, but mail is still manual...

Thank you in advance!


@Powie Powie commented Feb 15, 2016

You can use my script for automated updates of the cert for mail servers on Debian systems!
https://github.com/Powie/plesk_mailcert

@xgin xgin (Member) commented Feb 15, 2016


@MartinBoernert MartinBoernert commented Feb 15, 2016

@xgin thumbs up
THX - works


@trialotto trialotto commented Mar 15, 2016

@xgin

What I do not understand: why are the mail server security settings not automatically applied, when running the plesk sbin pci_compliance_resolver?

Regards....

@xgin xgin (Member) commented Mar 15, 2016

@trialotto
pci_compliance_resolver applies some presets that were recommended by our security team.
AFAIK the mail server should use the same cipher suite when it is supported.
Anyway, it is not related to the Let's Encrypt integration. I suggest reporting your problem in the comments to the documentation http://docs.plesk.com/en-US/12.5/advanced-administration-guide-linux/pci-dss-compliance/tune-plesk-to-meet-pci-dss-on-linux.65871/


@iamkingsleyf iamkingsleyf commented Mar 27, 2016

NOT WORKING

```
Error: Let's Encrypt SSL certificate installation failed: Failed letsencrypt execution: Failed authorization procedure. www.ZZZZZ.kraftysprouts.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for www.zzzzzzz.kraftysprouts.com
IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through
   e-mails sent to hello @ kraftysprouts.com.
 - The following errors were reported by the server:

   Domain: www.ZZZZZZ.kraftysprouts.com
   Type: connection
   Detail: DNS problem: NXDOMAIN looking up A for
   www.zzzzzzzzz.kraftysprouts.com

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /opt/psa/var/modules/letsencrypt/etc.
   You should make a secure backup of this folder now. This
   configuration directory will also contain certificates and private
   keys obtained by Let's Encrypt so making regular backups of this
   folder is ideal.
```


@ansemjo ansemjo commented May 4, 2016

Thanks for this @xgin! Especially this comment.

That worked fine for the admin interface on port 8443 having a plesk. subdomain. But this did not set the certificate for the Plesk installer interface on port 8447. I found the SSL cert for the latter to be /opt/psa/etc/httpsd.pem, symlinked that to /opt/psa/admin/conf/httpsd.pem, rebooted, and it was 'fixed'. Maybe add that to your script too?

```sh
# keep a copy of the installer's original certificate file (bash brace expansion)
cp /opt/psa/etc/httpsd.pem{,.sav}
# replace it (-f, since the file still exists after the copy) with a relative
# symlink to the panel certificate, i.e. /opt/psa/admin/conf/httpsd.pem
ln -sf ../admin/conf/httpsd.pem /opt/psa/etc/httpsd.pem
```

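
An added example, not code from this thread, the extension or Powie's script: a POSIX sh post-renewal script that rebuilds the combined key+cert+chain PEM that Plesk's httpsd reads from the extension's live directory and installs it atomically, for the cases the UI does not cover (the installer on 8447, mail). It assumes certbot-style file names in the live directory (privkey.pem, cert.pem, chain.pem), that the target file expects key, cert and chain concatenated, and a panel restart command given via RELOAD_CMD.

```shell
#!/bin/sh
# Added example, not from this thread or the Plesk extension: after a
# Let's Encrypt renewal, rebuild the combined key+cert+chain PEM that
# Plesk's httpsd reads and install it atomically, keeping the previous
# file as a .sav backup (as ansemjo did by hand above).
# Assumptions: LIVE_DIR uses certbot file names (privkey.pem, cert.pem,
# chain.pem); RELOAD_CMD is whatever restarts the panel on your version.
set -eu

# check_cert_fresh CERT: fail if CERT is invalid or expires within 24h,
# so a stale live directory is never deployed. Needs openssl.
check_cert_fresh() {
    openssl x509 -in "$1" -noout -checkend 86400 >/dev/null 2>&1
}

# build_bundle LIVE_DIR OUT: write key, cert, chain (in that order) to OUT
# with mode 0600; refuse if any input is missing or empty.
build_bundle() {
    live_dir=$1; out=$2
    for f in privkey.pem cert.pem chain.pem; do
        if [ ! -s "$live_dir/$f" ]; then
            echo "build_bundle: missing or empty $live_dir/$f" >&2
            return 1
        fi
    done
    ( umask 077
      cat "$live_dir/privkey.pem" "$live_dir/cert.pem" \
          "$live_dir/chain.pem" > "$out" )
}

# install_bundle SRC TARGET: back up TARGET to TARGET.sav (unless it is a
# symlink), then replace it with a 0600 copy of SRC via rename, so a
# reader of TARGET never sees a half-written file.
install_bundle() {
    src=$1; target=$2
    if [ -f "$target" ] && [ ! -L "$target" ]; then
        cp -p "$target" "$target.sav"
    fi
    tmp="$target.tmp.$$"
    ( umask 077; cat "$src" > "$tmp" )
    mv -f "$tmp" "$target"
}

# deploy LIVE_DIR TARGET: the full post-renewal run.
deploy() {
    live_dir=$1; target=$2
    check_cert_fresh "$live_dir/cert.pem" || {
        echo "deploy: certificate in $live_dir is stale or unreadable" >&2
        return 1
    }
    build_bundle "$live_dir" "$target.new"
    install_bundle "$target.new" "$target"
    rm -f "$target.new"
    ${RELOAD_CMD:-service sw-cp-server restart}   # assumed restart command
}

# Deploy only when invoked with --deploy, e.g. (paths from the thread):
#   sh deploy-cert.sh --deploy \
#     /usr/local/psa/var/modules/letsencrypt/etc/live/domain.tld \
#     /opt/psa/etc/httpsd.pem
if [ "${1:-}" = "--deploy" ]; then
    deploy "$2" "$3"
fi
```

Run it from a renewal hook or a daily cron entry; because the expiry check refuses a stale live directory, a broken renewal leaves the previous working file in place instead of installing an expired one.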

@ArashiKorosu ArashiKorosu commented Mar 10, 2017

The option to protect the panel does not appear for me:

[screenshot]

What am I doing wrong?

I'm using:
Plesk 17.0.17 Update #18
Let's Encrypt 1.9 3

@xgin xgin (Member) commented Mar 10, 2017

@ArashiKorosu In onyx we suggest another way to secure Plesk: https://docs.plesk.com/en-US/onyx/administrator-guide/plesk-administration/securing-plesk/securing-plesk-and-mail-server.76576/
Exactly the same question has been asked recently. We might have to add some hint here.


@heinrich-k heinrich-k commented Jun 15, 2017

Using Plesk Onyx Version 17.5.3 Update #9 on https://domain.tld:8443, but the option in the screenshot from xgin is not present. Only the option to include www. and secure webmail, too.

Do I need anything else so the option appears?


@trialotto trialotto commented Jun 15, 2017

@xgin

There are many current issues that are interrelated and/or can be interrelated with other issues or even the bugs in other extensions/components of Plesk.

Please note that the current issue in this thread can be related to migration issues.

It would be good to consider that, in almost all cases of migration, the Plesk Let's Encrypt extension can or will result in many errors.

The most common error (in case of migration) is the fact that certificates (of a domain or the server) are NOT migrated (read: Plesk settings are not migrated fully).

This will hinder the proper functioning of the Plesk Let's Encrypt extension.

I certainly hope that one can pay some attention to that too.

In addition, there are two absolutely required functions for the Plesk Let's Encrypt extension:

  1. the possibility to revoke a Let´s Encrypt certificate (on a domain or the server), (and)

  2. allow for HA/Fail-over domain certification: two identical domain names, present on two servers (for reasons of HA and/or Fail-over) should be able to have the same Let´s Encrypt certificate assigned.

I am aware that point 2 is rather difficult, but point 1 is a feature that can be developed shortly.

The "revoke function" would certainly reduce a number of issues, in the sense that potential issues can be resolved by simply revoking a certificate and re-assigning the certificate.

Hope the above feedback will help a bit.

Regards.....

@xgin xgin (Member) commented Jun 16, 2017

@heinrich-k have you seen the latest comment related to the Onyx version?

@trialotto I don't think mixing different problems into another (closed, by the way) issue is something promising.
Regarding the absent ability to revoke a certificate, there is the issue #105, but there is no significant activity or votes, which does not make this feature a higher priority than others. Also I could not find any suggestion on https://plesk.uservoice.com/, but this is a very important tracker of consumer demands.
AFAIK there are no open issues in migration; feel free to describe the problem (in a separate issue or forum thread), and it would be great if you have steps to reproduce.


@heinrich-k heinrich-k commented Jun 16, 2017

@xgin: I had not seen it. But it isn't a tutorial to use the Let's encrypt certificate either. I want to move away from self signed certificates.


@trialotto trialotto commented Jun 16, 2017

@xgin

I just wanted to point out that there are many "cause > consequence" combinations of LE related issues.

This often causes discussions about solutions for specific LE related issues to be scrambled with noise.

For instance, consider the "revoke issue" (and #105).

The status quo is

  • Plesk Panel does not allow it (as many people would expect)
  • letsencrypt binary allows it (and many other things)
  • CLI interface (plesk bin extension) is relatively unknown (and some commands do not work)

and the whole problem is that new issues often arise when trying to solve another one.

Simply because Plesk Panel, letsencrypt binary and CLI interface are not aligned.

In my humble opinion, it would be a good starting point to

a) create crystal clear (online) documentation (as you suggested yourself previously),

b) create a description of all possible CLI interface commands,

this in order to keep discussions about alleged (!) issues with the LE extension pure.

Regards......


@trialotto trialotto commented Jun 16, 2017

@heinrich-k

You can always create a domain with the identical name of your server's FQDN.

This will result in the following:

a) when assigning a letsencrypt certificate to the domain in question, the Let's Encrypt extension will automatically ask whether you want to secure Plesk Panel (with the LE certificate)

Note: simply follow the steps

1 - create a domain or subdomain with name [server FQDN]
2 - go to "Domains > [server FQDN] (select) > Let's Encrypt (click)"
3 - select option "Secure Plesk Panel" (if possible; if not possible, then step 3 is not required: the Plesk panel will be secured with the LE certificate, but in a different way)

and that is it.

Note that steps 1 and 2 (and potentially 3) are a "dirty work-around" for securing Plesk Panel; it is not a solution, but it is a "required work-around": the interaction between the Let's Encrypt extension and the Security Advisor extension can cause some problems, requiring this "work-around".

b) the created (sub- or) domain with name [server FQDN] will allow you to create common mailboxes like hostmaster@[server FQDN], with the particular advantages that

  • webmail will be secured with LE certificates
  • mail sent by the system or privileged users will come from a "trusted" domain (to some extent)
  • security can be enhanced to some extent
  • and so on

and even a mailbox like root@[server FQDN] can be used, as long as you use a mail forward (highly recommended!!).

In general, note that letsencrypt certification does not secure all SSL/TLS connections!

And this is also an important topic for (online) documentation with respect to the Let´s Encrypt extension.


@trialotto trialotto commented Jun 16, 2017

@xgin

Please (also) see my comment to @heinrich-k.

I suggest that we further use the Plesk forum to communicate, if desired by you.

Regards!


@heinrich-k heinrich-k commented Jun 16, 2017

@trialotto
I tried to do what you described in a), but the option to secure PLESK did not show up.


@trialotto trialotto commented Jun 16, 2017

@heinrich-k

I know, that is different amongst a number of Plesk versions and even amongst LE extension versions.

The step 3 is optional, it is not required.

Essentially, by creating and securing the domain or subdomain with name [server FQDN], one can access the Plesk Panel by using that specific (sub-)domain name and still have the green lock in the browser.

However, this still allows you to access the Plesk Panel with another URL that has a DNS record pointing to the IP of the server in question .......... and this URL is not secured (only with the default certificate).

One way to get LE certificate on the (sub-)domain with name [server FQDN] working for all URLs is simply by using a (Nginx based) redirect OR changing the Plesk (Nginx) config (read: adjust the lines pointing to the default certificate and let them point to the directory and file location of the LE certificates that are active on the (sub-)domain with name [server FQDN]).

Again, it is a work-around, not a solution.

Another way to get your system "clean" is to remove and re-install both the Security Advisor extension and the Let's Encrypt extension: these two extensions can be the cause of Let's Encrypt related issues.

Again, both of the aforementioned extensions can interfere with each other and cause severe issues.

The best way to get your system "clean" is to follow the steps 1 to 6, as mentioned here: https://talk.plesk.com/threads/solutions-for-recent-lets-encrypt-issues.342567/

In most cases, a good "clean" will allow you to get your server-side LE certificate up and running.

Hope this helps!

Regards......
