
Forwarded to devs Mail-only sites can't create LetsEncrypt certificate

mr-wolf

TITLE:
Mail-only sites can't create LetsEncrypt certificate
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:
17.5.3 Update #6, Ubuntu 16.04.2 LTS, Intel(R) Xeon(R) CPU E3-1230 v3 @ 3.30GHz
PROBLEM DESCRIPTION:
A domain that is running its website on another server can not install a certificate for its webmail.

Not only can I not give secure webmail to that customer, I also can't change the server-wide setting of roundcube to https-only (http to https redirect).
STEPS TO REPRODUCE:
Unable to do the steps as it's not available when no website is configured.
ACTUAL RESULT:
Nothing to be done.
EXPECTED RESULT:
I should be able to select a LetsEncrypt certificate when only mail is used.
ANY ADDITIONAL INFORMATION:
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:
Confirm bug
 
"No web hosting"

I didn't try hosting a dummy site.
This would solve the problem with Plesk, but then it would fail LetsEncrypt as no DNS records of the bare record nor the www.<domain> would point to that server.

I could solve that by temporarily changing the DNS records, but then I would have to do this manually every 3 months.
I would want to change it back to "no web hosting" after the creation of the certificates.


Not only can I not give secure webmail to that customer, I also can't change the server-wide setting of roundcube to https-only (http to https redirect).
 
We plan to secure mail service in the scope of feature EXTLETSENC-159. So, it could be available in future versions of the Let's Encrypt extension.
 
Your answer makes me think that you may have misread the problem I'm having.
Is this so?

I have no interest in securing smtp/imap or pop with a LetsEncrypt certificate.
I am happy with a single wildcard certificate on these services because many mail clients do NOT support SNI.

I believe you are working on multi-certificate mail services (smtp / pop / imap) for future releases.
Please make that an optional feature.
Leave us the decision to keep these mail services single-certificate.
I foresee a lot of problems if I would be forced to use that.
My own solution with the single certificate is more robust and independent of the LetsEncrypt service (for which I'm thankful). As that service is free they can't be held accountable in any way to have it working 24/7.

My problem is that I can't let Plesk manage a LetsEncrypt webmail certificate for a domain for which it is not hosting the website.
The LetsEncrypt extension only works if it is also hosting the website.
I have several clients that have their website somewhere else. This is a very normal thing to do.

Not only can I not give those clients that LetsEncrypt webmail certificate,
I also can't create a server-wide http => https redirect, which I would really like to do.
 
@mr-wolf, thank you for the report.

Your case is clear, and yes, I confirm it is not supported for now. The issue with webmail securing in case of domain without webhosting (EXTLETSENC-162) will be fixed someday (most probably after LE 2.2).
 