
Issue Let's encrypt for only webmail/subdomain

Pascal Gordebeke

New Pleskian
Hi,

We have the following situation:
We have a customer with only mail hosting, so not for the website.
The DNS is at another provider.

Is it possible to use Let's Encrypt for webmail.domain.tld and mail.domain.tld (multiple domains)?

The DNS settings for webmail.domain.tld are correct at the other provider, but Let's Encrypt fails with the error:

Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/WtaKJBAd9hcCZCnOSpgv8MVUAeUtBl5QiRvu8LBXNKw.
Details:
Type: urn:acme:error:unauthorized
Status: 403
Detail: Invalid response from domain.tld/.well-known/acme-challenge/WHDwMSxfTahjemUONjYiDSNhVrOoJdfA3dMF2YTdpaU: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

So:
We have only the mail function for this customer in our Plesk VPS.

I hope that somebody has a fix for this.
 
It's not just a question of SNI in Postfix or Qmail, it's also a question of webmail's Let's Encrypt protection.

A client can have DNS and web page hosting (for let's say example.com) on a 3rd party server and both mail hosting and webmail access on a Plesk server, as in OP's case.

The address webmail.example.com will work just fine, but the way Plesk generates Let's Encrypt requests makes it impossible to successfully create a Let's Encrypt certificate just for the webmail.example.com, if example.com is hosted elsewhere.

Strictly speaking, a proper solution would be to have both web page hosting and webmail on the same 3rd party server. Webmail shouldn't be seen as a part of the mail hosting... but try explaining that to customers, they generally expect the two to be provided together.

OP's additional problem is that the DNS for the example.com isn't under his control, or a short manual (or even scripted) intervention every three months would be all it takes to get the cert issued and renewed, with a minimal web page "under maintenance" appearance. An ugly hack, but could be acceptable in some cases.

As Plesk functions now, I'm not aware of a clean solution for this issue. Well, except for using a different domain name just for webmail, of course. As long as example2.com would be hosted on the same Plesk server, webmail.example2.com could have a Let's Encrypt certificate and be used for accessing example.com's mailboxes just fine...
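As an added illustration (not code from this thread or from Plesk), the check below shows why the request in the opening post fails: the HTTP-01 challenge for every name in the certificate request, including the bare domain.tld, must be answered from the server that asks for the certificate. The first function pulls the failing hostname out of an ACME error like the one quoted above; the second is a pre-flight check that flags any requested name whose DNS does not point at this server. The DNS table, the IP addresses and the function names are constructed for the example.

```python
import re
import socket
from typing import Callable, Dict, List, Optional, Set

# Constructed sample: the ACME error quoted in the opening post, trimmed to the parsed fields.
SAMPLE_ACME_ERROR = (
    "Type: urn:acme:error:unauthorized\n"
    "Status: 403\n"
    "Detail: Invalid response from domain.tld/.well-known/acme-challenge/"
    "WHDwMSxfTahjemUONjYiDSNhVrOoJdfA3dMF2YTdpaU: \"<!DOCTYPE HTML ... 404 Not Found\""
)

# Constructed DNS view of the thread's situation: the mail host is on this Plesk server
# (203.0.113.10), the web host for the bare domain lives at a third party (198.51.100.7).
CONSTRUCTED_DNS: Dict[str, Set[str]] = {
    "webmail.domain.tld": {"203.0.113.10"},
    "mail.domain.tld": {"203.0.113.10"},
    "domain.tld": {"198.51.100.7"},
}
THIS_SERVER_IPS: Set[str] = {"203.0.113.10"}

CHALLENGE_RE = re.compile(
    r"Invalid response from (?:https?://)?([A-Za-z0-9.-]+)/\.well-known/acme-challenge/"
)


def failing_host(acme_error: str) -> Optional[str]:
    """Return the hostname whose HTTP-01 challenge the CA could not validate, if present."""
    match = CHALLENGE_RE.search(acme_error)
    return match.group(1) if match else None


def resolve_live(name: str) -> Set[str]:
    """Real resolver for production use; the example itself uses the constructed table."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}


def preflight(names: List[str], server_ips: Set[str],
              resolve: Callable[[str], Set[str]]) -> Dict[str, str]:
    """Report, per requested name, whether an HTTP-01 challenge can succeed from this server."""
    report: Dict[str, str] = {}
    for name in names:
        ips = resolve(name)
        if not ips:
            report[name] = "no address record"
        elif ips & server_ips:
            report[name] = "ok"
        else:
            report[name] = "points elsewhere (%s); HTTP-01 will fail" % ", ".join(sorted(ips))
    return report


if __name__ == "__main__":
    print("failing host:", failing_host(SAMPLE_ACME_ERROR))
    for host, verdict in preflight(
        ["webmail.domain.tld", "mail.domain.tld", "domain.tld"], THIS_SERVER_IPS,
        lambda n: CONSTRUCTED_DNS.get(n, set())
    ).items():
        print(host, "->", verdict)
```

Run against the constructed table, the bare domain is the only name reported as pointing elsewhere, which is exactly the name the quoted 403 names.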
 
Is it possible to secure only webmail without binding the main domain?
For example, abc.com uses paid certificate, webmail use Let's encrypt certificate with auto renewing.

Unfortunately, for now, no :(
We have such a feature in our plans, and definitely, someday it will be available.

You can assign a certificate to webmail manually.

Hi,
Those quotes are from April 2018 in this thread. We've been waiting for this for quite a while. Let's hope it gets done soon.
Cheers,
Tom
 