Resolved How to secure mail of domain with Lets Encrypt

[UFHH01]

Hi octet,

pls. don't forget, that you NEED the ROOT-CA + Intermediate-CA from Let's Encrypt at your certificate file "/etc/postfix/certificates/mail.cherciu.com.certificate.crt" - not only the lonely cert.

Correct certificate order:

1. (sub)domain.crt
2. Let's Encrypt ROOT-CA ( from for example: => https://letsencrypt.org/certs/isrgrootx1.pem )
3. Let's Encrypt Intermediate-CA ( from for example: => https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem )

OR use the "fullchain.pem" from the depending (sub)domain - folder at "/opt/psa/var/modules/letsencrypt/etc/live/", which is a combination of your (sub.)domain - certificate and a CA-bundle from Let's Encrypt. You will find there as well the correct "privkey.pem" - file.


( I will reply to your "DOVECOT" question later... )

 

[octet]

OK, thank you, give me a minute to dig this up, I'll report back shortly.

 

[octet]

Let me just make sure I get this right:

1. /etc/postfix/certificates/mail.cherciu.com.certificate.crt should contain /usr/local/psa/var/modules/letsencrypt/etc/live/mail.cherciu.com/fullchain.pem
2. /etc/postfix/certificates/mail.cherciu.com.private.key should contain /usr/local/psa/var/modules/letsencrypt/etc/live/mail.cherciu.com/privkey.pem

or in other words, the settings in /etc/postfix/master.cf should be:

-o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/mail.cherciu.com/privkey.pem
-o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/mail.cherciu.com/fullchain.pem

Is this correct?

 

[octet]

So I've done the changes as above and testing with http://www.checktls.com/perl/TestReceiver.pl

Any other ways to test it properly?

Need to adapt the settings / ports etc and try sending some mails again.

 

[UFHH01]

Hi @ ALL Plesk - users,
Hi @ Plesk-Team-Members,

it took me some time, but I found a quite simple solution now for all kind of "webmail.", "mail.*", ... issues. With respect to the Plesk and Plesk-Let's Encrypt-Extension - developers ( and the Plesk - Team in general ), I find it surprising, that they were not able to solve these issues by themselfs and this for a very, very long time now, with lots of forum - threads regarding this issues... but o.k., it's time now to make the Plesk - Users happy again


To start, I assume, that you already installed a Let's Encrypt - certificate over the Plesk Control Panel, which includes at least the domain - name ( either with or without "www." ).
You should now visit

=> https://zerossl.com/free-ssl/#crt ( external link - pls. inform me, when the link goes dead, so that I might provide another working link here! )​

... and insert the very same eMail - address that you already used, when you created your basic Let's Encrypt certificate. Insert your initial domain-name and the desired additional (sub.)domain - names at the provided text-box, accept the TOS and the Let's Encrypt SA and choose the option "DNS", followed by a click onto the NEXT - button. The next steps are fully explained in several languages ( EN | DE | FR | ES | RU ) and contain amongst other things the manual entries of TXT - DNS - entries at your primary nameserver(s) for the added (sub.)domains and after you waited a few minutes for DNS - synchronisation, the authorization will be done and the new certificate for all your desired (sub.)domain - names will be presented to you ( which you are even able to download, if you wish to ).
You are then able to either replace the existent certificate over your Plesk Control Panel, or you choose to manually add it at all necessary places, just like you added other ( self-signed, or brought ) certificates in the past.

Hint: I choosed the option, to replace the existent certificate files at "/opt/psa/var/certificates/" and "/opt/psa/var/modules/letsencrypt/etc/live/YOUR-DOMAIN..COM" ( pls. notice, that these are symlinks here! ), in the hope that the automatic renewal - process will renew not only the previous, first certificate, but the new certificate, with all the additional (sub.)domain - names. I'm pretty sure, that my hope will not be sufficient enough to reach that renewal - goal, but maybe the Plesk / Plesk-Let's Encrypt-Extension - developers find as well a working solution to add the choice for DNS - authorization, or find a way to add additional (sub.)domain - names over the Plesk Control Panel.

