• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:
    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue let's encrypt does not update mail certificate

tkalfaoglu

tkalfaoglu

Silver Pleskian
The let's encrypt certificates for web get auto-updated every 3 months, but it does not appear to update dovecot certificate at the same time.
I had to manually select the certificate and click on "secure mail" option for it to update the certificate. Otherwise it would keep using the old certificate.. tested with sslshopper.com
 
PS: I read the Resolved - Updating Let's encrypt certs for mailserver
and on my system there are two certs:
-rw------- 1 root root 8.2K Nov 1 12:46 dovecot.pem
-r-------- 1 root root 2.9K Jul 4 08:06 ssl-cert-and-key.pem

the ssl-cert-and... being the older cert.

The cert file in:

Code: 
# more conf.d/14-plesk-sni-kalfaoglu.net.conf
#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.
local_name kalfaoglu.net {
ssl_cert = </usr/local/psa/var/certificates/scfqwr8AC
ssl_key = </usr/local/psa/var/certificates/scfqwr8AC
}

Code: 
# ls -l /usr/local/psa/var/certificates/scfqwr8AC
-r-------- 1 root root 8351 Oct  7 11:46 /usr/local/psa/var/certificates/scfqwr8AC

is the new one..
My guess is that the plugin updates the file, but does not reload dovecot?
-t
 
FWIW & AFAIK

The /etc/dovecot/private/ssl-cert-and-key.pem file is superfluous now (to the way Plesk is configured by default) and it is no longer referenced / updated.

Only the /etc/dovecot/private/dovecot.pem file is referenced (for Plesk) hence it is updated / shoud be updated, by default.

You can verify that here: /etc/dovecot/conf.d/11-plesk-security-ssl.conf

You've not said, but the file you've taken the extract from is - presumably - the host domain that you have chosen to use for Plesk?
i.e. /etc/dovecot/conf.d/14-plesk-sni-mail.your-domain-name here.conf which also is updated / shoud be updated, by default too.
We use sub-domains for Plesk, but you might not do so / your setup may be different.

The crucial part.. is... the (auto or manual) configuration of ALL of the certificates, within Plesk (for both Plesk itself and all of the domains...) for mail service.

That configuration ^^ is where you might now need to examine closely?
 
learning_curve said:
FWIW & AFAIK

The /etc/dovecot/private/ssl-cert-and-key.pem file is superfluous now (to the way Plesk is configured by default) and it is no longer referenced / updated.

Only the /etc/dovecot/private/dovecot.pem file is referenced (for Plesk) hence it is updated / shoud be updated, by default.

You can verify that here: /etc/dovecot/conf.d/11-plesk-security-ssl.conf

You've not said, but the file you've taken the extract from is - presumably - the host domain that you have chosen to use for Plesk?
i.e. /etc/dovecot/conf.d/14-plesk-sni-mail.your-domain-name here.conf which also is updated / shoud be updated, by default too.
We use sub-domains for Plesk, but you might not do so / your setup may be different.

The crucial part.. is... the (auto or manual) configuration of ALL of the certificates, within Plesk (for both Plesk itself and all of the domains...) for mail service.

That configuration ^^ is where you might now need to examine closely?
Click to expand...
Many thanks - yes the file I mentioned is for the domain of our hosting company. It has a wildcard certificate. Only a few domains are set for auto-renewal. This is one of them.
 
tkalfaoglu said:
....yes the file I mentioned is for the domain of our hosting company. It has a wildcard certificate. Only a few domains are set for auto-renewal. This is one of them.
Click to expand...
Is all of your DNS with Plesk?

If it is, then that ^^ should be fine and you should be able to carry out auto-renewal of your *Wildcard certificate(s) without any problems, when only using Plesk / Plesk Extensions

I ask about DNS, because, IF all of your DNS is external DNS (like all of ours) then pretty sure that you can NOT achieve auto-renewal for *Wildcard Let's Encrypt Certificates, when only using Plesk / Plesk Extensions to do this. Meaning:

External DNS & auto-renewal of normal domain Let's Encrypt Certificates, when only using Plesk / Plesk Extensions to do this? Yes. No problem.

External DNS & auto-renewal of *wildcard / multi-domain / multi-domain c/w *wildcard(s) Let's Encrypt Certificates, when only using Plesk / Plesk Extensions to do this? No. Not Currently.
 
You must log in or register to reply here.

Similar threads

jradzuweit
Resolved How to update Let'S Encrypt certificate with SSL It!
Replies
4
Views
374
jradzuweit
jradzuweit
micneon
Issue Problems to del certificate with cli
Replies
0
Views
167
micneon
micneon
R
Issue SSL/TLS cert for mail server not updating (Lets Encrypt)
Replies
2
Views
986
tessa67
T
M
Question Domain forwarding, no Lets Encrypt?
Replies
15
Views
977
maniacos
M
K
Question Renewing Let's Encrypt with external DNS servers
Replies
5
Views
1K
klowet
K
Back
Top