Forwarded to devs Mail certificate is no longer assigned after it gets renewed by Let's Encrypt

Hi Maarten,

OK, so do we have to enable this option in the SSL It! extension separately?

We have a server constellation where we have 3 domains in Plesk.
On example.com we do not have access. On this domain there are DNS entries for the Plesk server.
We have mail.example.com, which is the Plesk server. We have this 3 times, for 3 domains.
On this we still have the same issue as described above.

regards
 
@Maarten

Attached I have 2 screenshots where you can see several TLDs and subdomains. We do not have access to the TLDs; they are hosted on another server. But in the DNS of the TLDs there are DNS entries set for the Plesk server that is running on the subdomains. So each domain has its own Let's Encrypt certificate for mail.example.com and for webmail.

The problem is exactly the same as in the first post:
- Let's Encrypt automatically generates a new certificate
- After that the field for the e-mail certificate is empty
- We have to set the certificate manually


Bildschirmfoto 2026-04-14 um 14.18.27.png


After renewing the Let's Encrypt certificate, the "SSL/TLS-Zertifikat E-Mail" field becomes empty:

Bildschirmfoto 2026-04-14 um 14.19.00.png
 
I haven’t used the newer approach for securing mail.domain.com yet, I’m still using the workaround with an extra subdomain.

If I remember correctly, there was a post from @Kaspar about this, but I’m not sure where to find it right now.

@Sebahat.hadzhi, do you know if this is documented somewhere in the official Plesk docs? It would be great to have a clear reference instead of relying on forum posts.
 
I haven’t used the newer approach for securing mail.domain.com yet, I’m still using the workaround with an extra subdomain.
Does this still work without issues?

@bit, there should be no need to have separate subdomains to have the mail.<domain> host secured for mail use. This feature is available by default now in the SSL it! extension, as long as there are DNS records on the zone for the mail host pointing to the Plesk server.

Screenshot 2026-04-15 141546.png
 
@Maarten, the only documentation on this matter I am aware of is the following support article:
What @Kaspar is saying is true.

@bit I would still like to explore this further in order to determine if there could be a potential bug. I will need you to provide me with a couple of details, please, because at this point I am unable to replicate the behavior when manually reissuing the SSL certificate.
1. Does the issue occur only when the SSL is automatically reissued?
2. Do you have mail.example.com configured as subdomains or aliases?
3. Do I correctly assume that the hosting type of example.com is "Website"?
4. Is the SSL for mail.example.com issued through the main domain's SSL, i.e. "Secure mail on this domain", or has the SSL been issued separately through the subdomain itself?

Thanks in advance.
 
Hi together,

@Kaspar :
Separate subdomains are still needed because we don't have access to the main domain example.com. That server is not under our control. On the domain example.com we can only have DNS entries set, that's all.
Because we need email boxes in the format [email protected] we create a domain example.com in Plesk.
The subdomain mail.example.com is needed for the user to connect to the Plesk email server.
This scenario has worked fine so far for years. We don't have any problems except the problem with renewing the Let's Encrypt certificate.

@Sebahat.hadzhi :
Manually reissuing the SSL cert leads to the same issue. The field is empty after doing this and we have to set that cert by hand.
1.) No, fortunately we can see that if we manually reissue the Let's Encrypt cert
2.) Yes, mail.example.com is a subdomain of example.com in Plesk. We have 3 different domain pairs of that schema
3.) Yes, the hosting type of all domains is "Website"
4.) We create the SSL cert on mail.example.com only for the mail.example.com subdomain that clients connect to. On example.com we have an SSL cert created for webmail.example.com. For email we have chosen the mail.example.com SSL cert here.

So it has worked fine for years, except for renewing and setting the new cert automatically. So I guess it's a small bug in Plesk.
 
Apologies for not following up on this matter. Although I was unable to replicate the behavior with the specific setup it is very likely for the issue to be occurring due to the configuration itself (the actual presence of the subdomains). As long as you have valid DNS entries for mail.domain.com and webmail.domain.com at the remote zone pointed to the Plesk server, you do not actually need the subdomains configured in Plesk. With that said, could you please try removing the subdomains and changing the hosting type to "No web hosting"?
 
Hi @Sebahat.hadzhi

The clients are always connected to the subdomains that are pointed to Plesk. The connection is secured with a TLS certificate, in my case with Let's Encrypt.
So when I remove the subdomain there is no possibility to secure the connection, because the TLS certificate has to run on the Plesk server. My question is: how is the connection secured then? How does this work?

I cannot remove the subdomains because then a lot of clients cannot connect anymore.
 
@bit, you can remove any mail.* subdomains you have, as Plesk (since Plesk 18.0.71) supports the issuing of certificates to secure the mail connection via the mail prefix domain, without having to actually add the mail. subdomain manually to a primary domain. See the screenshot for issuing certificates for a domain in my earlier post back in April.

If you're unsure how that works in practice, just add another domain to Plesk (make sure the mail service is enabled for the domain) and look at the certificates options when issuing a certificate for the domain. There you should have the options to include (check) the mail. domain prefix and assign it to the mail domain.
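
A check for the symptom discussed in this thread, added here as an example (not from any post and not Plesk code): it fetches the certificate actually served on the mail ports and reports when it does not cover the mail host name or is close to expiry. It assumes implicit-TLS IMAPS (993) and SMTPS (465) are reachable; the function names and `SAMPLE_CERT` are constructed for illustration.

```python
import socket
import ssl
import sys
import time

# Constructed sample in the dict shape returned by SSLSocket.getpeercert().
SAMPLE_CERT = {"subjectAltName": (("DNS", "webmail.example.com"),),
               "notAfter": "Jul 13 12:00:00 2026 GMT"}

def name_matches(host, pattern):
    """Match a DNS SAN entry; '*' is honoured only as the whole left-most label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return host == pattern

def assess(cert, host, now=None, min_days=14):
    """Return the problems found in a getpeercert() dict; empty list means OK."""
    now = time.time() if now is None else now
    problems = []
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(host, s) for s in sans):
        problems.append(f"name mismatch: {host} not in {sans}")
    days = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days < min_days:
        problems.append(f"{days:.0f} days of validity left (minimum {min_days})")
    return problems

def fetch_cert(host, port, timeout=10):
    """Fetch the certificate served on an implicit-TLS port, sending SNI."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; names are checked in assess()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def check_mail_host(host, ports=(993, 465)):
    """Map each port to its problem list; TLS and connection errors are reported too."""
    report = {}
    for port in ports:
        try:
            report[port] = assess(fetch_cert(host, port), host)
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            report[port] = [f"TLS/connect failure: {exc}"]
    return report

if __name__ == "__main__":
    print(check_mail_host(sys.argv[1]) if sys.argv[1:] else assess(SAMPLE_CERT, "mail.example.com"))
```

Run it with the mail host name as the only argument after each renewal; a certificate that fails chain verification shows up as a TLS failure for that port.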
 