• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Forwarded to devs ECDSA prohibits using Let's Encrypt certificate to protect mail server

Bitpalast

Bitpalast

Plesk addicted!
Plesk Guru
TITLE:
False mail security SSL certificate applied to .pem files while GUI displays correct selection
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:
Plesk 17.8, latest patches
CentOS 7.6
PROBLEM DESCRIPTION:
Created a "Let's Encrypt" certificate for the host name. Made it "default" certificate. Then used this certificate to secure the Plesk website and mail service. The certificate files on are updated (verified by timestamp), but no matter what is selected as the certificate to secure the mail server, they always show the Plesk default certificate content.​
STEPS TO REPRODUCE:
Fresh Plesk install.
Create a Lets Encrypt certificate for the server (use the one created during installation).
Secure the server with this Lets Encrypt certificate.

Look at postfix.pem:
[root@... conf.d]# ll /etc/postfix/postfix.pem
-rw------- 1 root root 2888 Jan 26 19:49 /etc/postfix/postfix.pem

Look into certificate:
[root@... conf.d]# openssl x509 -in /etc/postfix/postfix.pem -text -noout | grep -i subject | head -1
Subject: C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/[email protected]

Now use the Lets Encrypt certificate to secure the mail server. Then check file timestamp again:
[root@... conf.d]# ll /etc/postfix/postfix.pem
-rw------- 1 root root 2888 Jan 26 19:58 /etc/postfix/postfix.pem

The timestamp has changed, naturally, because the .pem file needed to be updated. But check content again:
[root@bode conf.d]# openssl x509 -in /etc/postfix/postfix.pem -text -noout | grep -i subject | head -1
Subject: C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/[email protected]

--> The file was changed, but the content is not the expected Lets Encrypt certificate with the correct domain name, but still the Plesk default certificate.​
ACTUAL RESULT:
Wrong .pem certificate content, coming from Plesk default certificate.​
EXPECTED RESULT:
Correct .pem certificate content, coming from Lets Encrypt certificate.​
ANY ADDITIONAL INFORMATION:
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:
Confirm bug
 

Attachments

  • letsencrypt_error2.jpg
    letsencrypt_error2.jpg
    75.4 KB · Views: 3
Found the bug: The issue is caused by the new ECDSA setting!

When this is used in panel.ini:

[ext-letsencrypt]
key-algorithm = ECDSA
ecdsa-curve-name = prime256v1 ; can be omitted

The certificates will NOT work to secure the mail server.

After I have removed the setting and re-generated the certificates they could be used to secure the mail server.
 
Hi Peter,
It's a known bug already reported as EXTLETSENC-650
 
You must log in or register to reply here.

Similar threads

Quinten
Resolved Lets Encrypt for mails server problem
Replies
2
Views
181
Quinten
Quinten
M
Resolved Let's encrypt webmail keeps using old certificate
Replies
5
Views
1K
Peter Debik
P
M
Forwarded to devs Mail certificate is no longer assigned after it gets renewed by Let's Encrypt
Replies
11
Views
5K
Peter Debik
P
P
Issue Check SSL certificates from command line
Replies
7
Views
2K
PeterKi
P
B
Resolved secure Plesk hostname on port 8443 with an SSL certificate Let's Encrypt ERROR
Replies
2
Views
2K
Butcher
B
Back
Top