Renew certificate and use the old one

Hello,

I use a Plesk server with the letsencrypt extension. This extension renews the certificate each month instead of every 90 days.

I also have a CDN on maxcdn where I have the possibility to add the certificate manually.

When my server renews the certificate, do I have to immediately renew the certificate on my CDN, or is it possible to have more certificates for one domain?

In short:

Can I have multiple certificates for the same domain and they’ll all remain valid as long as they haven’t expired or been revoked?

Thank you

Hi @labu13

Can you let us know what your domain name is? This allows us to confirm that the behaviour you are describing is correct.

Ideally your CDN should cache whatever certificate your server is using. I am not aware of maxcdn but do you have to configure the SSL certificates? If so you should have a hook on the client you are using to upload the latest version.

The only issue I see with this particular setup is HTTP key pinning. If you have multiple certificates (one for CDN and for servers) you may lock clients out of your server (i.e. cdn delivers contents but web servers don’t, vice versa)

It’s probably worthwhile asking Plesk if you can change the behavior to 90 or 80 days.

Hi,

thank you very much for your quick reply.

> I am not aware of maxcdn but do you have to configure the SSL certificates? If so you should have a hook on the client you are using to upload the latest version.

I can't configure. I have the possibility to add the certificate in a textarea. Maxcdn extracts the expiry date and sends a notification on that date. No more.

What I do is, I have a look at the cronjob from Plesk. Each month on the 19th at 0 o'clock the cronjob renews all certificates. The next morning my PC sends me a reminder to renew the certificate on maxcdn. I open WinSCP, go to /opt/psa/var/modules/letsencrypt/logs, open the logfiles, scroll to the bottom and copy and paste the private key, the cert and CA to maxcdn.

This is very complicated, and if I can do this every 60 days instead of every 30 days it's a big time improvement for me.

Do you see a faster way?

It would be great if Plesk keeps the 1-month period and I change the certificate on maxcdn every 60 days. This way, I have 2 certificates for the CDN domain, but as long as they are both valid it's OK.

> It's probably worthwhile asking Plesk if you can change the behavior to 90 or 80 days

I already asked, but it's not recommended.

> The only issue I see with this particular setup is HTTP key pinning. If you have multiple certificates (one for CDN and for servers) you may lock clients out of your server (i.e. cdn delivers contents but web servers don't, vice versa)

Can you explain this for dummies again? Thank you very much.

> can you let us know what your domain name is this allows us to confirm that the behaviour you are describing is correct.

I don't want to make my domain public. Sorry. I hope this is not a problem. Thanks for understanding.

Kind regards

Unless you ask for them to be revoked, or some external cause results in Let’s Encrypt revoking them against your will (e.g. some bad guy posts your private keys saying “look what I stole” which forces Let’s Encrypt to revoke) the certificates can still be used despite a newer one already existing for the same name. Some people do this intentionally all the time for various reasons.

What do you mean by "the same name"? Each certificate has its own name?

Thank you

This is what I understand from the maxcdn site.

Unfortunately without domains I can’t assist further (i.e. confirm behaviours etc) so it’s up to you to troubleshoot :smiley:

Andrei

looking at this further: https://www.maxcdn.com/one/tutorial/ssl-options/

is this the process you are using: https://www.maxcdn.com/one/tutorial/setup-sni/?

If so, I notice MAXCDN have an API, so potentially you can write a script to upload the latest version of the certificate to MAXCDN to ensure the certs on your web server and the certs on your CDN are the same.

I see they have a SSL API https://docs.maxcdn.com/#ssl-certificate-api

The script to run would be -

Download current cert from MAXCDN
Compare Current Cert in MAXCDN to web server cert
If they are the same do nothing
If they are not the same upload new Let's Encrypt Cert to Max CDN

The fact that plesk renews every 30 days works in your favour

As long as both certs are valid date wise you should not have any issues

I am not sure if the Plesk extension allows you to run hooks afterwards.

Andrei

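The comparison step of the script outlined above, as an added example that is not part of the original post: it compares certificates by the SHA-256 fingerprint of the leaf certificate's DER bytes, so different line wrapping or an appended chain does not trigger a needless upload. The function names and the sample byte strings are constructed for illustration; the upload call to the CDN's API is not shown.

```python
import base64
import hashlib
import re
import socket
import ssl

CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def leaf_fingerprint(pem_text):
    """SHA-256 over the DER bytes of the first certificate in a PEM bundle."""
    match = CERT_RE.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block in input")
    # Drop all whitespace so wrapping width and CRLF/LF do not matter.
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest()

def served_fingerprint(host, port=443, timeout=10):
    """Fingerprint of the certificate the CDN edge presents for `host` (uses SNI)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()

def needs_upload(server_pem, cdn_fingerprint):
    """True when the web server's current leaf differs from the one on the CDN."""
    return leaf_fingerprint(server_pem) != cdn_fingerprint

def make_pem(der, width=64, newline="\n"):
    """Wrap bytes as a PEM block; used only to build the constructed samples."""
    b64 = base64.b64encode(der).decode()
    body = [b64[i:i + width] for i in range(0, len(b64), width)]
    return newline.join(["-----BEGIN CERTIFICATE-----", *body,
                         "-----END CERTIFICATE-----", ""])

# Constructed stand-ins for DER bytes; these are not real certificates.
OLD_LEAF = bytes(range(200))
NEW_LEAF = bytes(range(1, 201))
INTERMEDIATE = b"\x30" * 120

if __name__ == "__main__":
    # The CDN copy is wrapped at 76 columns with CRLF; the server file is a bundle.
    on_cdn = leaf_fingerprint(make_pem(OLD_LEAF, 76, "\r\n"))
    print(needs_upload(make_pem(OLD_LEAF) + make_pem(INTERMEDIATE), on_cdn))
    print(needs_upload(make_pem(NEW_LEAF) + make_pem(INTERMEDIATE), on_cdn))
```

In a cron job, `served_fingerprint` would replace the constructed CDN sample, and the server-side PEM would be read from wherever the renewal client writes the certificate.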

The certificate is for one or more Fully Qualified Domain Names, such as www.example.com and images.example.com. A certificate is basically a signed document saying that the Issuer (here Let's Encrypt) promises that the Subject (e.g. www.example.com) has a private key which corresponds to the particular public key listed. The existence of two such documents at the same time doesn't invalidate either of them.

So what you want to do is fine and should work; if it doesn't, you may need to share more information.
