plesk / letsencrypt-plesk

Let’s Encrypt extension for Plesk gives all Plesk users the power to get a free Let’s Encrypt certificate with just a couple of clicks.
https://www.plesk.com/extensions/letsencrypt/

SAN support #19

Open COhsrt opened 8 years ago

COhsrt commented 8 years ago

As we have a few subdomain (irc.domain.com, mail.domain.com etc) it would be neat to implement adding those subdomains to a normal domain's certificate.

DavidAkroyd commented 8 years ago

It would be useful to have a webroot option or enable the manual option on the CLI to allow automatic certification for non-standard subdomains or domains. (In particular Horde with a non standard webroot and manual certificate entry in the the config file on webmail.domain.tld)

dakira commented 8 years ago

I think you want a multiple SAN cert. Those are possible with a current limit of 100 subdomains per cert. The Plesk client might support this using the cmd line client like this, I haven't tried it, though.

Version 1.1 of the plugin added a checkbox for adding the www-subdomain to the main cert. Maybe it should be allowed to also add all existing subdomains to the cert.

EarMaster commented 8 years ago

This would be very useful. Especially the webmail-Subdomain needs encryption support by default.

flipme commented 8 years ago

A real saver would be the postfix, courier, dovecot ssl. It's a bummer with self signed certs.

RamonSmit commented 8 years ago

:+1: Would love to see this implemented! :smile:

SolidRhino commented 8 years ago

Please include this if it is possible. Including the postfix courier and webmail.

n4uti commented 8 years ago

+1 for securing webmail subdomain and the plesk panel itself.

SolidRhino commented 8 years ago

@n4uti you already can create a certificate for Plesk panel

flipme commented 8 years ago

Setting up SSL for postfix/dovecot/courier isn’t handled well at all inside of Plesk. It’s quite funky that the feature is missing. If your extension would be able to fix that it would be just awesome.

On 13/01/2016, at 12:59, Solid Rhino notifications@github.com wrote:

@n4uti https://github.com/n4uti you already can create a certificate for Plesk panel

— Reply to this email directly or view it on GitHub https://github.com/plesk/letsencrypt-plesk/issues/19#issuecomment-171268367.

Svenna71 commented 8 years ago

+1

----- Original Message -----

From: "flipme" notifications@github.com
To: "plesk/letsencrypt-plesk" letsencrypt-plesk@noreply.github.com
Sent: Wednesday, 13 January 2016 13:06:22
Subject: Re: [letsencrypt-plesk] SAN support (#19)

Setting up SSL for postfix/dovecot/courier isn’t handled well at all inside of Plesk. It’s quite funky that the feature is missing. If your extension would be able to fix that it would be just awesome.

On 13/01/2016, at 12:59, Solid Rhino notifications@github.com wrote:

@n4uti https://github.com/n4uti you already can create a certificate for Plesk panel

— Reply to this email directly or view it on GitHub https://github.com/plesk/letsencrypt-plesk/issues/19#issuecomment-171268367.


dakira commented 8 years ago

Please lets keep the discussion to the issue: SAN support. Using other letsencrypt/acme clients you can create one cert for multiple (sub-)domains.

I think this interface should at least allow for adding subdomains to the cert. Handling mail and webmail certs is a different issue.

xgin commented 8 years ago

How do you expect an arbitrary subdomain to be validated? We should know where the http request points to the file system. Since a domain name or a subdomain name is registered in Plesk, its document root is known, it is written in apache/nginx configuration by Plesk. An alias has the same document root. Webmail subdomain points to the horde/roundcube root - it is also known. I have no idea where to put validation file for unknown mail.domain.tld or irc.domain.tld... I guess some other challenges (dns or tls) should be used for it. Any ideas?

DavidAkroyd commented 8 years ago

So the original LetsEncrypt command line allows for the manual setting of a WebRoot which allows you to set a web-accessible root - this may be an option - however you would need to set a directory for every domain?

xgin commented 8 years ago

@DavidAkroyd yep, every alternative name should be validated. For example, you want a certificate for example.com, sub.example.com, alternative.com. The certificate request is created and is sent to the Let's Encrypt CA. It asks to create a validation file abcdef with content qwerty. After the file is created it should be available on every URL:

http://example.com/.well-known/acme-challenge/abcdef
http://sub.example.com/.well-known/acme-challenge/abcdef
http://alternative.com/.well-known/acme-challenge/abcdef

dakira commented 8 years ago

My expected use case would look like this:

  1. open Plesk-Letsencrypt-client for a domain within a certain webspace
  2. If other (sub-)domains have been created inside the same webspace (meaning their webroots are known) ask if the certificate should include these subdomains as well.

The rest (securing dovecot and postfix with those certs) can easily be done with a script.

DavidAkroyd commented 8 years ago

@dakira Any reason that you would use a SAN for multiple domain/sub-domains like these as opposed to just using a certificate per domain/sub-domain? I think the main reason that people want it for the webmail/mail server, and hence why there have been so many +1s for the feature, is because the default configuration for Plesk uses 1 SSL certificate per IP address, regardless of domains, hence the ONLY way to solve it is to use a SAN in a certificate.

@xgin I think that I was expecting the ability to specify a manual Webroot for any domain that Plesk itself is not aware of the webroot for, and then a custom DNS entry in Plesk for the domains that do not have a webroot (Though LetsEncrypt have not yet implemented this feature) - though this would presume Plesk is controlling DNS for the domain. I presume though, TLS/DVSNI would be a lot harder to implement than DNS as an alternative?

This would probably have to be a separate menu since you may be trying to generate a certificate ONLY for a sub-domain that Plesk is not aware of.

dakira commented 8 years ago

@DavidAkroyd Yes. For one, it's just one cronjob for renewal instead of 50+.

grunsch commented 8 years ago

@xgin AFAIK, for (sub)domains which are not registered in Plesk but where the DNS points to the Plesk server (e.g. mail domain), the webroot is /var/www/vhosts/default/htdocs and the challenge file could be placed there.

xgin commented 8 years ago

@grunsch Good point. In general the order of virtual hosts that could respond to the request is the following:

  1. exact subdomain name sub.domain.tld and its aliases
  2. wildcard subdomain *.domain.tld
  3. default website for IP address (set in Tools&Settings > IP Addresses)
  4. default webserver page (/var/www/vhosts/default/htdocs)

All of them should be checked for existence and could be used for verification. Am I missing something?

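Both of xgin's points above, that every alternative name must serve the same token under /.well-known/acme-challenge/ and that four kinds of virtual host could answer for a name, can be turned into a pre-flight check that runs before any order is sent to the CA. This is an added example, not code from the Plesk extension: the site inventory, alias table, per-IP defaults and DNS answers are constructed sample data held in dicts, and `resolve_docroot`, `plan_challenges` and `stage_and_verify` are hypothetical names. Names whose DNS does not point at this server are refused up front, so an unreachable SAN surfaces as a clear error instead of a failed authorization and a burned rate-limit slot.

```python
import os
import tempfile

# Constructed inventory of what Plesk knows about this server (hypothetical
# sample data; a real extension reads this from Plesk, not from dicts).
SITES = {
    "example.com": "/var/www/vhosts/example.com/httpdocs",
    "sub.example.com": "/var/www/vhosts/example.com/sub",
    "*.other.example": "/var/www/vhosts/other.example/wildcard",
}
ALIASES = {"www.example.com": "example.com"}          # alias -> domain (same docroot)
DEFAULT_SITE_FOR_IP = {"203.0.113.10": "/var/www/vhosts/alternative.com/httpdocs"}
DEFAULT_WEBSERVER_PAGE = "/var/www/vhosts/default/htdocs"
SERVER_IPS = {"203.0.113.10", "203.0.113.11"}

# Constructed DNS answers; a real pre-flight check would resolve A/AAAA records.
DNS_A = {
    "example.com": "203.0.113.10",
    "www.example.com": "203.0.113.10",
    "sub.example.com": "203.0.113.10",
    "mail.other.example": "203.0.113.11",
    "irc.example.com": "203.0.113.10",
    "foo.example.com": "203.0.113.11",
    "elsewhere.test": "198.51.100.5",
}

CHALLENGE_DIR = ".well-known/acme-challenge"


def resolve_docroot(name):
    """Return (docroot, rule) for the vhost that would answer an HTTP request
    for `name` on this server, following the precedence listed in the thread,
    or (None, reason) when the name cannot be validated here at all."""
    ip = DNS_A.get(name)
    if ip not in SERVER_IPS:
        return None, "DNS does not point at this server"
    canonical = ALIASES.get(name, name)
    if canonical in SITES:                       # 1. exact name or one of its aliases
        return SITES[canonical], "exact name or alias"
    parent = name.split(".", 1)[1] if "." in name else ""
    if "*." + parent in SITES:                   # 2. wildcard subdomain
        return SITES["*." + parent], "wildcard subdomain"
    if ip in DEFAULT_SITE_FOR_IP:                # 3. default site for the IP address
        return DEFAULT_SITE_FOR_IP[ip], "default site for IP"
    return DEFAULT_WEBSERVER_PAGE, "default webserver page"   # 4. last resort


def plan_challenges(names):
    """Split requested SANs into names we can serve a token for (with docroot
    and the rule that chose it) and names that must be refused before ordering."""
    plan, blocked = {}, {}
    for name in names:
        root, rule = resolve_docroot(name)
        if root is None:
            blocked[name] = rule
        else:
            plan[name] = (root, rule)
    return plan, blocked


def stage_and_verify(plan, token, key_authz, fs_root):
    """Write the challenge file under every planned docroot (rooted at fs_root so
    this can run in a temp dir) and read each one back, as a local check before
    the CA fetches http://<name>/.well-known/acme-challenge/<token>."""
    results = {}
    for name, (docroot, _rule) in plan.items():
        challenge_dir = os.path.join(fs_root, docroot.lstrip("/"), CHALLENGE_DIR)
        os.makedirs(challenge_dir, exist_ok=True)
        path = os.path.join(challenge_dir, token)
        with open(path, "w") as fh:
            fh.write(key_authz)
        with open(path) as fh:
            results[name] = fh.read() == key_authz
    return results


if __name__ == "__main__":
    wanted = ["example.com", "www.example.com", "sub.example.com",
              "mail.other.example", "irc.example.com", "foo.example.com",
              "elsewhere.test"]
    plan, blocked = plan_challenges(wanted)
    for name, (root, rule) in plan.items():
        print(f"{name:20} -> {root} ({rule})")
    for name, why in blocked.items():
        print(f"{name:20} -> REFUSED: {why}")
    staged = stage_and_verify(plan, "abcdef", "qwerty", tempfile.mkdtemp())
    print("all token files readable:", all(staged.values()))
```

The local read-back only proves the file landed where the plan says; it does not prove the web server maps that name to that directory, so a real check would also fetch the URL over HTTP for each name before placing the order.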
grunsch commented 8 years ago

@xgin from my point of view these are all valid possibilities right now. I'd love to see it in the next version!

Dieblich commented 8 years ago

+1

The integration for a certificate for subdomains like https://webmail.yourdomain.tld would be such a great addition to the service.

AmaZili commented 8 years ago

+1

dzedward commented 8 years ago

+1. I was expecting it to work exactly as @dakira described here https://github.com/plesk/letsencrypt-plesk/issues/19#issuecomment-171778076

mschroettle commented 8 years ago

+1 right now if you have say a wp multisite with more than 4 subdomains, you have to issue 5 cert requests (1 for the main domain and 4 for each sub-domain) and then wait another week for more cert requests due to the LE limitations. Since they all go to the main domain, LE will limit those at a certain point (max # of certs per domain...). Using the CLI is not a viable alternative, since you lose the auto-renew feature... so actually this is a +100 from me...

futureweb commented 8 years ago

:+1:

CoskunSunali commented 8 years ago

+1

Mythos commented 8 years ago

+1

Hativ commented 8 years ago

+1

PatrickHuetter commented 8 years ago

+1

derStephan commented 8 years ago

+1 Especially valid certificates for webmail.domain.tld would be great.

Thanks for all you've done!

twistedpixel commented 8 years ago

+1

Great work so far guys!

mickert commented 8 years ago

+1 definitely! Like I wrote in #28, it is a real Must Have for me. The possibility to add custom (domain) SANs would be a very nice option also. Possibly they could be verified in DNS (if A or AAAA record exists with IP of client) and then verified with LE using the default vhost.

Thanks for this great extension!

StoneISStephan commented 8 years ago

+1

ravage2k commented 8 years ago

+1

n3roGit commented 8 years ago

+1

BastianBalthasarBux commented 7 years ago

+1 for including the securing of domain-aliases (at least if they have the same webroot), webmail subdomain, smtp, imap and the plesk-panel (ordered descending by importance)

flipme commented 7 years ago

The Plesk Panel is already working with it, for some time now. But webmail still isn’t, which is a bummer.

Securing the mail service already works with some manual setup. It would be all so great if that could happen by a mouseclick, at least on a per-host basis, when the hostname matches the mailserver domain name it would be quite easy.

On 17/08/2016, at 15:13, BastianBalthasarBux notifications@github.com wrote:

+1 for including the securing of domain-aliases (at least if they have the same webroot), webmail subdomain, smtp, imap and the plesk-panel (ordered descending by importance)

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/plesk/letsencrypt-plesk/issues/19#issuecomment-240406590, or mute the thread https://github.com/notifications/unsubscribe-auth/AGNwe678seFRxp0RBpgJ4eFvd9KqmZ5Sks5qgwkJgaJpZM4GvdJi.

salvis commented 7 years ago

+1

rvdb commented 7 years ago

+1

mintalicious commented 7 years ago

+1 !

tokp commented 7 years ago

+1

Ogy commented 7 years ago

+1

BastianBalthasarBux commented 7 years ago

@flipme I know this works with manual action, also securing Plesk. But securing mail on a 'per host basis' isn't satisfying. Customers want to use their own domain name to connect to their mail server. Also, even if it just doesn't matter, it is unsexy for them to have something like 'server15.hosting-company.xyz' as imap/smtp ... (and additionally I do not like it either; what if I have to move a customer from server a to server b??)

bitfabrikken commented 7 years ago

+1

mpscy commented 7 years ago

+1 !

pizzi80 commented 7 years ago

+1

solucionesuno commented 7 years ago

+1

CoskunSunali commented 7 years ago

COhsrt opened this issue on Dec 5, 2015 Assignees: No one assigned Milestone: No milestone

It looks like this feature will hopefully be implemented in 2050.

That being said, I wonder what is the sense of putting this project on GitHub if you (Plesk) are not even going to listen to people's requests/feedback.

Ogy commented 7 years ago

+1

freezy23 commented 7 years ago

+1