Google thinks my certificate is self signed - Plesk

#1

Hello

First off, please forgive the lack of details here. I can’t share the domain this query is about, as it belongs to a customer who wants to stay anonymous.

I use the Plesk control panel and am using the Let's Encrypt Plesk addon to enable https on a few of the domains in my hosting account.

Most of my domains secure very easily using the addon, without a problem.

I just added a Let's Encrypt certificate to 1 domain and received the following message from Google:

Self-signed SSL/TLS certificate for https://mycustomersdomain.com
To: Webmaster of https://mycustomersdomain.com

Google has detected that the SSL/TLS certificate used on https://mycustomersdomain.com is self-signed, which means that it was issued by your server rather than by a Certificate Authority. Because only Certificate Authorities are considered trusted sources for SSL/TLS certificates, your certificate cannot be trusted by most of the browsers. In addition, a self-signed certificate means that your content is not authenticated, it can be modified, and your user’s data or browsing behaviour can be intercepted by a third party. As a result, many web browsers will block users by displaying a security warning message when your site is accessed. This is done to protect users’ browsing behaviour from being intercepted by a third party, which can happen on sites that are not secure.

The domain is 1 of 5 subdomains of the parent domain.

The first thing I did, following receiving this email, was to restore the default Plesk certificate to the domain, then set up a new Let's Encrypt certificate on the same domain.

My question is this: How can I see if Google is happy with the new certificate?

Many thanks in advance for any help.

D

#2

Google performs this check without using Server Name Indication (SNI). Without SNI, you can only use one certificate per IP address. In your case, the certificate that Plesk uses when no SNI extension is present is a self-signed one.

If you do not care about clients (browsers) without SNI support (see this list for details), you can ignore this message. Generally speaking, all modern browsers and operating systems support SNI.

Otherwise, you would have to either:

  • get one IP address per certificate that you use, and configure
  • or get a certificate that covers all domain names you use behind the same IP address. Let’s Encrypt allows you to put up to 100 domains in a certificate.

In my experience, this tends to get very complex (and is often not officially supported) when using a control panel like Plesk, so unless you know you have a lot of users who use something like Internet Explorer on Windows XP, my advice would be to not bother and leave things as they are.

(Note: You missed one occurrence of the real domain in the error body.)

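An added example, not part of the thread: a way to see which certificate a server hands out with and without the SNI extension, the difference reply #2 describes. It uses only Python's standard `ssl` module; the function names and the verdict strings are choices made for this example.

```python
import socket
import ssl
import sys

# OpenSSL verify codes: 18 = self-signed leaf, 19 = self-signed certificate in chain
SELF_SIGNED_CODES = {18, 19}

def name_matches(host, sans):
    """True if host matches a DNS SAN, allowing one left-most wildcard label."""
    host = host.lower()
    for san in (s.lower() for s in sans):
        if san == host:
            return True
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False

def probe(host, port=443, send_sni=True, timeout=10):
    """Handshake with or without SNI; return (verify_code, dns_sans)."""
    ctx = ssl.create_default_context()   # chain is still verified against system CAs
    ctx.check_hostname = False           # names are compared by name_matches() instead
    with socket.create_connection((host, port), timeout=timeout) as raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host if send_sni else None) as tls:
                cert = tls.getpeercert()
        except ssl.SSLCertVerificationError as exc:
            return exc.verify_code, []
    return 0, [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def verdict(host, result):
    code, sans = result
    if code in SELF_SIGNED_CODES:
        return "self-signed"
    if code != 0:
        return "untrusted"
    return "ok" if name_matches(host, sans) else "wrong-name"

def compare(host, with_sni, without_sni):
    """Summarise what SNI-capable and SNI-less clients are served."""
    a, b = verdict(host, with_sni), verdict(host, without_sni)
    if a == "ok" and b != "ok":
        return f"SNI vhost certificate is fine; default (no-SNI) certificate is {b}"
    if a == "ok":
        return "both certificates are fine"
    return f"certificate served with SNI is {a}"

if __name__ == "__main__":
    print(compare(sys.argv[1], probe(sys.argv[1]), probe(sys.argv[1], send_sni=False)))
```

Run it with the hostname as the only argument; a server in the state described in reply #2 reports a valid SNI certificate and a self-signed default one.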
#3

Ah great, thank you for the reply.

I am only using 6 or 7 domains per IP Address. This is the only occurrence of Google grumbling at me.

Yup, I spotted that occurrence just now too :)

You’ve made things much clearer for me.

Many thanks again :)

D
