• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Question Creating SSL Certificate using Let's Encrypt for mail-only domain

C

Campbell McCracken

New Pleskian
I have a domain on Plesk that's mail only - the web is hosted elsewhere. I want to create a Let's Encrypt certificate for it to protect webmail and IMAP/POP/SMTP. But Let's Encrypt only tries to validate the domain using the web DNS. This obvisouly fails since the web is elsewhere. Is there a way round this problem?
 
Campbell McCracken said:
I have a domain on Plesk that's mail only - the web is hosted elsewhere. I want to create a Let's Encrypt certificate for it to protect webmail and IMAP/POP/SMTP. But Let's Encrypt only tries to validate the domain using the web DNS. This obvisouly fails since the web is elsewhere. Is there a way round this problem?
Click to expand...
I have the case too, but it's more an problem of let's encrypt operation than an plesk problem... let's encrypt need to access to real web hosting to validate an SSL... So the only way, is that we have an FTP option in plugin... and plugin will able to move by FTP file test of let's encrypt to the remote FTP real webhosting, it's not an simple task but sometime plesk team will be able review the possibility of this.
 
On a cPanel server, the free 'AutoSSL' service will try to validate:
domain.tld
www.domain.tld
mail.domain.tld
and will create a certificate for whichever (sub)domains it can validate.

So on a mail-only cPanel account it's happy to only create the certificate for mail.domain.tld (assuming the DNS for mail.domain.tld points to the server of course).

So what's the preferred method of generating certificates to protect webmail and IMAP/POP/SMTP logins for a mail-only Plesk domain?
 
Campbell McCracken said:
On a cPanel server, the free 'AutoSSL' service will try to validate:
domain.tld
www.domain.tld
mail.domain.tld
and will create a certificate for whichever (sub)domains it can validate.

So on a mail-only cPanel account it's happy to only create the certificate for mail.domain.tld (assuming the DNS for mail.domain.tld points to the server of course).

So what's the preferred method of generating certificates to protect webmail and IMAP/POP/SMTP logins for a mail-only Plesk domain?
Click to expand...

if domain.tld don't work and domain.tld/.well-known/acme-challenge don't accesible, you are also able to create SSL on cpanel? If it's the case, I don't know how they do it because the return check from let's encrypt is always on this url... in plesk, in cpanel and in any server included without any panel control.
 
sebgonzes said:
if domain.tld don't work and domain.tld/.well-known/acme-challenge don't accesible, you are also able to create SSL on cpanel? If it's the case, I don't know how they do it because the return check from let's encrypt is always on this url... in plesk, in cpanel and in any server included without any panel control.
Click to expand...
The process seems to be: 1. Identify the domains/subdomains for the cPanel count; 2. Try to validate each of these by placing a file in the /.well-known/ folder; 3. Issue certificates for the validated domains/subdomains. So for a mail-only service, it will identify the domain and the www. and mail. subdomains, but will only be able to validate the mail. subdomain (as the others are on a separate server) and so only issue a certificate for the mail. subdomain. But the point is that is does issue the certificate.
 
Campbell McCracken said:
The process seems to be: 1. Identify the domains/subdomains for the cPanel count; 2. Try to validate each of these by placing a file in the /.well-known/ folder; 3. Issue certificates for the validated domains/subdomains. So for a mail-only service, it will identify the domain and the www. and mail. subdomains, but will only be able to validate the mail. subdomain (as the others are on a separate server) and so only issue a certificate for the mail. subdomain. But the point is that is does issue the certificate.
Click to expand...
Well, you can issue en ssl for mail.domain.com ( certbot -d mail.domain.com ) if you have an webspace for this name, sometime cpanel able to this and this would be the way to do it with plesk ( @IgorG can you review this? )
 
At the moment you can't issue LE certificate for mail services without physical hosting. We have already similar request where you can vote for this feature Use "Let's encrypt" to secure IMAP/POP/SMTP connections
Soon it will be possible to issue LE certificate to the webmail without physical hosting. We are working on it.
No ETA for the initial request.
 
