Renew certificate and use the old one


#1

Hello,

I use a Plesk Server with letsencryp Extension. This Extension renew the certificate each month instead of 90 days.

I also have a CDN on maxcdn where I have the possibility to add the certificate manually.

When my server renew the certificate, do I have immidiatly renew the certificate on my cdn or is it possible to have more certificates for one domain.

In short:

Can I have multiple certificates for the same domain and they’ll all remain valid as long as they haven’t expired or been revoked?

Thank you


#2

Hi @labu13

can you let us know what your domain name is this allows us to confirm that the behaviour you are describing is correct.

Ideally your CDN should cache whatever certificate your server is using. I am not aware of maxcdn but do you have to configure the SSL certificates? If so you should have a hook on the client you are using to upload the latest version.

The only issue I see with this particular setup is HTTP key pinning. If you have multiple certificates (one for CDN and for servers) you may lock clients out of your server (i.e. cdn delivers contents but web servers don’t, vice versa)

It’s probably worthwhile asking Plesk if you can change the behavior to 90 or 80 days.


#3

Hi,

thank you very much for your quick reply.

I am not aware of maxcdn but do you have to configure the SSL certificates? If so you should have a hook on the client you are using to upload the latest version.

I cant configure. I have the possibilty to add the certificate in a textarea. Maxcdn extract the expire Date and send a notification on that date. No more.

What I do is, I have a look at the cronjob from Plesk. Each Month on the 19th at 0 oclock the cronjob renew all certificates. On the next morning my PC send me a reminder to renew the certificate on maxcdn. I open winscp, go to /opt/psa/var/modules/letsencrypt/logs , open the logfiles, scroll to the bottom and copy and paste the Private Key, the cert and ca to maxcdn.

This is very complicated and when I can do this each 60 days instead of each 30 days its a big time improovment for me.

Do you see a faster way?

It would be great, when Plesk keep the 1 Month period and I change the certificate on maxcdn every 60 days. With this way, I have 2 certificates for the cdn Domain but aslong they both a valid its ok.

It’s probably worthwhile asking Plesk if you can change the behavior to 90 or 80 days

I already asked but its not recommend.

The only issue I see with this particular setup is HTTP key pinning. If you have multiple certificates (one for CDN and for servers) you may lock clients out of your server (i.e. cdn delivers contents but web servers don’t, vice versa)

Can you explain this for dummies again? Thank you very much.

can you let us know what your domain name is this allows us to confirm that the behaviour you are describing is correct.

I dont want to make my domain public. Sorry. I hope this is not a problem. Thanks for understanding.

Kind regards


#4

Unless you ask for them to be revoked, or some external cause results in Let’s Encrypt revoking them against your will (e.g. some bad guy posts your private keys saying “look what I stole” which forces Let’s Encrypt to revoke) the certificates can still be used despite a newer one already existing for the same name. Some people do this intentionally all the time for various reasons.


#5

What do you mean with “the same name”. Each certificate has a own name?

Thank you


#6

this is what i understand from the maxcdn site

https://www.maxcdn.com/features/ssl/

Unfortunately without domains I can’t assist further (i.e. confirm behaviours etc) so it’s up to you to troubleshoot :smiley:

Andrei


#7

looking at this further: https://www.maxcdn.com/one/tutorial/ssl-options/

is this the process you are using: https://www.maxcdn.com/one/tutorial/setup-sni/?

If so I notice MAXCDN have an API so potentially you can write a script to upload the latest version of the certificate to MAXCDN to ensure the certs on your web server and the certs on your CDN are the same

I see they have a SSL API https://docs.maxcdn.com/#ssl-certificate-api

The script to run would be -

Download current cert from MAXCDN
Compare Current Cert in MAXCDN to web server cert
If they are the same do nothing
If they are not the same upload new LetEncrypt Cert to Max CDN

The fact that plesk renews every 30 days works in your favour

As long as both certs are valid date wise you should not have any issues

I am not sure if the Plesk extension allows you to run hooks after wards

Andrei


#8

The certificate is for one or more Fully Qualified Domain Names, such as www.example.com and images.example.com. A certificate is basically a signed document saying that the Issuer (here Let’s Encrypt) promises that the Subject (e.g. www.example.com) has a private key which corresponds to the particular public key listed. The existence of two such documents at the same time doesn’t invalidate either of them.

So what you want to do is fine and should work, if it doesn’t you may need to share more information.


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.