Question Let's Encrypt coming from cPanel to Plesk

[Josh_Henry]

Server operating system version

CloudLinux 8

Plesk version and microupdate number

18.0.62

Like the title says.
Due to the overwhelming cost of cPanel we are moving away from it to Plesk. I really like the panel anyways so it's a good move.
However Let's Encrypt is a thorn in my shoe right now.

We have clients that have CDNs,
We have clients that are email only, www is elsewhere.
We have clients that don't have their DNS with us.

Let's Encrypt doesn't like any of these scenarios. With cPanel Let's Encrypt the system would use either DNS or a site file to verify ownership of the domain. This way if the IP isn't pointing to the plesk server (in the case of a CDN) you can still issue an SSL for things like webmail/IMAP/POP/SMTP.
I haven't been able to find a way around this other than temporary bringing the client's site down by changing the A record to the plesk server, waiting, running Let's Encrypt, putting the A record back, then waiting again for the client's site to come back up. This is a TERRIBLE work around, which was actually suggested by support.
Is there a better method to do this or an alternative to Let's Encrypt that works in plesk?

 

[Kaspar@Plesk]

Hi there, Plesk utilizes Let's Encrypt a bit different compared to cPanel, as you already noticed.

There (currently) is no option to validate certificates via DNS only. However webmail is validated separately. As long as there is an DNS record for webmail pointing to the Plesk server, you should be able to issue a certificate for webmail.

For the mail protocols (SMTP/POP/IMAP) the main domain certificate is used (that would be example.com, without any prefixes). That obviously does not work when the DNS is pointing to another servers/service/ip. A common workaround is to use the server hostname for mail connections (as by default the hostname gets secured with mail connections too). Another workaround would be to setup a separate mail. subdomain for use with mail connections.

Some CDN providers (like Cloudflare for example) don't proxy the ACME (site file) validation by default. Which allows users to still issue certificates for their sites even when using Cloudflare as a CDN. Others might allow you to setup proxy rules to allow traffic for ACME (site file) validation to issues certificates.

I hope this answers helps.

 

[Josh_Henry]

Kaspar,
Is this how Let's Encrypt in Plesk is going to work for the future or is there a chance this is going to be overhauled? Even if they did mail/smpt.(domain.com) like webmail is done would be good to help with how this is done. The current layout has too many "work arounds" to get things working smoothly. cPanel's implementation worked perfectly and we didn't have to do any work arounds to make it work.

 

[Kaspar@Plesk]

For now this how Let's Encrypt functions within Plesk. Useing the server host name for (secured) mail connections is the most straight forward alternative and does not require any additional configuration on the server.

However we are currently in the process of researching how we improve the mail management aspects in Plesk. Which includes various topics and features related to email within Plesk. As this is still in the research stage it's unclear what type of feature improvements this will entail in the end and when those will be released.

There is a UserVoice request for a secured mail. sub domain to be implemented, which you can vote for. Popular features more likely to be considered for implementation into Plesk. Add possibility issue Let's Encrypt SSL certificate for mail server when the "A" DNS record for domain is pointing to another server