
Resolved Certificate Invalid

aliknox

New Pleskian
Hi All, I've been going round in circles with this, and there seem to be a lot of individuals having the same problem. But I can't work out the solution from the other posts.

Using Plesk Obsidian 18.0.32.

Basically the Let's Encrypt certificate expired and all devices, whether they're Outlook on a laptop or a mail app on Samsung and iOS, stopped working saying the certificate is invalid. I have renewed the certificate and still experience the same problem.

The main certificate setup on the server is the same, as is the Certificate for securing mail, and the certificates on the domain.

Is anyone able to help with this issue?

Thanks,

Ali
 
The main certificate setup on the server is the same, as is the Certificate for securing mail, and the certificates on the domain.
The certificate of the server cannot be the same as the certificate of a domain unless you choose that the domain shall be protected by the default server certificate. I have also not heard before of "many people" having the same issue. Actually, at least for me, I encounter this description for the first time. Could you please be more specific and provide some more insight into your setup, e.g.

- a screenshot of the actual host certificate setup (Tools & Settings > Security > SSL/TLS certificates)
- Please click on the certificate name from "... from server pool" at the "Certificate for securing Plesk" and "Certificate for securing mail" and please provide a screenshot from the result, too. Does the certificate domain name match the host's main domain name? That is the domain you also use when logging in to Plesk on port 8443.
- From the browser that in your case should show a broken padlock, please check the details of what is displayed there as the certificate, especially the expiration date, screenshot preferred.
- Are your mail clients connecting to the host using the correct host name? Or are they using a domain name, subdomain name or anything else that is not actually covered by the host's cert that is configured on the Tools & Settings > Security > SSL/TLS certificates page?
- When you renew the host's certificate, does it renew without showing errors?
 
Hi Peter,

Apologies - I meant that a number of individuals are experiencing the same certificate issue when trying to access via Outlook etc.

Below are the SSL certs from Tools & Settings

1609277525210.png

I logon to the Plesk server at tradeplanthire.co.uk:8443

The website certificate is fine and is working with a locked padlock, and webmail.tradeplanthire.co.uk is also working; it's just when I use a device that it says invalid certificate, as per below.

1609278007967.png

The email clients are connecting using the domain name as above using the secure ports.

When I try and connect using Outlook on a laptop it just says there's been a problem, but in Android, iOS and Mac mail it says there's an issue with the certificate. What I don't understand is that the system has been working for three months until it expired. That's what's confused me.

Thank you for any help.

Ali
 
Please go to Tools & Settings > General Settings > Server Settings and check the field content of "Full host name". Is it "tradeplanthire.co.uk"?

Normally, for "Certificate for securing mail" the "Let's Encrypt certificate from server pool" should be selected just as it has been selected for "... securing Plesk". The clients should connect to the host name that is set in "Full host name" of "Server settings". In that constellation, no certificate error should appear.
 
Thanks, tradeplanthire.co.uk is the Server Setting, and I've changed the securing mail to the "Let's Encrypt certificate from server pool" and still no joy.
Not sure where to go next.
 
Are the mail clients using the exact name "tradeplanthire.co.uk" as incoming and outgoing mail server? It must be the exact same name, not some subdomain like "pop3.tradeplanthire.co.uk" or "imap. ..." or "smtp. ...", but the domain name only, nothing added.

Here is an article that provides some methods for verifying whether, or which, certificate is being used:
 
It all seems OK other than I was expecting
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=PLAIN IDLE ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2004 Double Precision, Inc. See COPYING for distribution information.

But I got this instead, does this mean webmail only?


OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH= PLAIN AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5] Dovecot ready.
 
Hey Peter, do you have any thoughts? Everything seems to be working OK, but we can't connect any devices.

Using the Article you provided I've checked the certs, everything apart from the above seems OK?

Not sure where to go next.

Thanks for your support.

Ali
 
I've tried to connect to your host using mail software. This reports that the maximum number of connections to your host was exceeded. Maybe the error is not SSL but something else, e.g. the number of concurrent connections to the mail server, which is limited on your server?
 
Thanks, Peter, yes I've checked that, and it's set to 1024, yet we only have 6 users with a max of 3 devices each.

It's driving me insane :)
 
When I try to verify the certificate from here, it returns

Code:
# openssl s_client -showcerts -connect tradeplanthire.co.uk:993 -servername tradeplanthire.co.uk
CONNECTED(00000003)
140618950907792:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 318 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1609337064
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

The same test for port 995 fails. It seems that there is no POP3 service running on the host behind tradeplanthire.co.uk or the port is being blocked. Why is that port unavailable?

This is very unusual. It means that there is no certificate set in your mail server. It's not a wrong certificate, it's none. Are you sure that tradeplanthire.co.uk is pointing to the correct IP address of your host?

A test with port 465 (SMTP) works fine.

On a default Plesk installation, tests against all three ports 993, 995 and 465 must succeed and must return the same certificate.
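As an added example (not from this thread, and not Plesk's own tooling), the port checks above and the later advice about the certificate selected in the domain's mail settings, turned into a small probe: it opens implicit TLS on 993, 995 and 465, fingerprints whatever certificate each port presents, and reports ports that are unreachable (firewall), handshakes that end with no certificate (the "no peer certificate available" case), and certificates that differ between ports. The port-to-service map and the wording of the findings are my assumptions; the host name is whatever you pass to check_host().

```python
import hashlib
import socket
import ssl

# Implicit-TLS mail ports that a default Plesk host must all answer with the
# same certificate (the thread's check against 993, 995 and 465).
MAIL_PORTS = {993: "IMAPS", 995: "POP3S", 465: "SMTPS"}


def probe_port(host, port, timeout=5.0):
    """Open TLS on an implicit-TLS port and report what the server presented."""
    ctx = ssl.create_default_context()
    # Verification is off on purpose: an expired or mismatched certificate must
    # still be fetched and fingerprinted so we see what mail clients are shown.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
    except ssl.SSLError as exc:  # handshake aborted: openssl's "no peer certificate"
        return {"status": "no_cert", "error": str(exc)}
    except OSError as exc:       # refused, dropped by the firewall, or timed out
        return {"status": "unreachable", "error": str(exc)}
    if not der:
        return {"status": "no_cert", "error": "server sent no certificate"}
    return {"status": "ok", "sha256": hashlib.sha256(der).hexdigest()}


def diagnose(results):
    """Turn {port: probe result} into findings; an empty list means healthy."""
    findings, fingerprints = [], {}
    for port, res in sorted(results.items()):
        name = f"{MAIL_PORTS.get(port, 'port')} {port}"
        if res["status"] == "unreachable":
            findings.append(f"{name}: unreachable; check that the firewall allows the port")
        elif res["status"] == "no_cert":
            findings.append(f"{name}: handshake without a certificate; check the "
                            "certificate selected in the domain's mail settings")
        else:
            fingerprints[port] = res["sha256"]
    if len(set(fingerprints.values())) > 1:
        shown = ", ".join(f"{p}={fp[:16]}" for p, fp in fingerprints.items())
        findings.append(f"ports present different certificates: {shown}")
    return findings


def check_host(host):
    """Probe every mail port of host; returns findings (empty means all match)."""
    return diagnose({port: probe_port(host, port) for port in MAIL_PORTS})
```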
 
If you cannot solve the issue, I suggest contacting Plesk support. Maybe they can look into your machine and solve the issue on the machine.
 
Thanks Peter, just to confirm, are you talking about the ports on the host environment where Plesk is installed?

1609337747667.png
 
Yes, these ports. So port 995 is missing, meaning that one cannot connect to POP3 from the outside (ports not listed with "allow" are leading to rejects in the firewall). That explains why the test against port 995 fails. It does not explain why a test against port 993 delivers an empty certificate.

I have an idea though: Is tradeplanthire.co.uk not only used as the host domain, but also a website (subscription or domain) on the server? Could it be possible that you have activated SNI and have not yet configured the SSL certificate in the email configuration of that subscription? That could explain why port 993 does not have a certificate, and that again could explain why your clients are getting the certificate error.

Mail Settings of the domain must have the certificate selected. If you have "not selected" there, change it to your domain's certificate.

mailsettings01.jpg
 
Thanks Peter, yes, the selected area is using the Let's Encrypt certificate. To answer your other questions:

I have an idea though: Is tradeplanthire.co.uk not only used as the host domain, but also a website (subscription or domain) on the server?
[ali] Yes they are both using tradeplanthire.co.uk

Could it be possible that you have activated SNI and have not yet configured the SSL certificate in the email configuration of that subscription?
[ali] I don't believe this has been activated, but I don't know how to.

That could explain why port 993 does not have a certificate, and that again could explain why your clients are getting the certificate error.
 
I'd also like to add that in this case the certificate used by your domain (not the host certificate) needs mail protection enabled. For example, when you issue a Let's Encrypt certificate with the SSL It! extension, you need to check the
"Assign the certificate to mail domain"
checkbox. So, just to be sure, click "Reissue" for your certificate, check the box, click "Get it free", then select that certificate in the general mail settings of the subscription, save it, then test again against port 993.
 