I have an installation of PLESK17 on AWS EC2 and using DOVECOT
I want to use this service's certificates to secure POP/SMTP and found articles on how to achieve this.
Some sources:
+some more.
They all mention PEM files that 'should' be located here:
/usr/local/psa/var/modules/letsencrypt/etc/live/[domain.tld]
I do have some domains in there but not the one I am looking for. The ones there belong to domains for which we requested SSL Certificates from LetsEncrypt before the server was upgraded to PLESK 17 (ONYX) (previous version: PLESK 12.5), so the issue may be related and specific to PLESK 17 (ONYX).
After some looking around I located the "certs" for the desired domain here:
/usr/local/psa/var/certificates/ with names like "cert-[7-random-characters]"
Inside that file I can see all the different components/PEM files needed to allow for the setup described in the sources above.
These files seem to change names each time a certificate is deleted/renewed/etc., so I cannot(?) automate looking for the right file, extracting each component and placing them on:
/usr/local/psa/var/modules/letsencrypt/etc/live/[domain.tld] - I would like to take advantage of the auto-renewal process, so that each time the Plesk plugin gets a new certificate, DOVECOT will always have access to the latest PEM files in distinct files, matching the DOVECOT syntax requirements.
If I do this myself I may cause problems(?). In the future LetsEncrypt might want to write to those locations -- so I would need(?) to create my own custom location for 'my' PEM files which in turn makes maintenance more complex.
So... where are the missing PEM files? Why is Let's Encrypt not saving the PEM files to their correct location, or is Plesk hijacking the creation of these files and putting them in this other location? How can I reliably + programmatically reach the correct "cert-[7-random-characters]" file?
I would contact plesk about this as they have changed their plugin. Their code is obfuscated so it’s hard to understand what the logic is (i.e. where they put certificates if anywhere)
Do you think there is a way to anticipate/retrieve those 7 characters? There has to be a record somewhere so that Plesk knows what CERT to serve for each domain. Maybe I can read that value and automate that way.
I deleted my plesk instance as I was running a trial
What I would evaluate
A) Is it related to the domain (I believe each domain in Plesk has a unique ID)
B) Is it related to thumbprints or serials of the certificate in any way
C) The fact that the name convention uses cert-XXXXX makes me suspicious that it is a certificate property
You can use certificate transparency (crt.sh) as a way of finding thumbprints and serials of the latest certificate and point your script that way
As I said, I have some time over the weekend in which I will explore this.
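One way to do what the question asks (find the right "cert-XXXXXXX" file programmatically and hand Dovecot separate key and certificate files) without depending on the random file name: read every bundle in the Plesk directory, ask the certificate itself which names it covers, and keep the one with the latest expiry. This is an added example, not code from the thread, from Plesk or from the Let's Encrypt extension. It assumes the cert-* files are concatenated PEM (private key, leaf certificate, intermediates) as the poster describes, that the openssl binary is on PATH, and it picks its own output directory (/etc/dovecot/ssl) and file names; the sample bundle and openssl text at the bottom are constructed placeholders for exercising the parsers, not real key material.

```python
"""Find the Plesk-stored certificate bundle that covers a domain and split it
into the separate key/cert files Dovecot reads. Added example; see lead-in
for the assumptions (PEM bundle layout, openssl on PATH, output paths)."""
import re
import subprocess
import sys
from datetime import datetime
from pathlib import Path

CERT_DIR = Path("/usr/local/psa/var/certificates")  # location quoted in the thread
OUT_DIR = Path("/etc/dovecot/ssl")                   # assumed; choose your own path

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?-----END \1-----", re.S)


def split_bundle(text):
    """Return (key, leaf, chain) PEM strings from a concatenated bundle.
    The first CERTIFICATE block is taken as the server (leaf) certificate,
    any further ones as the intermediate chain, in the order they appear."""
    key, certs = None, []
    for m in PEM_BLOCK.finditer(text):
        block = m.group(0).rstrip("\n") + "\n"
        if m.group(1).endswith("PRIVATE KEY"):
            key = block
        elif m.group(1) == "CERTIFICATE":
            certs.append(block)
    if key is None or not certs:
        raise ValueError("bundle has no private key or no certificate")
    return key, certs[0], "".join(certs[1:])


def parse_x509_text(text):
    """Extract (set of DNS names incl. subject CN, notAfter datetime) from the
    output of `openssl x509 -noout -text`."""
    names = set(re.findall(r"DNS:([^\s,]+)", text))
    cn = re.search(r"Subject:[^\n]*?CN\s*=\s*([^,/\n]+)", text)
    if cn:
        names.add(cn.group(1).strip())
    not_after = re.search(r"Not After\s*:\s*(.+)", text).group(1).strip()
    expiry = datetime.strptime(not_after.replace(" GMT", ""), "%b %d %H:%M:%S %Y")
    return names, expiry


def x509_text(leaf_pem):
    """Run openssl (assumed installed) on one certificate and return its text dump."""
    return subprocess.run(["openssl", "x509", "-noout", "-text"], input=leaf_pem,
                          capture_output=True, text=True, check=True).stdout


def name_matches(domain, names):
    """True on an exact SAN/CN match or a single-label wildcard match
    (*.example.com covers mail.example.com but not a.b.example.com)."""
    domain = domain.lower().rstrip(".")
    for n in names:
        n = n.lower().rstrip(".")
        if n == domain:
            return True
        if n.startswith("*.") and "." in domain and domain.split(".", 1)[1] == n[2:]:
            return True
    return False


def find_bundle(domain, cert_dir=CERT_DIR):
    """Path of the bundle with the latest expiry whose leaf covers `domain`, or None.
    Files that are not PEM bundles, or that openssl rejects, are skipped rather
    than fatal: the directory belongs to Plesk and is only read here."""
    best = None
    for path in sorted(cert_dir.glob("cert-*")):
        try:
            _, leaf, _ = split_bundle(path.read_text())
            names, expiry = parse_x509_text(x509_text(leaf))
        except (ValueError, UnicodeDecodeError, subprocess.CalledProcessError, AttributeError):
            continue
        if name_matches(domain, names) and (best is None or expiry > best[0]):
            best = (expiry, path)
    return best[1] if best else None


def export_for_dovecot(domain, cert_dir=CERT_DIR, out_dir=OUT_DIR):
    """Write key.pem (mode 0600) and cert.pem (leaf followed by the chain, the
    form Dovecot's ssl_cert expects) into out_dir; returns the bundle used."""
    bundle = find_bundle(domain, cert_dir)
    if bundle is None:
        raise FileNotFoundError(f"no bundle under {cert_dir} covers {domain}")
    key, leaf, chain = split_bundle(bundle.read_text())
    out_dir.mkdir(parents=True, exist_ok=True)
    key_path = out_dir / "key.pem"
    key_path.touch(mode=0o600)       # create restrictive, then tighten if it already existed
    key_path.chmod(0o600)
    key_path.write_text(key)
    (out_dir / "cert.pem").write_text(leaf + chain)
    return bundle


# Constructed sample inputs (placeholder bodies, not real key material) for
# exercising the pure parsing functions without touching a server.
SAMPLE_BUNDLE = (
    "-----BEGIN PRIVATE KEY-----\nKEYDATA\n-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nINTERMEDIATE\n-----END CERTIFICATE-----"
)
SAMPLE_X509_TEXT = """\
        Validity
            Not Before: Jan  1 00:00:00 2024 GMT
            Not After : Mar 31 23:59:59 2024 GMT
        Subject: CN = mail.example.com
            X509v3 Subject Alternative Name:
                DNS:mail.example.com, DNS:example.com
"""

if __name__ == "__main__":
    # usage: python3 plesk_cert_export.py mail.example.com  (run from a renewal hook or cron)
    print("bundle used:", export_for_dovecot(sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"))
    # dovecot.conf then points at the stable paths:
    #   ssl_cert = </etc/dovecot/ssl/cert.pem
    #   ssl_key  = </etc/dovecot/ssl/key.pem
```

Because the script selects by the names inside the certificate and by expiry rather than by file name, it keeps working when Plesk renames the bundle on renewal; the written files sit outside Plesk's directories, so nothing Plesk or the extension writes later collides with them, and Dovecot only needs a reload after each run.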
Great news, Let's Encrypt updated their extension to READD this location. Update to LE Extension 2.0.2 Release 29 and then RENEW your certificates. New certificates will be populated there.
I am unable to reference the files from within Plesk Nginx Additional Directives... If I stop the nginx service and attempt to restart, it won't allow the restart due to permissions error. If I comment out the entry with the directory location, then nginx service will restart without error.
Here are the permissions assigned to the certificates... very broad???
Those are symlinks, which are always displayed as lrwxrwxrwx. The underlying permissions would be the permissions on the files they link to (in archive).