• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue Issue with Mail Server SSL from Let's Encrypt

A

AdamW1992

New Pleskian
Hi,

For the mail server on our server we are using an SSL for the subdomain mail.domain.com which is issued via Let's Encrypt. However, we ran into an odd issue yesterday.

On Apple devices accounts that are set-up using the hostname mail.domain.com work fine when they are first set up but yesterday a message came up saying the certificate had expired (expired date 12/10/2017). I thought this was odd as I looked on the actual subdomain and the certificate had renewed and the certificate on there said it was valid (in effect from 12/09/2017 to 12/12/2017).

I changed the SSL for the mail server to a different one and then switched it back to the one for mail.domain.com and now it is fine again.

Does this mean there is an issue with the designated Mail Server SSL not changing to the newly renewed certificate on a domain if it is a Let's Encrpyt one, instead staying as which ever certificate it is at the moment you choose it to be the Mail Server certificate?

Thanks in advance.
 
Hi AdamW1992,

you are able to check the current used certificate with for example:

( for imap ):
Code: 
openssl s_client -connect mail.domain.com:143 -servername mail.domain.com -starttls imap -showcerts > /tmp/mail.domain.com < /dev/null
followed by
Code: 
cat /tmp/mail.domain.com | openssl x509 -noout -enddate


or ( for smtp ):
Code: 
openssl s_client -connect mail.domain.com:587 -servername mail.domain.com -starttls smtp -showcerts > /tmp/mail.domain.com < /dev/null
followed by
Code: 
cat /tmp/mail.domain.com | openssl x509 -noout -enddate

If the certificates differ from the ones that are displayed over your Plesk Control Panel, pls. consider to find ( possible ) issues/errors/problems at your "panel.log", as the Plesk Let's Encrypt Extension logs all its actions there.
 
I wonder if this is related to the issue I tried reporting previously: Let’s Encrypt Secured Plesk Not Renewing

In our case, Plesk and mail are secured with a domain's LE certificate. The certificate renewed but Plesk and mail still showed they were using the expired cert. If we toggle or resave the setting it starts working again.
 
stvnthomas said:
I wonder if this is related to the issue I tried reporting previously: Let’s Encrypt Secured Plesk Not Renewing

In our case, Plesk and mail are secured with a domain's LE certificate. The certificate renewed but Plesk and mail still showed they were using the expired cert. If we toggle or resave the setting it starts working again.
Click to expand...
To make it easy to check a certificate I wrote this shell script a while ago.
It in fact does about the same as what @UFHH01 wrote, but it is easier to use and out will give an easy to read report

Check certificate of a server

At the time of writing that script there were some things not clear to me.
The script however I use to this day and has made troubleshooting SSL connections quicker and easier.


certinfo smtp.gmail.com 465
Code: 
Certificate info for host smtp.gmail.com (74.125.128.108) on port 465

       CN: smtp.gmail.com

  Subject:
           C=US
           ST=California
           L=Mountain View
           O=Google Inc
           CN=smtp.gmail.com
   Issuer:
           C=US
           O=Google Inc
           CN=Google Internet Authority G2

 Validity:
           Valid since:  Oct  3 18:12:54 2017 GMT
            Expires on:  Dec 26 17:45:00 2017 GMT

DNS names:
           smtp.gmail.com
 
Last edited:
stvnthomas said:
I wonder if this is related to the issue I tried reporting previously: Let’s Encrypt Secured Plesk Not Renewing

In our case, Plesk and mail are secured with a domain's LE certificate. The certificate renewed but Plesk and mail still showed they were using the expired cert. If we toggle or resave the setting it starts working again.
Click to expand...

This does seem to be the same issue as we are having. The Let's Encrypt certificate for the domain is auto-renewing as intended but plesk isn't updating the mail server to use the renewed certificate, sticking with the old one which then expires... Seems to be a genuine bug that may need addressing in an update. For most devices it seems to be generally fine as they can cope until the certificate gets sorted, but on iOS devices it is terrible as the mail server stops working until we manually fix it.
 
You must log in or register to reply here.

Similar threads

R
Issue SSL/TLS cert for mail server not updating (Lets Encrypt)
Replies
2
Views
888
tessa67
T
D
Question Renewing Let's encrypt automatically
Replies
3
Views
494
Kaspar
K
defcon8
Issue SMTP SSL Certificate Expired
Replies
2
Views
599
defcon8
defcon8
futureweb
Question Issues with SSL Certificate Renewal for Mail Services in Plesk: Seeking Automated Solution via CLI or API
Replies
8
Views
1K
futureweb
futureweb
M
Resolved Lets Encrypt not issuing certs for subdomains
Replies
2
Views
272
mendip_discovery
M
Back
Top