SSL for plesk shared domain with site on private VPS (cyberpanel)

Hi, I'd like to buy a certificate for a domain (*gustigiusti*dot it) which is registered with a provider (name PROV1).
The nameservers of the domain connect the domain to a shared hosting service (SHAREHOST1) for using webmail and other light services - and the PLESK panel is used.
In the SHAREHOST1 DNS settings I have the A record for the website pointing to a private VPS (VPSHOST1) IP address, and that VPS is a Linux box set up with Ubuntu 20.04 LTS and CyberPanel.

I have no problems issuing free Let's Encrypt certs on the VPSHOST1 CyberPanel and the website is secured - no problem there.
I have issues with mail and third-level domains as they are on the SHAREHOST1 service, and Let's Encrypt issuance fails on SHAREHOST1 as ACME cannot issue SSL for the domain because the top-level domain is on the VPSHOST1 service.

Is it possible to configure Let's Encrypt (free or paid?) manually and install the SSL certificates on the PLESK service of SHAREHOST1 to protect the mail and webmail services even if the top-level domain is on the VPSHOST1 service?

Hope it's all clear... Thanks!

PS UPDATE - Auto-renewal would be really nice, too, as I have a few domains to manage, so if a paid solution has auto-renewal I will happily take that into consideration.

1 Like

Hello @rbmusica, welcome to the Let's Encrypt community. :slightly_smiling_face:

Please read Certificates for localhost - Let's Encrypt

Also there is the DNS-01 challenge of the Challenge Types - Let's Encrypt.

Let’s Encrypt offers Domain Validation (DV) certificates.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for assisting us in helping YOU!

3 Likes

Just to clarify:

LE certs are free.

3 Likes

This makes no sense. Any level domain can get a certificate, independent of whatever the second level might do.

This is not a Let's Encrypt limitation.

4 Likes

Thank you @rg305! Don't know why, but I assumed LE certs were also available in a paid version, so I meant I was happy to buy one of the paid SSL certs if it would solve my problem.

2 Likes

Thank you @9peppe for your reply. I got in touch with the shared hosting tech team and they said clearly that this is a Let's Encrypt limitation and that it could be done if I buy a paid cert from them.

Maybe I need a wildcard cert to do what I want, or are they limiting the issuing of certs on purpose?

Anyway, in Plesk (shared hosting) if I select only webmail and issue the cert I receive no error, but you can see from webmail.gustigiusti.it that the cert is not working at all... that is quite strange.

Should I focus on the VPSHOST and CyberPanel issuing LE certs for the shared hosting, or should the certs be issued from Plesk on SHAREHOST?

Hahahaha. What bullshitters.

Their software "probably" only supports DNS-01 and they're too lazy to get a certificate for the actual third-level domains because they're just used to wildcards for everything.

This sounds pretty clear to me. You probably have a certificate but you aren't using it because nobody installed it. (I cannot check whether you actually have the certificate because of CT delays; it's not on Censys nor crt.sh.)

(Plesk might be horrible but it usually works)

2 Likes

It looks fine to me apart from it being from Google Trust Services and not Let's Encrypt

EDIT: The webmail domain is proxied at Cloudflare so using its CDN. The root domain is not proxied. This may explain some difference

4 Likes

Oh, come on. This registrar doesn't even come with whois privacy.

@rbmusica do you have access to the cloudflare control panel for your domain?

I see no reason why you shouldn't be able to issue the certificates you want. If your shared hosting complains, just use cloudflare origin certificates. (And look for another provider)

4 Likes

It wasn't working until a few hours ago... don't know why. I see now it's working, but to be honest I don't know WHY it's working, or where the cert is coming from. It's not the one on the shared hosting Plesk panel, and it's not the one on the VPS host, as both are Let's Encrypt and were issued again today.

At least for your webmail domain it is proxied in Cloudflare (your root domain is not)

When you proxy your domain in Cloudflare you use its CDN. The CDN gets a cert on your behalf to manage the incoming HTTPS connections from the client (like a browser). The CDN uses another HTTP(S) connection to your Origin server which also needs a cert if doing HTTPS (and it should).

Cloudflare may get certs from Let's Encrypt or one of several other suppliers. Right now it is using one from Google

openssl s_client -connect webmail.gustigiusti.it:443

subject=CN = gustigiusti.it
issuer=C = US, O = Google Trust Services LLC, CN = GTS CA 1P5
notBefore=Aug 28 13:39:56 2023 GMT
notAfter=Nov 26 13:39:55 2023 GMT


SANs:
*.gustigiusti.it
gustigiusti.it
2 Likes
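The post above makes a point that is easy to miss when two servers both have "working" Let's Encrypt certs: for a proxied name the browser sees the CDN's edge certificate, not the origin's. The following is an added example, not code from the thread or from Plesk/Cloudflare. It parses the kind of text `openssl s_client` / `openssl x509 -noout -subject -issuer -dates` prints (the certificate quoted in the post is embedded as the sample so it runs offline), applies the RFC 6125 wildcard rules to decide which hostnames the cert covers, and reports whether the issuer is the CA you think you installed. Function names, the `utc()` helper and the `report()` output shape are my own choices.

```python
"""Check which hostnames a certificate actually covers, and who issued it.

Added example, not code from the thread or from Plesk/Cloudflare. It parses the
kind of text `openssl s_client`/`openssl x509 -noout -subject -issuer -dates`
prints and applies the RFC 6125 wildcard rules. The sample below is the output
quoted in the thread, embedded here so the script runs offline.
"""
from datetime import datetime, timezone

# Constructed sample: the subject/issuer/dates/SANs quoted in the thread.
SAMPLE = """\
subject=CN = gustigiusti.it
issuer=C = US, O = Google Trust Services LLC, CN = GTS CA 1P5
notBefore=Aug 28 13:39:56 2023 GMT
notAfter=Nov 26 13:39:55 2023 GMT

SANs:
*.gustigiusti.it
gustigiusti.it
"""


def utc(iso_date):
    """'2023-09-07' -> aware UTC datetime; used for reproducible validity checks."""
    return datetime.fromisoformat(iso_date).replace(tzinfo=timezone.utc)


def _openssl_date(s):
    # openssl prints e.g. 'Nov  6 13:39:55 2023 GMT' (two spaces for 1-digit days)
    return datetime.strptime(" ".join(s.split()), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def parse_cert_text(text):
    """Return {'subject', 'issuer', 'not_before', 'not_after', 'sans': [...]}."""
    info = {"sans": []}
    in_sans = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_sans:
            info["sans"].append(line.lower().rstrip("."))
        elif line == "SANs:":
            in_sans = True
        elif line.startswith("subject="):
            info["subject"] = line[len("subject="):]
        elif line.startswith("issuer="):
            info["issuer"] = line[len("issuer="):]
        elif line.startswith("notBefore="):
            info["not_before"] = _openssl_date(line[len("notBefore="):])
        elif line.startswith("notAfter="):
            info["not_after"] = _openssl_date(line[len("notAfter="):])
    return info


def dn_attr(dn, key):
    """Pull one attribute ('O', 'CN', ...) out of an openssl-style 'C = US, O = ...' DN."""
    for part in dn.split(", "):
        k, _, v = part.partition(" = ")
        if k.strip() == key:
            return v.strip()
    return None


def san_matches(pattern, hostname):
    """RFC 6125 s6.4.3: '*' only as the whole left-most label, matching exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    if p[0] != "*" or len(p) < 3:                 # reject 'w*.example', '*.it' and friends
        return False
    return len(h) == len(p) and p[1:] == h[1:]    # '*.x.it' covers neither 'x.it' nor 'a.b.x.it'


def covers(info, hostname, now):
    """True if the cert names the host and is within its validity window at `now`."""
    in_window = info["not_before"] <= now <= info["not_after"]
    return in_window and any(san_matches(s, hostname) for s in info["sans"])


def report(text, hostnames, now, expected_issuer_org):
    """Per name: (covered by this cert?, issued by the CA you expected?).

    For a CDN-proxied name the answer to the second question is usually False:
    the client gets the edge certificate, whatever is installed on the origin.
    """
    info = parse_cert_text(text)
    issuer_ok = dn_attr(info["issuer"], "O") == expected_issuer_org
    return {h: (covers(info, h, now), issuer_ok) for h in hostnames}


if __name__ == "__main__":
    names = ["webmail.gustigiusti.it", "mail.gustigiusti.it", "gustigiusti.it", "a.b.gustigiusti.it"]
    for name, (ok, mine) in report(SAMPLE, names, utc("2023-09-07"), "Let's Encrypt").items():
        print("%-26s covered=%-5s issued-by-my-CA=%s" % (name, ok, mine))
```

Two things the output makes visible: `*.gustigiusti.it` covers `webmail.` and `mail.` but not the apex (which is why the edge cert carries both the wildcard and the bare name) and not a two-level name like `a.b.gustigiusti.it`; and the issuer check fails for the expected `Let's Encrypt`, which is the quickest way to tell that what you are looking at is Cloudflare's edge certificate and not the one either panel issued.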

No, I have only some generic "cloudflare tools" from the shared hosting company, no direct access to CF control panel.

If I try in Plesk to issue (and install) the cert, the error is (translated, so bear with me):
Cannot issue an SSL/TLS certificate for gustigiusti.it
Details
Cannot request a Let's Encrypt SSL/TLS certificate for gustigiusti.it.

Go to http://gustigiusti.it/.well-known/acme-challenge/18s7LLoXMgdqoYbCJBcmutlLx-*************
and check if the authorization token is available.
The Plesk domain is hosted at IP: 185...*** , but the DNS challenge used another IP: 35...*** .

That's expected. Plesk isn't controlling your VPS. Any other plesk-controlled subdomain should work.

(We know that IP address, no need to censor it. It's in your DNS.)

4 Likes

And it worked for the third-level domain controlled by Plesk (webmail is now working, thanks to all you guys!), but not with the POP/IMAP services certificates, which require Plesk to control the second-level domain, too.
I read some docs about the DNS-01 challenge and types, and probably the problem is that my current shared hosting only offers a limited and automatic-only verification method.

They don't. They just require mail.gustigiusti.it

❯ dig mx gustigiusti.it

; <<>> DiG 9.16.41 <<>> mx gustigiusti.it
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63543
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;gustigiusti.it.                        IN      MX

;; ANSWER SECTION:
gustigiusti.it.         120     IN      MX      10 mail.gustigiusti.it.

;; Query time: 46 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Sep 07 12:59:24 CEST 2023
;; MSG SIZE  rcvd: 64

(Strictly speaking, incoming SMTP needs that. Outgoing SMTP, POP and IMAP usually go together.)

3 Likes

Do you mean your webmail.gustigiusti.it domain is not working with those services?

Because it won't with that domain proxied in Cloudflare. Cloudflare's CDN has restrictions on the ports supported and POP/IMAP are not allowed by default. Their DNS service of course can work but the proxy / CDN is limited.

3 Likes

No, I meant (also for @9peppe) that in Plesk, when you choose to issue an LE cert and choose "assign the certificate to mail domain - IMAP, POP, SMTP" (translating here, but it should be quite accurate), the top check box "protect domain name" is selected and greyed out (so it's forced to be selected; it's not possible to unselect it). That is the problem, as far as I can see.

Plesk can issue the cert for IMAP/POP/SMTP only if the same cert is issued and valid for the second-level domain, too.

1 Like
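The two failures in this thread (the "hosted at IP 185... but the DNS challenge used another IP 35..." error earlier, and the mail option forcing the apex into the request here) are the same mechanism: an HTTP-01 token can only be served by the host the name's A record points at, and a panel that only does HTTP-01 from its own box cannot validate a name that resolves elsewhere. The following is an added example modelling that preflight; it is not Plesk's or Let's Encrypt's code. The IP addresses and the DNS table are constructed (RFC 5737 documentation ranges stand in for the censored real addresses), and `plesk_request_names` encodes the "protect domain name is forced on" behaviour exactly as described in the post above, nothing more.

```python
"""HTTP-01 preflight for a control panel that can only do HTTP-01 from its own host.

Added example, not Plesk's or Let's Encrypt's code. It models the behaviour the
thread describes: the panel forces the apex name into the request when the
"secure mail" box is ticked, and an HTTP-01 token can only be served by the
host the name's A record points at. IPs and the DNS table are constructed
(RFC 5737 documentation ranges stand in for the censored real addresses).
"""

SHAREHOST_IP = "192.0.2.10"    # stands in for the censored 185.x.x.x Plesk host
VPS_IP = "198.51.100.20"       # stands in for the censored 35.x.x.x CyberPanel VPS
CDN_EDGE_IP = "203.0.113.30"   # stands in for a Cloudflare proxy address

# Constructed A records matching the layout described in the thread.
DNS = {
    "gustigiusti.it": VPS_IP,
    "www.gustigiusti.it": VPS_IP,
    "mail.gustigiusti.it": SHAREHOST_IP,
    "webmail.gustigiusti.it": CDN_EDGE_IP,
}
PROXIED = {"webmail.gustigiusti.it"}   # orange-clouded at Cloudflare


def plesk_request_names(domain, webmail=False, secure_mail=False):
    """Names one Plesk 'issue certificate' request will contain, as described in the thread.

    Ticking the mail option greys out and forces 'protect domain name', so the
    apex goes into the request together with mail.<domain>.
    """
    names = set()
    if webmail:
        names.add("webmail." + domain)
    if secure_mail:
        names.add(domain)            # forced on, cannot be unticked
        names.add("mail." + domain)
    return names


def http01_outcome(name, host_ip, dns, proxied):
    """Predict where the CA's GET /.well-known/acme-challenge/<token> lands."""
    target = dns.get(name)
    if target is None:
        return "fail: no A record"
    if name in proxied:
        # The CDN terminates the request and forwards it to whatever origin it is
        # configured with; DNS alone cannot tell you whether that origin is host_ip.
        return "proxied: outcome depends on the CDN's origin setting"
    if target == host_ip:
        return "ok"
    return "fail: %s resolves to %s, not to this host (%s)" % (name, target, host_ip)


def preflight(names, host_ip, dns=DNS, proxied=PROXIED):
    """Outcome per requested name, run before clicking 'issue' in the panel."""
    return {n: http01_outcome(n, host_ip, dns, proxied) for n in sorted(names)}


def blocked_names(names, host_ip, dns=DNS, proxied=PROXIED):
    """Names this host cannot validate over HTTP-01: DNS-01, or issuing on the
    host they actually point at, is the way out for these."""
    return sorted(n for n, r in preflight(names, host_ip, dns, proxied).items()
                  if r.startswith("fail"))


if __name__ == "__main__":
    requests = [("webmail only", plesk_request_names("gustigiusti.it", webmail=True)),
                ("mail services", plesk_request_names("gustigiusti.it", secure_mail=True))]
    for label, req in requests:
        print(label)
        for n, r in preflight(req, SHAREHOST_IP).items():
            print("  %-26s %s" % (n, r))
        print("  blocked:", blocked_names(req, SHAREHOST_IP) or "none")
```

Run from the shared host's point of view, the "webmail only" request contains nothing the host cannot answer for, while the "mail services" request is blocked by the forced apex, which resolves to the VPS; that is the Plesk error quoted earlier, reproduced from DNS alone. Swap `SHAREHOST_IP` for `VPS_IP` and the apex passes but `mail.` fails, which is why neither panel can validate the whole set over HTTP-01 and only DNS-01 (or a panel that supports it) gets both names into one certificate.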

sometimes a pic is worth a thousand words

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.