 

[UFHH01]

Hi octet,

What should I do for Dovecot?

for dovecot, I use

Example:

###        Configuration for YOUR-DOMAIN.COM START        ###

local mail.YOUR-DOMAIN.COM {
    protocol imap {
        ssl_cert = </etc/dovecot/private/005-imap-YOUR-DOMAIN.COM-CERT
        ssl_key = </etc/dovecot/private/004-imap-YOUR-DOMAIN.COM-KEY
        ssl_ca = </etc/dovecot/private/001-ROOT-CA_and_Intermediate-CA-CERT
        ssl = yes
        }
    protocol pop3 {
        ssl_cert = </etc/dovecot/private/007-pop3-YOUR-DOMAIN.COM-CERT
        ssl_key = </etc/dovecot/private/006-pop3-YOUR-DOMAIN.COM-KEY
        ssl_ca = </etc/dovecot/private/001-ROOT-CA_and_Intermediate-CA-CERT
        ssl = yes
        }
    protocol imaps {
        ssl_cert = </etc/dovecot/private/005-imap-YOUR-DOMAIN.COM-CERT
        ssl_key = </etc/dovecot/private/004-imap-YOUR-DOMAIN.COM-KEY
        ssl_ca = </etc/dovecot/private/001-ROOT-CA_and_Intermediate-CA-CERT
        ssl = yes
        }
    protocol pop3s {
        ssl_cert = </etc/dovecot/private/007-pop3-YOUR-DOMAIN.COM-CERT
        ssl_key = </etc/dovecot/private/006-pop3-YOUR-DOMAIN.COM-KEY
        ssl_ca = </etc/dovecot/private/001-ROOT-CA_and_Intermediate-CA-CERT
        ssl = yes
        }
    }

local imap.YOUR-DOMAIN.COM {
    protocol imap {
        ssl_cert = </etc/dovecot/private/005-imap-YOUR-DOMAIN.COM-CERT
        ssl_key = </etc/dovecot/private/004-imap-YOUR-DOMAIN.COM-KEY
        ssl_ca = </etc/dovecot/private/001-ROOT-CA_and_Intermediate-CA-CERT
        ssl = yes
        }
    protocol pop3 {
        ssl_cert = </etc/dovecot/private/007-pop3-YOUR-DOMAIN.COM-CERT
        ssl_key = </etc/dovecot/private/006-pop3-YOUR-DOMAIN.COM-KEY
        ssl_ca = </etc/dovecot/private/001-ROOT-CA_and_Intermediate-CA-CERT
        ssl = yes
        }
    protocol imaps {
        ssl_cert = </etc/dovecot/private/005-imap-YOUR-DOMAIN.COM-CERT
        ssl_key = </etc/dovecot/private/004-imap-YOUR-DOMAIN.COM-KEY
        ssl_ca = </etc/dovecot/private/001-ROOT-CA_and_Intermediate-CA-CERT
        ssl = yes
        }
    protocol pop3s {
        ssl_cert = </etc/dovecot/private/007-pop3-YOUR-DOMAIN.COM-CERT
        ssl_key = </etc/dovecot/private/006-pop3-YOUR-DOMAIN.COM-KEY
        ssl_ca = </etc/dovecot/private/001-ROOT-CA_and_Intermediate-CA-CERT
        ssl = yes
        }
    }

local pop3.YOUR-DOMAIN.COM {
    protocol imap {
        ssl_cert = </etc/dovecot/private/005-imap-YOUR-DOMAIN.COM-CERT
        ssl_key = </etc/dovecot/private/004-imap-YOUR-DOMAIN.COM-KEY
        ssl_ca = </etc/dovecot/private/001-ROOT-CA_and_Intermediate-CA-CERT
        ssl = yes
        }
    protocol pop3 {
        ssl_cert = </etc/dovecot/private/007-pop3-YOUR-DOMAIN.COM-CERT
        ssl_key = </etc/dovecot/private/006-pop3-YOUR-DOMAIN.COM-KEY
        ssl_ca = </etc/dovecot/private/001-ROOT-CA_and_Intermediate-CA-CERT
        ssl = yes
        }
    protocol imaps {
        ssl_cert = </etc/dovecot/private/005-imap-YOUR-DOMAIN.COM-CERT
        ssl_key = </etc/dovecot/private/004-imap-YOUR-DOMAIN.COM-KEY
        ssl_ca = </etc/dovecot/private/001-ROOT-CA_and_Intermediate-CA-CERT
        ssl = yes
        }
    protocol pop3s {
        ssl_cert = </etc/dovecot/private/007-pop3-YOUR-DOMAIN.COM-CERT
        ssl_key = </etc/dovecot/private/006-pop3-YOUR-DOMAIN.COM-KEY
        ssl_ca = </etc/dovecot/private/001-ROOT-CA_and_Intermediate-CA-CERT
        ssl = yes
        }
    }

###        Configuration for YOUR-DOMAIN.COM END        ###

... which is configured with the domains of the depending main - domain for each IPv4 on the server. It

Unfortunately, there is no option, like the postfix solution for each domain at the "master.cf" - configuration file.

