
Issue with Mail Server SSL from Let's Encrypt

AdamW1992

Hi,

For the mail server on our server we are using an SSL for the subdomain mail.domain.com which is issued via Let's Encrypt. However, we ran into an odd issue yesterday.

On Apple devices, accounts that are set up using the hostname mail.domain.com work fine when they are first set up, but yesterday a message came up saying the certificate had expired (expired date 12/10/2017). I thought this was odd, as I looked on the actual subdomain and the certificate had renewed and the certificate on there said it was valid (in effect from 12/09/2017 to 12/12/2017).

I changed the SSL for the mail server to a different one and then switched it back to the one for mail.domain.com and now it is fine again.

Does this mean there is an issue with the designated Mail Server SSL not changing to the newly renewed certificate on a domain if it is a Let's Encrypt one, instead staying as whichever certificate it is at the moment you choose it to be the Mail Server certificate?

Thanks in advance.
 
Hi AdamW1992,

You can check the certificate currently in use with, for example:

(for IMAP):
Code:
openssl s_client -connect mail.domain.com:143 -servername mail.domain.com -starttls imap -showcerts > /tmp/mail.domain.com < /dev/null
followed by
Code:
cat /tmp/mail.domain.com | openssl x509 -noout -enddate


or (for SMTP):
Code:
openssl s_client -connect mail.domain.com:587 -servername mail.domain.com -starttls smtp -showcerts > /tmp/mail.domain.com < /dev/null
followed by
Code:
cat /tmp/mail.domain.com | openssl x509 -noout -enddate

If the certificates differ from the ones that are displayed in your Plesk Control Panel, please look for (possible) issues/errors/problems in your "panel.log", as the Plesk Let's Encrypt Extension logs all its actions there.
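
The check described in this thread can be automated. The following is an added example, not part of the original posts and not Plesk's own tooling: it compares the end date of the certificate a mail service presents after STARTTLS with the end date of the renewed certificate file on disk, and flags the case where the service is still presenting the older one. It assumes `openssl` and GNU `date`; the host, port, protocol and PEM path are supplied by the caller, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: detect a mail service still serving a pre-renewal certificate.
# Assumes openssl and GNU date; function names are illustrative only.

# Convert an "openssl x509 -noout -enddate" line (notAfter=...) to epoch seconds.
enddate_epoch() {
    date -u -d "${1#notAfter=}" +%s
}

# Classify the service from both notAfter lines and the current epoch time.
#   STALE_EXPIRED: a newer certificate exists on disk, the served one has expired
#   STALE:         a newer certificate exists on disk, the served one is still valid
#   EXPIRED:       the served certificate has expired and nothing newer is on disk
#   OK:            the served certificate is current and not expired
cert_status() {
    served=$(enddate_epoch "$1") || return 2
    ondisk=$(enddate_epoch "$2") || return 2
    now=$3
    if [ "$served" -lt "$ondisk" ] && [ "$served" -le "$now" ]; then
        echo STALE_EXPIRED
    elif [ "$served" -lt "$ondisk" ]; then
        echo STALE
    elif [ "$served" -le "$now" ]; then
        echo EXPIRED
    else
        echo OK
    fi
}

# Fetch the notAfter line of the certificate served after STARTTLS.
# Arguments: host port proto (imap or smtp)
served_enddate() {
    openssl s_client -connect "$1:$2" -servername "$1" -starttls "$3" \
        </dev/null 2>/dev/null | openssl x509 -noout -enddate
}

# Usage: script.sh host port proto /path/to/renewed-cert.pem
if [ "$#" -eq 4 ]; then
    cert_status "$(served_enddate "$1" "$2" "$3")" \
                "$(openssl x509 -noout -enddate -in "$4")" "$(date +%s)"
fi
```

A result of STALE or STALE_EXPIRED means the renewal succeeded but the mail service has not picked up the new certificate, which is the condition reported in this thread.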
 
I wonder if this is related to the issue I tried reporting previously: Let’s Encrypt Secured Plesk Not Renewing

In our case, Plesk and mail are secured with a domain's LE certificate. The certificate renewed but Plesk and mail still showed they were using the expired cert. If we toggle or resave the setting it starts working again.
 
> I wonder if this is related to the issue I tried reporting previously: Let’s Encrypt Secured Plesk Not Renewing
>
> In our case, Plesk and mail are secured with a domain's LE certificate. The certificate renewed but Plesk and mail still showed they were using the expired cert. If we toggle or resave the setting it starts working again.

To make it easy to check a certificate I wrote this shell script a while ago.
It in fact does about the same as what @UFHH01 wrote, but it is easier to use and will give an easy-to-read report.

Check certificate of a server

At the time of writing that script there were some things not clear to me.
However, I use the script to this day and it has made troubleshooting SSL connections quicker and easier.


certinfo smtp.gmail.com 465
Code:
Certificate info for host smtp.gmail.com (74.125.128.108) on port 465

       CN: smtp.gmail.com

  Subject:
           C=US
           ST=California
           L=Mountain View
           O=Google Inc
           CN=smtp.gmail.com
   Issuer:
           C=US
           O=Google Inc
           CN=Google Internet Authority G2

 Validity:
           Valid since:  Oct  3 18:12:54 2017 GMT
            Expires on:  Dec 26 17:45:00 2017 GMT

DNS names:
           smtp.gmail.com
 
> I wonder if this is related to the issue I tried reporting previously: Let’s Encrypt Secured Plesk Not Renewing
>
> In our case, Plesk and mail are secured with a domain's LE certificate. The certificate renewed but Plesk and mail still showed they were using the expired cert. If we toggle or resave the setting it starts working again.

This does seem to be the same issue as we are having. The Let's Encrypt certificate for the domain is auto-renewing as intended, but Plesk isn't updating the mail server to use the renewed certificate, sticking with the old one, which then expires... Seems to be a genuine bug that may need addressing in an update. For most devices it seems to be generally fine, as they can cope until the certificate gets sorted, but on iOS devices it is terrible, as the mail server stops working until we manually fix it.
 