
Forwarded to devs Certificate not assigned to mailserver (mail.) over ipv6

Lexz

Username: Lexz

TITLE

Certificate not assigned to mailserver (mail.) over ipv6

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk Obsidian on Centos7

PROBLEM DESCRIPTION

Good afternoon,

We are experiencing a big issue on all our servers.
Customers who are using mail.<domainname>.com as their mailserver don't have a valid certificate on ipv6 in their mailclients (port 993 / 465).

We use the Plesk DNS with wildcard certificates from Let's Encrypt.
On ipv4 everything seems to work fine.

Hope someone can help us with this issue.
Thank you in advance.

STEPS TO REPRODUCE

Sign a domain with a Let's Encrypt wildcard domain and assign the certificate to the mailserver of the client.

ACTUAL RESULT

On validation of the certificate on mail.<domain>.com with port 993 / 465 over ipv6, the server returns the certificate of the serverhostname instead of the wildcard. It seems to work over ipv4.

EXPECTED RESULT

The wildcard domain should be assigned to the mailserver mail.<domain>.com over ipv4 and ipv6

ANY ADDITIONAL INFORMATION



YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
 
Hello @Lexz,

Thank you for your report. Unfortunately, I couldn't reproduce the issue on a test server.
I created a domain assigned to an IPv6 address only. Then I issued a wildcard Let's Encrypt certificate and assigned it to the mail domain.

Next I checked the certificate using two variants:
- script
PHP:
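<?php
// Open an implicit-TLS connection and dump whichever certificate the server presents.
// Verification is disabled on purpose so that a mismatching certificate is still captured.
$stream = stream_context_create([
    "ssl" => [
        "verify_peer" => false,
        "verify_peer_name" => false,
        "capture_peer_cert" => true,
    ],
]);
$timeout = 30.0;
$idnAddress = "your-domain-name"; // placeholder: the mail hostname to check
$port = 993;
$protocol = 'ssl';
$socketAddress = "{$protocol}://{$idnAddress}:{$port}";
$client = @stream_socket_client($socketAddress, $errNo, $errStr, $timeout, STREAM_CLIENT_CONNECT, $stream);
if ($client === false) {
    // RuntimeException replaces the Plesk-internal \Atf_Exception so the script runs stand-alone.
    throw new \RuntimeException("Failed to open '{$socketAddress}': {$errStr}", $errNo);
}
// The captured certificate is stored in the stream context options.
$cont = stream_context_get_params($client);
$certInfo = openssl_x509_parse($cont["options"]["ssl"]["peer_certificate"]);
var_dump($certInfo);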

- console command
Bash:
echo | openssl s_client -showcerts -servername testdomain.tld -connect testdomain.tld:993 2>/dev/null | openssl x509 -inform pem -noout -text

It seems you should contact our support team via the Plesk Help Center to investigate this issue in more detail.
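A way to run the check from this thread once per address family, as an added example that is not part of the original posts: it forces IPv4 and then IPv6 with the same SNI name and reports whether each leaf certificate covers the mail hostname. It assumes OpenSSL 1.1.0 or later for `s_client -4`/`-6`; the function names and the `mail.example.com` hostname are illustrative.

```shell
#!/bin/sh
# Added example. Usage: sh check_mail_cert.sh mail.example.com 993
# Assumption: OpenSSL 1.1.0+ on the machine running the check.

# san_covers HOST SAN_LINE -> exit 0 if a DNS entry in SAN_LINE covers HOST.
# SAN_LINE is the line openssl prints, e.g. "DNS:*.example.com, DNS:example.com".
san_covers() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '%s\n' "$2" | tr ',' '\n' | tr 'A-Z' 'a-z' | (
        while read -r entry; do
            name=${entry#dns:}
            parent=${host#*.}            # host without its left-most label
            [ "$name" = "$host" ] && exit 0
            # A wildcard stands for exactly one label: *.example.com covers mail.example.com only.
            [ "$parent" != "$host" ] && [ "$name" = "*.$parent" ] && exit 0
        done
        exit 1
    )
}

# probe FAMILY HOST PORT -> prints "FINGERPRINT|SAN_LINE" of the leaf certificate ("|" on failure).
probe() {
    pem=$(openssl s_client "-$1" -servername "$2" -connect "$2:$3" </dev/null 2>/dev/null)
    fp=$(printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2)
    san=$(printf '%s\n' "$pem" | openssl x509 -noout -text 2>/dev/null |
          sed -n '/Subject Alternative Name/{n;s/^ *//;p;}')
    printf '%s|%s\n' "$fp" "$san"
}

# report HOST FP4 SAN4 FP6 SAN6 -> one line per family; returns 1 if either family fails.
report() {
    rc=0
    for fam in 4 6; do
        if [ "$fam" = 4 ]; then fp=$2 san=$3; else fp=$4 san=$5; fi
        if [ -z "$fp" ]; then echo "IPv$fam: no certificate received"; rc=1
        elif san_covers "$1" "$san"; then echo "IPv$fam: OK, fingerprint $fp"
        else echo "IPv$fam: certificate does not cover $1 ($san)"; rc=1
        fi
    done
    [ -z "$2" ] || [ -z "$4" ] || [ "$2" = "$4" ] || echo "note: IPv4 and IPv6 serve different certificates"
    return "$rc"
}

if [ "$#" -ge 1 ]; then
    port=${2:-993}
    r4=$(probe 4 "$1" "$port")
    r6=$(probe 6 "$1" "$port")
    report "$1" "${r4%%|*}" "${r4#*|}" "${r6%%|*}" "${r6#*|}"
fi
```

A non-zero exit status means at least one address family returned no certificate or one that does not cover the hostname, which is the symptom described in the report above.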
 