
SAN support

Open COhsrt opened this issue 10 years ago • 73 comments

As we have a few subdomains (irc.domain.com, mail.domain.com etc.) it would be neat to implement adding those subdomains to a normal domain's certificate.

COhsrt avatar Dec 05 '15 16:12 COhsrt

It would be useful to have a webroot option or enable the manual option on the CLI to allow automatic certification for non-standard subdomains or domains. (In particular Horde with a non-standard webroot and manual certificate entry in the config file on webmail.domain.tld.)

DavidAkroyd avatar Dec 08 '15 13:12 DavidAkroyd

I think you want a multiple SAN cert. Those are possible with a current limit of 100 subdomains per cert. The Plesk client might support this using the cmd line client like this, I haven't tried it, though.

Version 1.1 of the plugin added a checkbox for adding the www-subdomain to the main cert. Maybe it should be allowed to also add all existing subdomains to the cert.

dakira avatar Dec 08 '15 14:12 dakira

This would be very useful. Especially the webmail-Subdomain needs encryption support by default.

EarMaster avatar Dec 18 '15 09:12 EarMaster

A real saver would be the postfix, courier, dovecot SSL. It's a bummer with self-signed certs.

flipme avatar Dec 26 '15 15:12 flipme

:+1: Would love to see this implemented! :smile:

RamonSmit avatar Jan 01 '16 19:01 RamonSmit

Please include this if it is possible. Including the postfix courier and webmail.

SolidRhino avatar Jan 12 '16 20:01 SolidRhino

+1 for securing webmail subdomain and the plesk panel itself.

n4uti avatar Jan 12 '16 22:01 n4uti

@n4uti you already can create a certificate for Plesk panel

SolidRhino avatar Jan 13 '16 11:01 SolidRhino

Setting up SSL for postfix/dovecot/courier isn’t handled well at all inside of Plesk. It’s quite funky that the feature is missing. If your extension would be able to fix that it would be just awesome.


flipme avatar Jan 13 '16 12:01 flipme

+1


Svenna71 avatar Jan 13 '16 12:01 Svenna71

Please let's keep the discussion to the issue: SAN support. Using other letsencrypt/acme clients you can create one cert for multiple (sub-)domains.

I think this interface should at least allow for adding subdomains to the cert. Handling mail and webmail certs is a different issue.

dakira avatar Jan 13 '16 13:01 dakira

How do you expect an arbitrary subdomain to be validated? We should know where the http request points to the file system. Since a domain name or a subdomain name is registered in Plesk, its document root is known, it is written in apache/nginx configuration by Plesk. An alias has the same document root. Webmail subdomain points to the horde/roundcube root - it is also known. I have no idea where to put validation file for unknown mail.domain.tld or irc.domain.tld... I guess some other challenges (dns or tls) should be used for it. Any ideas?

xgin avatar Jan 14 '16 16:01 xgin

So the original LetsEncrypt command line allows for the manual setting of a WebRoot which allows you to set a web-accessible root - this may be an option - however you would need to set a directory for every domain?

DavidAkroyd avatar Jan 14 '16 17:01 DavidAkroyd

@DavidAkroyd yep, every alternative name should be validated. For example, you want a certificate for example.com, sub.example.com, alternative.com.

  1. The certificate request is created and is sent to Let's Encrypt CA.
  2. It asks to create a validation file abcdef with content qwerty.
  3. After the file is created it should be available on every URL:
     - http://example.com/.well-known/acme-challenge/abcdef
     - http://sub.example.com/.well-known/acme-challenge/abcdef
     - http://alternative.com/.well-known/acme-challenge/abcdef

xgin avatar Jan 14 '16 17:01 xgin

My expected use case would look like this:

  1. open Plesk-Letsencrypt-client for a domain within a certain webspace
  2. If other (sub-)domains have been created inside the same webspace (meaning their webroots are known) ask if the certificate should include these subdomains as well.

The rest (securing dovecot and postfix with those certs) can easily be done with a script.

dakira avatar Jan 14 '16 20:01 dakira

@dakira Any reason that you would use a SAN for multiple domains/sub-domains like these as opposed to just using a certificate per domain/sub-domain? I think the main reason that people want it for the webmail/mail server, and hence why there have been so many +1s for the feature, is because the default configuration for Plesk uses 1 SSL certificate per IP address, regardless of domains, hence the ONLY way to solve it is to use a SAN in a certificate.

@xgin I think that I was expecting the ability to specify a manual Webroot for any domain that Plesk itself is not aware of the webroot for, and then a custom DNS entry in Plesk for the domains that do not have a webroot (Though LetsEncrypt have not yet implemented this feature) - though this would presume Plesk is controlling DNS for the domain. I presume though, TLS/DVSNI would be a lot harder to implement than DNS as an alternative?

This would probably have to be a separate menu since you may be trying to generate a certificate ONLY for a sub-domain that Plesk is not aware of.

DavidAkroyd avatar Jan 14 '16 22:01 DavidAkroyd

@DavidAkroyd Yes. For one, it's just one cronjob for renewal instead of 50+.

dakira avatar Jan 14 '16 22:01 dakira

@xgin Afaik, for (sub)domains which are not registered in Plesk but where the DNS points to the Plesk server (e.g. mail domain), the webroot is /var/www/vhosts/default/htdocs and the challenge file could be placed there.

grunsch avatar Jan 15 '16 16:01 grunsch

@grunsch Good point. In general the order of virtual hosts that could respond to the request is the following:

  1. exact subdomain name sub.domain.tld and its aliases
  2. wildcard subdomain *.domain.tld
  3. default website for IP address (set in Tools&Settings > IP Addresses)
  4. default webserver page (/var/www/vhosts/default/htdocs)

All of them should be checked for existence and could be used for verification. Am I missing something?
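The two xgin comments above (every SAN must answer the same challenge URL, and the four-step order in which Plesk vhosts would answer it) combined into one runnable sketch. This is an added example, not the plugin's code: the `vhosts` mapping, the `ip_default_docroot` argument and the token/content values are constructed, and the docroots are temporary directories rather than real Plesk paths.

```python
import os
import tempfile

DEFAULT_DOCROOT = "/var/www/vhosts/default/htdocs"  # step 4 in xgin's list


def resolve_docroot(name, vhosts, ip_default_docroot=None, default_docroot=DEFAULT_DOCROOT):
    """Docroot that would serve http://name/ for a given Plesk host.
    vhosts: {hostname: (docroot, [aliases])}; wildcard hosts are keyed "*.parent".
    Order: exact name or alias, wildcard subdomain, per-IP default site, default page."""
    name = name.lower().rstrip(".")
    for vhost, (docroot, aliases) in vhosts.items():          # step 1
        if name == vhost or name in aliases:
            return docroot
    parent = name.split(".", 1)[1] if "." in name else ""
    if "*." + parent in vhosts:                                # step 2
        return vhosts["*." + parent][0]
    return ip_default_docroot or default_docroot               # steps 3 and 4


def stage_challenge(names, vhosts, token, key_authorization, **kw):
    """Write the HTTP-01 response under every docroot that serves a requested name.
    Returns {name: path}. A SAN whose docroot is wrong (or unwritable) fails the
    whole order, so every name is resolved before any file is written."""
    targets = {n: resolve_docroot(n, vhosts, **kw) for n in names}
    placed = {}
    for name, docroot in targets.items():
        path = os.path.join(docroot, ".well-known", "acme-challenge", token)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(key_authorization)
        placed[name] = path
    return placed


def verify_local(placed, key_authorization):
    """Read each staged file back: the CA's check minus the HTTP hop."""
    return {n: os.path.isfile(p) and open(p).read() == key_authorization
            for n, p in placed.items()}


def demo():
    """Constructed Plesk layout: one domain with a www alias plus a wildcard."""
    base = tempfile.mkdtemp()
    vhosts = {"example.com": (os.path.join(base, "example"), ["www.example.com"]),
              "*.example.com": (os.path.join(base, "wild"), [])}
    names = ["example.com", "www.example.com", "blog.example.com"]
    placed = stage_challenge(names, vhosts, "abcdef", "qwerty")
    unknown = resolve_docroot("mail.other.tld", vhosts)  # falls through to step 4
    return {"placed": placed, "ok": verify_local(placed, "qwerty"), "unknown": unknown}
```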

xgin avatar Jan 15 '16 17:01 xgin

@xgin from my point of view these are all valid possibilities right now. I'd love to see it in the next version!

grunsch avatar Jan 19 '16 07:01 grunsch

+1

The integration for a certificate for subdomains like https://webmail.yourdomain.tld would be such a great addition to the service.

Dieblich avatar Jan 30 '16 20:01 Dieblich

+1

AmaZili avatar Feb 10 '16 18:02 AmaZili

+1. I was expecting it to work exactly as @dakira described here https://github.com/plesk/letsencrypt-plesk/issues/19#issuecomment-171778076

dzedward avatar Feb 10 '16 21:02 dzedward

+1. Right now if you have, say, a WP multisite with more than 4 subdomains, you have to issue 5 cert requests (1 for the main domain and 4 for each sub-domain) and then wait another week for more cert requests due to the LE limitations. Since they all go to the main domain, LE will limit those at a certain point (max # of certs per domain...). Using the CLI is not a viable alternative, since you lose the auto-renew feature... so actually this is a +100 from me...

mschroettle avatar Mar 01 '16 14:03 mschroettle

:+1:

futureweb avatar Mar 08 '16 18:03 futureweb

+1

CoskunSunali avatar Mar 09 '16 11:03 CoskunSunali

+1

Mythos avatar Mar 10 '16 22:03 Mythos

+1

Hativ avatar Mar 24 '16 10:03 Hativ

+1

PatrickHuetter avatar Mar 24 '16 19:03 PatrickHuetter

+1 Especially valid certificates for webmail.domain.tld would be great.

Thanks for all you've done!

derStephan avatar Mar 30 '16 09:03 derStephan