Symptoms
- Emails with the subject "Let's Encrypt certificates for John Doe have been issued/renewed" are received daily.
- There is another domain (which was renamed) using another certificate with the same name:
# plesk db "select domains.name as 'Domain Name', cert_rep_id, certificates.name as 'Certificate Name', certificates.id as 'Certificate ID' from domains inner join hosting on domains.id = hosting.dom_id join certificates on certificates.id = hosting.certificate_id where certificates.name like '%example.com%';"
+-----------------+-------------+--------------------------+----------------+
| Domain Name     | cert_rep_id | Certificate Name         | Certificate ID |
+-----------------+-------------+--------------------------+----------------+
| example.com     |           7 | Lets Encrypt example.com |             15 |
| example.com.bak |           8 | Lets Encrypt example.com |             16 |
+-----------------+-------------+--------------------------+----------------+
- The certificate for example.com has not been renewed:
# i=example.com && echo '' | openssl s_client -connect $i:443 -servername $i 2>/dev/null | openssl x509 -noout -text | grep -A2 "Validity"
Validity
Not Before: Sep 3 11:00:15 2019 GMT
Not After : Dec 2 11:00:15 2019 GMT
Cause
The Let's Encrypt extension attempts to renew the certificate for the renamed domain, but the new certificate is not renewed because the extension refers to the certificate name rather than to the domain name.
Bug #EXTLETSENC-725 has been created to improve the extension in future releases.
Resolution
- Log in to Plesk
- Go to the renamed domain in Domains > example.com.bak > Hosting Settings
- In the Certificate drop-down menu, select Not Selected or select a proper certificate
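To find every certificate name that is assigned to more than one domain (the condition described under Cause), the output of the Symptoms query can be scanned with a small filter. This is an added example, not Plesk code: the function names find_shared_cert_names and sample_table are hypothetical, the example.org row is constructed, and tab-separated input is assumed to carry the same four columns.

```shell
#!/bin/sh
# Added example (not Plesk code): list certificate names that are assigned to
# more than one domain, the condition described under Cause.
# Input on stdin: rows with the columns of the Symptoms query
#   Domain Name | cert_rep_id | Certificate Name | Certificate ID
# either as the ASCII table shown in Symptoms or as tab-separated text (assumed).

find_shared_cert_names() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        {
            first = substr($0, 1, 1)
            if (first == "+" || $0 == "") next            # table border or blank
            if (first == "|") {                            # ASCII table row
                if (split($0, f, "|") < 5) next
                domain = trim(f[2]); cert = trim(f[4])
            } else {                                       # tab-separated row
                if (split($0, f, "\t") < 4) next
                domain = trim(f[1]); cert = trim(f[3])
            }
            if (domain == "Domain Name") next              # header row
            seen[cert]++
            list[cert] = (seen[cert] == 1 ? domain : list[cert] ", " domain)
        }
        END {
            # One line per certificate name used by two or more domains.
            for (c in seen)
                if (seen[c] > 1) printf "%s: %s\n", c, list[c]
        }
    '
}

# Constructed sample: the two rows from Symptoms plus one made-up unaffected row.
sample_table() {
    cat <<'EOF'
+-----------------+-------------+--------------------------+----------------+
| Domain Name     | cert_rep_id | Certificate Name         | Certificate ID |
+-----------------+-------------+--------------------------+----------------+
| example.com     |           7 | Lets Encrypt example.com |             15 |
| example.com.bak |           8 | Lets Encrypt example.com |             16 |
| example.org     |           9 | Lets Encrypt example.org |             17 |
+-----------------+-------------+--------------------------+----------------+
EOF
}

sample_table | find_shared_cert_names
```

Each output line names a shared certificate name followed by the domains using it; the renamed domain in that list is the one to change under Resolution.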