
Issue IMAP requires security certificate? Maybe?

marvin

Basic Pleskian
Server operating system version
Centos 7
Plesk version and microupdate number
Plesk Obsidian 18.0
I'm asking this question again in order to (hopefully) generate more discussion and hopefully resolve my issue.

Late May this year the LetsEncrypt Security certificate on my domain expired and auto-renewed. The resulting chain of events caused a lot of angst and service disruption that I won't go into here, but after reading posts on this forum, checking ports, looking at settings, changing passwords and much faffing about I've arrived at the situation where we have two email accounts with POP and SMTP service on Mac Mail and Thunderbird.

IMAP for webmail and phone service is another matter. We are unable to receive emails on our phones but we can send email.

Logging in to Roundcube webmail on Firefox produces the following error:

Did Not Connect: Potential Security Issue

Firefox detected a potential security threat and did not continue to webmail.mysite.co.nz because this website requires a secure connection.

What can you do about it?

webmail.mysite.co.nz has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site.

The issue is most likely with the website, and there is nothing you can do to resolve it. You can notify the website’s administrator about the problem.

Chrome tells me:

Your connection is not private

Attackers might be trying to steal your information from webmail.mysite.co.nz (for example, passwords, messages or credit cards). Learn more


NET::ERR_CERT_COMMON_NAME_INVALID

Which would seem to point to a Security Certificate Issue (unless this is a generic error message?).

While Safari shows me a Plesk Web Server Default Page (it says in the address bar that this page is not secure).

Keeping in mind that everything was working fine until the expiry of the LetsEncrypt certificate for MySite.co.nz -- and that since the auto-renew I've gone in again and renewed the LetsEncrypt certificate manually (including certificates for Mail, Webmail and *Wildcard) -- can anybody shed any light on what's gone amiss?

What is this ERR_CERT_COMMON_NAME_INVALID of which Plesk speaks?

Note: This only seems to affect ONE domain on my VPS. Other co-hosted domains are functioning normally.
 
I delved a bit deeper and Firefox revealed more info. Definitely looks like a certificate thing. How do I resolve it?

Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for webmail.mysite.co.nz. The certificate is only valid for server.mydedicatedvps.co.nz.

Error code: SSL_ERROR_BAD_CERT_DOMAIN
 
I delved a bit deeper and Firefox revealed more info. Definitely looks like a certificate thing. How do I resolve it?
Can you post the advanced settings view for the certificate of the domain you're having issues with? (a sanitized example of one of my own in the image below)
Check.jpg
 
Hi @learning_curve -- by 'sanitised' I assume you mean 'redacted'??
Yes, however, not that image that you've posted.

Your image is a screen grab taken from here: *.*/modules/sslit/index.php/index/certificate/id/*.* but, can you post a screen grab image, taken from the advanced settings view, which you can access via the advanced settings button at the top of that same page.
AS.jpg
 
@learning_curve -- you mean like this?
No. I don't think that you've understood what I posted previously.

Your thread started with you saying "...the LetsEncrypt Security certificate on my domain..." NOT "...the LetsEncrypt Security certificate on my domain - THE ONE THAT I USE FOR HOSTING PLESK..." (although they could be one and the same in fairness...). The latter is what the image in your Post #6 above shows.

My previous posts refer to looking at the certificate of a specific domain, where you can, via the button that I posted an image of, look at the advanced settings for the certificate of that specific domain. In my previous post #5, I wrote: "...Your image is a screen grab taken from here: *.*/modules/sslit/index.php/index/certificate/id/*.*..." So, first of all, please confirm that (you haven't, yet); then proceed to the advanced settings for that specific domain, using the method described in that same post; finally, take a screen grab of that view. It will look very similar to the image I posted in my post #3 (with a redacted domain name).

Meantime, going back to your post #6 again, what you've shown there, is that despite the fact that you have a Let's Encrypt certificate that's been issued against the specific domain that you are using to host Plesk, you are NOT actually using it, Yet! You're still using the "default certificate" as you can clearly see by the figure 2 (i.e. that's Plesk and Mail) against the default certificate line and the figure 0 against the Let's Encrypt certificate line in the image that you have posted.

You can double check this (if you want to) by going to Tools & Settings *.*/admin/server/tools/ then IP addresses *.*/cp/ip-address then click on your IP address and you'll see clearly which certificate is currently enabled for Plesk (i.e. Hosting Plesk on a domain on that IP address). To rectify this (and assuming that the Let's Encrypt certificate is indeed current and valid) go back to where you took that screenshot; Tools & Settings *.*/admin/server/tools/ then SSL/TLS Certificates *.*/admin/ssl-certificate/list and ensure that the Let's Encrypt certificate is selected for both Plesk and Mail (Mail is still showing the wrong selection in the upper part of your screen grab...) then... using the 'Make Default' button and the checkbox on the left hand side of the Let's Encrypt Certificate line (you can see all this clearly in your screen grab) switch over from using the default certificate to the Let's Encrypt Certificate. Now go and double check (if you want to) via the same IP addresses method posted previously. You can even use the Reread button too whilst you're there, if you're still in any doubt.

As may have been posted previously, there's nothing wrong with Plesk and/or the certificates. It's your own Plesk admin and config that's causing the errors.
 
Hi @learning_curve

I'll need to print out what you said there to process it... but thanks for the feedback.

Just in case this has a bearing on what you said:
  • My Plesk-enabled VPS hosts a number of client websites, including my own. Some of these websites have mail accounts associated with them.
  • Each hosted site has a LetsEncrypt certificate associated with it.
  • This problem (cannot log in on IMAP) only seems to affect my domain.
The settings I have shown are for the VPS as a whole. If I change anything here I'm assuming it will affect ALL mail services (not just services associated with my domain).
 
It's the co-hosting situation that bothers me. If I change from 'default' to the domain certificate (mydomain.co.nz) will that upset the other websites on the VPS that have their own certificates assigned?
 
Think I'm there now. Looking at settings for my own domain. Looks correct to me. Webmail still doesn't like it...

advanced-01.png
 
Looked at the instructions in the second paragraph of screenshot and setting there are correct too. Mail and Webmail are set to use certificate for www.mysite.co.nz.

To confirm. POP3 and SMTP are using this certificate. IMAP is not.
 
~ Just in case this has a bearing on what you said:
  • My Plesk-enabled VPS hosts a number of client websites, including my own. Some of these websites have mail accounts associated with them.
  • Each hosted site has a LetsEncrypt certificate associated with it.
  • This problem (cannot log in on IMAP) only seems to affect my domain.
The settings I have shown are for the VPS as a whole. If I change anything here I'm assuming it will affect ALL mail services (not just services associated with my domain).
Can't comment on a VPS setup sorry. Have never used it.

However, what is still relevant regardless is that, depending on the config / setup of your Plesk mail services, initially from here: *.*/cp/server/mail/settings and then from within each domain and/or account that you provide, currently all of those 'other' domains that you are hosting (including your own) will be subject to any demands / limitations / requirements provided by those config / setups, which may well include the Plesk Mail service, which you currently have set up using the 'default certificate' by choice. (This is a little bit like "how long is a piece of string" at this point, as there's so much config info that you've not had chance or needed to post so far). Just out of interest, is your Plesk hosting domain a different domain than the one that you're now having mail issues with?

Moving on, have you tested the e-mail config / responses of both your own and all of your hosted domains? You can test both To & From from right here: Secure Email This can include (as we always do here) tests on IPv4 IPv6 Cert Sigs OCSP DANE etc Then there's the default / usual server tests here: SSL Server Test (Powered by Qualys SSL Labs) then, many more, far more specific test too - ALL done outside of Plesk. Okay we're on Cloud Servers not VPS, but FWIW all of our mail, on all of our hosted domains is fault free (see forum sig for very brief details of our setup)

The cannot login to IMAP can only be a config / setup issue. It can't be anything else. It's not a fault with Plesk etc as it works elsewhere without any issues.
 
It's the co-hosting situation that bothers me. If I change from 'default' to the domain certificate (mydomain.co.nz) will that upset the other websites on the VPS that have their own certificates assigned?
See previous post above. This all depends on your own, chosen config / setup.
 
Think I'm there now. Looking at settings for my own domain. Looks correct to me. Webmail still doesn't like it...
~~
Yes. That ^ domain's current config / setup for the Let's Encrypt Certificate itself looks fine (in isolation...)
However, settings at the level above this (Server / Plesk Mail etc) are also a major factor.
Assuming that you're using Roundcube for Webmail, that is IMAP based, hence your collateral damage type issues of not being logged into IMAP - yet!
 
Looked at the instructions in the second paragraph of screenshot and setting there are correct too. Mail and Webmail are set to use certificate for www.mysite.co.nz.

To confirm. POP3 and SMTP are using this certificate. IMAP is not.
If you've completed those checks, that's all good, but that's not specifically relevant to you not being logged in to IMAP (yet) on that domain.

There ^ you're ensuring that on that specific domain, you are going to use a chosen, specific certificate for both Mail and Webmail (this is also confirmed by the figure 3 (i.e. used for: Domain / Mail / Webmail = 3) that's shown against the Let's Encrypt certificate / redacted domain name image in your post #10 above.
 
@marvin One fairly basic check is that you have actually got IMAP ports open (for service by Plesk etc)
Pretty sure that you have (if your other hosted domains are already successfully using IMAP mail, but if they are all on POP...)
It's worth a quick double check, even more so if you are able / have already chosen, specific port access by individual domain not by hosting server domain
 
Thanks @learning_curve — all I can really say is after a month of frustration it’s looking like a bloody long piece of string…

I’ll check the links you sent for testing tools. Thanks for your feedback — watch this space!
 
I did a test for mail.mydomain.co.nz. For some reason the test queried my VPS...

Certificate #1: RSA 2048 bits (SHA256withRSA)

Server Key and Certificate #1

Subject: server1235.myvps.co.nz
Fingerprint SHA256: 46153b92749e0f1c0f2c760a52684cb3ee1c0d53568015c9055ebb3fc77c7e5c
Pin SHA256: i4WK4/c5jRQ5+ld1H7oZurL3wC/HG3P/Xa8iQWmS3fQ=
Common names: server1235.myvps.co.nz
Alternative names: server1235.myvps.co.nz MISMATCH
Serial Number: 0374726a2647eca5ccddee073d725d3e76df
Valid from: Fri, 12 May 2023 20:02:33 UTC
Valid until: Thu, 10 Aug 2023 20:02:32 UTC (expires in 1 month and 3 days)
Key: RSA 2048 bits (e 65537)
Weak key (Debian): No
Issuer: R3
AIA: http://r3.i.lencr.org/
Signature algorithm: SHA256withRSA
Extended Validation: No
Certificate Transparency: Yes (certificate)
OCSP Must Staple: No
Revocation information: OCSP
OCSP: http://r3.o.lencr.org
Revocation status: Good (not revoked)
DNS CAA: No
Trusted: No NOT TRUSTED
Mozilla Apple Android Java Windows
 
This is the actual certificate for mydomain.co.nz (I can tell by the expiry date):

Additional Certificates (if supplied)

Certificates provided: 3 (4026 bytes)
Chain issues: None
#2
Subject: R3
Fingerprint SHA256: 67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd
Pin SHA256: jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=
Valid until: Mon, 15 Sep 2025 16:00:00 UTC (expires in 2 years and 2 months)
Key: RSA 2048 bits (e 65537)
Issuer: ISRG Root X1
Signature algorithm: SHA256withRSA
#3
Subject: ISRG Root X1
Fingerprint SHA256: 6d99fb265eb1c5b3744765fcbc648f3cd8e1bffafdc4c2f99b9d47cf7ff1c24f
Pin SHA256: C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M=
Valid until: Mon, 30 Sep 2024 18:14:03 UTC (expires in 1 year and 2 months)
Key: RSA 4096 bits (e 65537)
Issuer: DST Root CA X3
Signature algorithm: SHA256withRSA
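The SSL Labs report above shows the core of what the browsers were complaining about: the leaf certificate presented on mail.mydomain.co.nz (Certificate #1) names only server1235.myvps.co.nz, while entries #2 and #3 are the Let's Encrypt issuing chain (R3 and ISRG Root X1), not a domain certificate. Any client connecting as mail.mydomain.co.nz or webmail.mysite.co.nz will therefore reject the connection with SSL_ERROR_BAD_CERT_DOMAIN / NET::ERR_CERT_COMMON_NAME_INVALID, exactly as Firefox and Chrome did. The Python script below is an added example, not something posted in this thread or shipped with Plesk: it implements the hostname-to-certificate matching that browsers and mail clients perform (exact names and single-label wildcards from subjectAltName, falling back to the subject CN only when no SAN is present), runs it offline against a constructed certificate dict modelled on the report, and can also connect to a live IMAPS (993) or IMAP+STARTTLS (143) endpoint to show which names the service really presents. All hostnames are placeholders.

```python
"""Hostname-vs-certificate check for mail services (added example, not from
the forum thread). SAMPLE_CERT is constructed to mirror the SSL Labs report;
every hostname here is a placeholder."""
from __future__ import annotations

import imaplib
import socket
import ssl
import sys

# Constructed to mirror the report: the leaf certificate names only the VPS
# hostname, not the mail/webmail names that clients connect to.
SAMPLE_CERT = {
    "subject": ((("commonName", "server1235.myvps.co.nz"),),),
    "subjectAltName": (("DNS", "server1235.myvps.co.nz"),),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive exact match, or a single
    leading '*.' wildcard that covers exactly one label (so *.mysite.co.nz
    matches webmail.mysite.co.nz but not mysite.co.nz or a.b.mysite.co.nz)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[1:]:
        suffix = pattern[1:]  # e.g. ".mysite.co.nz"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[: -len(suffix)]
        return leftmost != "" and "." not in leftmost
    return False


def cert_names(cert: dict) -> list[str]:
    """DNS names the certificate is valid for, read from the dict layout that
    ssl.SSLSocket.getpeercert() returns. Browsers and mail clients consult
    subjectAltName only; the subject commonName counts only if no SAN exists."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def hostname_matches(cert: dict, hostname: str) -> bool:
    return any(_dns_name_matches(name, hostname) for name in cert_names(cert))


def diagnose(cert: dict, hostname: str) -> str:
    """One-line verdict of the kind a browser turns into
    SSL_ERROR_BAD_CERT_DOMAIN / ERR_CERT_COMMON_NAME_INVALID."""
    if hostname_matches(cert, hostname):
        return f"OK: certificate is valid for {hostname}"
    return (f"MISMATCH: {hostname} is served a certificate valid only for "
            + ", ".join(cert_names(cert)))


def check_mail_service(hostname: str, port: int = 993,
                       starttls: bool = False, timeout: float = 10.0) -> str:
    """Connect to IMAPS (default) or IMAP+STARTTLS and report whether the
    presented certificate is valid for `hostname`. Chain verification stays
    on (getpeercert() only returns a parsed dict for a verified chain); just
    the hostname check is moved into diagnose(), so a mismatch is reported
    instead of raised."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # the mismatch is reported by diagnose()
    try:
        if starttls:
            imap = imaplib.IMAP4(hostname, port, timeout=timeout)
            imap.starttls(ctx)
            cert = imap.sock.getpeercert()
            imap.logout()
        else:
            with socket.create_connection((hostname, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                    cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return f"NOT TRUSTED: chain verification failed for {hostname}: {exc}"
    except (OSError, imaplib.IMAP4.error) as exc:
        return f"UNREACHABLE: {hostname}:{port}: {exc}"  # closed port, firewall, no service
    return diagnose(cert, hostname)


if __name__ == "__main__":
    # Offline demonstration on the constructed certificate...
    print(diagnose(SAMPLE_CERT, "mail.mydomain.co.nz"))
    # ...or a live check: python check_mail_tls.py mail.example.nz [993|143]
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 993
        print(check_mail_service(sys.argv[1], port, starttls=(port == 143)))
```

Running the script without arguments prints the MISMATCH verdict for the constructed certificate; with a hostname and port it repeats the same check against a live server, which is a quick way to confirm, per domain and per port, whether the mail service is still presenting the server default certificate after the change described earlier in the thread. The UNREACHABLE branch is what a closed IMAP port (the check suggested above) looks like, as distinct from a certificate problem, and a certificate that is not trusted at all shows up as NOT TRUSTED rather than as a name mismatch.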
 