Question Issues with SSL Certificate Renewal for Mail Services in Plesk: Seeking Automated Solution via CLI or API

[futureweb]

Server operating system version

AlmaLinux release 8.9 (Midnight Oncilla)

Plesk version and microupdate number

Plesk Obsidian Version 18.0.59 Update #2

Hello,

we are experiencing the following issue with our Mail Only Hostings on Plesk. "dom.tld"/"www.dom.tld" point to a different server, "mail.dom.tld" points to Plesk.
Email addresses are set up under dom.tld - for example: [email protected].
In order to obtain an SSL certificate for the mail services, the sub-domain mail.dom.tld is set up, the Let’s Encrypt certificate is ordered via SSL it!, and then manually assigned to the mail services of the main domain dom.tld.
So, the mail services of dom.tld run with the mail.dom.tld certificate.

Now, with dozens of these configurations, there is an issue where sometimes the end devices do not accept the certificate after a renewal of the SSL cert and throw a certificate error.

At the moment, this can only be resolved by removing the certificate from dom.tld. Reissuing the mail.dom.tld cert, and then reassigning it to the mail services of dom.tld. (For whatever reason?!?)
However, this whole process involves significant manual work that we would like to avoid...

Is there any way to perform this workflow via CLI or API? I haven't found a way to remove and renew the certificate from the mail services using "plesk ext sslit" or "plesk bin certificate". I can only manage the reassignment with these commands?

Maybe someone has an idea regarding this?

Thank you very much,
Regards from Austria
Andreas

 

[learning_curve]

~~~
At the moment, this can only be resolved by removing the certificate from dom.tld. Reissuing the mail.dom.tld cert, and then reassigning it to the mail services of dom.tld. (For whatever reason?!?) However, this whole process involves significant manual work that we would like to avoid...

Is there any way to perform this workflow via CLI or API? I haven't found a way to remove and renew the certificate from the mail services using "plesk ext sslit" or "plesk bin certificate". I can only manage the reassignment with these commands?
~~~

We're on Ubuntu NOT AlamaLinux (caveat) but, assuming, that you're referring to Let's Encrypt SSL Certificates:

Is the Let's Encrypt SSL Certificate that covers dom.tld a TLD only Certificate, NOT a Wildcard or SAN Certificate that also fully covers the sub-domain mail.dom.tld and/or any other sub-domains of the dom.tld? If yes, have you not considered using Wildcard or SAN Certificates instead? You've stated that the dom.tld and mail.dom.tld are on different servers (different IP addresses?) but that's irrelevant for your SSL Certificate(s), it's FQDN's that's relevant here.

FWIW, because we do use Wildcard Certificates & SAN Certificates, we could (if we wanted to...) completely remove and/or add and/or replace any Wildcard Certificate / SAN Certificate at either the TLD Level or the Sub-Domain Level via the Advance Settings link, which is shown on the SSL/TLS Certificates page of both & which is of course, "plesk ext sslit". We could then (if we wanted to...) use any of those Wildcard or SAN Certificates, to easily and quickly secure the TLD and/or any Sub-Domain of that TLD, plus the Mail and/or Webmail of that TLD and/or any Sub-Domain of that TLD, via the Plesk Panel itself or CLI if preferred.

Re; API, Yes, you can renew all of your Let's Encrypt SSL Certificates (Non-Wildcard Certificates / Wildcard Certificates / SAN Certificates etc) via API for all of those types of Certificates, by using acme.sh which works perfectly every time (for us, when we do this). You can set these up to run as repeat cron tasks too.

 

[futureweb]

Hi @learning_curve,

I appreciate your response. Unfortunately, wildcard certificates aren't feasible on our Plesk servers due to centralized DNS management, which isn't handled by Plesk itself. However, I've come across a potential solution using the CLI: Issue - Postfix SNI TLS-Certs not auto-updated

The issue lies in the renewal process where the updated certificate isn't automatically deployed to Postfix (`tls_server_sni_maps = hash:/var/spool/postfix/plesk/certs`).
Instead, the expired certificate of mail.dom.tld persists in `/var/spool/postfix/plesk/certs.db` for dom.tld until it's manually reassigned to `dom.tld` again ...

To rectify this, running the following commands should resolve the issue:

plesk bin certificate --update 'domain.com certificate' -domain domain.com
plesk bin subscription_settings --update domain.com -mail_certificate 'domain.com certificate'

Currently, I'm in the process of scripting a helper script to automate this task for all our `mail.dom.tld` hostings.

