
[Resolved] How to secure mail of domain with Let's Encrypt

I was told several times over the last few days by Plesk support that Let's Encrypt Certificates cannot be used to secure mail.

Is the above still current?

Also, any ideas or inside knowledge on when this will be fixed?

_______________________________________________

PS: This is my first message here on talk.plesk.com :)
 
Hi Giorgos Kontopoulos,

you could use the not documented command:

Code:
plesk bin extension --exec letsencrypt cli.php -d YOUR-DOMAIN.COM -d www.YOUR-DOMAIN.COM -d webmail.YOUR-DOMAIN.COM -d mail.YOUR-DOMAIN.COM -d smtp.YOUR-DOMAIN.COM -d pop3.YOUR-DOMAIN.COM -d imap.YOUR-DOMAIN.COM -d lists.YOUR-DOMAIN.COM --email [email protected] --expand

As you can see, I included all possible subdomains, which are "normally" not set up over the Plesk Control Panel, such as "webmail.", "mail.", "smtp.", "pop3.", "imap." and "lists.". Pls. keep in mind that there is a maximum of 100 Let's Encrypt SAN - certificate - names.
The "--expand" option at the end should be used if there has been a previous certificate creation, which you are now able to EXPAND with the additional (sub)domain - names - if you didn't create a previous certificate for the domain, pls. leave out this option.


If you experience issues with the suggestion, pls. consider including the Let's Encrypt - log and the output from your command line after you used the command, for further investigation. ;)


Hi UFHH01,

I tried this command, but when I do
Code:
cd /usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-DOMAIN.com
and do
Code:
cat cert.pem | openssl x509 -text | grep DNS
I get
Code:
 DNS:YOUR-DOMAIN.com, DNS:www.YOUR-DOMAIN.com

and none of the mail, imap, pop3 and other mentioned subdomains.

Can you please explain?

Thanks

Philippe
 
Hi AmaZili Communication,

pls. inspect your corresponding log - file(s) ( => /usr/local/psa/var/modules/letsencrypt/logs ), to be able to investigate issues/errors/problems. Without the log, people willing to help you can only guess what might have gone wrong. ;)
 
I was told several times over the last few days by Plesk support that Let's Encrypt Certificates cannot be used to secure mail.

Is the above still current?

I am perfectly able to secure my mails with a LE certificate. I created my certificate manually with certbot-auto and added it to Plesk in Tools & Settings -> SSL/TLS Certificates > Add. Then you click on the [Change] link behind "Certificate for securing mail".
 
Hi AmaZili Communication,

pls. inspect your corresponding log - file(s) ( => /usr/local/psa/var/modules/letsencrypt/logs ), to be able to investigate issues/errors/problems. Without the log, people willing to help you can only guess what might have gone wrong. ;)

Thanks for your quick reply,

BTW, we are running the test on a CentOS 7 Plesk Onyx up-to-date server.

It took me some time to clear the log from references to our test domain, but here is the result in the attachment.



Does this help ?

Philippe
 

Attachment: letsencrypt.log (39.3 KB)
Hi AmaZili Communication,

the main reason, why your certificate hasn't been expanded with the desired subdomains is the error:

Code:
PleskAuthError: Site "webmail.YOUR-DOMAIN.com" get failure: Site does not exist

The Let's Encrypt certbot couldn't verify the subdomain with a challenge. Consider deactivating webmail - usage for that test - domain. Afterwards, create a subdomain over the Plesk Control Panel and retry your previous Let's Encrypt - EXPAND - command. After a successful certificate creation, pls. delete the manually created "webmail" - subdomain and re-activate the webmail - usage.

( Pls. be informed, that your anonymization attempts are pretty time consuming and useless, due to the fact, that the challenges are only valid for a very short time and they are going to be removed automatically, as you might as well read in your logs. ;) )
 
Hi,

I tried to remove subdomains one after another, starting with webmail, but at the end of the day, the only ones remaining in the command line were YOUR-DOMAIN.com and www.YOUR-DOMAIN.com.

Any attempt to add another subdomain failed.

About anonymization, that's my paranoia :))
 
Hi AmaZili Communication,

the main reason, why your certificate hasn't been expanded with the desired subdomains is the error:

Code:
PleskAuthError: Site "webmail.YOUR-DOMAIN.com" get failure: Site does not exist

The Let's Encrypt certbot couldn't verify the subdomain with a challenge. Consider deactivating webmail - usage for that test - domain. Afterwards, create a subdomain over the Plesk Control Panel and retry your previous Let's Encrypt - EXPAND - command. After a successful certificate creation, pls. delete the manually created "webmail" - subdomain and re-activate the webmail - usage.

I tried this workaround yesterday and it did not work for me.
What did work is this:

- download official certbot client (https://certbot.eff.org/all-instructions/, I did it for Ubuntu 14.04): wget https://dl.eff.org/certbot-auto
- chmod a+x certbot-auto
- ./certbot-auto to install dependencies
- shut down apache to release port 80: /etc/init.d/apache2 stop
- certbot-auto certonly
- use manual process with temp. webserver

Certificates were successfully created and I could upload it in plesk.

Don't forget to restart apache with /etc/init.d/apache2 start
 
Hi AmaZili Communication,

the only ones remaining in the command line were YOUR-DOMAIN.com and www.YOUR-DOMAIN.com
If you already created a certificate for YOUR-DOMAIN.COM and www.YOUR-DOMAIN.COM, as stated before:
I tried this command, but when I do
Code:
cd /usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-DOMAIN.com
and do
Code:
cat cert.pem | openssl x509 -text | grep DNS
I get
Code:
DNS:YOUR-DOMAIN.com, DNS:www.YOUR-DOMAIN.com
... could you pls. explain, what the point is to remove additional ( possible ) subdomains from the EXPAND command?

Again, each certbot - command will create a log, which you are able to inspect and investigate. Due to the fact that you used different EXPAND - commands, pls. add the corresponding log - file for your command, so that people willing to help you have the chance to investigate possible issues together with you. ;) - Guessing is very time consuming and may not lead to a solution at all. :(
 
Hi UFHH01,

I must have very poorly explained myself...
Please find all the commands typed one after another to explain my previous post.
As you can see, all subdomains one after another return an error, and I removed them from the command line, leaving at the end only the domain and www.
What I want is to add all those subdomains to my certificate, and it does not work.

The logs every time give basically the same song about the subdomain not existing, as in the one I sent... but those subdomains do exist and are used for working smtp, mail and imap services....

I hope I have been clear enough this time

Thanks anyway for your time.

Philippe
 

Attachment: LE-error.log (12.7 KB)
I tried this workaround yesterday and it did not work for me.
What did work is this:

- download official certbot client (https://certbot.eff.org/all-instructions/, I did it for Ubuntu 14.04): wget https://dl.eff.org/certbot-auto
- chmod a+x certbot-auto
- ./certbot-auto to install dependencies
- shut down apache to release port 80: /etc/init.d/apache2 stop
- certbot-auto certonly
- use manual process with temp. webserver

Certificates were successfully created and I could upload it in plesk.

Don't forget to restart apache with /etc/init.d/apache2 start

Thanks Olliek for your help.

But I want to go all the way staying as much as possible with plesk existing tools.
I will try the other way only if all the rest fails.... :-(

Philippe
 
Hi AmaZili Communication,

can you confirm, that each ( manual created over the Plesk Control Panel! ) subdomain, as for example:

webmail.YOUR-DOMAIN.COM
mail.YOUR-DOMAIN.COM
smtp.YOUR-DOMAIN.COM
pop3.YOUR-DOMAIN.COM
imap.YOUR-DOMAIN.COM
lists.YOUR-DOMAIN.COM

... have as well corresponding DNS - entries at your primary nameserver ( the one from your domain - registrar! )? If this is the case, can you as well confirm that, if you open the URL ( example ) http://smtp.YOUR-DOMAIN.COM, you are able to see the standard Plesk site and/or that you are able to check the very same URL with, for example: => web-sniffer.net ?



In addition, pls. double-check as well your used commands, because in your logs, you have for example:

[root@norbert ~]# plesk bin extension --exec letsencrypt cli.php --cert-name YOUR-DOMAIN.com -d YOUR-DOMAIN.com -d www.YOUR-DOMAIN.com ...

... where the part "--cert-name YOUR-DOMAIN.com -d YOUR-DOMAIN.com" should be only "--cert-name -d YOUR-DOMAIN.com" ;) It's not very serious, but you should use correct command strings, to avoid issues.
 
Hi Giorgos Kontopoulos,

you could use the not documented command:

Code:
plesk bin extension --exec letsencrypt cli.php -d YOUR-DOMAIN.COM -d www.YOUR-DOMAIN.COM -d webmail.YOUR-DOMAIN.COM -d mail.YOUR-DOMAIN.COM -d smtp.YOUR-DOMAIN.COM -d pop3.YOUR-DOMAIN.COM -d imap.YOUR-DOMAIN.COM -d lists.YOUR-DOMAIN.COM --email [email protected] --expand

As you can see, I included all possible subdomains, which are "normally" not set up over the Plesk Control Panel, such as "webmail.", "mail.", "smtp.", "pop3.", "imap." and "lists.". Pls. keep in mind that there is a maximum of 100 Let's Encrypt SAN - certificate - names.
The "--expand" option at the end should be used if there has been a previous certificate creation, which you are now able to EXPAND with the additional (sub)domain - names - if you didn't create a previous certificate for the domain, pls. leave out this option.


If you experience issues with the suggestion, pls. consider including the Let's Encrypt - log and the output from your command line after you used the command, for further investigation. ;)

Hi,
if I try to use it I get the following output:

root@vega:~# plesk bin extension --exec letsencrypt cli.php -d radzuweit.eu -d webmail.radzuweit.eu --expand
[2017-03-03 12:28:07] ERR [extension/letsencrypt] Execution of /opt/psa/admin/plib/modules/letsencrypt/scripts/cli.php failed with exit code 1 and the output:
Saving debug log to /opt/psa/var/modules/letsencrypt/logs/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for radzuweit.eu
http-01 challenge for webmail.radzuweit.eu
Starting new HTTPS connection (1): 127.0.0.1
Starting new HTTPS connection (1): 127.0.0.1
Cleaning up challenges
Site "webmail.radzuweit.eu" get failure: Site does not exist
Execution of /opt/psa/admin/plib/modules/letsencrypt/scripts/cli.php failed with exit code 1 and the output:
Saving debug log to /opt/psa/var/modules/letsencrypt/logs/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for radzuweit.eu
http-01 challenge for webmail.radzuweit.eu
Starting new HTTPS connection (1): 127.0.0.1
Starting new HTTPS connection (1): 127.0.0.1
Cleaning up challenges
Site "webmail.radzuweit.eu" get failure: Site does not exist
so it seems that it does not work. If I try the above with the already working www.radzuweit.eu domain, then it works.
 
Hi AmaZili Communication,

can you confirm, that each ( manual created over the Plesk Control Panel! ) subdomain, as for example:

webmail.YOUR-DOMAIN.COM
mail.YOUR-DOMAIN.COM
smtp.YOUR-DOMAIN.COM
pop3.YOUR-DOMAIN.COM
imap.YOUR-DOMAIN.COM
lists.YOUR-DOMAIN.COM

... have as well corresponding DNS - entries at your primary nameserver ( the one from your domain - registrar! )? If this is the case, can you as well confirm that, if you open the URL ( example ) http://smtp.YOUR-DOMAIN.COM, you are able to see the standard Plesk site and/or that you are able to check the very same URL with, for example: => web-sniffer.net ?



In addition, pls. double-check as well your used commands, because in your logs, you have for example:

[root@norbert ~]# plesk bin extension --exec letsencrypt cli.php --cert-name YOUR-DOMAIN.com -d YOUR-DOMAIN.com -d www.YOUR-DOMAIN.com ...

... where the part "--cert-name YOUR-DOMAIN.com -d YOUR-DOMAIN.com" should be only "--cert-name -d YOUR-DOMAIN.com" ;) It's not very serious, but you should use correct command strings, to avoid issues.

Hi,

Thanks again for your time.

I did not get that I had to manually create the subdomains first.....
I did so, then tried again the
Code:
plesk bin extension --exec letsencrypt cli.php --cert-name YOUR-DOMAIN.com -d www.YOUR-DOMAIN.com -d webmail.YOUR-DOMAIN.com -d mail.YOUR-DOMAIN.com -d smtp.YOUR-DOMAIN.com -d pop3.YOUR-DOMAIN.com -d imap.YOUR-DOMAIN.com --email [email protected] --expand
It works but for webmail and www subdomains.

I did try again a few times, but ran out of retries on the LE certificate; I guess I will have to wait for next week to handle the rest...

I'll let you know if I succeed.

Talk to you later

Philippe
 
Hi AmaZili Communication,
hi jradzuweit,

It works but for webmail and www subdomains.
You already HAD YOUR-DOMAIN.com and www.YOUR-DOMAIN.com included, as stated before by you, and your log - files state clearly that both ( domain and subdomain ) had been validated and the corresponding certificate had been created. Try not to irritate yourself by mixing up the Let's Encrypt - process over the Plesk Control Panel with the EXPAND - command provided in my post.


For both of you again: It is ESSENTIAL that you switch off the webmail - service for that domain and afterwards you have to create a webmail - subdomain MANUALLY over the Plesk Control Panel ( it will now display the standard Plesk site instead of the webmail - login - page, if you successfully created webmail.YOUR-DOMAIN.com ). If these requirements are met, you are then able to successfully use the EXPAND command provided by me in this thread. You would only delete the manually created webmail - subdomain and switch on the webmail - support for that domain again after you successfully created the extended Let's Encrypt certificate. ;)
 
I also tried

plesk bin extension --exec letsencrypt cli.php --cert-name YOUR-DOMAIN.com -d www.YOUR-DOMAIN.com -d webmail.YOUR-DOMAIN.com -d mail.YOUR-DOMAIN.com -d smtp.YOUR-DOMAIN.com -d pop3.YOUR-DOMAIN.com -d imap.YOUR-DOMAIN.com --email [email protected] --expand

on my server (CentOS 6.8 with Plesk Onyx and Let's Encrypt) but I get: Site "webmail.myserver.tld" get failure: Site does not exist
If I remove -d webmail.YOUR-DOMAIN.com from the command I get: Site "mail.myserver.tld" get failure: Site does not exist and so on...

Can you help me?

Thank you in advance
 
You already HAD YOUR-DOMAIN.com and www.YOUR-DOMAIN.com included, as stated before by you, and your log - files state clearly that both ( domain and subdomain ) had been validated and the corresponding certificate had been created. Try not to irritate yourself by mixing up the Let's Encrypt - process over the Plesk Control Panel with the EXPAND - command provided in my post.


For both of you again: It is ESSENTIAL that you switch off the webmail - service for that domain and afterwards you have to create a webmail - subdomain MANUALLY over the Plesk Control Panel ( it will now display the standard Plesk site instead of the webmail - login - page, if you successfully created webmail.YOUR-DOMAIN.com ). If these requirements are met, you are then able to successfully use the EXPAND command provided by me in this thread. You would only delete the manually created webmail - subdomain and switch on the webmail - support for that domain again after you successfully created the extended Let's Encrypt certificate. ;)

Hi,

Finally made it!

In order for others to be able to achieve the same result, let me summarize:

One domain: YOUR-DOMAIN.com

Already issued a certificate with YOUR-DOMAIN + www subdomain using the Plesk LE add-on.

Created all needed subdomains using the Plesk subdomain interface, in my case:
smtp.YOUR-DOMAIN.com
imap.YOUR-DOMAIN.com
pop3.YOUR-DOMAIN.com
mail.YOUR-DOMAIN.com
webmail.YOUR-DOMAIN.com


Disabled the webmail in Tools and Settings/Webmail

On the command line, execute the command:
Code:
#plesk bin extension --exec letsencrypt cli.php --cert-name YOUR-DOMAIN.com -d YOUR-DOMAIN.com -d www.YOUR-DOMAIN.com  -d webmail.YOUR-DOMAIN.com -d mail.YOUR-DOMAIN.com -d smtp.YOUR-DOMAIN.com -d pop3.YOUR-DOMAIN.com -d imap.YOUR-DOMAIN.com --email [email protected] --expand
works fine, I get:

Code:
Saving debug log to /usr/local/psa/var/modules/letsencrypt/logs/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for YOUR-DOMAIN.com
http-01 challenge for www.YOUR-DOMAIN.com
http-01 challenge for webmail.YOUR-DOMAIN.com
http-01 challenge for mail.YOUR-DOMAIN.com
http-01 challenge for smtp.YOUR-DOMAIN.com
http-01 challenge for pop3.YOUR-DOMAIN.com
http-01 challenge for imap.YOUR-DOMAIN.com
Starting new HTTPS connection (1): 127.0.0.1
Starting new HTTPS connection (1): 127.0.0.1
Starting new HTTPS connection (1): 127.0.0.1
Starting new HTTPS connection (1): 127.0.0.1
Starting new HTTPS connection (1): 127.0.0.1
Starting new HTTPS connection (1): 127.0.0.1
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /usr/local/psa/var/modules/letsencrypt/etc/keys/0017_key-certbot.pem
Creating CSR: /usr/local/psa/var/modules/letsencrypt/etc/csr/0017_csr-certbot.pem
Starting new HTTPS connection (1): 127.0.0.1
Starting new HTTPS connection (1): 127.0.0.1
Starting new HTTPS connection (1): 127.0.0.1
Starting new HTTPS connection (1): 127.0.0.1
Starting new HTTPS connection (1): 127.0.0.1
Starting new HTTPS connection (1): 127.0.0.1
Starting new HTTPS connection (1): 127.0.0.1
Starting new HTTPS connection (1): 127.0.0.1
Starting new HTTPS connection (1): 127.0.0.1
Starting new HTTPS connection (1): 127.0.0.1
Starting new HTTPS connection (1): 127.0.0.1
Starting new HTTPS connection (1): 127.0.0.1
Starting new HTTPS connection (1): 127.0.0.1
Starting new HTTPS connection (1): 127.0.0.1
Starting new HTTPS connection (1): 127.0.0.1
Starting new HTTPS connection (1): 127.0.0.1
Starting new HTTPS connection (1): 127.0.0.1
Starting new HTTPS connection (1): 127.0.0.1
Starting new HTTPS connection (1): 127.0.0.1
Starting new HTTPS connection (1): 127.0.0.1
Starting new HTTPS connection (1): 127.0.0.1
Starting new HTTPS connection (1): 127.0.0.1
Starting new HTTPS connection (1): 127.0.0.1
Starting new HTTPS connection (1): 127.0.0.1

-------------------------------------------------------------------------------
Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: https://YOUR-DOMAIN.com,
https://www.YOUR-DOMAIN.com, https://webmail.YOUR-DOMAIN.com, https://mail.YOUR-DOMAIN.com,
https://smtp.YOUR-DOMAIN.com, https://pop3.YOUR-DOMAIN.com, and https://imap.YOUR-DOMAIN.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=YOUR-DOMAIN.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.YOUR-DOMAIN.com
https://www.ssllabs.com/ssltest/analyze.html?d=webmail.YOUR-DOMAIN.com
https://www.ssllabs.com/ssltest/analyze.html?d=mail.YOUR-DOMAIN.com
https://www.ssllabs.com/ssltest/analyze.html?d=smtp.YOUR-DOMAIN.com
https://www.ssllabs.com/ssltest/analyze.html?d=pop3.YOUR-DOMAIN.com
https://www.ssllabs.com/ssltest/analyze.html?d=imap.YOUR-DOMAIN.com
-------------------------------------------------------------------------------
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-DOMAIN.com/fullchain.pem.
   Your cert will expire on 2017-06-07. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Returned to the Plesk interface
Enabled the webmail in Tools and Settings/Webmail

I needed to restart Apache in order to get back the webmail page.

But now, I get in the command line:
Code:
# cd /usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-DOMAIN.com
# ls
cert.pem  chain.pem  fullchain.pem  privkey.pem
# openssl x509 -text -noout -in cert.pem | grep DNS
                DNS:YOUR-DOMAIN.com, DNS:imap.YOUR-DOMAIN.com, DNS:mail.YOUR-DOMAIN.com, DNS:pop3.YOUR-DOMAIN.com, DNS:smtp.YOUR-DOMAIN.com, DNS:www.YOUR-DOMAIN.com
And I can enable it in Tools and Settings/SSL/TLS Certificates
Code:
Certificates currently in use for securing Plesk server

Certificates currently in use for securing Plesk server and mail server
Certificate for securing Plesk
Lets Encrypt XXXXXXXXXXXXXXXXXXXXXXXXXX. [Change]
Certificate for securing mail
Lets Encrypt YOUR-DOMAIN.com from YOUR-DOMAIN.com. [Change]
A big thank you to @UFHH01

Philippe

[2017 July 18th]
Corrected to remove the typo (double typing of -d imap.YOUR-DOMAIN.com) in the previous command:
Code:
#plesk bin extension --exec letsencrypt cli.php --cert-name YOUR-DOMAIN.com -d YOUR-DOMAIN.com -d www.YOUR-DOMAIN.com  -d webmail.YOUR-DOMAIN.com -d mail.YOUR-DOMAIN.com -d smtp.YOUR-DOMAIN.com -d pop3.YOUR-DOMAIN.com -d imap.YOUR-DOMAIN.com --email [email protected] --expand
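The thread's final check is `openssl x509 -text | grep DNS`, compared by eye against the list of mail hostnames. Below is an added example (not code from the thread or from Plesk) that does that comparison programmatically and can also pull the certificate a mail server actually presents on its TLS ports, using only the Python standard library; the SAN line embedded in it is constructed from the output quoted in the post above, and the `mail_hostnames` prefix list is an assumption matching the subdomains used in this thread.

```python
"""Check that a certificate's SAN list covers the hostnames mail clients connect to.

Added example, not part of the original thread. Two inputs are supported:
  * the "DNS:a, DNS:b" line printed by `openssl x509 -text | grep DNS`
    (the check used in the thread), and
  * the live certificate presented on a mail port, fetched with the ssl module
    and verified against the system CA store, which is what a mail client does.
"""
import re
import smtplib
import socket
import ssl


def parse_openssl_dns_line(line):
    """Extract names from 'DNS:a, DNS:b' as printed by openssl x509 -text."""
    return re.findall(r"DNS:([^\s,]+)", line)


def san_matches(san, hostname):
    """Hostname match in the RFC 6125 style: exact, or one leftmost wildcard label."""
    san, hostname = san.lower(), hostname.lower()
    if san == hostname:
        return True
    if san.startswith("*."):
        # '*' covers exactly one label: '*.example.com' matches 'mail.example.com'
        # but neither 'example.com' nor 'a.mail.example.com'.
        head, sep, tail = hostname.partition(".")
        return sep == "." and head != "" and tail == san[2:]
    return False


def missing_hostnames(san_names, required):
    """Return the required hostnames that no SAN entry covers, in input order."""
    return [h for h in required if not any(san_matches(s, h) for s in san_names)]


def mail_hostnames(domain):
    """Hostnames a mail setup like the one in this thread advertises (assumed list)."""
    return ["%s.%s" % (p, domain) for p in ("mail", "smtp", "imap", "pop3", "webmail")]


def fetch_san_names(host, port=993, timeout=5.0):
    """DNS SANs of the certificate on an implicit-TLS port (993 IMAPS, 995 POP3S, 465 SMTPS)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def fetch_submission_san_names(host, port=587, timeout=5.0):
    """Same for the submission port, where TLS is negotiated via STARTTLS."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ssl.create_default_context())
        cert = smtp.sock.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # Constructed from the thread's final openssl output: webmail is absent there.
    SAMPLE = ("DNS:YOUR-DOMAIN.com, DNS:imap.YOUR-DOMAIN.com, DNS:mail.YOUR-DOMAIN.com, "
              "DNS:pop3.YOUR-DOMAIN.com, DNS:smtp.YOUR-DOMAIN.com, DNS:www.YOUR-DOMAIN.com")
    gaps = missing_hostnames(parse_openssl_dns_line(SAMPLE), mail_hostnames("YOUR-DOMAIN.com"))
    print("not covered:", gaps)  # prints ['webmail.YOUR-DOMAIN.com']
```

Run against a live server with `fetch_san_names("mail.example.com", 993)` in place of the parsed sample; a mismatch there means clients will see a certificate-name warning even though Plesk reports the certificate as installed.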
 
Aloha !

So, I am reading over several of these posts. Here is my question.
From what I read, letsencrypt.org has the ability to be fully automated?
I am assuming this means we should be able to create a domain in Plesk, click some button someplace that says "install SSL" and boom, we are done. Let's Encrypt would be installed as the SSL, nothing else to do.

Is this correct, and if so, when is this expected, and will this only be for Onyx or will this work on 12.x? And on a Windows Server, and with SmarterMail as the mail server?
 
Hi Curtis1,

"in general" your expectation about the process is correct, but you might be interested in a closer look at the thread itself, the possible issues/problems and their corresponding suggestions to solve them.
In addition, Plesk works hard to release a more "powerful" Plesk Let's Encrypt Extension pretty soon ( as announced by Plesk-Team-Members ) and this version should be able to handle the possible issues/problems in this thread. ;)
 