• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question Creating SSL Certificate using Let's Encrypt for mail-only domain

Campbell McCracken

New Pleskian
I have a domain on Plesk that's mail only - the web is hosted elsewhere. I want to create a Let's Encrypt certificate for it to protect webmail and IMAP/POP/SMTP. But Let's Encrypt only tries to validate the domain using the web DNS. This obvisouly fails since the web is elsewhere. Is there a way round this problem?
 
I have a domain on Plesk that's mail only - the web is hosted elsewhere. I want to create a Let's Encrypt certificate for it to protect webmail and IMAP/POP/SMTP. But Let's Encrypt only tries to validate the domain using the web DNS. This obvisouly fails since the web is elsewhere. Is there a way round this problem?
I have the case too, but it's more an problem of let's encrypt operation than an plesk problem... let's encrypt need to access to real web hosting to validate an SSL... So the only way, is that we have an FTP option in plugin... and plugin will able to move by FTP file test of let's encrypt to the remote FTP real webhosting, it's not an simple task but sometime plesk team will be able review the possibility of this.
 
On a cPanel server, the free 'AutoSSL' service will try to validate:
domain.tld
www.domain.tld
mail.domain.tld
and will create a certificate for whichever (sub)domains it can validate.

So on a mail-only cPanel account it's happy to only create the certificate for mail.domain.tld (assuming the DNS for mail.domain.tld points to the server of course).

So what's the preferred method of generating certificates to protect webmail and IMAP/POP/SMTP logins for a mail-only Plesk domain?
 
On a cPanel server, the free 'AutoSSL' service will try to validate:
domain.tld
www.domain.tld
mail.domain.tld
and will create a certificate for whichever (sub)domains it can validate.

So on a mail-only cPanel account it's happy to only create the certificate for mail.domain.tld (assuming the DNS for mail.domain.tld points to the server of course).

So what's the preferred method of generating certificates to protect webmail and IMAP/POP/SMTP logins for a mail-only Plesk domain?

if domain.tld don't work and domain.tld/.well-known/acme-challenge don't accesible, you are also able to create SSL on cpanel? If it's the case, I don't know how they do it because the return check from let's encrypt is always on this url... in plesk, in cpanel and in any server included without any panel control.
 
if domain.tld don't work and domain.tld/.well-known/acme-challenge don't accesible, you are also able to create SSL on cpanel? If it's the case, I don't know how they do it because the return check from let's encrypt is always on this url... in plesk, in cpanel and in any server included without any panel control.
The process seems to be: 1. Identify the domains/subdomains for the cPanel count; 2. Try to validate each of these by placing a file in the /.well-known/ folder; 3. Issue certificates for the validated domains/subdomains. So for a mail-only service, it will identify the domain and the www. and mail. subdomains, but will only be able to validate the mail. subdomain (as the others are on a separate server) and so only issue a certificate for the mail. subdomain. But the point is that is does issue the certificate.
 
The process seems to be: 1. Identify the domains/subdomains for the cPanel count; 2. Try to validate each of these by placing a file in the /.well-known/ folder; 3. Issue certificates for the validated domains/subdomains. So for a mail-only service, it will identify the domain and the www. and mail. subdomains, but will only be able to validate the mail. subdomain (as the others are on a separate server) and so only issue a certificate for the mail. subdomain. But the point is that is does issue the certificate.
Well, you can issue en ssl for mail.domain.com ( certbot -d mail.domain.com ) if you have an webspace for this name, sometime cpanel able to this and this would be the way to do it with plesk ( @IgorG can you review this? )
 
At the moment you can't issue LE certificate for mail services without physical hosting. We have already similar request where you can vote for this feature Use "Let's encrypt" to secure IMAP/POP/SMTP connections
Soon it will be possible to issue LE certificate to the webmail without physical hosting. We are working on it.
No ETA for the initial request.
 
At the moment you can't issue LE certificate for mail services without physical hosting. We have already similar request where you can vote for this feature Use "Let's encrypt" to secure IMAP/POP/SMTP connections
Soon it will be possible to issue LE certificate to the webmail without physical hosting. We are working on it.
No ETA for the initial request.
But you can issue an ssl for mail.domain.tld, supposing you make an alias to an webhosting to this subdomain to create necesarry files check?
 
But you can issue an ssl for mail.domain.tld, supposing you make an alias to an webhosting to this subdomain to create necesarry files check?
Yes, you can do so. But it is better to use not mail.domain.tld, but domain.tld for mail, then there will be fewer problems.
 
Yes, you can do so. But it is better to use not mail.domain.tld, but domain.tld for mail, then there will be fewer problems.

Ok and any way to put FTP parameter options in plugin to connect to real domain.tld hosting and can get correct SSL? or directly obtain fullchain & key from other server? sometime is other good way
 
We also have clients that only have email service with us.
A good workaround was PLESK add webmail.customerdomain.tld as a server name indication (SNI). Is this possible?
 
We started to use acme.sh for issuing wildcard certificates in such cases

If DNS for the domain runs on your Plesk server or any of the ~150 supported DNS servers (see dnsapi · acmesh-official/acme.sh Wiki) the creation and renewal of the certificate will work fully automated and does require no future intervention after the initial setup.

So, for example if your Plesk server is also the DNS for this domain, it would work like this:

1) install acme.sh on your server (email address is where LetsEncrypt will send notify mails in case renewal fails)
Code:
curl https://get.acme.sh | sh -s [email protected]

2) specify Plesk XML-API credentials (if you successfully issue a certificate once, these credentials are stored in a config file and you can skip this step in the future)
Code:
export pleskxml_uri="https://your.plesk-server.name:8443/enterprise/control/agent.php"
export pleskxml_user="plesk_user"
export pleskxml_pass="plesk_pass"

3) issue wildcard certificate for your domain (just replace example.com with your own domain and you can simply copy & paste everything else below in step 3-5)
Code:
DOMAIN=example.com
~/.acme.sh/acme.sh --issue --dns dns_pleskxml --server letsencrypt --preferred-chain "ISRG Root X1" -d $DOMAIN -d *.$DOMAIN --renew-hook "/usr/sbin/plesk bin certificate -u acme.sh_wildcard -domain $DOMAIN -key-file ~/.acme.sh/$DOMAIN/$DOMAIN.key -cert-file ~/.acme.sh/$DOMAIN/$DOMAIN.cer -cacert-file ~/.acme.sh/$DOMAIN/ca.cer"

4) importing certificate into Plesk
Code:
/usr/sbin/plesk bin certificate -c acme.sh_wildcard -domain $DOMAIN -key-file ~/.acme.sh/$DOMAIN/$DOMAIN.key -cert-file ~/.acme.sh/$DOMAIN/$DOMAIN.cer -cacert-file ~/.acme.sh/$DOMAIN/ca.cer

5) assigning certificate to mail services of domain (you can also easily do that in the Plesk webinterface)
Code:
/usr/sbin/plesk bin subscription_settings --update $DOMAIN -webmail_certificate acme.sh_wildcard
/usr/sbin/plesk bin subscription_settings --update $DOMAIN -mail_certificate acme.sh_wildcard


CAVEAT!
While acme.sh automatically renews the certificate every 60 days and also updates it within Plesk (this is what the --renewal-hook parameter is for), Plesk itself does only automatically reload the nginx/apache2 webserver when this happens, but not Postfix or Dovecot.
So the mail services may not use the new certificates for a couple hours. (till Postfix/Dovecot service gets reloaded due to other circumstances)
But as far as I know, this does also apply for Plesks own certificates that are used for mail services...
 
Back
Top