Resolved How to secure mail of domain with Lets Encrypt

[hugosnel]

I am stuck at the beginning.
Rather , it is a thread full of steps, suggestions , it seems to be solved. I am missing a clear and valid conclusion.?

 

[sergiomb]

I am stuck at the beginning.
Rather , it is a thread full of steps, suggestions , it seems to be solved. I am missing a clear and valid conclusion.?

Pls see for example: => #57 , for configure pops/imaps pls. see for example: => #26

 

[sergiomb]

Hi, for when the major update of "Plesk Let's Encrypt Extension" ?

BTW , when setting webmail certificate, on renew the certificate of webmail we need disable webmail again to certbot find webroot of webmail ? or is just for the first certificate ?

Many thanks

I also meant if we have anyway to test an beta version of next "Plesk Let's Encrypt Extension" ?

 

[hugosnel]

Hello , used #57
added dns recoreds
stoped dovecot
plesk bin extension --exec letsencrypt cli.php --cert-name atelea.fr -d atelea.fr -d www.atelea.fr -d webmail.atelea.fr -d mail.atelea.fr -d smtp.atelea.fr -d pop3.atelea.fr -d imap.atelea.fr -d imap.atelea.fr --email [email protected] --expand
[2017-05-09 09:39:09] ERR [extension/letsencrypt] Execution of /usr/local/psa/admin/plib/modules/letsencrypt/scripts/cli.php failed with exit code 1 and the output:
Install certificate failure: Unable to set certificate name :
Execution of /usr/local/psa/admin/plib/modules/letsencrypt/scripts/cli.php failed with exit code 1 and the output:
Install certificate failure: Unable to set certificate name :

exit status 1

 

[UFHH01]

Hi hugosnel,

Install certificate failure: Unable to set certificate name :

Pls. see:

=> Error "Unable to set certificate name :" · plesk/letsencrypt-plesk Wiki · GitHub

or

=> Let's Encrypt is unable to install a certificate: Install certificate failure: Unable to set certificate name​

 

[onycro]

A step by step solution is provided on Page #3, Post #57.

But even though I had to make some changes:
- mistake at the cli ("-d imap.YOUR-DOMAIN.com -d imap.YOUR-DOMAIN.com") - double certificate param for imap subdomain is not necessary or might be wrong
- I had to stop the webmail service for the whole server (haven't been able to stop it at the website config page)

 

[UFHH01]

Hi onycro,

my "original" post ( => #13 ) for the suggested command don't include the double setting for "imap".

- I had to stop the webmail service for the whole server (haven't been able to stop it at the website config page)

Yes, this step has to be done BEFORE you add the subdomain "webmail", to be able to use the provided Let's Encrypt command with the "--expand" definition.

 

[HHawk]

When will the new version be released, which will fix all issues with subdomains for example mail, imap, smtp, etc.
Back in March, UFHH01 mentioned it would be soon? However it's now mid-May and still nothing in sight?

No offence meant, just wondering about this...

 

[UFHH01]

Hi HHawk,

funny that you just posted, even that a NEW version is available:

=> Let's Encrypt - Plesk Extensions

Changes
2.1.0 (18 May 2017)

• [+] It is possible to include webmail to Let's Encrypt certificate request and secure both the domain and webmail with this certificate.
• Let's Encrypt custom settings can be configured via the panel.ini file.
• [-] After a certificate for a subdomain had been issued, it was impossible to renew the certificate for the parent domain. (EXTLETSENC-105)

​

We might not be "at the end of the road" for all wishes, but as you can see, constant improvements are done!

 

[timscha]

I tried the updated extension, but got an error message for all my domains:

Fehler: Fehler bei der Installation des SSL-Zertifikats von Let's Encrypt: Could not obtain directory: Invalid response: <HTML><HEAD><TITLE>Error</TITLE></HEAD><BODY>
An error occurred while processing your request.<p>
Reference #97.57f01202.1495184638.22b42af3
</BODY></HTML>
.
Status: 504.

Edit: An colleague has the same problem on a different server. My server is running with Debian, the other one with CentOS.

