
Issue let's encrypt does not update mail certificate

tkalfaoglu

Silver Pleskian
The Let's Encrypt certificates for web get auto-updated every 3 months, but it does not appear to update the dovecot certificate at the same time.
I had to manually select the certificate and click on the "secure mail" option for it to update the certificate. Otherwise it would keep using the old certificate. Tested with sslshopper.com
 
PS: I read the Resolved - Updating Let's encrypt certs for mailserver
and on my system there are two certs:
-rw------- 1 root root 8.2K Nov 1 12:46 dovecot.pem
-r-------- 1 root root 2.9K Jul 4 08:06 ssl-cert-and-key.pem

the ssl-cert-and... being the older cert.

The cert file in:

Code:
# more conf.d/14-plesk-sni-kalfaoglu.net.conf
#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.
local_name kalfaoglu.net {
ssl_cert = </usr/local/psa/var/certificates/scfqwr8AC
ssl_key = </usr/local/psa/var/certificates/scfqwr8AC
}

Code:
# ls -l /usr/local/psa/var/certificates/scfqwr8AC
-r-------- 1 root root 8351 Oct  7 11:46 /usr/local/psa/var/certificates/scfqwr8AC

is the new one..
My guess is that the plugin updates the file, but does not reload dovecot?
-t
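
One way to check the guess in the post above (file renewed on disk, dovecot not reloaded), as an added example that is not part of the original thread and not Plesk's own tooling: compare the SHA-256 fingerprint of the certificate in the ssl_cert file with the one the running server presents for the same SNI name. Port 993 (IMAPS), the function names and the constructed sample bundle are assumptions.

```python
import base64
import hashlib
import re
import socket
import ssl
import sys

# Plesk points ssl_cert and ssl_key at one combined file; dovecot treats the
# first CERTIFICATE block in ssl_cert as the server certificate.
CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def _pem(label, payload):
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed sample bundle (placeholder bytes, not a real key or certificate).
SAMPLE = _pem("PRIVATE KEY", b"key") + _pem("CERTIFICATE", b"leaf") + _pem("CERTIFICATE", b"chain")

def disk_fingerprint(pem_text):
    """SHA-256 hex digest of the first certificate in a combined PEM text."""
    match = CERT_RE.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(match.group(0))).hexdigest()

def served_fingerprint(host, sni, port=993, timeout=10):
    """SHA-256 hex digest of the certificate the server presents for this SNI name."""
    ctx = ssl.create_default_context()
    # Verification is off on purpose: an expired certificate must still be readable.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()

def needs_reload(disk_fp, live_fp):
    """True when the daemon serves a certificate other than the one on disk."""
    return disk_fp.lower() != live_fp.lower()

if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: script.py CERT_FILE MAIL_HOST SNI_NAME (run as root)
        with open(sys.argv[1]) as fh:
            disk = disk_fingerprint(fh.read())
        live = served_fingerprint(sys.argv[2], sys.argv[3])
    else:  # offline demo: pretend the daemon still serves an older certificate
        disk, live = disk_fingerprint(SAMPLE), hashlib.sha256(b"old leaf").hexdigest()
    print(f"disk {disk}\nlive {live}")
    sys.exit(1 if needs_reload(disk, live) else 0)
```

An exit status of 1 means the two fingerprints differ, which fits a daemon that has not picked up the renewed file.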
 
FWIW & AFAIK

The /etc/dovecot/private/ssl-cert-and-key.pem file is superfluous now (to the way Plesk is configured by default) and it is no longer referenced / updated.

Only the /etc/dovecot/private/dovecot.pem file is referenced (for Plesk) hence it is updated / should be updated, by default.

You can verify that here: /etc/dovecot/conf.d/11-plesk-security-ssl.conf

You've not said, but the file you've taken the extract from is - presumably - the host domain that you have chosen to use for Plesk?
i.e. /etc/dovecot/conf.d/14-plesk-sni-mail.your-domain-name here.conf which also is updated / should be updated, by default too.
We use sub-domains for Plesk, but you might not do so / your setup may be different.

The crucial part.. is... the (auto or manual) configuration of ALL of the certificates, within Plesk (for both Plesk itself and all of the domains...) for mail service.

That configuration ^^ is where you might now need to examine closely?
 
Many thanks - yes the file I mentioned is for the domain of our hosting company. It has a wildcard certificate. Only a few domains are set for auto-renewal. This is one of them.
 
....yes the file I mentioned is for the domain of our hosting company. It has a wildcard certificate. Only a few domains are set for auto-renewal. This is one of them.
Is all of your DNS with Plesk?

If it is, then that ^^ should be fine and you should be able to carry out auto-renewal of your *Wildcard certificate(s) without any problems, when only using Plesk / Plesk Extensions

I ask about DNS, because, IF all of your DNS is external DNS (like all of ours) then pretty sure that you can NOT achieve auto-renewal for *Wildcard Let's Encrypt Certificates, when only using Plesk / Plesk Extensions to do this. Meaning:

External DNS & auto-renewal of normal domain Let's Encrypt Certificates, when only using Plesk / Plesk Extensions to do this? Yes. No problem.

External DNS & auto-renewal of *wildcard / multi-domain / multi-domain c/w *wildcard(s) Let's Encrypt Certificates, when only using Plesk / Plesk Extensions to do this? No. Not Currently.
 