
Issue Let's Encrypt Extension (Using features added with version 2.5.0 December 7, 2017)

Walter

Basic Pleskian
I was very pleased a while back with the ability to secure webmail and now understand that this new version allows for so much more, including mail, CNAME, subdomains etc. However, I don't know how to use this new feature to add the additional CNAME/A/subdomains such as ftp, mail, ns records. How do I append the additional alternative domains so Let's Encrypt will add them to the certificate?

The Let's Encrypt extension can now automatically keep all of a subscription's websites secured. It finds the subscription's add-on domains, subdomains, aliases, www, or webmail domains without a certificate, or with a self-signed or expired certificate, and secures them with a free Let's Encrypt certificate. To enable this feature, open the hosting plan or subscription settings, "Additional Services" tab, and select "Keep websites secured with free SSL Certificate" in the list next to "Let's Encrypt". The check runs each hour by default, which can be configured in Tools & Settings > Scheduled Tasks > "Extension letsencrypt" task.

I added Let's Encrypt to my subscription settings and you can see 9 domains added.

additionalservices.png

I went to scheduled tasks and clicked run now and it completed successfully. It is already set to run hourly though.

scheduledtask.png
Notice I have additional CNAME and A records in DNS, including "mail", not shown here.

DNS.png

The alternative names only show webmail and www.

SecurityAdviseradditionaldomains.png

How do I append the additional alternative domains so Let's Encrypt will add them to the certificate?
 

Hi Walter...
You're assuming that LetsEncrypt is looking at your DNS records, but it's not....
It's looking at the webserver's aliases and subdomains.
The webmail is a preconfigured alias.

The communication with LetsEncrypt is done using the webserver.
LetsEncrypt makes contact with your webserver if a request is made. The webserver needs to be configured for that subdomain.
 
Hello mr-wolf,
You wrote "The webserver needs to be configured for that subdomain". Could you help explain how we can automatically redirect http://webmail.domain.tld to https://webmail.domain.tld?
That would be really great. It is easy with www directly in Plesk; it would be really interesting if it could be done for subdomains too.
Thanks
Kris
 
Hi Walter...
You're assuming that LetsEncrypt is looking at your DNS records, but it's not....
It's looking at the webserver's aliases and subdomains.
The webmail is a preconfigured alias.

The communication with LetsEncrypt is done using the webserver.
LetsEncrypt makes contact with your webserver if a request is made. The webserver needs to be configured for that subdomain.

Hi mr-wolf,

and how can I tell the webserver to use the CNAME and A records for a specific domain, so LetsEncrypt can secure those subdomains too?

Thank you
 
So, should I create a subdomain (or alias) for every entry in my DNS? For every domain? Is this the only method to secure a * wildcard using LetsEncrypt?
Yes....

But what do you need these LetsEncrypt certificates for?
Normal usage is that you need them for an alias or subdomain that's hosted on that server.

If you need a certificate for a site that's hosted elsewhere, then you will run into other problems, as the domain needs to be pointed to an actual website on the server.

I have for instance a few clients that are only running mail on our servers. Their websites are hosted elsewhere. I don't even have the possibility to generate a webmail.client.com.

That is in fact an oversight of Plesk, but illustrative...

So tell me your practical usage!
Why do you need these certificates if you're not configuring subdomains on the Plesk server?


BTW...
I have written a how-to on this forum if you want a letsencrypt certificate for a site for which the server is only proxying a foreign website instead of hosting it....
 
So tell me your practical usage!
Why do you need these certificates if you're not configuring subdomains on the Plesk server?

BTW...
I have written a how-to on this forum if you want a letsencrypt certificate for a site for which the server is only proxying a foreign website instead of hosting it....

Hi,

the first practical usage is the mail subdomain that is used to connect to the mail server. I would like to use an SSL certificate for this specific DNS entry for every client domain, because I've seen that when LetsEncrypt has renewed the Plesk mail server certificate, iOS users have had a lot of problems with the new certificate (it doesn't respond to their domain, and other various things)... So, primarily I must create a subdomain (not an alias) for the mail entry. Is this right?

Can you link the post that you have written?
 
Another misunderstanding there....

Multiple certificates only work for HTTP in Plesk 17.5.3.
You can of course get that certificate for mail.domain.com, but it would only be used for the webserver, not the mail server.

You need to know more about the concept of certificates.
That we can nowadays host more than 1 domain on 1 IP address with https is already an achievement.

For mail this is all relatively new and is only supported by modern mail clients.
Plesk 17.5.x does not support this yet (multiple certificates on 1 IP).

I use a wildcard domain, so each client can still have its personalized address....
It will need to match the wildcard certificate, so it will not be on his TLD.
 
Hello mr-wolf,
You wrote "The webserver needs to be configured for that subdomain". Could you help explain how we can automatically redirect http://webmail.domain.tld to https://webmail.domain.tld?
There is a howto written here: How to redirect webmail HTTP to HTTPS?

You need to take care though...
This is server wide....
So you need to make sure that each and every domain has a webmail certificate.

This is webmail-specific.

As I have a few mail-only clients I can't create a LetsEncrypt certificate with Plesk as the interface does not allow it.
But you probably don't have this problem.


That would be really great. It is easy with www directly in Plesk; it would be really interesting if it could be done for subdomains too.
Thanks
Kris
There's no need to do this separately for subdomains.
If that checkbox is ticked it will do that for subdomains too.

I checked this in the Nginx config for the subdomain staging.xx.com


Code:
server {
        listen 82.24.241.242:80;

        server_name staging.xx.com;
        server_name www.staging.xx.com;
        server_name ipv4.staging.xx.com;

        client_max_body_size 128m;

        return 301 https://$host$request_uri;
}
 
Another misunderstanding there....

Multiple certificates only work for HTTP in Plesk 17.5.3.
You can of course get that certificate for mail.domain.com, but it would only be used for the webserver, not the mail server.

You need to know more about the concept of certificates.
That we can nowadays host more than 1 domain on 1 IP address with https is already an achievement.

For mail this is all relatively new and is only supported by modern mail clients.
Plesk 17.5.x does not support this yet (multiple certificates on 1 IP).

I use a wildcard domain, so each client can still have its personalized address....
It will need to match the wildcard certificate, so it will not be on his TLD.

Hi,
thank you, but now I have a little problem... After the new version of this extension I have had a problem with the mail certificate. After the renewal of this certificate I had to accept the new certificate in my PC email client, as if it was a new one, and on mobile I had some trouble and had to configure a NO SSL connection.
Why?
 
In short....
You will keep on running into problems if you don't have a matching certificate...

Some clients, like Apple, can make an exception if you have a mismatch of the hostname and the certificate.
But whenever you renew your certificate, even if it is for the same hostname, that exception will at some point (funny enough not immediate) become invalid.

So, don't rely on those exceptions on your client. They are not only ugly, but also unreliable.
You're better off with a self-signed certificate that's valid for 10 years than a non-matching letsencrypt certificate that's only valid for 3 months.

As multiple certificates are not yet possible, this leaves you with the solution I have:
1 wildcard certificate that you can match with your client....

Certificate:
*.wolf.com

Clients
overwolf-com.wolf.com CNAME mail.overwolf.com
graphicom-com.wolf.com CNAME mail.graphicom.com
 
Hi mr-wolf,

thank you very much for your explanation. I have another doubt: I have set (in the client's DNS) a CNAME from mail.client.com to cert.myserver.com, but the iPhone client continues to give me this error: The identity "mail.client.com" cannot be verified by Mail. Review the certificate details to continue.
If I look at the details I can see that cert.myserver.com is declared as not trusted even if it's encrypted by LetsEncrypt. So, I think that I'm doing something wrong with your suggestion. Is that so?
 
Giving examples using fictional names like myserver.com will not clarify anything, especially if you don't know exactly what you're doing.

Well let's say you have 3 clients with the following domain names.

graphicom.com.
acme.com
better-bananas.gr

Let's say you have 2 Plesk servers with the following IP's:

200.10.10.1
200.10.10.2

The 3 companies will have a subdomain like this:

mail.graphicom.com. 200.10.10.1
mail.acme.com 200.10.10.1
mail.better-bananas.gr 200.10.10.2


Now you need to have a wildcard certificate *.overwolf.com, install it on your 2 (all) Plesk servers, and use it also for mail.

Now you need to create 3 CNAMEs in your overwolf.com account.
(these CNAMEs are created automatically on my Plesk system)

graphicom-com.overwolf.com => mail.graphicom.com
acme-com.overwolf.com => mail.acme.com
better-bananas-gr.overwolf.com => mail.better-bananas.gr

Then tell your clients to start using the following hostname in their mail clients:

graphicom-com.overwolf.com
acme-com.overwolf.com
better-bananas-gr.overwolf.com

All these hostnames will match the certificate *.overwolf.com.
When you move acme.com to the other Plesk server @ 200.10.10.2 the client's configuration does NOT need to change.

I also have an autodiscovery system that will configure Outlook clients and Thunderbird clients to automatically use these settings without any individual configuration.
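The point of the wildcard scheme above (and of the "identity cannot be verified" error a few posts earlier) is that a mail or FTP client accepts a certificate only when the hostname it was told to connect to matches one of the certificate's names. The following is an added example, not Plesk code and not mr-wolf's own tooling: it builds the client-facing CNAME hostnames the way the post does (graphicom.com becomes graphicom-com.overwolf.com), implements the wildcard matching rules clients apply (a `*` may only be the whole leftmost label, it covers exactly one label, and it never covers the bare base domain), and reports which hostnames a given certificate would be accepted for. The domain names are the thread's fictional ones and the certificate name lists are constructed inline; `peer_cert_names` is an optional live check that needs network access and a certificate chain that validates.

```python
"""Hostname-vs-certificate matching for the wildcard CNAME scheme.

Added example (not Plesk code). Domains are the thread's fictional ones;
the certificate name lists below are constructed for the demonstration."""
import socket
import ssl


def cname_label(client_domain: str, wildcard_domain: str) -> str:
    """Build the client-facing hostname the way the thread does:
    graphicom.com -> graphicom-com.overwolf.com (dots become hyphens so
    the result is a single label directly under the wildcard domain)."""
    label = client_domain.lower().rstrip(".").replace(".", "-")
    return f"{label}.{wildcard_domain.lower().rstrip('.')}"


def hostname_matches(hostname: str, cert_names: list[str]) -> bool:
    """True if hostname is covered by one of the certificate's DNS names.

    Uses the RFC 6125 wildcard rules that mail/FTP clients apply:
    '*' must be the entire leftmost label, matches exactly one label,
    and never matches the base domain itself."""
    host = hostname.lower().rstrip(".")
    host_labels = host.split(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if "*" not in name:
            if name == host:
                return True
            continue
        pat_labels = name.split(".")
        # Partial wildcards (f*o.example) and wildcards in later labels are invalid
        if pat_labels[0] != "*" or any("*" in lab for lab in pat_labels[1:]):
            continue
        # *.tld would be far too broad; require at least two fixed labels
        if len(pat_labels) < 3:
            continue
        # One label only: *.overwolf.com does not cover a.b.overwolf.com
        if len(host_labels) != len(pat_labels):
            continue
        if host_labels[0] and host_labels[1:] == pat_labels[1:]:
            return True
    return False


def check_clients(client_domains, wildcard_domain, cert_names):
    """For each client, report whether mail.<domain> and its CNAME alias
    under the wildcard domain would be accepted against cert_names."""
    result = {}
    for domain in client_domains:
        direct = f"mail.{domain}"
        alias = cname_label(domain, wildcard_domain)
        result[direct] = hostname_matches(direct, cert_names)
        result[alias] = hostname_matches(alias, cert_names)
    return result


def peer_cert_names(host: str, port: int, timeout: float = 5.0) -> list[str]:
    """Live check (network required, not run offline): connect to an
    implicit-TLS port such as 993/995 and return the DNS names in the
    certificate actually served, so you can see which name a port presents.
    The chain must still validate; only the hostname check is relaxed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we want the names even on a mismatch
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [val for kind, val in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    clients = ["graphicom.com", "acme.com", "better-bananas.gr"]
    wildcard_cert = ["*.overwolf.com"]  # constructed: the wildcard from the thread
    for name, ok in check_clients(clients, "overwolf.com", wildcard_cert).items():
        print(f"{name:35} {'matches' if ok else 'MISMATCH'}")
```

Run as-is, the table shows every `mail.<client>` hostname as a mismatch and every `<client>-com.overwolf.com` alias as a match, which is exactly why the clients have to be told to use the alias rather than the name the CNAME points at: a CNAME changes where the connection goes, not the name the client verifies.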
 
Hi mr-wolf,
I think my problem is different. Before the extension update, I created a subdomain with the same name as the server, but I didn't associate any SSL certificate. I knew that the certificate for Plesk and for the mail server was different from the web one (my subdomain), so I didn't worry about that. But after the update, and after the renewal of the certificate for my server, the problem occurred.
I think that something has happened with the certificate of Plesk (and the mail server) and my subdomain that has the same name as the server. Now I have a certificate problem also on FTP access, where before the upgrade of the extension and the renewal I didn't have any problems.

So, now, what can I do? I have already deleted the subdomain, but it seems that nothing has changed.
 
I can understand that people don't want to publish the real domains on a forum, especially if you have to admit you have a problem with it.

But this kind of stuff is too hard to troubleshoot with fake data. If you need help you should give examples the way I did, using an overwolf.com domain (which I just assume you don't actually have). On top of that you could PM me the REAL domains.

Then it's not the whole world that knows the domain, but just me.

I can then maybe answer you using the fake domain names...
 
Hi mr-wolf,

thank you for your support/cooperation and thank you for understanding my privacy.
I'll try to be as exhaustive as I can.
This is my situation of domains (all on the same server with 1 IP):

overwolf.com
teenwolf.com
jackwolf.com

My server has this name:

plesk.overwolf.com
Let's Encrypt is active on these domains:

overwolf.com (www, webmail)
teenwolf.com (www, webmail)
Then, I've activated LetsEncrypt for Plesk and the mail server, so there are two new certificates for:

plesk.overwolf.com:8443
plesk.overwolf.com:993/995


After this, I created a domain with the same name as my server:

plesk.overwolf.com
but I haven't associated any certificate (also because the LetsEncrypt extension 2.4 does not permit adding subdomains other than www and webmail to the certificate).


In this situation I could access FTP or mail (both with SSL) for every domain without any issue:

overwolf.com:20 (which has its own certificate from LetsEncrypt)

teenwolf.com:20 (which has its own certificate from LetsEncrypt)

mail.teenwolf.com:995 (which has its own certificate from LetsEncrypt)

mail.jackwolf.com:993 (which doesn't have any certificate active)

I could use all these services without any "prompt" about an insecure certificate or other message from iPhone, FileZilla or any other software.



After 7 December, my extension was updated, and around 10 December the certificate of my server plesk.overwolf.com was renewed (even though it wasn't expired), and since this renewal my problems began.

Now, these are my problems:

  • Prompt for untrusted certificate for mail:
    mail.teenwolf.com:995
    mail.jackwolf.com:993
  • Prompt for wrong certificate for FTP:
    teenwolf.com:20
For every service, I get a prompt telling me that the SSL connection for mail or FTP has an issue with the certificate, because it doesn't correspond to the owner. In fact the owner is plesk.overwolf.com, but why? Why didn't I have any issue before this upgrade? Why is the owner of FTP for teenwolf.com now my Plesk server?


I hope that this can help you to identify the problem.

Thanks


 
Hi mr-wolf,
ok, I'll write you as soon as possible. I have found a strange thing about domains: now if I try to view an https domain that doesn't have any certificate, I'm redirected to the Plesk default page, while before this extension upgrade I could see the website after accepting the insecure connection. That's strange.
 
Hi mr-wolf,

I've made some other tests, and I found that the problem is the new extension. In fact, I uninstalled LetsEncrypt and then reinstalled it, so in Plesk I have version 2.4. I regenerated the certificate for the server and then for my domain and "voila", FTP works again as before, and iPhone can connect to the server without any message.
Tonight I updated the extension, and today iPhone shows an error message that the certificate is untrusted.

So, what can I do? Remain on version 2.4?
 