Wildcard Certificate not working for *one* sub-domain

the full domain name of your site (this will be made [public](https://www.certificate-transparency.org/) upon issuance anyhow)

docherty.nl

the command line you ran

n/a

the output of that command

n/a

name and version of your operating system and your web server

Ubuntu 18.04.6 LTS

what type of hosting provider you are using, if applicable

Amazon Lightsail VPS, domain & DNS with Amazon Route 53

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

Yes, Plesk Obsidian v18.0.48

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Plesk Let's Encrypt Extension 3.1.2-823
Plesk SSL It! Extension 1.11.2-1547

Hi all,

I'm definitely at the bottom of the learning curve, so I'd like some advice regarding a wildcard certificate that doesn't work for one of my subdomains. Maybe worth adding that this is just a personal site that I'm learning with - nothing at all critical :slight_smile:

I secured my domain with a 'normal' Let's Encrypt domain a while ago (>1 year). I replaced this with a wildcard SSL Cert via LetsEncrypt at the start of December. It's working fine for my main domain, and also for the typical "webmail.domain.tld" subdomains. However, for one particular subdomain it isn't working. Since then I've tried a few things to fix it, and then asked Plesk to "Reissue Certificate". This hasn't solved my problem.

What is particularly strange (to me at least) is that when I access my main domain, my browser is showing the dates related to the most recent certificate. That also applies for my other subdomains. But when I look at my problematic subdomain, my browser is retrieving the original (borked) certificate from early December.

Why would this subdomain hang on to the old certificate? Can I force it to be revoked and use the latest certificate? Or am I asking all the wrong questions? :slight_smile:

Thanks in advance!


Could you please share exactly what is and what isn't working? I.e., provide the working and non-working subdomains and the specific error message(s) where applicable.

Otherwise my compliments for the quality of your post :+1: Not very often we see the questionnaire filled out as it's supposed to be filled out :smiley:


Thanks for the quick reply.

So if I go to webmail.docherty.nl, everything looks good. Chrome tells me my connection is secure, and if I look at the certificate viewer in chrome, I see:

Issued On Thursday, January 5, 2023 at 3:51:58 PM
Expires On Wednesday, April 5, 2023 at 4:51:57 PM

However, if I go to my problematic subdomain plesk.docherty.nl (where I want to make plesk accessible, for no reason other than to learn and make things neat :slight_smile: ), I get the error

NET::ERR_CERT_COMMON_NAME_INVALID

Subject: docherty.nl
Issuer: R3
Expires on: Mar 4, 2023
Current date: Jan 7, 2023

If I view with certificate view in chrome, I see:

Issued On Sunday, December 4, 2022 at 3:23:48 PM
Expires On Saturday, March 4, 2023 at 3:23:47 PM

Anything further I can share?


One, are you sure you want Plesk available to the public internet?

If so, it looks like whatever is handling the HTTPS request is not using the right cert. Your webmail subdomain is configured to use a wildcard cert. But, the plesk domain is using a cert with only your apex domain docherty.nl

Is nginx handling the HTTPS request? If so, check the server block for plesk and ensure it points to the right certificate file name.

You can see what cert is used for any domain with a tool like this:


Thanks for this. Nginx is indeed handling the request.

If so, check the server block for plesk and ensure it points to the right certificate file name.

Sorry, can you unpack that a bit?

You can see what cert is used for any domain with a tool like this:

Useful. Using this tool it is clear that the two subdomains are using different certificates.
For the working subdomain in the general information I see:

SANs:	
DNS:*.docherty.nl
DNS:docherty.nl
Total number of SANs: 2

For the borked subdomain I see:

DNS:docherty.nl
Total number of SANs: 1
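As an added example (not part of the thread, and not Plesk's or Let's Encrypt's own tooling), the script below does offline what the online checker above shows: it opens a TLS connection with SNI set to the hostname, reads the certificate the server actually chose for that name, lists its SANs and validity dates, and applies the browser's wildcard rule to decide whether the name is covered. The `WILDCARD_CERT` and `APEX_ONLY_CERT` dicts are constructed samples that echo the dates and SAN lists reported in the thread, not captured data; the file name `certcheck.py` is an assumption.

```python
from __future__ import annotations

import socket
import ssl
import sys
from datetime import datetime, timezone


def hostname_matches_san(hostname: str, san_names: list[str]) -> bool:
    """True if hostname is covered by one of the DNS SAN entries.

    Browser-style matching: a wildcard stands for exactly one leftmost label,
    so "*.docherty.nl" covers "plesk.docherty.nl" but neither "docherty.nl"
    nor "a.b.docherty.nl". The subject CN is deliberately ignored; browsers
    only consult the SAN list, which is why Chrome reports COMMON_NAME_INVALID
    even though the CN "docherty.nl" looks related.
    """
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]                      # ".docherty.nl"
            if host.endswith(suffix):
                label = host[: -len(suffix)]       # the part the wildcard must cover
                if label and "." not in label:
                    return True
        elif name == host:
            return True
    return False


def san_dns_names(cert: dict) -> list[str]:
    """DNS entries from the dict that SSLSocket.getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def days_until_expiry(cert: dict, now_epoch: float) -> int:
    """Whole days between now_epoch and the certificate's notAfter."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - now_epoch) // 86400)


def summarize(hostname: str, cert: dict, now_epoch: float | None = None) -> dict:
    """Reduce a getpeercert() dict to the fields that matter for this diagnosis."""
    if now_epoch is None:
        now_epoch = datetime.now(timezone.utc).timestamp()
    names = san_dns_names(cert)
    return {
        "hostname": hostname,
        "subject": dict(attr for rdn in cert["subject"] for attr in rdn),
        "issuer_cn": dict(attr for rdn in cert["issuer"] for attr in rdn).get("commonName"),
        "not_before": cert["notBefore"],
        "not_after": cert["notAfter"],
        "days_left": days_until_expiry(cert, now_epoch),
        "sans": names,
        "name_matches": hostname_matches_san(hostname, names),
    }


def inspect_server(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with SNI set to hostname and report the certificate the server chose.

    check_hostname is switched off on purpose: the name mismatch is the thing
    we want to observe rather than abort on. verify_mode stays CERT_REQUIRED so
    the chain is still validated and getpeercert() returns a parsed certificate
    (with CERT_NONE it would return an empty dict).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return summarize(hostname, tls.getpeercert())


# Constructed sample certificates in getpeercert() format (not captured data;
# the values mirror what the thread reports for the two subdomains).
LE_ISSUER = ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),), (("commonName", "R3"),))
WILDCARD_CERT = {
    "subject": ((("commonName", "docherty.nl"),),),
    "issuer": LE_ISSUER,
    "notBefore": "Jan  5 14:51:58 2023 GMT",
    "notAfter": "Apr  5 14:51:57 2023 GMT",
    "subjectAltName": (("DNS", "*.docherty.nl"), ("DNS", "docherty.nl")),
}
APEX_ONLY_CERT = {
    "subject": ((("commonName", "docherty.nl"),),),
    "issuer": LE_ISSUER,
    "notBefore": "Dec  4 14:23:48 2022 GMT",
    "notAfter": "Mar  4 14:23:47 2023 GMT",
    "subjectAltName": (("DNS", "docherty.nl"),),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for host in sys.argv[1:]:        # live check: python3 certcheck.py plesk.docherty.nl
            print(inspect_server(host))
    else:                                # offline demo on the constructed samples
        jan7 = datetime(2023, 1, 7, tzinfo=timezone.utc).timestamp()
        print(summarize("webmail.docherty.nl", WILDCARD_CERT, jan7))
        print(summarize("plesk.docherty.nl", APEX_ONLY_CERT, jan7))
```

Run it against both names and compare the `sans` and `not_after` fields: two different certificates for two names on the same server means the server is selecting by SNI, and in nginx that selection is the `server { server_name ...; ssl_certificate ...; ssl_certificate_key ...; }` block that matches the requested name, so the block serving `plesk.docherty.nl` still references the older, apex-only certificate file. The same information without Python comes from `openssl s_client -connect plesk.docherty.nl:443 -servername plesk.docherty.nl </dev/null | openssl x509 -noout -subject -dates -ext subjectAltName`. Note that `inspect_server` assumes the server's chain validates against the local trust store; if it does not, the handshake raises instead of returning a report.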

Yeah, nginx is configured using server blocks. But, these were probably set up by Plesk for you. I could instruct you how to view / update nginx but that would likely cause problems for Plesk. So, you'll need to review your Plesk config carefully for the SSL and domains to see why they are different.

Maybe another volunteer will have more expertise with Plesk than I do. Or, try a Plesk forum


No experience with Plesk here I'm afraid :man_shrugging:

That said, how hard would the TLS configuration for that Plesk server block be?

