• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Forwarded to devs ECDSA prohibits using Let's Encrypt certificate to protect mail server

Bitpalast

Bitpalast

Plesk addicted!
Plesk Guru
TITLE:
False mail security SSL certificate applied to .pem files while GUI displays correct selection
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:
Plesk 17.8, latest patches
CentOS 7.6
PROBLEM DESCRIPTION:
Created a "Let's Encrypt" certificate for the host name. Made it "default" certificate. Then used this certificate to secure the Plesk website and mail service. The certificate files on are updated (verified by timestamp), but no matter what is selected as the certificate to secure the mail server, they always show the Plesk default certificate content.​
STEPS TO REPRODUCE:
Fresh Plesk install.
Create a Lets Encrypt certificate for the server (use the one created during installation).
Secure the server with this Lets Encrypt certificate.

Look at postfix.pem:
[root@... conf.d]# ll /etc/postfix/postfix.pem
-rw------- 1 root root 2888 Jan 26 19:49 /etc/postfix/postfix.pem

Look into certificate:
[root@... conf.d]# openssl x509 -in /etc/postfix/postfix.pem -text -noout | grep -i subject | head -1
Subject: C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/[email protected]

Now use the Lets Encrypt certificate to secure the mail server. Then check file timestamp again:
[root@... conf.d]# ll /etc/postfix/postfix.pem
-rw------- 1 root root 2888 Jan 26 19:58 /etc/postfix/postfix.pem

The timestamp has changed, naturally, because the .pem file needed to be updated. But check content again:
[root@bode conf.d]# openssl x509 -in /etc/postfix/postfix.pem -text -noout | grep -i subject | head -1
Subject: C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/[email protected]

--> The file was changed, but the content is not the expected Lets Encrypt certificate with the correct domain name, but still the Plesk default certificate.​
ACTUAL RESULT:
Wrong .pem certificate content, coming from Plesk default certificate.​
EXPECTED RESULT:
Correct .pem certificate content, coming from Lets Encrypt certificate.​
ANY ADDITIONAL INFORMATION:
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:
Confirm bug
 

Attachments

  • letsencrypt_error2.jpg
    letsencrypt_error2.jpg
    75.4 KB · Views: 3
Found the bug: The issue is caused by the new ECDSA setting!

When this is used in panel.ini:

[ext-letsencrypt]
key-algorithm = ECDSA
ecdsa-curve-name = prime256v1 ; can be omitted

The certificates will NOT work to secure the mail server.

After I have removed the setting and re-generated the certificates they could be used to secure the mail server.
 
Hi Peter,
It's a known bug already reported as EXTLETSENC-650
 
You must log in or register to reply here.

Similar threads

L
Issue ( authorization token is unavailable ) Could not issue/renew Let`s Encrypt certificates
Replies
7
Views
349
Leta
L
R
Issue SSL/TLS cert for mail server not updating (Lets Encrypt)
Replies
2
Views
890
tessa67
T
Quinten
Resolved Lets Encrypt for mails server problem
Replies
2
Views
471
Quinten
Quinten
M
Resolved Let's encrypt webmail keeps using old certificate
Replies
5
Views
1K
Peter Debik
P
M
Resolved Help request: SSL certificate seems to have trust issues. How to resolve?
Replies
4
Views
853
MHC_1
M
Back
Top