 

[PHPBandit]

Hi Giorgos Kontopoulos,

you could use the not documented command:

plesk bin extension --exec letsencrypt cli.php -d YOUR-DOMAIN.COM -d www.YOUR-DOMAIN.COM -d webmail.YOUR-DOMAIN.COM -d mail.YOUR-DOMAIN.COM -d smtp.YOUR-DOMAIN.COM -d pop3.YOUR-DOMAIN.COM -d imap.YOUR-DOMAIN.COM -d lists.YOUR-DOMAIN.COM --email [email protected] --expand

As you can see, I included all possible subdomains, which are "normally" not setup over the Plesk Control Panel, such as "webmail.", "mail.", "smtp.", "pop3.", "imap." and "lists.". Pls. keep in mind, that there is a maximum of 100 Let's Encrypt SAN - certificate - names.
The "--expand" option at the end should be used, if there has been a previous certificate creation, which you are now able to EXPAND with the additional (sub)domain - names - if you didn't create a previous certificate for the domain, pls. leave out this option.


If you experience issues with the suggestion, pls. consider to include the Let's Encrypt - log and the output from your command line, after you used the command for further investigations.

Quick question: can multiple domains rather than subdomains be used to create a certificate this way? Is that creating like a wildcard certificate or do actual certificates get generated for each domain/subdomain?

 

[UFHH01]

Hi PHPBandit,

pls. use the "Let's Encrypt" documentation to answer your questions ( => https://letsencrypt.org/docs/faq/ / => https://letsencrypt.org/docs/ ), or ask your specific question for "Plesk plugin for Let's Encrypt client" at GitHub ( => https://github.com/plesk/letsencrypt-plesk ) and pls. keep in mind, that the used "Plesk plugin for Let's Encrypt client" from the Plesk-Let's Enrypt - extension might differ from the original "certbot". Possible command options can be listed with for example:

/opt/psa/var/modules/letsencrypt/venv/bin/letsencrypt --help all

 

[pascalV]

Hello do you know, when let's encrypt was ready to renew automaticly the certificats of imap subdomain ?

 

[duvide]

The next steps are fully explained in several languages ( EN | DE | FR | ES | RU ) and contain amongst other things the manual entries of TXT - DNS - entries at your primary nameserver(s) for the added (sub.)domains and after you waited a few minutes for DNS - synchronisation, the authorization will be done and the new certificate for all your desired (sub.)domain -

I have been trying for many times now to ssl my horde webmail with ssl and I tried this approach as well but when I get to to this point at the "free ssl certificate" stuff:
"Verification
To verify domain ownership using DNS verification, you will need to create DNS records of TXT type as shown below. Please remember that it takes some time for new DNS records to become "visible", so you may need to wait for 15-20 minutes before clicking "Next". You can check whether your records became visible with the following command: "nslookup -q=TXT XXX", where XXX is one of the records as shown below."
I don't find anything in my plesk 12.5 about DNS and I cannot do changes like this at my domain registrar.
Will this ever be possible to ssl webmail in straightforward way?

 

[UFHH01]

Hi duvide,

Will this ever be possible to ssl webmail in straightforward way?

this is a TEMPORARY solution/work-around, which might be obsolete, as soon as Plesk updates/upgrades the Plesk extension "Let's Encrypt". An answer to "when", "will that be implemented", can't be given at all, because we all just know that there will be an update/upgrade - nothing more.

I don't find anything in my plesk 12.5 about DNS and I cannot do changes like this at my domain registrar.

You domain registrar provides the options to ADD/CHANGE/MODIFY DNS - entries over their own control panel. If you need further help here, pls. NAME the domain - registrar, so that we could find FAQs and documentations from YOUR domain - registrar for you.

