• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Issue certificate for securing mail

Rafael Montes

Rafael Montes

New Pleskian
Hi! yesterday I selected a certificate for securing mail, and now I'm having problems with the emails of all my domains. Is possible to disable a certificate that I've selected? I only can change it, but I want to remove them, and keep it without any certificate, as before. Thanks!
 
Hi! yesterday I selected a certificate for securing mail, and now I'm having problems with the emails of all my domains. Is possible to disable a certificate that I've selected? I only can change it, but I want to remove them, and keep it without any certificate, as before. Thanks!
 
Let me clarify. On default clean Plesk installation initially there is "Unknown" Certificate for securing mail. It is "default certificate" if admin did not change it to another. Therefore you should install "default certificate" if you need to revert all back.
 
I find it very unhelpful that I cannot revert to 'Unknown' (the GUI will not let me, nor is there a CLI command). I have own scripts outside of Plesk which manage the certificates for dovecot, postfix and ProFTPD.

@IgorG You are surely right regarding "default certificate" - BUT the internal mechanism changes:

Dovecot default certificate always used to be at /etc/dovecot/private/ssl-cert-and-key.pem ; as soon as I (mistakenly, or as a trial) select something for "Certificate for securing mail", then Plesk adds a config file /etc/dovecot/conf.d/11-plesk-security-ssl.conf, which refers to /etc/dovecot/private/dovecot.pem. This I could reverse back by a later custom file of my own, e.g. /etc/dovecot/conf.d/50-custom-security.conf

Postfix is a real problem: Plesk generates both main.cf and master.cf, now switching the cert file from postfix_default.pem to postfix.pem. The problem here is, that Postfix does not have any "conf.d" directory, and the only 2 config files it does have are both generated by Plesk. So I see no way to compensate for what Plesk is not allowing me to do (revert to "Unknown").

In any case, I could never delete whatever certificate is assigned in Plesk, because Plesk sees it as being in use. Nor do I feel good with just overwriting the Plesk certs "dovecot.pem" and "postfix.pem" - whenever Plesk regenerates it's config, my .pem files would get overwritten.

What really gets my goat is when a system defines it's own way of doing things and does not give you any opt-out possibility. Look at the choice of word: Not "None" but "Unknown" - implying that Plesk intends to do this - whether I want or not. I find that disrespectful, and an unneccessary straight-jacket.

SO my question: What Database entries do I need to edit to get back to heavenly "unknown"?

Thanks! Tim
 
Now I worked this out for myself:

In Plesk: Tools & Settings | SSL/TLS Certificates | Certificate for securing mail

> If this is NOT "Unknown" then Plesk tries to manage the default certificates for Dovecot and Postfix.

o Once selected, Plesk GUI offers no way back. To get back to "Unknown" delete two records from Plesk DB:

o Tools & Settings | Database Servers | Tools-Icon on far right of MySQL (phpMyAdmin opens in new tab)

o Select Table "ServiceNodeConfiguration"

o Delete the 2 records named "inbound_ssl_cert_id" + "inbound_ssl_cert_id" in section "mailServer"

o At the GUI, we are now back to "Unknown" - but must regenerate the Postfix & Dovecot configs.

# /usr/local/psa/bin/repair --mail (hit Enter to accept "Y")

> That regenerates Postfix's main.cf to use /etc/postfix/postfix_default.pem -
but leaves /etc/dovecot/conf.d/11-plesk-security-ssl.conf unchanged )-:

# plesk sbin sslmng --services=dovecot --certificate --cert=

> That works to get /etc/dovecot/conf.d/11-plesk-security-ssl.conf back to using /etc/dovecot/private/ssl-cert-and-key.pem
 
I too have problems regarding this issue, since i was just rechecking my SSL settings and forgot i should't change the default option on "certificate for securing mail" :(

So now i don't know what is the best option to solve the issue...

@IgorG said that choosing default Plesk certificate is the same as Unknown from what i unserstood - is that right?

or

Should i restore a previous made backup, and if so what is the option i should use just to restore that option? Or if i restore

or

Should i edit the PSA db and delete the records "inbound_ssl_cert_id" and "inbound_ssl" (i believe @TimReeves was refering to these entries, since the two entries on his answer are the same) and then run the commands on SSH to regenerate Postfix & Dovecot configs?
From what i understand, the commands i should run are:
/usr/local/psa/bin/repair --mail
and
plesk sbin sslmng --services=dovecot --certificate --cert=

right? Can someone confirm this fixed the issue?

