• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue Let's encrypt for only webmail/subdomain

Pascal Gordebeke

New Pleskian
Hi,

We have the follow situation:
We have a customer with only mail hosting, so not for the website.
The DNS is on a other provider.

Is het possible to use Let's encrypt for webmail.domain.tld and mail.domain.tld (multiple domains)?

The DNS settings for webmail.domain.tld are correct by the other provider buth let's encrypt are failed with te error:

Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/WtaKJBAd9hcCZCnOSpgv8MVUAeUtBl5QiRvu8LBXNKw.
Details:
Type: urn:acme:error:unauthorized
Status: 403
Detail: Invalid response from domain.tld/.well-known/acme-challenge/WHDwMSxfTahjemUONjYiDSNhVrOoJdfA3dMF2YTdpaU: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

So:
We have only the mail function for this customer in our Plesk VPS.

I hope that somebody have a fix for this.
 
It's not just a question of SNI in Postfix or Qmail, it's also a question of webmail's Let's Encrypt protection.

A client can have DNS and web page hosting (for let's say example.com) on a 3rd party server and both mail hosting and webmail access on a Plesk server, as in OP's case.

The address webmail.example.com will work just fine, but the way Plesk generates Let's Encrypt requests makes it impossible to successfully create a Let's Encrypt certificate just for the webmail.example.com, if example.com is hosted elsewhere.

Strictly speaking, a proper solution would be to have both web page hosting and webmail on the same 3rd party server. Webmail shouldn't be seen as a part of the mail hosting... but try explaining that to customers, they generally expect the two to be provided together.

OP's additional problem is that the DNS for the example.com isn't under his control, or a short manual (or even scripted) intervention every three months would be all it takes to get the cert issued and renewed, with a minimal web page "under maintenance" appearance. An ugly hack, but could be acceptable in some cases.

As Plesk functions now, I'm not aware of a clean solution for this issue. Well, except for using a different domain name just for webmail, of course. As long as example2.com would be hosted on the same Plesk server, webmail.example2.com could have a Let's Encrypt certificate and be used for accessing example.com's mailboxes just fine...
 
Is it possible to secure only webmail without binding the main domain?
For example, abc.com uses paid certificate, webmail use Let's encrypt certificate with auto renewing.

Unfortunately, for now, no :(
We have such a feature in our plans, and definitely, someday it will be available.

You can assign a certificate to webmail manually.

Hi,
those quotes from April 2018 in this thread. We've been waiting for this for quite a while. Lets hope it gets done soon.
Cheers,
Tom
 
Back
Top