 

[MisterX]

Hello @UFHH01,

can't solved the problem with a symlink?

Firstly:
I disable Webmail in the e-mail settings of "xyz.de":

Webmail = without
SSL / TLS certificate for webmail = not selected

Secondly:
I create the subdomain "webmail.xyz.de" and activate Let's Encrypt over the extension.

And finally:
I create a symlink to Roundcube.

Or doesn't it work?

 

[UFHH01]

Hi MisterX,

can't solved the problem with a symlink?

Or doesn't it work?

Feel free to use as many options that you like and IF you find another working solution on your server, the Plesk Community will be glad to read it your step-by-step - guide.

 

[Boas Simon]

Hi,

you could use the not documented command:

plesk bin extension --exec letsencrypt cli.php -d YOUR-DOMAIN.COM -d www.YOUR-DOMAIN.COM -d webmail.YOUR-DOMAIN.COM -d mail.YOUR-DOMAIN.COM -d smtp.YOUR-DOMAIN.COM -d pop3.YOUR-DOMAIN.COM -d imap.YOUR-DOMAIN.COM -d lists.YOUR-DOMAIN.COM --email [email protected] --expand

As you can see, I included all possible subdomains, which are "normally" not setup over the Plesk Control Panel, such as "webmail.", "mail.", "smtp.", "pop3.", "imap." and "lists.". Pls. keep in mind, that there is a maximum of 100 Let's Encrypt SAN - certificate - names.
The "--expand" option at the end should be used, if there has been a previous certificate creation, which you are now able to EXPAND with the additional (sub)domain - names - if you didn't create a previous certificate for the domain, pls. leave out this option.


If you experience issues with the suggestion, pls. consider to include the Let's Encrypt - log and the output from your command line, after you used the command for further investigations.

This looks pretty good, but does not work with me Script says:

Site "webmail.MYDOMAIN.COM" get failure: Site does not exist
Executing /opt/psa/admin/plib/modules/letsencrypt/scripts/cli.php failed:
exit status 1

I assume this is since there is no "/.well-known/acme-challenge/" in my webmail (this is horde).

What can I do?

Thanks!
Boas

 

[UFHH01]

Hi Boas Simon,

Site "webmail.MYDOMAIN.COM" get failure: Site does not exist

... indicates, that you forgot an A - entry on your nameserver for the subdomain "webmail.MYDOMAIN.COM". Pls. be aware, that your Plesk server is mostly NOT the initial nameserver, it is mostly the one from your domain registrar! Pls. check your DNS - settings for example at: => https://www.dnswatch.info

 

[Boas Simon]

Hi UFHH1,
unfortunately not.





What am I doing wrong?

Thanks!
Boas

 

[UFHH01]

Hi Boas Simon,

when using the Plesk Let's Encrypt extension, pls. be aware that the Let's encrypt client uses a "http" - verification in the doc-root of the depending (sub)domains. At the moment, this will not work, when you try to extend the current certificate for "webmail.domain.com" while you activated "webmail - support" and didn't create a subdomain "webmail" manually. In such a case, you have to use the solution, provided at => #25 , or wait untill the second quarter of 2017, where Plesk announced a major update/upgrade for the Plesk Let's Encrypt extension.

 

[Boas Simon]

Hi UFHH01,

thanks again! It still does not work. zerossl.com says:


Which is "couldn't find ressource directory"

??
Thanks again,
Boas

 

[UFHH01]

Hi Boas Simon,

well, when you paste an incorrect CERTIFICATE REQUEST ( CSR ) into the DOMAINS field, instead of your domains, what do you expect? Consider to READ the FAQs from "zerossl.com", if you are unsure, what you should insert ( => https://zerossl.com/free-ssl/#howtocrt ) into the fields. Your correct translation for "Konnte Ressourcenverzeichnis nicht abrufen" would be "Could not get resource directory", which leads directly to your incorrect inserts.

 

[Boas Simon]

Hi UFHH01,

the key and the CSR were pasted by the Website into the fields .. so I thought the "domain" field was the one above (where I did paste the domains and then the CSR git created).

I found another solution that may work for a while - disabling the webmailer, creating a subdoamin "webmail.domain.de", creating the cert, enable the webmailer again and then use that cert. It is explained in detail in other threads. In addition I'll wait for that major update, so manually update the certs two times may be OK for me.

Thanks for the support!
Boas