Almost there with GoDaddy Plesk

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: Simplyquality.org

I ran this command: sudo certbot certonly --manual

It produced this output: privkey.pem and fullchain.pem

My web server is (include version): GoDaddy Plesk Windows

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:GoDaddy

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):Plesk

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I created the certificates, uploaded them (on the Plesk SSL page) and then went to the Hosting Websites & domains page. Selected the new certificate, and clicked on OK. The system responded with a long error message beginning with: Error: certmng failed: Can't create RSAPrivateKey at (CAPI32::RSAPrivateKey::RSAPrivateKey line 650) at Unable to execute console command: '--install-web-certificate'(vconsoleapp::start line 95)

I'm pretty sure I got this to work OK a few month back. GoDaddy will not help because it is a "third party problem" I will greatly appreciate any ideas on how to precede here. Thanks!

2 Likes

What's the output of certbot certificates?

4 Likes

certbot produced output: privkey.pem and fullchain.pem each of which has encrypted character strings with a header and footer. I copied and pasted them into the GoDaddy SSL creation form.

1 Like

Ok, ok. Please run this command:

certbot certificates

And tell us the output. :smiley:

4 Likes

Hi Leland :slightly_smiling_face:

I think maybe you've got the wrong idea about what you're trying to accomplish in Plesk. You're trying to install the cert you've acquired, not create another cert. Also, you could have just used CertSage to quickly acquire the cert rather than using certbot's manual mode, which is much slower and more error-prone.

3 Likes

If you are already correctly using the steps in the article that I linked, it's possible that the private key you are trying to install either has the wrong header line and/or internal format or is an ECDSA key, not an RSA key.

3 Likes

Thanks, I would love to use certsage, but have not been able to. I use it on my cpanel managed sites and it works well. The certsge developer said it does not work with Plesk, and I am unable to install the certbot extension into my (GoDaddy) managed Plesk site. Thanks!

3 Likes

I'm the developer of CertSage. :slightly_smiling_face:

If I recall now, you may have run into permissional problems with CertSage creating challenge files. :thinking:

The other advice I've mentioned above should still hold though.

4 Likes

Thanks for this. I did follow the steps as you described. Thanks! One difference I see is that the contents of the privkey.pem begins with -----BEGIN PRIVATE KEY----- rather than the -----BEGIN RSA PRIVATE KEY----- as shown in your example. Also, instructions from certbot said to use the fullchain.pem file, which contains 3 BEGIN / END pairs. I copied this into the Certificate (*.crt) field, not the CA field.

I appreciate your help. Thanks!

2 Likes
  • If your private key is an RSA key and not an ECDSA key, modify the header line of your private key in your privkey.pem file to be "BEGIN RSA PRIVATE KEY" then use the result as your private key in Plesk
  • Use the first certificate in your fullchain.pem file as your certificate in Plesk
  • Use the second certificate in your fullchain.pem file as your CA certificate in Plesk
  • Ignore the third certificate in your fullchain.pem file
  • Let me know how this goes :slightly_smiling_face:
4 Likes

If you'd just show us the output of:

We'd already know if that cert was RSA or ECDSA.
[mentioned in several posts]

4 Likes

Based on the recent LE certs issued, I'd say they are ECDSA - NOT RSA:
crt.sh | 11218042368
crt.sh | 11222592984

Translation: Square PEG > Round HOLE.

4 Likes

Thanks, but that failed.
I get the message:

Error: Unable to set the private key: Probably, the private key format is invalid.

When I try to upload the certificate (modified as you suggest).

2 Likes

Yes, thanks, I was pretty sure you were the Certsage developer. Thanks for your help with certsage on my other sites. If you ever get certsage working on Plesk, I will be very grateful.

3 Likes

sudo certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: simplyquality.org
Serial Number: 43502c818a3c05d12b22c62dee2c30daf6b
Key Type: ECDSA
Domains: simplyquality.org
Expiry Date: 2024-02-24 02:09:54+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/simplyquality.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/simplyquality.org/privkey.pem


1 Like

You already have a valid cert:
[there is no need to renew it]

It is NOT of type RSA:

You will have to review the Plesk certificate requirements more closely.
And, if it can't accept ECDSA type, you will have to replace that cert with one of RSA type.

3 Likes

Bingo!
It is now working.
Plesk requires RSA type, but the certbot default is now ECDSA type. I used the --key-type rsa flag to convert the certificate and it is now installed and working! (The certificate you saw earlier was on my Mac, not on the server, that is why it is still good)

Thanks so much for your help and patience!

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.