PLESK 17 (ONYX) + LetsEncrypt | Where are my PEMs?


#1

Hello Everyone!

I have an installation of PLESK 17 on AWS EC2 and am using DOVECOT.

I want to use this service’s certificates to secure POP/SMTP and found articles on how to achieve this.

Some sources:



+some more.

They all mention PEM files that ‘should’ be located here:
/usr/local/psa/var/modules/letsencrypt/etc/live/[domain.tld]

I do have some domains in there but not the one I am looking for. The ones there belong to domains for which we requested SSL certificates from LetsEncrypt before the server was upgraded to PLESK 17 (ONYX) (previous version: PLESK 12.5) - so the issue may be related and specific to PLESK 17 (ONYX).

After some looking around I located the “certs” for the desired domain here:

/usr/local/psa/var/certificates/ with names like “cert-[7-random-characters]”

Inside that file I can see all the different components/PEM files needed to allow for the setup described in the sources above.

These files seem to change names each time a certificate is deleted/renewed/etc, so I cannot(?) automate looking for the right file, extracting each component and placing them in:

/usr/local/psa/var/modules/letsencrypt/etc/live/[domain.tld] - I would like to take advantage of the auto-renewal process, so that each time the Plesk plugin gets a new certificate, DOVECOT will always have access to the latest PEM files in distinct files to match the DOVECOT syntax requirements.

If I do this myself I may cause problems(?). In the future LetsEncrypt might want to write to those locations – so I would need(?) to create my own custom location for ‘my’ PEM files which in turn makes maintenance more complex.

So… where are the missing PEM files? Why is Let’s Encrypt not saving the PEM files to their correct location, or is Plesk hijacking the creation of these files and putting them in this other location? How can I reliably + programmatically reach the correct “cert-[7-random-characters]” file?

Am I missing something?


#2

Hi @oweux

Review: Latest LE Extension, Plesk and OCSP

I would contact Plesk about this as they have changed their plugin. Their code is obfuscated so it’s hard to understand what the logic is (i.e. where they put certificates, if anywhere).

Andrei


#3

Thank you for your answer.

Seems like they land here:

/usr/local/psa/var/certificates/cert-[7-random-characters]

Do you think there is a way to anticipate/retrieve those 7 characters? There has to be a record somewhere so that Plesk knows what CERT to serve for each domain. Maybe I can read that value and automate that way.


#4

Hi @oweux

Good finding!

I deleted my plesk instance as I was running a trial

What I would evaluate

A) Is it related to the domain (I believe each domain in Plesk has a unique ID)
B) Is it related to thumbprints or serials of the certificate in any way
C) The fact that the name convention uses cert-XXXXX makes me suspicious that it is a certificate property

You can use certificate transparency (crt.sh) as a way of finding thumbprints and serials of the latest certificate and point your script that way

As I said, I have some time at the weekend in which I will explore this.

Andrei


#5

Bivas Mandal (Plesk Support)

Apr 5, 23:03 +07

Dear Customer,

Thank you for the reply.

I completely understood your concern, but I am extremely sorry that you cannot get the correct certificate file path.

The filename will change in each renewal cycle.

As of now there is no possible way to do OCSP stapling for Let’s Encrypt.

Please let me know if there is any other issue I can help you with.

Regards,
Bivas Mandal
Technical Support Engineer
Plesk


#7

You could also try parsing the content of the certificates using openssl x509, although the output format isn’t all that machine-readable.
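Building on that suggestion, here is an added example (not code from the thread or from Plesk) that answers the question from #1 and #3 without guessing the 7 random characters: it asks each combined cert-XXXXXXX file whether its certificate covers the hostname, keeps the newest match, and splits it into the separate PEM files Dovecot wants. It assumes openssl on PATH and GNU date; the directory argument and the hostname in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or Plesk. Locate the right combined PEM
# by asking openssl which file covers the hostname, then split it.
# Assumes openssl on PATH and GNU date (for date -d).

# Print the newest combined PEM in directory $2 whose certificate is valid
# for hostname $1 ($2 defaults to Plesk's certificate store).
find_cert_for_host() {
    host=$1; dir=${2:-/usr/local/psa/var/certificates}
    best=""; best_exp=0
    for f in "$dir"/cert-*; do
        [ -f "$f" ] || continue
        # -checkhost prints "... does match certificate" when a SAN (or the
        # CN, if there is no SAN) covers $host; non-matching files are skipped.
        openssl x509 -in "$f" -noout -checkhost "$host" 2>/dev/null \
            | grep -q 'does match' || continue
        # Prefer the certificate that expires last, i.e. the latest renewal.
        exp=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
        exp_s=$(date -d "$exp" +%s 2>/dev/null || echo 0)
        if [ -z "$best" ] || [ "$exp_s" -gt "$best_exp" ]; then
            best=$f; best_exp=$exp_s
        fi
    done
    [ -n "$best" ] && printf '%s\n' "$best"
}

# Split combined PEM $1 into privkey.pem, cert.pem, chain.pem and
# fullchain.pem under directory $2 (same layout as letsencrypt/etc/live).
split_pem() {
    src=$1; out=$2
    mkdir -p "$out"
    # Private key block: PKCS#8 ("PRIVATE KEY") or legacy RSA/EC headers.
    awk '/-----BEGIN (RSA |EC )?PRIVATE KEY-----/,/-----END (RSA |EC )?PRIVATE KEY-----/' \
        "$src" > "$out/privkey.pem"
    # The first certificate block is the leaf; any following blocks are the chain.
    awk '/-----BEGIN CERTIFICATE-----/ {n++} n == 1' "$src" > "$out/cert.pem"
    awk '/-----BEGIN CERTIFICATE-----/ {n++} n >= 2' "$src" > "$out/chain.pem"
    cat "$out/cert.pem" "$out/chain.pem" > "$out/fullchain.pem"
    # Only the key is secret; keep it owner-readable only.
    chmod 600 "$out/privkey.pem"
}

# Usage on the server (hostname and output directory are placeholders):
#   f=$(find_cert_for_host mail.example.test) \
#       && split_pem "$f" /etc/dovecot/ssl/mail.example.test
```

Run it from a renewal hook or a cron job so the split files track each new certificate without you having to know the random filename.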


#8

Great news, Let’s Encrypt updated their extension to RE-ADD this location. Update to LE Extension 2.0.2 Release 29 and then RENEW your certificates. New certificates will be populated there.


#9

I guess you mean “Plesk” instead of “Let’s Encrypt” here?

Thanks for following up on this issue and letting people here know about this.


#10

Tested and Confirmed.

After upgrading the LE Extension (to 2.0.2) and renewing the LetsEncrypt SSL certificate, the PEM files have been created as expected under:

/usr/local/psa/var/modules/letsencrypt/etc/live/[domain.tld]

Thanks to everyone who commented and added to the discussion.


#11

I am unable to reference the files from within Plesk Nginx Additional Directives… If I stop the nginx service and attempt to restart, it won’t allow the restart due to permissions error. If I comment out the entry with the directory location, then nginx service will restart without error.

Here are the permissions assigned to the certificates… very broad???

-rw-r--r--. 1 psaadm psaadm 423 Apr 6 10:36 README
lrwxrwxrwx. 1 psaadm psaadm 42 Apr 6 10:36 privkey.pem -> ../../archive/domain.tld/privkey1.pem
lrwxrwxrwx. 1 psaadm psaadm 44 Apr 6 10:36 fullchain.pem -> ../../archive/domain.tld/fullchain1.pem
lrwxrwxrwx. 1 psaadm psaadm 40 Apr 6 10:36 chain.pem -> ../../archive/domain.tld/chain1.pem
lrwxrwxrwx. 1 psaadm psaadm 39 Apr 6 10:36 cert.pem -> ../../archive/domain.tld/cert1.pem

Here is an example error in the log:

2017/04/06 11:16:24 [emerg] 9790#0: SSL_CTX_load_verify_locations("/usr/local/psa/var/modules/letsencrypt/etc/live/mydomain.tld/chain.pem") failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/usr/local/psa/var/modules/letsencrypt/etc/live/mydomain.tld/chain.pem','r') error:2006D002:BIO routines:BIO_new_file:system lib error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib)

Commands I added under nginx additional directives:

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /usr/local/psa/var/modules/letsencrypt/etc/live/baptisthosting.net/chain.pem;


#12

Those are symlinks, which are always displayed as lrwxrwxrwx. The underlying permissions would be the permissions on the files they link to (in archive).
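To make that concrete, here is an added example (not code from the thread) that resolves a symlinked PEM the way #12 describes and reports the real file plus every directory above it, so the component that blocks nginx's worker user is visible instead of the misleading lrwxrwxrwx. It assumes GNU coreutils (readlink -f, stat -c) and checks the "other" bits, which is what a daemon outside the psaadm group gets.

```shell
#!/bin/sh
# Added example, not from the thread. A symlink always shows lrwxrwxrwx, so
# the permissions that matter are those of the resolved target and of every
# directory on the way to it. Assumes GNU coreutils (readlink -f, stat -c).

# Print "<octal mode> <owner>:<group> <path>" for the resolved target and
# each ancestor directory, like namei -l, so the blocking component stands out.
walk_path() {
    p=$(readlink -f "$1") || return 1
    while :; do
        stat -c '%a %U:%G %n' "$p"
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
}

# Exit 0 when "other" can read the resolved file and search every ancestor,
# which is what nginx's worker gets when its user is not in the owning group;
# otherwise print the first blocking component and exit 1.
other_can_open() {
    real=$(readlink -f "$1") || return 1
    mode=$(stat -c %a "$real"); other=${mode#"${mode%?}"}   # last octal digit
    [ $((other & 4)) -ne 0 ] || { echo "no o+r on $real"; return 1; }
    p=$(dirname "$real")
    while :; do
        mode=$(stat -c %a "$p"); other=${mode#"${mode%?}"}
        [ $((other & 1)) -ne 0 ] || { echo "no o+x on $p"; return 1; }
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    echo "ok: $real"
}

# Usage (path is a placeholder for the chain.pem referenced in the directive):
#   walk_path /usr/local/psa/var/modules/letsencrypt/etc/live/domain.tld/chain.pem
#   other_can_open /usr/local/psa/var/modules/letsencrypt/etc/live/domain.tld/chain.pem
```

Whatever component it names is the one whose mode (or ownership) has to change for nginx to read the chain; the symlinks themselves never need touching.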


#13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.