Plesk GUI should have the option to just choose Unknown again so that we can restore the original settings!!
 
Last edited:
Hi Necroman,

Necroman said:
@IgorG said that choosing default Plesk certificate is the same as Unknown from what i unserstood - is that right?
Click to expand...

yes, Necroman, IgorG 's statement is actually still correct and it is a possible work-around to choose the "NONE" - option ( which is actually missing )

Necroman said:
Should i edit the PSA db and delete the records "inbound_ssl_cert_id" and "inbound_ssl" (i believe @TimReeves was refering to these entries, since the two entries on his answer are the same) and then run the commands on SSH to regenerate Postfix & Dovecot configs?
Click to expand...
TimReeves said:
Delete the 2 records named "inbound_ssl_cert_id" + "inbound_ssl_cert_id" in section "mailServer"
Click to expand...
Even that you might notice some kind of "double entries", this doesn't eventually means, that the these two locations and it 's entries define the very same possible option(s) in your PSA - database. Pls. follow the step-by-step description from @TimReeves, as he provided the absolute correct way here, to solve the issue.:)
 
I assume it should work for CentOS too, as we are talking about the database entries - I can't imagine any reason why they would be different. But I don't know for certain as I don't have any server with CentOS. I recommend to just try it - after all, you can easily revert by making a change in the Plesk GUI if it does not work as expected.
 
Well, I try.. and it's work !
But I find only one entry "inbound_ssl_cert_id" in section "mailServer".
(so the second command doesn't work, but i think it's because i have removed only one entry?)
But it's work !
Thanks for all !
 
TimReeves
Hi

I have the same problem - I followed your tutorial to the item
plesk sbin sslmng --services=dovecot --certificate --cert=

The command in my centos 7 says

ERROR: the argument for option '--cert' should follow immediately after the equal sign
Run sslmng --help to view help.
exit status 2


Can you help me ?


TimReeves said:
Now I worked this out for myself:

In Plesk: Tools & Settings | SSL/TLS Certificates | Certificate for securing mail

> If this is NOT "Unknown" then Plesk tries to manage the default certificates for Dovecot and Postfix.

o Once selected, Plesk GUI offers no way back. To get back to "Unknown" delete two records from Plesk DB:

o Tools & Settings | Database Servers | Tools-Icon on far right of MySQL (phpMyAdmin opens in new tab)

o Select Table "ServiceNodeConfiguration"

o Delete the 2 records named "inbound_ssl_cert_id" + "inbound_ssl_cert_id" in section "mailServer"

o At the GUI, we are now back to "Unknown" - but must regenerate the Postfix & Dovecot configs.

# /usr/local/psa/bin/repair --mail (hit Enter to accept "Y")

> That regenerates Postfix's main.cf to use /etc/postfix/postfix_default.pem -
but leaves /etc/dovecot/conf.d/11-plesk-security-ssl.conf unchanged )-:

# plesk sbin sslmng --services=dovecot --certificate --cert=

> That works to get /etc/dovecot/conf.d/11-plesk-security-ssl.conf back to using /etc/dovecot/private/ssl-cert-and-key.pem
Click to expand...
 
I have just found out that Plesk online documentation for sslmng is somewhere between lacking and non-existent. And it's been a while since I had this issue.
All I can suggest is to try naming the certificate explicitly:
# plesk sbin sslmng --services=dovecot --certificate --cert=/etc/dovecot/private/ssl-cert-and-key.pem

But I haven't tried this, so don't blame me :)
I nowadays use the features of the SSLIt! Extension in Plesk, which has obsoleted managing SSL-Certs outside of Plesk for me.
 
You must log in or register to reply here.

Similar threads

D
Issue can only create webmail certificates
Replies
1
Views
354
deepnpisgah
D
S
Question Mail subdomains with wrong TLS certificate (e.g. imap.example.tld)
Replies
1
Views
228
Kaspar
K
Azurel
Resolved Mail for "Let`s Encrypt certificates for ***** have been issued/renewed" missing?
Replies
2
Views
237
Azurel
Azurel
carlsson
Issue Mail on Plesk, web on other provider, how do I create a correct SSL?
Replies
2
Views
133
carlsson
carlsson
C
Issue How to install SSL Lets encrypt only for mail.mydomain.com and webmail.mydomain.com?
Replies
1
Views
983
Peter Debik
P
Back
Top