Edit: Let's Encrypt status update: Let's Encrypt Status

 

[UFHH01]

Hi timscha,

there are things which Plesk can control, and things, which are impossible for Plesk to control. If the Let's Encrypt service itself throws out errors/issues/problems, there is absolutely no way to "fix" that with Plesk or manually on your server... you have to be patient, untill they solve THEIR issues and repeat your steps afterwards.

 

[ssaki]

We might not be "at the end of the road" for all wishes, but as you can see, constant improvements are done!

Thanks for solving this!

One more thing is still missing tough - enabling the "Permanent SEO-safe 301 redirect from HTTP to HTTPS" option has no effect on the webmail.example.com subdomain and it seems that there is no equivalent option (e.g. in "Mail settings").
I'd personally be happy if this just gets enforced upon installing a certificate, but perhaps having an option in mail setting will be more appropriate with respect to the entire user base.

Cheers

 

[mr-wolf]

Hi HHawk,

funny that you just posted, even that a NEW version is available:

You're right about the timing.... But...
The update failed as ALL updates to the component LetsEncrypt failed in the past on ALL of my Plesk servers.
I can remove the component LetsEncrypt and re-install it, but it is not that elegant...

It also feels risky as I don't know beforehand that I will be able to install it again after removing it.
If I'm not able to install the LetsEncrypt component after removing it this becomes a very serious problem!!!!

Please recognize this dillemma Plesk is posing their customers!!!
This should not be treated as a minor anomaly.
The bug is known by Plesk and I've seen others on this forum mentioning it as well.
No software is bug free and this kind of stuff is not easy to make, but this behaviour has been there from the beginning and upgrade after upgrade it's the same (even on fresh installs).


I also would like to have an optional automatic redirect from http to https so it's not necessary to inform all clients of this great upgrade.....

 

[sergiomb]

You're right about the timing.... But...
The update failed as ALL updates to the component LetsEncrypt failed in the past on ALL of my Plesk servers.
I can remove the component LetsEncrypt and re-install it, but it is not that elegant...

It also feels risky as I don't know beforehand that I will be able to install it again after removing it.
If I'm not able to install the LetsEncrypt component after removing it this becomes a very serious problem!!!!

Please recognize this dillemma Plesk is posing their customers!!!
This should not be treated as a minor anomaly.
The bug is known by Plesk and I've seen others on this forum mentioning it as well.
No software is bug free and this kind of stuff is not easy to make, but this behaviour has been there from the beginning and upgrade after upgrade it's the same (even on fresh installs).


I also would like to have an optional automatic redirect from http to https so it's not necessary to inform all clients of this great upgrade.....

TLDR , is the risk of earlier access ... ,

 

[UFHH01]

Hi mr-wolf,

The update failed as ALL updates to the component LetsEncrypt failed in the past on ALL of my Plesk servers.

If ( for wathever reason, you experience issues / errors/ problems with the Plesk Let's Encrypt version, pls. consider to open a decent bug - report at "Home > Forum > Plesk Discussion > Reports", if you can't find any solution with the help of the Plesk Community and it's users.


In addition, I can't see any reason at all, why a thread with the title "How to secure mail of domain with Lets Encrypt" should be used for complete different ( possible ) issues and I don't feel very comfortable to discuss/reply to your... let me call it: "complaints" / If you desire to give a feedback to Plesk and it's employees, pls. open a thread at for example: => Home > Forum > Plesk Discussion > Plesk Suggestions and Feedback
I will leave this single answer to you, as it is without further comments.


Another addition: Pls. feel free to submit feature requests at => Feature Suggestions: Top (1474 ideas) – Your Ideas for Plesk , describing your needs and wishes ( ... and pls. keep in mind to explain as well the buisiness case, as this is standart for Plesk feature requests ), because this thread is definetely the wrong place for such requests.

 

[UFHH01]

Hi ssaki,

pls. feel free to submit feature requests at => Feature Suggestions: Top (1474 ideas) – Your Ideas for Plesk , describing your needs and wishes ( ... and pls. keep in mind to explain as well the buisiness case, as this is standart for Plesk feature requests ), as this thread here depends on "How to secure mail of domain with Lets Encrypt" and it's investigations/suggestions to solve them ( in the past - before the latest updates/upgrades/patches for this Plesk Let's Encrypt Extension.

