Hi, I'd like to buy a certificate for a domain (*gustigiusti*dot it) which is registered with provider (name PROV1).
The nameservers of the domain are connecting the domain to a shared hosting service (SHAREHOST1) for using webmail and other light services - and the PLESK panel is used.
In the SHAREHOST1 DNS settings I have the A record for the website pointing to a private VPS (VPSHOST1) IP address, and that VPS is a Linux box set up with Ubuntu 20.04 LTS and CyberPanel.
I have no problems with issuing free Let's Encrypt on the VPSHOST1 cyberpanel and the website is secured - no problem there.
I have issues with mail and third-level domains as they are on the SHAREHOST1 service, and Let's Encrypt issuance fails on SHAREHOST1 as ACME cannot issue SSL for the domain since the top-level domain is the one of the VPSHOST1 service.
Is it possible to configure Let's Encrypt (free or paid?) manually and install the SSL certificates on the PLESK service of SHAREHOST1 to protect the mail and webmail service even if the top-level domain is on the VPSHOST1 service?
Hope it's all clear... Thanks!
PS UPDATE - Auto-renewal would be really nice, too, as I have a few domains to manage, so if paid solutions have auto-renewal I will happily take that into consideration.
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Thank you @9peppe for your reply. I got in touch with the shared hosting tech team and they said clearly that this is a Let's Encrypt limitation and it could be done if I buy a paid cert from them.
Maybe I need a wildcard cert for doing what I want, or they are limiting on purpose issuing of certs?
Anyway, in Plesk (shared hosting) if I select only webmail and issue the cert I receive no error, but you can see from webmail.gustigiusti.it that the cert is not working at all... that is quite strange.
Should I focus on the VPSHOST and CyberPanel issuing LE certs for the shared hosting, or should the certs be issued from Plesk on SHAREHOST?
Their software "probably" only supports dns-01 and they're too lazy to get a certificate for the actual third level domains because they're just used to wildcards for everything.
This sounds pretty clear to me. You probably have a certificate but you aren't using it because nobody installed it. (I cannot check if you actually have the certificate because of CT delays; it's not on Censys nor crt.sh.)
It wasn't working until a few hours ago... don't know why. I see now it's working, but to be honest I don't know WHY it's working, or where the cert is coming from. It's not the one on the shared hosting Plesk panel, and it's not the one on the VPS host, as both are Let's Encrypt and were issued again today.
At least your webmail domain is proxied in Cloudflare (your root domain is not).
When you proxy your domain in Cloudflare you use its CDN. The CDN gets a cert on your behalf to manage the incoming HTTPS connections from the client (like a browser). The CDN uses another HTTP(S) connection to your Origin server which also needs a cert if doing HTTPS (and it should).
Cloudflare may get certs from Let's Encrypt or one of several other suppliers. Right now it is using one from Google.
No, I have only some generic "cloudflare tools" from the shared hosting company, no direct access to CF control panel.
If I try on plesk to issue (and install) the cert, the error is (translated so bear with me):
Cannot issue a SSL/TLS certificates for gustigiusti.it
Cannot request a certificate SSL/TLS Let's Encrypt for gustigiusti.it.
And it worked for the third-level domain controlled by Plesk (webmail is now working, thanks to all you guys!), but not for the POP/IMAP service certificates, which require Plesk to control the second-level domain, too.
I read some docs about the DNS-01 challenge and the challenge types, and probably the problem is that my current shared hosting only offers a limited, automatic-only verification method.
Do you mean your webmail.gustigiusti.it domain is not working with those services?
Because it won't with that domain proxied in Cloudflare. Cloudflare's CDN has restrictions on the ports supported and pop/imap are not allowed by default. Their DNS service of course can work but proxy / CDN is limited.
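The two posts above (the CDN terminating HTTPS with its own certificate, and the proxy not passing POP/IMAP ports) can be checked directly from a client. The script below is an added example, not code from the thread or from Plesk or Cloudflare: it connects to each endpoint with SNI and full verification, then reports the issuer, the names on the certificate and whether they cover the hostname. The hostname is the one discussed in the thread; serving IMAPS/POP3S on the webmail hostname is an assumption, and a connection failure on 993/995 is itself informative when the name is proxied.

```python
import socket
import ssl
import time

# Endpoints to compare: HTTPS (possibly terminated by the Cloudflare proxy)
# versus the mail ports that only the origin (Plesk) would answer on.
# Ports assume implicit TLS; STARTTLS on 143/110/587 is not handled here.
ENDPOINTS = [
    ("webmail.gustigiusti.it", 443),
    ("webmail.gustigiusti.it", 993),  # assumption: IMAPS on the webmail host
    ("webmail.gustigiusti.it", 995),  # assumption: POP3S on the webmail host
]


def describe_cert(cert):
    """Reduce an ssl.getpeercert() dict to the fields that say where the
    certificate came from: issuer organisation, subject CN, SANs, expiry."""
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    sans = [n for kind, n in cert.get("subjectAltName", ()) if kind == "DNS"]
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "issuer": issuer.get("organizationName", "?"),
        "subject_cn": subject.get("commonName", "?"),
        "sans": sans,
        "days_left": int((expires - time.time()) // 86400),
    }


def covers(desc, hostname):
    """True if a SAN matches hostname; a wildcard only replaces one label,
    so *.example.it covers webmail.example.it but not example.it itself."""
    labels = hostname.split(".")
    for san in desc["sans"]:
        if san == hostname:
            return True
        if san.startswith("*.") and len(labels) > 2 and san[2:] == ".".join(labels[1:]):
            return True
    return False


def fetch_cert(host, port, timeout=5):
    """Open a verified TLS connection with SNI and describe the peer cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return describe_cert(tls.getpeercert())


if __name__ == "__main__":
    for host, port in ENDPOINTS:
        try:
            d = fetch_cert(host, port)
            print(f"{host}:{port} issuer={d['issuer']!r} cn={d['subject_cn']} "
                  f"covers={covers(d, host)} days_left={d['days_left']} sans={d['sans']}")
        except (OSError, ssl.SSLError) as exc:
            print(f"{host}:{port} no TLS answer: {exc}")
```

Different issuers on 443 and 993 for the same name mean two different certificates are in play (CDN edge versus origin), which is what the thread eventually worked out.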
No, I meant (also for 9beppe) that in Plesk, when you choose to issue an LE cert and choose "assign the certificates to mail domain - imap, pop, smtp" (translating here, but it should be quite accurate), the top check box "protect domain name" option is selected and greyed out (so it's forced to be selected; it's not possible to unselect it). That is the problem, as far as I can see.
Plesk can issue the cert for IMAP/POP/SMTP only if the same cert is issued and valid for the second-level domain, too.