SSL for website

Hello,

I’d like to get a certificate for a domain (domain.com). However, my hosting provider doesn’t provide out-of-the-box functionality to get certificates from Let’s Encrypt. PHP sites are supported.

In order to obtain a certificate and ensure proper renewal, which option is suggested (using a website, an application or a PHP site)?

In addition, I have a subdomain (subdomain.domain.com) and I use domain forward (domain.gr >> domain.com). Should I specify any subdomain as alternative name? Should I also specify the domain forward as alternative name? Should a wildcard (*.domain.com) certificate be used?

Thank you in advance.

You can easily create a certificate with SANs for all of:

  • domain.com
  • *.domain.com
  • domain.gr

without any problems.

The tricky part is figuring out what is the best way to set up and renew the certificate. This depends on what your hosting environment is.

What type of hosting do you have? cPanel or something else? What company/package do you use?

It would also help to know who hosts the DNS for each of your domains.


Regarding alternatives/SANs, should I choose that approach or a wildcard certificate?

What do you mean by setup/upgrade approach?
On the client options, I see tools, websites and PHP sites as options for initial setup and renewal, but I don’t know the suggested one :)
I also have a NAS (storage) device that supports Let’s Encrypt, so I do have that option also.

My hosting provider is Papaki.com, who uses Plesk (without direct support for Let’s Encrypt) and hosts my domains’ DNS entries.

SANs and wildcard are not mutually exclusive - one of the SANs can be a wildcard. It’s up to you which you want to use. Generally, it’s better to avoid wildcards and just to use normal domain SANs, especially if you only have a few names.

The problem with shared hosting like Plesk is that unless the Plesk Let’s Encrypt plugin is set up, you are more or less stuck manually issuing and installing the certificate every 60-90 days. It’s much better when you are using web hosting with native support for Let’s Encrypt.

You can use something like ZeroSSL or gethttpsforfree to manually issue a certificate that you can manually install to Plesk. I am not aware of any ACME client that supports integrating with Plesk externally, unfortunately.

On client options, these websites are listed to be offering LE certificates:
gethttpsforfree.com
zerossl.com
sslforfree.com
easy.zhetao.com

Also on client options custom pages are listed that can be hosted, independently of the hosting provider’s platform (Plesk or cPanel). For example some PHP sites are:
LEClient PHP library
le-acme2-php library
stonemax/acme2 PHP client
itr-acme-client PHP library

So, should I use a website, custom pages (PHP or another) or use my Synology NAS Let’s Encrypt certificate functionality for both initial setup and renewal?

The critical parts that are missing from all of those clients:

  • Automatically performing HTTP/DNS challenges against your Plesk service (uploading challenge files to your webroot, setting challenge DNS records)
  • Calling the Plesk API to install the certificate

Yes, there are many ACME clients that you could use, however the crucial part is the above. I don’t know of anything other than the official Plesk Let’s Encrypt plugin that integrates with Plesk like that.

If you have some programming/scripting chops then you could extend those clients to do that, but I doubt any of them can do it out of the box.

When using a website (gethttpsforfree.com, zerossl.com, sslforfree.com or easy.zhetao.com) for LE certificate issuing, what will be the renewal process?
If there isn’t any and if custom/PHP pages are not an easy alternative, the best option seems to be issuing a certificate from my NAS device.

There’s not really any difference between issuing a certificate for the first time and renewing it.

In both cases, you have to perform validation, create the certificate, and then upload it to Plesk.

Unless you can script something using the Plesk XML API, you’d be doing at least the last part by hand.
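Because the certificate is issued and installed by hand here, it helps to check after each upload that every name is covered and to know when the next renewal is due. The following is an added example, not part of the original thread or of any client mentioned in it: it audits a certificate dict shaped like the output of Python's `ssl.SSLSocket.getpeercert()`. The sample certificates and dates are constructed, and the 30-day renewal window is an assumption.

```python
import ssl
from datetime import datetime, timezone

def san_covers(san, host):
    """True if one SAN entry covers host. A wildcard stands for exactly one
    leftmost label, so *.domain.com does not cover domain.com itself."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    label, _, parent = host.partition(".")
    return bool(label) and parent == san[2:]

def audit(cert, wanted, now, renew_days=30):
    """cert: dict shaped like ssl.SSLSocket.getpeercert() output.
    Returns (names not covered, whole days until expiry, renewal due?)."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    missing = [h for h in wanted if not any(san_covers(s, h) for s in sans)]
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (expires - now).days
    # renew_days=30 is an assumed threshold, not a value from the thread
    return missing, days_left, days_left <= renew_days

# Constructed sample data using the thread's placeholder names.
WILDCARD_ONLY = {
    "subjectAltName": (("DNS", "*.domain.com"),),
    "notAfter": "Jun 30 00:00:00 2025 GMT",
}
ALL_NAMES = {
    "subjectAltName": (("DNS", "domain.com"), ("DNS", "*.domain.com"),
                       ("DNS", "domain.gr")),
    "notAfter": "Jun 30 00:00:00 2025 GMT",
}
WANTED = ["domain.com", "subdomain.domain.com", "domain.gr"]

if __name__ == "__main__":
    now = datetime(2025, 6, 5, tzinfo=timezone.utc)  # constructed "today"
    for label, cert in (("wildcard only", WILDCARD_ONLY),
                        ("all three SANs", ALL_NAMES)):
        missing, days_left, due = audit(cert, WANTED, now)
        print(f"{label}: missing={missing} days_left={days_left} renew={due}")
```

To audit a live site, pass the dict returned by `getpeercert()` on a verified TLS connection in place of the constructed samples.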

Thank you @_az for your knowledge sharing on the thread!
