Plesk Server SSL Certificate issue

Ihtshama
Hello Support,
Until yesterday, whenever my clients added their email account on an iPhone or other mobile, they were prompted with a certificate alert and had to trust it to continue. At that time, the Plesk server was secured with the "plesk pool" certificate.
Yesterday, I changed the certificate to one issued for a domain name (Let's Encrypt). The problem is still there: users are alerted about the certificate while adding email accounts, and at worst, on the latest iPhones (7, 8 etc.), even after selecting "trust" certificate, they see the error "cannot verify server identity".

Can you please advise how this alert can be avoided?

Thank you so much in advance.
 
Yesterday, I changed the certificate to one issued for a domain name (Let's Encrypt).

Do you have more than one domain for your customers running on your server? You can only secure one mail server domain on a server if you are running Postfix/Dovecot as your mail server. So, any other domains would only get the main domain's Let's Encrypt certificate.

If this is the case for you, you are much better off using your own self-signed certificate for mail because then your users won't have to approve and "trust" a new certificate in their mail apps every time Let's Encrypt renews the cert (every few months). I personally have a self-signed cert that expires in 2047 so once my customers have trusted my cert it is good forever for their devices/computers.
 
Hello Piper,
I appreciate your feedback and advice. Yes, more than 20 websites for my clients, and it is a big headache that they have to trust it every time. My server has Postfix & Courier. Will it work?

Can you please share how I can create a self-signed certificate? A good guide for dummies. :)
 
You can create them right from Plesk if you like:
Tools & Settings --> SSL/TLS Certificates --> Add

Fill out the form and hit "self-signed" but make sure the domain for your email server is in the "domain" section without "https://".

If you want a certificate that has a really long expiration date, you'll have to create one manually, as it looks like Plesk only creates self-signed certs with a 1-year expiration date.

Here are the commands I used for my mail cert, in Linux:

# 2048-bit RSA private key, written without a passphrase so the mail service can start unattended
openssl genrsa -out server.key 2048
# Certificate signing request; the CN must be the host name your users type as mail server
openssl req -sha256 -nodes -new -key server.key -out server.csr -subj '/C=US/ST=YourState/L=YourCity/O=CompanyName/OU=CompanyDivision/CN=yourdomain.com'
# Self-sign the request with the same key, valid for 10777 days (about 29.5 years)
openssl x509 -req -sha256 -days 10777 -in server.csr -signkey server.key -out server.crt
# Plesk takes certificate and private key together in one PEM file
cat server.crt server.key > YourNewCert.pem

Then you can take the YourNewCert.pem file it creates and upload it or enter it into Plesk here: Tools & Settings --> SSL/TLS Certificates
Set it to "Certificate for securing mail".
 
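An added example from the editor, not part of the post above: the same self-signed mail certificate done the way current mail clients check it, plus the two checks behind the errors that come up in this thread (key/certificate mismatch on upload, and host-name mismatch in the client). One caveat on the 29-year certificate above: Apple's requirements for iOS 13 / macOS 10.15 and later reject TLS server certificates that have no subjectAltName or are valid for more than 825 days, so the script below uses a SAN and 825 days. Host names and file names are placeholders; it needs OpenSSL 1.1.1 or newer for -addext.

```shell
#!/bin/sh
# Editor's added example (not from the thread). mail.example.com and the
# file names are placeholders. Requires OpenSSL 1.1.1+ (-addext).
set -eu

# Key and self-signed certificate in one step, with the mail host name in the
# subjectAltName. Modern clients ignore the CN; without a SAN, or with a
# validity over 825 days, Apple devices refuse the cert before trust is asked.
make_mail_cert() {  # make_mail_cert <mail-hostname> <key.pem> <cert.pem>
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
    -subj "/CN=$1" \
    -addext "subjectAltName=DNS:$1" \
    -addext "extendedKeyUsage=serverAuth" \
    -keyout "$2" -out "$3" 2>/dev/null
}

# The public key inside the certificate must be the one derived from the
# private key; when it is not, Plesk reports
# "Incompatible private key/certificate pair". Compare the two public keys.
key_matches_cert() {  # key_matches_cert <key.pem> <cert.pem>
  from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  from_cert=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
  [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# What a mail client does once the cert is trusted: check that the host name
# it connected to is covered by the certificate. A self-signed cert is its own
# trust anchor, hence -CAfile pointing at the cert itself.
cert_matches_host() {  # cert_matches_host <cert.pem> <hostname>
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Plesk accepts certificate and key pasted together as one PEM. The bundle
# contains the private key, so create it with mode 0600.
bundle_for_plesk() {  # bundle_for_plesk <key.pem> <cert.pem> <out.pem>
  ( umask 077; cat "$2" "$1" > "$3" )
}

if [ "${1-}" = "demo" ]; then   # sh selfsigned-mail-cert.sh demo
  make_mail_cert mail.example.com server.key server.crt
  key_matches_cert server.key server.crt && echo "key and certificate match"
  cert_matches_host server.crt mail.example.com && echo "mail.example.com is covered"
  cert_matches_host server.crt mail.other.example || echo "mail.other.example is not covered (what a client on another domain sees)"
  bundle_for_plesk server.key server.crt YourNewCert.pem
fi
```

The last check is the situation later in the thread: a certificate for mail.prodesigner.ch verifies only when the client connects to mail.prodesigner.ch, never when it connects to mail.aaacn.ch, self-signed or not.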
I think that the real issue here is that the clients are not using the host name (the general mail server name) but an individual domain name to connect. If they were using the host name and the host name is equipped with the Let's Encrypt certificate they will not experience difficulties with the connection. But when they use a different domain name, particularly Apple mail software will cause lots of issues and often displays wrong, misleading error messages, too. The trick is to use the host name, have the certificate in place, then things will work for Apple devices, too.
 
I think that the real issue here is that the clients are not using the host name (the general mail server name) but an individual domain name to connect. If they were using the host name and the host name is equipped with the Let's Encrypt certificate they will not experience difficulties with the connection. But when they use a different domain name, particularly Apple mail software will cause lots of issues and often displays wrong, misleading error messages, too. The trick is to use the host name, have the certificate in place, then things will work for Apple devices, too.
I agree — it is a trade-off. Do you want your customers pressing "why are we not able to use our own domain name we purchased for our mail settings" or "why do I have to trust my domain name's certificate manually" when using a shared hosting environment.
 
I agree — it is a trade-off. Do you want your customers pressing "why are we not able to use our own domain name we purchased for our mail settings" or "why do I have to trust my domain name's certificate manually" when using a shared hosting environment.

I'll choose any day the first of the two: heck, even if you go the G Suite/GMail way you'll have to configure Google servers in your clients...
 
I think that the real issue here is that the clients are not using the host name (the general mail server name) but an individual domain name to connect. If they were using the host name and the host name is equipped with the Let's Encrypt certificate they will not experience difficulties with the connection. But when they use a different domain name, particularly Apple mail software will cause lots of issues and often displays wrong, misleading error messages, too. The trick is to use the host name, have the certificate in place, then things will work for Apple devices, too.

Dear Peter,
Your answers got my attention, thank you. It seems logical, but the certificate with which the mail server is secured MUST be from a domain on the server. At the moment, it is from mail.prodesigner.ch. When a client with his website www.aaacn.ch tries to add his email account, he must use mail.aaacn.ch or aaacn.ch as outgoing/incoming mail server. They cannot really use the main server name here, mail.prodesigner.ch. Are you pointing to use this? I tried and it didn't work actually.

Here is the error on the iPhone: it alerts "cannot verify server identity" (check the attachment please, 01.jpg); the mail server is secured with the SSL certificate from the domain "mail.prodesigner.ch". It gives three options to proceed, "continue, details and cancel"; then on clicking details > trust, it moves forward.

In this scenario, your answer is a bit confusing. How would you advise your solution in this case then?
 

Attachments: 01.jpg, 02.jpg
You can create them right from Plesk if you like:
Tools & Settings --> SSL/TLS Certificates --> Add

Fill out the form and hit "self-signed" but make sure the domain for your email server is in the "domain" section without "https://".

If you want a certificate that has a really long expiration date, you'll have to create one manually, as it looks like Plesk only creates self-signed certs with a 1-year expiration date.

Here are the commands I used for my mail cert, in Linux:

# 2048-bit RSA private key, written without a passphrase so the mail service can start unattended
openssl genrsa -out server.key 2048
# Certificate signing request; the CN must be the host name your users type as mail server
openssl req -sha256 -nodes -new -key server.key -out server.csr -subj '/C=US/ST=YourState/L=YourCity/O=CompanyName/OU=CompanyDivision/CN=yourdomain.com'
# Self-sign the request with the same key, valid for 10777 days (about 29.5 years)
openssl x509 -req -sha256 -days 10777 -in server.csr -signkey server.key -out server.crt
# Plesk takes certificate and private key together in one PEM file
cat server.crt server.key > YourNewCert.pem

Then you can take the YourNewCert.pem file it creates and upload it or enter it into Plesk here: Tools & Settings --> SSL/TLS Certificates
Set it to "Certificate for securing mail".

Thanks a lot for the guide. Actually I got this .pem file, but Plesk is not accepting it. Do I have to fill in the form in Plesk and then press "request" or "self-signed"? After selecting that certificate, new upload options appear to upload the .crt etc. Even for that, the .crt is giving errors.

Error: Unable to set the certificate: Incompatible private key/certificate pair.
 
When a client with his website www.aaacn.ch tries to add his email account, he must use mail.aaacn.ch or aaacn.ch as outgoing/incoming mail server. They cannot really use the main server name here, mail.prodesigner.ch. Are you pointing to use this? I tried and it didn't work actually.
My opinion (and sorry, I know you asked Peter...) is that YES, they should use mail.prodesigner.ch for both SMTP and IMAP/POP3, and I can assure you that it works (I'm using the same kind of configuration, for several domains...)

The only thing I can imagine for why it didn't work for you is that your cert wasn't issued for mail.prodesigner.ch but only for prodesigner.ch, www.prodesigner.ch and possibly webmail.prodesigner.ch. If this is the case, just add mail.prodesigner.ch as an alias of prodesigner.ch and request a new cert which includes mail.prodesigner.ch too.

Edit: when I'm talking about "alias" I'm not meaning a simple CNAME but a domain alias, at Plesk level...
 
My opinion (and sorry, I know you asked Peter...) is that YES, they should use mail.prodesigner.ch for both SMTP and IMAP/POP3, and I can assure you that it works (I'm using the same kind of configuration, for several domains...)

The only thing I can imagine for why it didn't work for you is that your cert wasn't issued for mail.prodesigner.ch but only for prodesigner.ch, www.prodesigner.ch and possibly webmail.prodesigner.ch. If this is the case, just add mail.prodesigner.ch as an alias of prodesigner.ch and request a new cert which includes mail.prodesigner.ch too.

Edit: when I'm talking about "alias" I'm not meaning a simple CNAME but a domain alias, at Plesk level...

Let me give it a try, thanks a lot. But by doing so, will users not be prompted with the alert?

But do you think that after the Let's Encrypt certificate expires in 3 months, the users will be asked again to trust it?

PS. I liked your idea of a self-signed certificate for the next 20 years. :) Why not create this certificate, use it with mail.prodesigner.ch and ask clients to use it?
 
Let me give it a try, thanks a lot. But by doing so, will users not be prompted with the alert?

No: they will be NEVER asked for trust, not even the first time! That's the beauty of a good (not self-signed) certificate...

but... I'm seeing that prodesign.ch does not have any MX record and that aaacn.ch has ms14.webland.ch as its MX... I'm afraid you have more issues... (maybe...)
 
Perfect point. Thanks a ton.

Actually, I am using a shortcut name for our domain name; it is www.professionaldesigner.ch.

Can you please check the attachment: I am trying to secure webmail with the certificate issued for mail.professionaldesigner.ch, but Plesk is again using the same SSL certificate from the main domain. Surprised. (I just renamed the Let's Encrypt certificate to "secureSSL" for understanding.)

Can you pls advise, thank you so much.

PS. My Skype for quick chat: ProDesignerCH
 

Attachments: SSL_TLS Certificates - Cloud Hosting _ - https___professionaldesigner.ch_84.png
I think your trick worked, Sergio, thanks. I am not seeing that alert when using mail.professionaldesigner.ch. Amazing solution! (My clients are not that smart that they would question why to use mail.professionaldesigner.ch as mail server. lol)

But do you think that after the Let's Encrypt certificate expires in 3 months the users will be prompted, or does it have a bad effect on the clients' side, due to which one should use a self-signed certificate with a long expiry?

Thanks
 
I never did it the way you're doing it. I chose a different route that seems more logical to me. It may be a good or a bad way; I'll let others judge. What you're doing seems like what we call (in Italy) "UCAS", "Ufficio Complicazioni Affari Semplici", that is "Office for the Complication of Simple Affairs"...

  • Just install (if you haven't already) the Let's Encrypt extension
  • Create/modify a subscription that contains your FQDN (Fully Qualified Domain Name): mail.prodesign.ch
  • Inside that subscription use the Let's Encrypt extension to issue/renew the certificate. If you have aliases inside that subscription, be sure to include the aliases for the name for which the cert must be issued (they should appear in the right panel, in the LE extension...)
  • Once you've done that, go to Tools & Settings -> SSL/TLS Certificates, and on the row that says "Certificate for securing mail" click "change" and then just choose the certificate you want (it's already there... no need to upload anything...)
 
But do you think that after the Let's Encrypt certificate expires in 3 months the users will be prompted, or does it have a bad effect on the clients' side, due to which one should use a self-signed certificate with a long expiry?

Nope, nope, nope! They will NEVER see anything, unless you leave the certificate to expire, so keep an eye that the certificate is really auto-renewed (30 days before actual expiration)
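An added example from the editor, not part of the post above, for the "keep an eye on it" part: the renewed certificate only helps if it is the one actually served on the mail ports, and in Plesk the mail certificate is selected separately from the subscription's certificate (step 4 of the procedure above). The script pulls the certificate a client would see from IMAPS and submission, reports the days left and flags anything under the 30-day renewal window. Host names are placeholders; fetching obviously needs network access, while the day-count functions work on any PEM file.

```shell
#!/bin/sh
# Editor's added example (not from the thread): check the certificate served
# on the mail ports, not the one shown in the Plesk UI. Hostnames are placeholders.
set -eu

# Print the leaf certificate the server presents. 993/995/465 speak TLS from
# the start; 143/110/587 need STARTTLS, so pass imap, pop3 or smtp as 3rd arg.
fetch_mail_cert() {  # fetch_mail_cert <host> <port> [imap|pop3|smtp]
  if [ -n "${3-}" ]; then set -- "$1" "$2" -starttls "$3"; else set -- "$1" "$2"; fi
  host=$1; port=$2; shift 2
  openssl s_client -connect "$host:$port" -servername "$host" "$@" </dev/null 2>/dev/null \
    | openssl x509
}

# Whole days until notAfter, found by bisecting on -checkend, so it works with
# any openssl and without GNU 'date -d'. An expired cert reports 0.
cert_days_left() {  # cert_days_left <cert.pem>
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || { echo 0; return 0; }
  lo=0; hi=24000   # 24000 days keeps the seconds offset below 2^31
  while [ $((hi - lo)) -gt 1 ]; do
    mid=$(((lo + hi) / 2))
    if openssl x509 -in "$1" -noout -checkend $((mid * 86400)) >/dev/null 2>&1; then
      lo=$mid
    else
      hi=$mid
    fi
  done
  echo "$lo"
}

# The Let's Encrypt extension renews 30 days before expiry. A served cert with
# fewer days left means renewal did not run, or the new cert was not assigned
# to "Certificate for securing mail".
renewal_overdue() {  # renewal_overdue <cert.pem>
  [ "$(cert_days_left "$1")" -lt 30 ]
}

if [ "${1-}" = "check" ]; then   # sh check-mail-cert.sh check mail.example.com
  fetch_mail_cert "$2" 993 > live-imaps.pem
  fetch_mail_cert "$2" 587 smtp > live-submission.pem
  for f in live-imaps.pem live-submission.pem; do
    echo "$f: $(openssl x509 -in "$f" -noout -subject -ext subjectAltName 2>/dev/null | tr '\n' ' ')"
    echo "$f: $(cert_days_left "$f") days left"
    renewal_overdue "$f" && echo "$f: WARNING renewal overdue"
  done
fi
```

Run it from cron on a box other than the mail server so it sees what clients see; the SAN line is the quick way to confirm the name your users type (mail.yourhost) is actually in the served certificate.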
 
Thanks a lot for the guide. Actually I got this .pem file, but Plesk is not accepting it. Do I have to fill in the form in Plesk and then press "request" or "self-signed"? After selecting that certificate, new upload options appear to upload the .crt etc. Even for that, the .crt is giving errors.

Error: Unable to set the certificate: Incompatible private key/certificate pair.

You may have to cut and paste the actual PEM file text components into the Plesk text fields to get it to accept it (for the manual self-signed cert method).
 