
Issue Plesk + Lets Encrypt + iPhone trusting cert

It is possible to combine many different domain names into the same Let's Encrypt certificate, but it is not possible to use it that way in Plesk for the hostname and a domain name without manual intervention on the file level.
 
thanks Peter,
so...
1) is this easy to manually do? add the 2 domains at the file level? can you show me? :)

2) also confirming this:
when using Plesk Panel --- the plesk email server is at host.domain.com => the standard config?
and all clients are at domain.com => again, standard config.

Then ALL email on Plesk panel is sent from host.domain.com and NOT from each client domain, right?

meaning, the email server is NOT on each client domain, correct?
 
ultimately in the OP, does everyone hosting email and using Lets Encrypt on Plesk have the same issue with iPhone Emails?
or am I just special :(
 
It is easy when you use a script like "certbot". Please see Certbot and the documentation there. However, I have never tested how this works with Plesk. I am sure you should never use the automatic web server configuration file changes ... But with "certbot certonly" command, it might work.

The SMTP server is sending from host.domain.com, not from the client domain.
 
There is no issue with iPhones. The only issue is that Apple users normally don't know how to operate their own devices and can only work with "assistants" on them. But the moment when they are required to enter configuration data like the correct host name themselves they frequently experience problems :D It is really an interesting thing to see. I can say that at least 9 out of 10 support requests that we are getting for e-mail setup are coming from Apple users. Not because their software would not work with Plesk or servers in general, but because they are not used to having to do real configuration work. As Plesk does not have an autoconfigure XML file in place, the phones won't pick up the correct configuration data automatically.
 
thanks for the info... however

the people at
Plesk Onyx + lets encrypt + iphone (lack of trust button)

are saying it's a Plesk issue on how it handles (doesn't handle) the SNI.

1) from above the "certbot", it is saying to use the plesk / lets encrypt extension, which I do have installed. But I don't see how it allows 2 domains on 1 cert?
2) from the letsencrypt form, mail server cert (ie. host.servername.com) and client domain cert (domain.com) are not working together.
as in client host settings are domain.com BUT the mail is served from host.servername.com. Then the trust is NOT there because using client domain but email coming from another domain.
3) now in theory, if my clients used host.servername.com as in the incoming/outgoing settings on the email client... that should work, BUT then I lose features/benefits on email reporting.
I have a 3rd party mail filter and reporting would then be grouped ALL email under 1 domain. => not good.


PS. about iphone email, if 9 out of 10 people are having troubles... it's an iphone problem. I will say, the iphone email settings are VERY confusing, multiple screens, catch 22s... I mean, there is a specific process just to delete an email account and the smtp server. There are 3 screens that have the user/password on it. 3 different screens. Is apple trying to make it hard? Point blank - android email is simple and it works. iphone can't even put a check box to trust a cert
 
ultimately in the OP, does everyone hosting email and using Lets Encrypt on Plesk have the same issue with iPhone Emails? or am I just special :(
FWIW We use Let's Encrypt *Wildcard Certificates on both the host.domain.com and lots of individual domains. In our case, they all share the same IP address. We don't use Certbot and we don't use the Plesk Let's Encrypt extension because, there's a bit more work to be done on it yet, for use with *Wildcard Certificates, but non *Wildcard Certificates are fine using the Plesk extension. We use THIS provider so it's more of a manual process, but it's simple, easy and works every time without any problems for us. *Wildcard Certificates renewals need careful organising though, as they are also still a manual process, not automatic.

Perhaps most relevant to your post, is that we don't have any issues with any mail clients that are being used, including many iPhone users. That may be down to how mail is setup within Plesk in terms of Server Settings and Mail Settings and the various choices that are available within there though, but certificates have never been an issue with mail for us.

We're guessing, but are reasonably sure it's correct, that if, you have a separate IP address for each domain (including a separate IP address for host.domain.com) then the plus side is that the whole thing becomes very easy by comparison. The minus side being, that there's a lot more (repetitive) initial setup work to do, especially if you have many domains...Can't comment more than that, as we're currently moving everything over to a new Ubuntu 18.04.1 / Plesk 17.8.11 server setup, but we're not anticipating any Plesk mail problems on that either, to be fair
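
Added example, not part of any post in this thread: a Python check of whether the certificate a mail server presents covers the name typed into the mail client, which is the mismatch described above (client set to domain.com, mail served as host.servername.com), extended to the wildcard case. The SAN lists and the name mail.domain.com are constructed samples, and `fetch_sans` assumes an implicit-TLS port such as 993 or 465.

```python
import socket
import ssl


def fetch_sans(server, port, sni):
    """DNS names in the certificate `server` presents when asked for SNI name `sni`."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; lets us read a mismatched cert
    with socket.create_connection((server, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """True if one certificate name covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    # A wildcard stands for exactly one left-most label:
    # *.domain.com covers mail.domain.com, not domain.com or a.b.domain.com.
    head, _, rest = hostname.partition(".")
    return bool(head) and rest == pattern[2:]


def covers(sans, hostname):
    return any(name_matches(p, hostname) for p in sans)


def audit(sans, client_names):
    """Map each name a mail client might be configured with to covered / not covered."""
    return {name: covers(sans, name) for name in client_names}


# Constructed SAN lists (not taken from a real server)
HOST_ONLY = ["host.servername.com"]               # cert issued for the server hostname only
COMBINED = ["host.servername.com", "domain.com"]  # both names combined in one cert
WILDCARD = ["*.domain.com"]                       # wildcard for the client domain

if __name__ == "__main__":
    clients = ["domain.com", "mail.domain.com", "host.servername.com"]
    for label, sans in (("host only", HOST_ONLY), ("combined", COMBINED), ("wildcard", WILDCARD)):
        print(label, audit(sans, clients))
```

Against a live server, `audit(fetch_sans("host.servername.com", 993, "domain.com"), ["domain.com"])` shows whether the certificate returned for that SNI name covers it.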
 
eeeekkk!!!
so it appears there are many "catch 22s" that are involved. and yes EVERYTHING has pros/cons... except you don't learn of them UNTIL you use them :(
which means, AFTER THE FACT.

FYI.
Chief of Unicorns
Learning_Curve

awesome names!!!! :) and thanks for replying!

anyway, it seems for me with the existing software I have, etc. etc.
I will buy a 2 year SSL license and put that on my mail server domain. so that my clients, even the ones with iphones... they will need to redo their iphone settings 1 more time
but not have to touch it for 2 years :)

= it would be nice if Plesk allowed my situation to work with the Lets Encrypt extension, but that seems months or years down the line?
= maybe apple will add the trust check box for iphone users = but since it doesn't already exist, it seems like it will NOT happen.
 
I will buy a 2 year SSL license and put that on my mail server domain. so that my clients, even the ones with iphones... they will need to redo their iphone settings 1 more time, but not have to touch it for 2 years :)
:D:D:D Looks like all those Apple FanBoys won't be sending you an Xmas card then? :rolleyes:

None of the IOS / Mac OS / Android / Windows / Ubuntu etc users have ever needed to "...touch it..." (well so far anyway / after several renewals) once any of the FREE Let's Encrypt Certificates have been renewed... on any of the domains that we have. Just saying ;) but yes, YMMV of course
 
question???

attached is the SSL tab in plesk:
does something look odd/strange on it?

ssl.jpg

fyi. i bought the 2 year ssl and was going to add it to the cert for securing mail....
when it dawned on me... Why does the LE cert have zero used domains?
 