Facebook
Twitter- Server operating system version
- Ubuntu 22.04.4 LTS
- Plesk version and microupdate number
- Version 18.0.61 Update #5
We have a new server on Plesk Obsidian 18.
In this there is SSL it! Which we have used for a number of domains on the server . However one domain is showing persistent inconsistencies with the certificate and we are unable to resolve this.
The website domain works fine, and presents no issues but email connection to the domain presents that the certificate is invalid.
Result from TLSCheck online web checker.
Checking domain.co.uk from www12-do.checktls.com(V03.74.00) at 2024-07-01T10:46:07Z:
This only appears to happen on this domain, but we can't see what's different from any other domain. DN records are turned off and DNSSEC is turned off for this domain. There appears to be an issue with some sort of caching somewhere of an older Certificate , we have repeatedly reissued certificates from "SSL it!" for the domain.
I am much more comfortable using WHM and have other SNI domains on WHM which using the same tool -- CheckTLS.com -- come up correctly. Also other domains on the same server also come up correctly, But this one doesn't but we have nothing of difference on the DNS settings on this domain.
How do we resolve this?
Thanks
In this there is SSL it! Which we have used for a number of domains on the server . However one domain is showing persistent inconsistencies with the certificate and we are unable to resolve this.
The website domain works fine, and presents no issues but email connection to the domain presents that the certificate is invalid.
Result from TLSCheck online web checker.
Checking domain.co.uk from www12-do.checktls.com(V03.74.00) at 2024-07-01T10:46:07Z:
| seconds | lookup | result | |
|---|---|---|---|
| [000.000] | DNS LOOKUPS | ||
| [000.008] | SEARCHLIST | 104.131.118.216,134.209.169.224,1.1.1.1,8.8.8.8,67.207.67.3 | |
| [000.167] | MX-->domain.co.uk | (0) domain.co.uk | |
| [000.245] | MX:A-->domain.co.uk | 123.456.678.789 |
| seconds | test stage and result | |
|---|---|---|
| [000.000] | Trying TLS on domain.co.uk[123.456.678.789:25] (0) | |
| [000.075] | Server answered | |
| [000.170] | <‑‑ | 220 server.co.uk ESMTP Postfix |
| [000.171] | We are allowed to connect | |
| [000.171] | ‑‑> | EHLO www12-do.checktls.com |
| [000.246] | <‑‑ | 250-server.co.uk 250-PIPELINING 250-SIZE 10240000 250-ETRN 250-STARTTLS 250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING |
| [000.246] | We can use this server | |
| [000.246] | TLS is an option on this server | |
| [000.247] | ‑‑> | STARTTLS |
| [000.321] | <‑‑ | 220 2.0.0 Ready to start TLS |
| [000.321] | STARTTLS command works on this server | |
| [000.414] | Connection converted to SSL | |
| SSLVersion in use: TLSv1_3 | ||
| Cipher in use: TLS_AES_256_GCM_SHA384 | ||
| Perfect Forward Secrecy: yes | ||
| Session Algorithm in use: Curve X25519 DHE(253 bits) | ||
| Certificate #1 of 3 (sent by MX): | ||
| Cert VALIDATED: ok | ||
| Cert Hostname DOES NOT VERIFY (domain.co.uk != server.co.uk | DNS:server.co.uk) | ||
| So email is encrypted but the host is not verified | ||
| Not Valid Before: Jun 16 12:50:41 2024 GMT | ||
| Not Valid After: Sep 14 12:50:40 2024 GMT | ||
| subject: /CN=server.co.uk | ||
| issuer: /C=US/O=Let's Encrypt/CN=R11 | ||
| Certificate #2 of 3 (sent by MX): | ||
| Cert VALIDATED: ok | ||
| Not Valid Before: Mar 13 00:00:00 2024 GMT | ||
| Not Valid After: Mar 12 23:59:59 2027 GMT | ||
| subject: /C=US/O=Let's Encrypt/CN=R11 | ||
| issuer: /C=US/O=Internet Security Research Group/CN=ISRG Root X1 | ||
| Certificate #3 of 3 (added from CA Root Store): | ||
| Cert VALIDATED: ok | ||
| Not Valid Before: Jun 4 11:04:38 2015 GMT | ||
| Not Valid After: Jun 4 11:04:38 2035 GMT | ||
| subject: /C=US/O=Internet Security Research Group/CN=ISRG Root X1 | ||
| issuer: /C=US/O=Internet Security Research Group/CN=ISRG Root X1 | ||
| [000.522] | ~~> | EHLO www12-do.checktls.com |
| [000.598] | <~~ | 250-server.co.uk 250-PIPELINING 250-SIZE 10240000 250-ETRN 250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING |
| [000.598] | TLS successfully started on this server | |
| [000.598] | ~~> | MAIL FROM:<[email protected]> |
| [000.680] | <~~ | 250 2.1.0 Ok |
| [000.681] | Sender is OK | |
| [000.681] | ~~> | QUIT |
| [000.756] | <~~ | 221 2.0.0 Bye |
This only appears to happen on this domain, but we can't see what's different from any other domain. DN records are turned off and DNSSEC is turned off for this domain. There appears to be an issue with some sort of caching somewhere of an older Certificate , we have repeatedly reissued certificates from "SSL it!" for the domain.
I am much more comfortable using WHM and have other SNI domains on WHM which using the same tool -- CheckTLS.com -- come up correctly. Also other domains on the same server also come up correctly, But this one doesn't but we have nothing of difference on the DNS settings on this domain.
How do we resolve this?
Thanks
