
Issue MTA "Target principal name incorrect" with Let's Encrypt

NetBob

New Pleskian
Hi,

I read many threads now and found no solution to my recent problem, so hopefully someone can help me.

The server config is:
- multiple domains (~30) on a dedicated server with 1 IP
- Let's Encrypt extension is installed
- Plesk version: Onyx 17.8.11 #20
- Let's Encrypt version 2.6.1.398
- all domains (www and webmail) are secured with Let's Encrypt
- Plesk and E-Mail is secured with certificate from Serverpool with Let's Encrypt
- Standard-Site under IP-address is set to "None"
- the SSL report under www.ssllabs.com throws an Overall Rating of "A", all green, for the main domain and the other domains

The problem now is, when fetching mails with Outlook over SSL (port 995/25 TLS) each client gets the error "Target principal name incorrect" - for the main domain of the server and all other domains.
e.g. for
mail.maindomain.de
mail.domain1.de
mail.domain2.de
etc.

The error appears since the server certificate has expired. It has been renewed for the next 3 months; when inspecting the certificate in the MTA it says valid until 17th Dec 2018.

Any ideas what to do next?

Thanks for any advice
Please let me know when more info is required
 
Thx for your reply

The KB article is, again, checked and verified (including all comments and further links).
1) the cert is issued on the server's hostname and set for securing Plesk and Email (as already mentioned)
2) just to be sure the terminology is not confused: server's hostname is the same as "maindomain.de"
3) when collecting mails via MTA with "mail.maindomain.de" it throws the error
4) with "maindomain.de" it works (!), although it is not what is intended
5) with "domain1.de" and "mail.domain1.de" for smtp/pop again the error is "target principal name is incorrect"
6) not mentioned yet, but of course the Resource records in the DNS template contain "mail.<domain>."

And just to make it clear: I'd rather give up securing mails with TLS than setting all customers' smtp/pop settings to "mail.maindomain.de" or "maindomain.de"; it would be quite unprofessional and confusing for them.

Well, as Let's Encrypt supports specifying multiple domains under one IP (up to ~100 domains), fortunately it is not necessary to change the MTA's settings; it is just an issue of configuring Plesk to work together with Let's Encrypt.

The php-script under ripkens/Plesk-Mail-LetsEncrypt, which uses the Plesk-API, worked before and certified all domains registered in Plesk, including "mail.<domain>.". Today it throws the following:

//
Fetching Domain DNS Records.
(1 / x) | domain1.de K
(2 / x) | domain2.de K
....

Creating Certificate for x domains and assign it to Plesk Panel
[2018-09-18 16:58:46.932] ERR [extension/letsencrypt] Execution of /usr/local/psa/admin/plib/modules/letsencrypt/scripts/cli.php failed with exit code 1 and the output:
[2018-09-18 16:58:46.330] ERR [extension/letsencrypt] Domain validation failed for mail.domain1.de: Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/<unique identifier 1>.
Details:
Type: urn:acme:error:unauthorized
Status: 403
Detail: Invalid response from http://mail.domain1.de/.well-known/acme-challenge/<unique identifier 2>: "<HTML>
<HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD>
<BODY>
<H1>Not Found</H1>
The requested document was not found on this server"
[2018-09-18 16:58:46.627] ERR [extension/letsencrypt] Domain validation failed: Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/<unique identifier 1>.
Details:
Type: urn:acme:error:unauthorized
Status: 403
Detail: Invalid response from http://mail.domain1.de/.well-known/acme-challenge/<unique identifier 2>: "<HTML>
<HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD>
...
3 times for the different cert parts
...
Rename Certificate
Unable to update certificate Lets Encrypt certificate: Certificate does not exist.

exit status 1
Assign Certificate to MailServer
DONE
//

What happens is, it tries to create a file under "domain1.de/.well-known/acme-challenge/" which fails, so the verification of Let's Encrypt fails...

I've tested it with http and https, so this is not the cause. The php-script permissions are "-rw-r--r-- 1 root root", under root it should be able to create these folders and files, shouldn't it?

Are there any other ways of including all domain names with "mail.domainX.de"? Manually by configuring / copying pem files, or via a tool or script?

Any help is appreciated and would most probably help many others :)
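As an added illustration (not code from the post, from Plesk or from the ripkens script), the following checks whether a certificate's SAN list covers the hostnames mail clients actually connect to, which is exactly the hostname verification that Outlook reports as "Target principal name incorrect" when it fails. The SAN list and hostnames below are constructed from the thread; `probe_mail_host` is an assumed helper name for a live verified handshake on port 995 and needs network access.

```python
import socket
import ssl

# Port Outlook uses for POP3 over TLS, as mentioned in the post.
POP3S_PORT = 995


def san_covers(hostname: str, sans: list[str]) -> bool:
    """Return True if one of the certificate's DNS SANs matches hostname.

    Applies the RFC 6125 rules a mail client uses: an exact (case-insensitive)
    match, or a wildcard that is the entire leftmost label and matches exactly
    one label. Anything else is a hostname mismatch.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for san in sans:
        san_labels = san.lower().rstrip(".").split(".")
        if len(san_labels) != len(host_labels):
            continue                      # wildcard never spans several labels
        if san_labels[1:] != host_labels[1:]:
            continue
        if san_labels[0] == host_labels[0] or san_labels[0] == "*":
            return True
    return False


def uncovered_mail_hosts(mail_hosts: list[str], sans: list[str]) -> list[str]:
    """Return the client-facing hostnames that the SAN list does not cover."""
    return [h for h in mail_hosts if not san_covers(h, sans)]


def probe_mail_host(host: str, port: int = POP3S_PORT, timeout: float = 5.0) -> str:
    """Live check (assumed helper): do a verified TLS handshake like a client.

    Returns "ok" when the served certificate is trusted and covers host,
    otherwise the verification error text (for example a hostname mismatch).
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls.getpeercert()
        return "ok"
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message or str(exc)


if __name__ == "__main__":
    # Constructed example: cert issued on the server hostname only, while
    # clients are configured with mail.<domain> as in the thread.
    cert_sans = ["maindomain.de", "www.maindomain.de"]
    clients = ["maindomain.de", "mail.maindomain.de", "mail.domain1.de"]
    for h in uncovered_mail_hosts(clients, cert_sans):
        print(f"{h}: would fail hostname verification")
```

The fix on the server side is a certificate whose SANs include every mail.<domain> clients use (or a matching wildcard per domain), never turning off verification in the clients.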