 

[Walter]

Hi Giorgos Kontopoulos,

you could use the not documented command:

plesk bin extension --exec letsencrypt cli.php -d YOUR-DOMAIN.COM -d www.YOUR-DOMAIN.COM -d webmail.YOUR-DOMAIN.COM -d mail.YOUR-DOMAIN.COM -d smtp.YOUR-DOMAIN.COM -d pop3.YOUR-DOMAIN.COM -d imap.YOUR-DOMAIN.COM -d lists.YOUR-DOMAIN.COM --email [email protected] --expand

As you can see, I included all possible subdomains, which are "normally" not setup over the Plesk Control Panel, such as "webmail.", "mail.", "smtp.", "pop3.", "imap." and "lists.". Pls. keep in mind, that there is a maximum of 100 Let's Encrypt SAN - certificate - names.
The "--expand" option at the end should be used, if there has been a previous certificate creation, which you are now able to EXPAND with the additional (sub)domain - names - if you didn't create a previous certificate for the domain, pls. leave out this option.


If you experience issues with the suggestion, pls. consider to include the Let's Encrypt - log and the output from your command line, after you used the command for further investigations.

If I created a domain alias called mail.yourdomain.tld and then created the LE certificate. Then deleted the alias and re-added the mail "A" record to yourdomain.tld. Will LE continue to renew the domain? Thank you for your time...

 

[HHawk]

Hi HHawk,

funny that you just posted, even that a NEW version is available:

=> Let's Encrypt - Plesk Extensions

View attachment 12813​

We might not be "at the end of the road" for all wishes, but as you can see, constant improvements are done!

Webmail is the same as normal email? As in mail.domain.com.
I don't use webmail, but I do use my mailservers. Thought this was going to be released as well?

Because currently it's a pain to use Let's Encrypt with mail-servers (as in mail.domain.com) especially with renewing.
With DirectAdmin this was already possible from almost the first day.

I am really considering moving my (personal) domains to a DirectAdmin server, just because of this feauture....

 

[mr-wolf]

Webmail is the same as normal email? As in mail.domain.com.
I don't use webmail, but I do use my mailservers. Thought this was going to be released as well?

You're asking for troubles when going to that path to put LetsEncrypt on your mail.
Multiple certificates on mail is only supported by some modern mail clients.
Most mail clients don't offer the mailserver the information to offer the correct certificate.
I'm not saying it's not working.... It just won't work for all your clients probably.

A few weeks ago I told someone to really stop using Outlook 2003. I haven't seen Outlook Express for a while though.. (did see a Pegasus).


With relying on LetsEncrypt and all these scripted procedures that could go wrong at the time you most need it, this is even more hazardous... I'm not going down that path.
If you do and get bitten. Do have the courage to come back and told me I was right.

I have a wildcard certificate on my mail services.
Each client has their own hostname to connect.. all matching that wildcard.

 

[HHawk]

You're asking for troubles when going to that path to put LetsEncrypt on your mail.
Multiple certificates on mail is only supported by some modern mail clients.
Most mail clients don't offer the mailserver the information to offer the correct certificate.
I'm not saying it's not working.... It just won't work for all your clients probably.

A few weeks ago I told someone to really stop using Outlook 2003. I haven't seen Outlook Express for a while though.. (did see a Pegasus).


With relying on LetsEncrypt and all these scripted procedures that could go wrong at the time you most need it, this is even more hazardous... I'm not going down that path.
If you do and get bitten. Do have the courage to come back and told me I was right.

I have a wildcard certificate on my mail services.
Each client has their own hostname to connect.. all matching that wildcard.

Ofcourse a wildcard might be a solution for my own personal domains (about 14 wildcards * $$$), however I cannot force all of our 50k customers to buy a Wildcard as well.
I also cannot force all of those customers to drop their Outlook 20xx versions, just because of this.

The funny thing is, is that this is possible with DirectAdmin in combination with Let's Encrypt. We already moved about 15% of our customers over to DirectAdmin who wanted this, but didn't want to pay for a certificate (I can't blame them). As a result of this we already terminated 22 Plesk licenses. And I can see terminating more, if customers keep having problems... Oh well....