plesk / letsencrypt-plesk

Let’s Encrypt extension for Plesk gives all Plesk users the power to get a free Let’s Encrypt certificate with just a couple of clicks.
https://www.plesk.com/extensions/letsencrypt/

SAN support #19

Open COhsrt opened 8 years ago

COhsrt commented 8 years ago

As we have a few subdomain (irc.domain.com, mail.domain.com etc) it would be neat to implement adding those subdomains to a normal domain's certificate.

jarne commented 7 years ago

+1

alexzimmer96 commented 7 years ago

+1

kitoban commented 7 years ago

+1

ghost commented 7 years ago

+1

jicao commented 7 years ago

+1

johnny-bit commented 7 years ago

+1

rkosolapov commented 7 years ago

Let’s Encrypt 2.0.0 extension with Domain Aliases support is now available.

https://ext.plesk.com/packages/f6847e61-33a7-4104-8dc9-d26a0183a8dd-letsencrypt

We would love to hear your feedback on our forum at http://talk.plesk.com. We’d like to thank everyone who commented on this request and provided invaluable feedback. Thanks!

StoneISStephan commented 7 years ago

This is very good news! Thanks for updating us here.

mathiasbynens commented 7 years ago

The UI from the screenshot does not seem to be available unless it’s a new LE activation:

Is it possible to add a domain alias to a site that was already using Let’s Encrypt through this extension?

StoneISStephan commented 7 years ago

@mathiasbynens I can confirm this to be the case, you can even remove domain aliases from the list / certificate if you don't need them anymore. Just tried this, and you can add/remove at any time.

Very modular, I'm a happy camper 👍

jicao commented 7 years ago

Can't get it to work... Just installed the new version on Onyx and it's not showing... Anyone ?

DavidAkroyd commented 7 years ago

In order to view the full box with aliases, you must already have an alias configured for this domain. If your domain is standalone you will not view the full box, only the normal one.

jicao commented 7 years ago

> In order to view the full box with aliases, you must already have an alias configured for this domain. If your domain is standalone you will not view the full box, only the normal one

No this is not correct, I get a domain with a subdomain and both of them don't have a LE cert :(

Ogy commented 7 years ago

Wow, thanks for your work. BTW, when will support for webmail, IMAP and so on be available?

DavidAkroyd commented 7 years ago

I get this (LE upgraded from 1.9 on Onyx, to 2.0 on Onyx).

Without domain alias on domain:

capture1

With domain aliases on domain:

capture2

@jicao - what does yours look like?

BastianBalthasarBux commented 7 years ago

There is a problem with adding domain aliases which are not working with the www subdomain, e.g. extranet.acme.com. Let's Encrypt then tries to resolve www.extranet.acme.com, which leads to an error. ATM I can see no way via the GUI to prevent the www. prefix for (sub-)domains.

jicao commented 7 years ago

@DavidAkroyd look : le le2

This is a domain and the subdomain

Plesk Onyx Version 17.0.17

DavidAkroyd commented 7 years ago

@jicao For me, I receive the option on any domain which has an alias where the Web Service option is enabled on the alias. This is shown by the Lets Encrypt option appearing on the Domain Alias page when web service is ticked.

num3 num4

What does your Domain Alias page do when you tick the Web Service option?

jicao commented 7 years ago

I think I'm wrong... This is for Aliases and I was talking about subdomain...

DavidAkroyd commented 7 years ago

@jicao Yes, this is only support for SAN (as per the title of the request). At the moment, this only allows you to add aliases, since all the addresses on the certificate must resolve to the same directory, as per Xgin's response Jan 2016:

> yep, every alternative name should be validated. For example, you want a certificate for example.com, sub.example.com, alternative.com
>
> 1. The certificate request is created and is sent to Lets Encrypt CA
> 2. It asks to create a validation file abcdef with content qwerty
> 3. After the file is created it should be available on every URL:
>    - http://example.com/.well-known/acme-challenge/abcdef
>    - http://sub.example.com/.well-known/acme-challenge/abcdef
>    - http://alternative.com/.well-known/acme-challenge/abcdef

Therefore you can make a single certificate currently for:

This is done by allowing a Subject Alternative Name (SAN) that includes aliases as opposed to just www. as per v1.1

However, you can not create a single certificate for:

Hopefully it is still coming that either we will be able to generate separate certificates for sub-domains like webmail.domain.com, or to generate them as SANs, so that they can be used for the whole domain.

Hope this helps.
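Added example, not part of the original thread or of the extension's code: a pre-flight check for the validation rule quoted above, which reports every name in a planned SAN list that does not serve the challenge file, including an automatically added www. name that does not resolve. The helper names, the stand-in fetcher and the sample data are assumptions constructed for illustration; the token `abcdef` and content `qwerty` are the placeholders used in the quote.

```python
"""Pre-flight check for HTTP-01 validation of a multi-name (SAN) request."""
import urllib.request

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def http_fetch(url, timeout=10):
    """Default fetcher: plain HTTP GET, returns the body as text."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def preflight(names, token, expected, fetch=http_fetch):
    """Return {name: problem} for each name that would fail; {} means all pass."""
    problems = {}
    for name in names:
        url = "http://" + name + CHALLENGE_PATH + token
        try:
            body = fetch(url).strip()
        except Exception as exc:  # DNS failure, refused connection, 404, timeout
            problems[name] = "unreachable: %s" % exc
            continue
        if body != expected:
            problems[name] = "wrong content (different document root?)"
    return problems


# Constructed sample, no network: three names share one document root and
# serve the file, webmail is answered by another vhost, and the automatically
# added www. name of a subdomain has no DNS record at all.
SAMPLE_SITES = {"http://" + n + CHALLENGE_PATH + "abcdef": "qwerty\n"
                for n in ("example.com", "sub.example.com", "alternative.com")}
SAMPLE_SITES["http://webmail.example.com" + CHALLENGE_PATH + "abcdef"] = "<html>"
SAMPLE_NAMES = ["example.com", "sub.example.com", "alternative.com",
                "webmail.example.com", "www.extranet.acme.com"]


def sample_fetch(url):
    """Stand-in fetcher for the constructed sample."""
    if url not in SAMPLE_SITES:
        raise OSError("name does not resolve")
    return SAMPLE_SITES[url]


if __name__ == "__main__":
    for name, why in preflight(SAMPLE_NAMES, "abcdef", "qwerty", sample_fetch).items():
        print(name, "->", why)
```

Called without the `fetch` argument, `preflight` performs real HTTP requests, so a test file has to be placed in the shared challenge directory first.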

amavarick commented 7 years ago

DavidAkroyd, thank you for the detailed explanation.

Question: could I create an alias for imap to point to the server for mail clients to use the certificate? What settings would I select for the alias options in Plesk Onyx?

Kovah commented 7 years ago

I see that it's not possible to request a certificate for my main domain and a set of subdomains as of DavidAkroyd's post.

However, I think there is an issue with the plugin. At the moment I can only request certs for maindomain.com but not for any of the subdomains because I am given the renew option only.

After requesting a cert for the main domain everything works as expected and the cert is valid for maindomain.com and www.maindomain.com. But if I want to request a new certificate for a subdomain, say example.maindomain.com, the plugin only shows me the option to renew the cert for maindomain.com even if the subdomain is not even part of the cert. I can also select the cert for the subdomain, it is shown as example.maindomain.com but opening the sub in a browser gives me a bad domain error for the cert. Sure, because it's not valid for the subdomain.

I still have an older, working cert I can use, but this should be fixed as soon as possible. Might be just a false mapping of the cert for the subdomains?

shoopdawoop commented 7 years ago

Similar issue here: I used to be able to create a certificate for a Plesk 17.5.x server's main domain including several alternative names and use this certificate for the mail services. At least this still worked last time I updated this certificate roughly 3 months ago. With this workaround I could secure the mail. subdomain for all the domains I am hosting. I did this by running the command:

plesk bin extension --exec letsencrypt cli.php -d myserversdomain.com -d mail.domain1.com -d mail.domain2.com --email blah@blah.com --expand

Now this no longer works. All I am getting now is the certificate for myserversdomain.com without any of the additional mail.domain1.com in it.

I tried using

plesk bin extension --exec letsencrypt renew.php -d myserversdomain.com -d mail.domain1.com -d mail.domain2.com --email blah@blah.com --expand

but that did not work either.

So... is there a current workaround to get the alternative (sub)domains included back in the server's "main" certificate? I tried deleting all the mail. subdomains and starting over from scratch but all I am getting now is a bunch of extra errors from the LE plugin.

Thanks for any ideas on how to fix this.
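Added example, not part of the original thread or of the extension's code: a check that compares the names requested with `-d` against the Subject Alternative Name entries of the certificate that was actually issued, which makes both symptoms reported above (a certificate assigned to a subdomain it does not cover, and requested mail. names missing after renewal) visible before a client sees a name-mismatch error. It parses the text printed by `openssl x509 -noout -text`; the function names and the sample output are assumptions constructed for illustration.

```python
"""Check which requested hostnames an issued certificate actually covers."""
import re


def parse_sans(openssl_text):
    """Extract DNS names from `openssl x509 -noout -text` output."""
    match = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)",
                      openssl_text)
    if not match:
        return []
    entries = [e.strip() for e in match.group(1).split(",")]
    return [e[4:].lower() for e in entries if e.startswith("DNS:")]


def covers(san, host):
    """True if one SAN entry matches host; '*' stands for one leftmost label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == san[2:]
    return san == host


def uncovered(requested, sans):
    """Return the requested names that no SAN entry covers."""
    return [h for h in requested if not any(covers(s, h) for s in sans)]


# Constructed sample of the SAN section printed by `openssl x509 -noout -text`.
SAMPLE_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:myserversdomain.com, DNS:www.myserversdomain.com
            X509v3 Key Usage: critical
"""

if __name__ == "__main__":
    wanted = ["myserversdomain.com", "mail.domain1.com", "mail.domain2.com"]
    missing = uncovered(wanted, parse_sans(SAMPLE_CERT_TEXT))
    print("missing from certificate:", missing)
```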