
Resolved: How to secure mail of a domain with Let's Encrypt

Hi peraburek,

*as_well_offtopic*

Pls. consider to wait another few days, until the new ( improved! ) Plesk Let's Encrypt Extension is out - it might save you some money for other things, instead of paying for a certificate. ^^
 
Hi,

I've tried adding multiple subdomains to a certificate by following these steps:

Hi Giorgos Kontopoulos,

you could use the undocumented command:

Code:
plesk bin extension --exec letsencrypt cli.php -d YOUR-DOMAIN.COM -d www.YOUR-DOMAIN.COM -d webmail.YOUR-DOMAIN.COM -d mail.YOUR-DOMAIN.COM -d smtp.YOUR-DOMAIN.COM -d pop3.YOUR-DOMAIN.COM -d imap.YOUR-DOMAIN.COM -d lists.YOUR-DOMAIN.COM --email [email protected] --expand

As you can see, I included all possible subdomains, which are "normally" not set up over the Plesk Control Panel, such as "webmail.", "mail.", "smtp.", "pop3.", "imap." and "lists.". Pls. keep in mind, that there is a maximum of 100 Let's Encrypt SAN - certificate - names.
The "--expand" option at the end should be used, if there has been a previous certificate creation, which you are now able to EXPAND with the additional (sub)domain - names - if you didn't create a previous certificate for the domain, pls. leave out this option.


If you experience issues with the suggestion, pls. consider to include the Let's Encrypt - log and the output from your command line, after you used the command for further investigations. ;)

This is not working, unfortunately. I'll try to give as much details as possible:
  • in Plesk, I have created a subdomain dev.extra.kantl.be, and secured that with a LetsEncrypt certificate
  • LetsEncrypt version installed: 2.0.2 (release 29)
  • the vhost.conf file for that dev.extra.kantl.be subdomain has this ServerAlias instruction:
    Code:
    ServerAlias dev.apps.kantl.be
  • I've created working DNS records for both dev.extra.kantl.be and dev.apps.kantl.be subdomains
If I issue this CLI command:
Code:
plesk bin extension --exec letsencrypt cli.php -d dev.extra.kantl.be -d dev.apps.kantl.be --email [same_email_as_original_certificate]  --expand

...the program exits without any messages (no errors, either). I do notice that the timestamp of the file at /usr/local/psa/var/modules/letsencrypt/etc/live/dev.extra.kantl.be/cert.pem is updated, so I guess the file is being updated.

Yet, when checking the DNS listings in the certificate, the additional domain doesn't seem to have been registered:
Code:
cat cert.pem | openssl x509 -text | grep DNS

                 DNS:dev.extra.kantl.be

Unfortunately, (apart from the silent output from the command), I don't see anything logged in /usr/local/psa/var/modules/letsencrypt/logs/letsencrypt.log: the latest entry dates from a month ago. What could be going wrong?
 
Hi ronv,

the Plesk Let's Encrypt Extension uses "http-01 - validation" and tries to create a temporary file in the web-root folder ".well-known". In your case, you modified your DNS entries and the result is, that neither "dev.extra.kantl.be", nor "dev.apps.kantl.be" can be reached: => Status: HTTP/1.1 404 Not Found
Pls. correct this, before you continue. ;)
 
Hi @UFHH01,

the Plesk Let's Encrypt Extension uses "http-01 - validation" and tries to create a temporary file in the web-root folder ".well-known". In your case, you modified your DNS entries and the result is, that neither "dev.extra.kantl.be", nor "dev.apps.kantl.be" can be reached: => Status: HTTP/1.1 404 Not Found
Pls. correct this, before you continue. ;)

Many thanks for your quick reaction! Sorry if I'm being dense, but it's not entirely clear what you mean. I can confirm that the HTTP addresses for both domains can be reached without problems, so the DNS records are working fine (exact subpaths are needed to see anything, but that's expected). (Those records are set on an external nameserver, but I don't think that's relevant).

Also, I have been able to re-create the initial certificate via the LetsEncrypt Plesk UI, so it seems to be working there... The only .well-known folder I see is at /var/www/vhosts/default/htdocs/.well-known; as far as I'm aware, I haven't touched anything to that folder. If I try specifying this default domain as the webroot on the CLI, I do see the 404, though:
Code:
plesk bin extension --exec letsencrypt cli.php -d dev.extra.kantl.be -d dev.apps.kantl.be --email [same_email_as_original_certificate]  --expand --webroot-path "/var/www/vhosts/default/htdocs/"


[2017-04-10 17:42:17] ERR [extension/letsencrypt] Execution of /opt/psa/admin/plib/modules/letsencrypt/scripts/cli.php failed with exit code 1 and the output:
Challenge marked as invalid. Details: Invalid response from http://dev.apps.kantl.be/.well-known/acme-challenge/EAJjmaO3TYqkqNLxAD-CmMIAEC_T6UTawuDO4IyYjpg [91.250.81.157]: 404
Execution of /opt/psa/admin/plib/modules/letsencrypt/scripts/cli.php failed with exit code 1 and the output:
Challenge marked as invalid. Details: Invalid response from http://dev.apps.kantl.be/.well-known/acme-challenge/EAJjmaO3TYqkqNLxAD-CmMIAEC_T6UTawuDO4IyYjpg [91.250.81.157]: 404


Would you mind explaining how to fix this?
 
Hi ronv,

I can confirm that the HTTP addresses for both domains can be reached without problems
Sorry, I can't confirm your statement. Pls. check it for yourself with the help of for example: => HTTP / HTTPS Header Check
Both subdomains reply with:
Code:
HTTP/1.1 403 Forbidden =>
Date => Mon, 10 Apr 2017 15:47:01 GMT
Server => Apache
Vary => Accept-Encoding
Content-Length => 270
Connection => close
Content-Type => text/html; charset=iso-8859-1

The ( temporary! ) folder ".well-known" will be created when you use the Plesk - Let's Encrypt certbot and it is created to initiate the validation process, where a challenge - file will be placed and requested by Let's Encrypt to verify its existence. This specific folder is (sub)domain - specific. If you desire to choose another webroot, as within your example, you have to make sure, that the content of the desired webroot path is reachable for the validation process.

In other words ( just to point this out more clearly ):

The certbot places a (temporary! ) file at "/var/www/vhosts/kantl.be/dev.apps.kantl.be/.well-known/acme-challenge" ( => EAJjmaO3TYqkqNLxAD-CmMIAEC_T6UTawuDO4IyYjpg ), which should be reached, when you open the URL => http://dev.apps.kantl.be/.well-known/acme-challenge/EAJjmaO3TYqkqNLxAD-CmMIAEC_T6UTawuDO4IyYjpg . If the certbot is not able to reach the URL => http://dev.apps.kantl.be/.well-known/acme-challenge/EAJjmaO3TYqkqNLxAD-CmMIAEC_T6UTawuDO4IyYjpg the validation process can't continue with the cert - creation.
 
Hi @UFHH01,
The certbot places a (temporary! ) file at "/var/www/vhosts/kantl.be/dev.apps.kantl.be/.well-known/acme-challenge" ( => EAJjmaO3TYqkqNLxAD-CmMIAEC_T6UTawuDO4IyYjpg ), which should be reached, when you open the URL => http://dev.apps.kantl.be/.well-known/acme-challenge/EAJjmaO3TYqkqNLxAD-CmMIAEC_T6UTawuDO4IyYjpg . If the certbot is not able to reach the URL => http://dev.apps.kantl.be/.well-known/acme-challenge/EAJjmaO3TYqkqNLxAD-CmMIAEC_T6UTawuDO4IyYjpg the validation process can't continue with the cert - creation.

Ok, thanks again for quickly pointing me where to look! My vhost.conf file contained an over-eager rewrite rule that wrongly rewrote the requests to e.g. http://dev.apps.kantl.be/.well-known/acme-challenge/EAJjmaO3TYqkqNLxAD-CmMIAEC_T6UTawuDO4IyYjpg to another URL where the named files indeed couldn't be found. I've excluded paths containing /acme-test/ from this rewrite rule, and now it works perfectly (this time with the correct path for --webroot-path as well):
Code:
user@server:~# plesk bin extension --exec letsencrypt cli.php -d dev.extra.kantl.be -d dev.apps.kantl.be --email [same_email_as_original_certificate]  --expand --webroot-path "/var/www/vhosts/kantl.be/sites/dev.extra.kantl.be"

user@server:~# cat /opt/psa/var/modules/letsencrypt/etc/live/dev.extra.kantl.be/cert.pem | openssl x509 -text | grep DNS
                DNS:dev.apps.kantl.be, DNS:dev.extra.kantl.be

This is really great, you've made my day!

One question, though: will this certificate still be automatically renewed by the LetsEncrypt Plesk extension, with all domain aliases?
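Two checks come up repeatedly in this thread: whether http://NAME/.well-known/acme-challenge/TOKEN is actually served from the webroot for every name you pass with -d (the rewrite rule above silently broke that), and whether the SANs in cert.pem really contain all the names afterwards. The script below bundles both as a pre-flight you can run before the plesk CLI command; it is an added example, not code from the Plesk extension or from any poster here. The function names are mine, the hostnames and webroot path are taken from the thread, and the x509 text sample is constructed, not a real certificate.

```bash
#!/usr/bin/env bash
# Added example (not from the thread or from Plesk): pre-flight checks for a
# multi-name Let's Encrypt certificate issued through the Plesk CLI.
#   san_names         - list the DNS SANs from `openssl x509 -text` output (stdin)
#   missing_sans      - print every requested name that the certificate lacks
#   http01_preflight  - place a test file under <webroot>/.well-known/acme-challenge/
#                       and fetch it over plain HTTP for every name, exactly the
#                       path the http-01 validator requests
set -u

# Read `openssl x509 -text` output on stdin, print one SAN hostname per line, sorted.
san_names() {
    grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://' | sort -u
}

# missing_sans NAME...  (certificate text on stdin)
# Prints each NAME that is not among the certificate's SANs; returns 1 if any is missing.
missing_sans() {
    local have name rc=0
    have=$(san_names)
    for name in "$@"; do
        if ! printf '%s\n' "$have" | grep -qxF -- "$name"; then
            printf '%s\n' "$name"
            rc=1
        fi
    done
    return $rc
}

# http01_preflight WEBROOT NAME...
# WEBROOT must be the directory Apache really serves for *every* NAME (in the
# thread, the ServerAlias shares the main subdomain's document root). A 404
# here is what a catch-all RewriteRule or a wrong --webroot-path produces; a
# 403 is what the header check in the thread showed. Requires curl and network.
http01_preflight() {
    local webroot=$1; shift
    local dir="$webroot/.well-known/acme-challenge"
    local token body name url code fetched rc=0
    token="preflight-$(date +%s)-$$"
    body="preflight-$$-$RANDOM"
    mkdir -p "$dir" || return 2
    printf '%s' "$body" > "$dir/$token" || return 2
    fetched=$(mktemp)
    for name in "$@"; do
        url="http://$name/.well-known/acme-challenge/$token"
        # No -L: a redirect away from this path is itself a finding worth seeing.
        code=$(curl -s -m 10 -o "$fetched" -w '%{http_code}' "$url")
        [ -n "$code" ] || code=000
        if [ "$code" = "200" ] && [ "$(cat "$fetched")" = "$body" ]; then
            printf 'OK    %s\n' "$url"
        else
            printf 'FAIL  %s (HTTP %s)\n' "$url" "$code"
            rc=1
        fi
    done
    rm -f "$dir/$token" "$fetched"   # the challenge directory itself is left in place
    return $rc
}

# Constructed sample of `openssl x509 -text` output (not a real certificate);
# only the SAN extension matters for san_names.
SAMPLE_X509_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: C = US, O = Example CA, CN = Example Issuing CA
        Subject: CN = dev.extra.kantl.be
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:dev.apps.kantl.be, DNS:dev.extra.kantl.be'

# Demo on the constructed sample (runs offline):
printf '%s\n' "$SAMPLE_X509_TEXT" | san_names
# Real use, in the thread's setup:
#   http01_preflight /var/www/vhosts/kantl.be/sites/dev.extra.kantl.be dev.extra.kantl.be dev.apps.kantl.be \
#     && plesk bin extension --exec letsencrypt cli.php -d dev.extra.kantl.be -d dev.apps.kantl.be --email you@example.org --expand
#   openssl x509 -in /opt/psa/var/modules/letsencrypt/etc/live/dev.extra.kantl.be/cert.pem -text | missing_sans dev.extra.kantl.be dev.apps.kantl.be
```

Note that a passing pre-flight only proves what the manual --expand run needs; as UFHH01 explains further down, the extension's automatic renewal validates against the webroots Plesk knows for its own domains, subdomains and aliases, so a name that exists only as a ServerAlias can pass this check and still fail at renewal.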
 
Hi ronv,

the ( current ) Plesk Let's Encrypt Extension has no issues at all, when it comes to renewing certificates where domains, subdomains or domain-aliases have been created. There is only a tiny little issue, when it comes to subdomains like "webmail", "mail" and "lists" for example, which are not created over the Plesk Control Panel... but the Plesk - Team are still working to solve these issues as well! ;)
 
Hi @UFHH01 ,

Ok, so I guess the same holds for the subdomain in my example: the dev.extra.kantl.be subdomain is created via the Plesk Control Panel, but dev.apps.kantl.be is only defined as a ServerAlias in the vhost.conf file (since it's impossible to create aliases for subdomains via the Plesk Control Panel). Could you elaborate what the issue is, and what will happen when the certificate for dev.kantl.be will be renewed? Would be good to know before I start messing with my live site configurations...
 
Hi ronv,

(since it's impossible to create aliases for subdomains via the Plesk Control Panel)
Could you pls. explain, why you don't create a subdomain for "dev.apps.kantl.be" and change the "Document root" in your subdomain - specific hosting settings to equal it with the "Document root" from "dev.extra.kantl.be"?

Could you elaborate what the issue is, and what will happen when the certificate for dev.kantl.be will be renewed? Would be good to know before I start messing with my live site configurations...
Well, you will experience the very same issue as the one before, when you want to create the certificate, due to the fact that each domain, subdomain and alias-domain will be verified by THEIR own challenge within their document root.
But ( as stated before! ), the Plesk-Team works hard to solve this issue and will present a working solution pretty soon. If a solution still would not be present in the next 60 days, you always have the possibility to use the suggestions in this thread. ;)
 
And I can enable tools and settings/SSL/TLS Certificates
Code:
Certificates currently in use for securing Plesk server

Certificates currently in use for securing Plesk server and mail server
Certificate for securing Plesk
Lets Encrypt XXXXXXXXXXXXXXXXXXXXXXXXXX. [Change]
Certificate for securing mail
Lets Encrypt YOUR-DOMAIN.com from YOUR-DOMAIN.com. [Change]

Thanks AmaZili / UFHH01 for your solution, it seems complete, but for the certificate for securing mail I need certificates for 4 domains. Does dovecot (imap and pop3 service) support use of one certificate per domain? How do we solve this question?
We have to renew certificates every 3 months; if the certificate is not valid for the domain, every 3 months we will get new certificate exceptions, which is worse than using one certificate that expired in 2012.

Thanks,
 
Hi sergiomb,

I need certificates for 4 domains , dovecot (imap and pop3 service) support use of one certificate per domain ? how we solve this question ?
Pls. see for example: => #26


... but again: pls. note, that these suggestions should be seen as TEMPORARY solutions - these are not long-term work-arounds and I'm sure that Plesk will improve the Plesk Let's Encrypt Extension. Questions as "Do we really have to renew them manually, even if there is an automatic renewal crontab", or any related questions will always have as an answer: Yes! ;)
I know that the suggestions in this thread are not "perfect", but at least, you are able to use FREE certificates, instead of paying for certificates. :p
 
Several of our clients got tired of waiting for an update and they have moved to DirectAdmin unfortunately...
...with DirectAdmin it's possible to secure several subdomains (including mail, webmail and such) without any issues at all... :(

I can hope that Plesk will release an update soon, before more clients move to DirectAdmin...
 
Hi @AlL,

just a short information:

since the Plesk Let's Encrypt Extension v2.0.3
Changes

2.0.3 (13 April 2017)
  • The extension now logs its communication with the Let's Encrypt servers in the "panel.log". This enables better troubleshooting when there are some issues with requesting a certificate.
Pls. update/upgrade your extensions and afterwards, pls. repeat your steps and investigate possible issues/errors/problems in your "panel.log".
 
Hi @UFHH01 ,

Sorry for the delay, busy days...

Could you pls. explain, why you don't create a subdomain for "dev.apps.kantl.be" and change the "Document root" in your subdomain - specific hosting settings to equal it with the "Document root" from "dev.extra.kantl.be"?

Because so far (without certificate) it worked and did so quite flexibly. There are quite a number of (historical) server aliases, and promoting all of them to "real" subdomains in Plesk (all pointing to the same document root) would be quite a hassle.

Well, you will experience the very same issue as the one before, when you want to create the certificate, due to the fact that each domain, subdomain and alias-domain will be verified by THEIR own challenge within their document root.

Ok, just to check if I'm not misunderstanding (since my original issue was caused by an unrelated Apache rewrite rule): I have been able to create an "extended" certificate with the manual CLI command I posted in my previous post, which just specified the webroot of the "main" subdomain of the existing certificate: /var/www/vhosts/kantl.be/sites/dev.extra.kantl.be. Although this folder is existing and reachable, this still won't work for the automatic renewal script? From your last remark, I gather that instead of using the document root for the "main" subdomain of the certificate, the automatic renewal script will try to look up document roots for all alias domains in the certificate via the document root settings for the subdomains administered in Plesk. If it does not find any document root in the Plesk db, it will try to construct one, which will probably not work since it doesn't exist?

Would that mean that upon renewal time (with my current setup), I would have to:
  1. manually delete the existing certificate (with all aliases)
  2. create a new certificate in Plesk for just the "main" subdomain and
  3. manually extend that again to all alias subdomains
?
 
Hi ronv,

Although this folder is existing and reachable, this still won't work for the automatic renewal script? From your last remark, I gather that instead of using the document root for the "main" subdomain of the certificate, the automatic renewal script will try to look up document roots for all alias domains in the certificate via the document root settings for the subdomains administered in Plesk. If it does not find any document root in the Plesk db, it will try to construct one, which will probably not work since it doesn't exist?
Correct... your ( manual ) command includes your desired webroot, but the certbot will only verify existing main-domain, alias-domain and subdomain - webroots within the renewal process.

Would that mean that upon renewal time (with my current setup), I would have to:
  1. manually delete the existing certificate (with all aliases)
  2. create a new certificate in Plesk for just the "main" subdomain and
  3. manually extend that again to all alias subdomains
As stated above, the certbot can't guess which webroot - verification you used with your ( manual ) expand - command. Just consider to use the standard main-domain, alias-domain and subdomain - usage, to avoid issues/errors/problems. Consider to invest the needed time to create alias-domains and don't see this as a "hassle". The Plesk Let's Encrypt Extension has just not been invented to be as flexible as you desire it to be. :)
 
Hi @UFHH01 ,

Ok, that's clear. If that is what it takes to make life easier, it's well worth considering indeed. Once again, many thanks for your clarifications and kind guidance (and most of all your patience :)).

Best,

Ron
 
Hi @AlL,

just a short information:

since the Plesk Let's Encrypt Extension v2.0.3

Pls. update/upgrade your extensions and afterwards, pls. repeat your steps and investigate possible issues/errors/problems in your "panel.log".

Hi, when is the major update of the "Plesk Let's Encrypt Extension" due? IIRC you wrote that Plesk is preparing a big update that addresses almost all these manual tasks.

BTW, when setting a webmail certificate: on renewal of the webmail certificate, do we need to disable webmail again so that certbot finds the webroot of webmail, or is that just for the first certificate?

Many thanks
 
Is there no way of using a different SSL certificate for different domains, e.g.:

mail.domain1.com - SSL 1
mail.domain2.com - SSL 2
mail.domain3.com - SSL 3

rather than asking all the domain holders to use mail.domain.com for incoming and outgoing and getting a host name mismatch when going SSL in mail clients?

I have tried understanding all issues addressed in this thread but it is still not clear to me if the original problem at the origin of this thread has been resolved.
At least for me, I cannot find a tree in this forest of words and suggestions.
Can someone help me out of the woods?
 
Hi hugosnel,

Can someone help me out of the woods?
Pls. help us to understand, WHERE you are stuck and WHAT issues/errors/problems you have, after you followed WHICH STEPS?


I hope that you don't want us to type all possible suggestions again and again ?
 