 

[futureweb]

First untested script draft:

# Loop through mail.dom.tld domains
for domain in $(plesk bin domain --list | grep '^mail\.\|^[^.]*$'); do
    # Trim "mail." prefix if it exists
    domain_without_prefix="${domain#mail.}"

    # Get the SSL/TLS certificate for mail for the current domain
    mail_certificate=$(plesk bin subscription_settings --info $domain_without_prefix | grep -oP 'SSL/TLS certificate for mail:\s*\K.*')

    # Print the mail certificate
    #echo "Mail certificate: $mail_certificate"

    if [[ "$mail_certificate" == "Lets Encrypt $domain" ]]; then
        echo "Renew & Update Cert for $domain_without_prefix Mail Services with Cert: $mail_certificate"
        plesk bin certificate --update "$mail_certificate" -domain $domain
        plesk bin subscription_settings --update $domain_without_prefix -mail_certificate "mail_certificate"
    else
        echo "Mail certificate is not 'Lets Encrypt for $domain_without_prefix'"
    fi
done

Ideas & (Improvement) suggestions welcome.

 

[futureweb]

as the Forum won't let me edit my posts after 4 Minutes anymore I've made a GitHub for the Script: GitHub - futureweb/Plesk-Postfix-SNI-TLS-Cert-Fixer: SNI-TLS Cert Fixer for mail.dom.tld LE Certs when dom.tld is not pointing to Plesk Server itself. More Information here: https://talk.plesk.com/threads/issues-with-ssl-certificate-renewal-for-mail-services-in-plesk-seeking-automated-solution-via-cli-or-api.374148/

 

[learning_curve]

~~ Unfortunately, wildcard certificates aren't feasible on our Plesk servers due to centralized DNS management, which isn't handled by Plesk itself~~

@futureweb FWIW All of our DNS, is exactly the same as you've described above. Creation, removal and renewal of Wildcard and/or SAN SSL Certificates work perfectly as described in our previous post (if you make the correct configurations) regardless of their DNS being exclusive to Plesk and, whilst their domains are hosted on Plesk. Feel free to investigate, but that ^ is the setup we've used for over 4 years now, with no problems with Plesk or any 3rd Parties.

 

[futureweb]

@futureweb FWIW All of our DNS, is exactly the same as you've described above. Creation, removal and renewal of Wildcard and/or SAN SSL Certificates work perfectly as described in our previous post (if you make the correct configurations) regardless of their DNS being exclusive to Plesk and, whilst their domains are hosted on Plesk. Feel free to investigate, but that ^ is the setup we've used for over 4 years now, with no problems with Plesk or any 3rd Parties.

DNS Services are completely disabled on those Plesk Servers, so unfortunately not really working ...
Do you have DNS Mgmt active in Plesk and replicate to the external DNS Servers?
Or have you integrated your DNS Servers somehow into the Plesk SSL Requests?

 

[learning_curve]

DNS Services are completely disabled on those Plesk Servers, so unfortunately not really working ...

As previously stated: ALL of our DNS is external to Plesk, but works perfectly with Plesk

Do you have DNS Mgmt active in Plesk and replicate to the external DNS Servers?

No. See above

Or have you integrated your DNS Servers somehow into the Plesk SSL Requests?

Thinking that you actually mean; Let's Encrypt SSL Requests, that are generated through "Plesk SSL It" Is that right? Assuming that it is, then please see post #2 specifically; Our use of Domains (and Sub-Domains) that are Cloud Server hosted, but managed via by Plesk. Our use of 3rd party acme.sh via API and cron and NOT "Plesk SSL It" to request / renew / remove Let's Encrypt Non-Wildcard/Wildcard/SAN SSL Certificates. NB acme.sh is totally separate to Plesk, but works perfectly with Plesk & our external DNS, which FWIW, included TLSA/DANE & MTS-STS a long time ago (on all our Plesk managed Domains / Sub-Domains).

The caveat in post #2 was that we're on Ubuntu NOT AlamaLinux.
Almalinux is NOT shown in the link above, but it IS shown as acme.sh test passing HERE
So in theory, your OS being different to ours, shoudn't matter, IF, you decide to try acme.sh when looking for a solution.

 

[futureweb]

Ah, it seems I overlooked the mention of acme.sh .
Thank you for sharing that information; it does indeed seem intriguing and worth considering down the line!
Regarding the current Plesk Servers Setup, everything seems to be functioning as intended now with the fixer script I've crafted. ("LE" / "Plesk SSL It" based)
Appreciate your assistance