IgorG said:
At the moment you can't issue LE certificate for mail services without physical hosting. We have already similar request where you can vote for this feature Use "Let's encrypt" to secure IMAP/POP/SMTP connections
Soon it will be possible to issue LE certificate to the webmail without physical hosting. We are working on it.
No ETA for the initial request.
Click to expand...
But you can issue an ssl for mail.domain.tld, supposing you make an alias to an webhosting to this subdomain to create necesarry files check?
 
sebgonzes said:
But you can issue an ssl for mail.domain.tld, supposing you make an alias to an webhosting to this subdomain to create necesarry files check?
Click to expand...
Yes, you can do so. But it is better to use not mail.domain.tld, but domain.tld for mail, then there will be fewer problems.
 
IgorG said:
Yes, you can do so. But it is better to use not mail.domain.tld, but domain.tld for mail, then there will be fewer problems.
Click to expand...

Ok and any way to put FTP parameter options in plugin to connect to real domain.tld hosting and can get correct SSL? or directly obtain fullchain & key from other server? sometime is other good way
 
We also have clients that only have email service with us.
A good workaround was PLESK add webmail.customerdomain.tld as a server name indication (SNI). Is this possible?
 
We started to use acme.sh for issuing wildcard certificates in such cases

If DNS for the domain runs on your Plesk server or any of the ~150 supported DNS servers (see dnsapi · acmesh-official/acme.sh Wiki) the creation and renewal of the certificate will work fully automated and does require no future intervention after the initial setup.

So, for example if your Plesk server is also the DNS for this domain, it would work like this:

1) install acme.sh on your server (email address is where LetsEncrypt will send notify mails in case renewal fails)
Code: 
curl https://get.acme.sh | sh -s [email protected]

2) specify Plesk XML-API credentials (if you successfully issue a certificate once, these credentials are stored in a config file and you can skip this step in the future)
Code: 
export pleskxml_uri="https://your.plesk-server.name:8443/enterprise/control/agent.php"
export pleskxml_user="plesk_user"
export pleskxml_pass="plesk_pass"

3) issue wildcard certificate for your domain (just replace example.com with your own domain and you can simply copy & paste everything else below in step 3-5)
Code: 
DOMAIN=example.com
~/.acme.sh/acme.sh --issue --dns dns_pleskxml --server letsencrypt --preferred-chain "ISRG Root X1" -d $DOMAIN -d *.$DOMAIN --renew-hook "/usr/sbin/plesk bin certificate -u acme.sh_wildcard -domain $DOMAIN -key-file ~/.acme.sh/$DOMAIN/$DOMAIN.key -cert-file ~/.acme.sh/$DOMAIN/$DOMAIN.cer -cacert-file ~/.acme.sh/$DOMAIN/ca.cer"

4) importing certificate into Plesk
Code: 
/usr/sbin/plesk bin certificate -c acme.sh_wildcard -domain $DOMAIN -key-file ~/.acme.sh/$DOMAIN/$DOMAIN.key -cert-file ~/.acme.sh/$DOMAIN/$DOMAIN.cer -cacert-file ~/.acme.sh/$DOMAIN/ca.cer

5) assigning certificate to mail services of domain (you can also easily do that in the Plesk webinterface)
Code: 
/usr/sbin/plesk bin subscription_settings --update $DOMAIN -webmail_certificate acme.sh_wildcard
/usr/sbin/plesk bin subscription_settings --update $DOMAIN -mail_certificate acme.sh_wildcard


CAVEAT!
While acme.sh automatically renews the certificate every 60 days and also updates it within Plesk (this is what the --renewal-hook parameter is for), Plesk itself does only automatically reload the nginx/apache2 webserver when this happens, but not Postfix or Dovecot.
So the mail services may not use the new certificates for a couple hours. (till Postfix/Dovecot service gets reloaded due to other circumstances)
But as far as I know, this does also apply for Plesks own certificates that are used for mail services...
 
You must log in or register to reply here.

Similar threads

carlsson
Issue Mail on Plesk, web on other provider, how do I create a correct SSL?
Replies
2
Views
169
carlsson
carlsson
Quinten
Resolved Lets Encrypt for mails server problem
Replies
2
Views
140
Quinten
Quinten
D
Issue can only create webmail certificates
Replies
1
Views
398
deepnpisgah
D
Azurel
Resolved Mail for "Let`s Encrypt certificates for ***** have been issued/renewed" missing?
Replies
2
Views
291
Azurel
Azurel
futureweb
Question Issues with SSL Certificate Renewal for Mail Services in Plesk: Seeking Automated Solution via CLI or API
Replies
8
Views
295
futureweb
futureweb
Back
Top