• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Forwarded to devs ECDSA prohibits using Let's Encrypt certificate to protect mail server

Bitpalast

Bitpalast

Plesk addicted!
Plesk Guru
TITLE:
False mail security SSL certificate applied to .pem files while GUI displays correct selection
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:
Plesk 17.8, latest patches
CentOS 7.6
PROBLEM DESCRIPTION:
Created a "Let's Encrypt" certificate for the host name. Made it "default" certificate. Then used this certificate to secure the Plesk website and mail service. The certificate files on are updated (verified by timestamp), but no matter what is selected as the certificate to secure the mail server, they always show the Plesk default certificate content.​
STEPS TO REPRODUCE:
Fresh Plesk install.
Create a Lets Encrypt certificate for the server (use the one created during installation).
Secure the server with this Lets Encrypt certificate.

Look at postfix.pem:
[root@... conf.d]# ll /etc/postfix/postfix.pem
-rw------- 1 root root 2888 Jan 26 19:49 /etc/postfix/postfix.pem

Look into certificate:
[root@... conf.d]# openssl x509 -in /etc/postfix/postfix.pem -text -noout | grep -i subject | head -1
Subject: C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/[email protected]

Now use the Lets Encrypt certificate to secure the mail server. Then check file timestamp again:
[root@... conf.d]# ll /etc/postfix/postfix.pem
-rw------- 1 root root 2888 Jan 26 19:58 /etc/postfix/postfix.pem

The timestamp has changed, naturally, because the .pem file needed to be updated. But check content again:
[root@bode conf.d]# openssl x509 -in /etc/postfix/postfix.pem -text -noout | grep -i subject | head -1
Subject: C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/[email protected]

--> The file was changed, but the content is not the expected Lets Encrypt certificate with the correct domain name, but still the Plesk default certificate.​
ACTUAL RESULT:
Wrong .pem certificate content, coming from Plesk default certificate.​
EXPECTED RESULT:
Correct .pem certificate content, coming from Lets Encrypt certificate.​
ANY ADDITIONAL INFORMATION:
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:
Confirm bug
 

Attachments

  • letsencrypt_error2.jpg
    letsencrypt_error2.jpg
    75.4 KB · Views: 3
Found the bug: The issue is caused by the new ECDSA setting!

When this is used in panel.ini:

[ext-letsencrypt]
key-algorithm = ECDSA
ecdsa-curve-name = prime256v1 ; can be omitted

The certificates will NOT work to secure the mail server.

After I have removed the setting and re-generated the certificates they could be used to secure the mail server.
 
Hi Peter,
It's a known bug already reported as EXTLETSENC-650
 
You must log in or register to reply here.

Similar threads

H
Resolved Problem with install Let's Encrypt SSL/TLS certificate
Replies
6
Views
2K
HungLuu
H
W
Question Wanted: Best practice for certificates (Lets Encrypt) two separate Plesk servers for www and mail
2
Replies
20
Views
2K
W4ru
W
L
Issue ( authorization token is unavailable ) Could not issue/renew Let`s Encrypt certificates
Replies
7
Views
2K
Leta
L
flederwiesel
Question `SSLVerifyClient require` -> AH10158: cannot perform post-handshake authentication
Replies
0
Views
670
flederwiesel
flederwiesel
defcon8
Issue SMTP SSL Certificate Expired
Replies
2
Views
1K
defcon8
defcon8
Back
Top