Forwarded to devs Postfix SNI TLS-Certs not auto-updated

[Fredrik Svensson]

User name: Fredrik Svensson

TITLE

Postfix SNI TLS-Certs not auto-updated

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk Obsidian v18.0.30_build1800200918.13 os_CentOS 7

PROBLEM DESCRIPTION

Certificates issued by Let's Encrypt, used for email, are not automatically replaced for postfix (SMTP) when the actual certificate is updated by Let's Encrypt.

The certificates for Postfix for that domain are stored by Plesk in /var/spool/postfix/plesk/certs.db but this is not auto updated unless you manually toggle 'SSL/TLS Certificate for e-mail' to "None choosen" and back again.

Dovecot, incoming email, no problem. The auto updated certificates from Let's Encrypt are stored and used there but not for postfix so outgoing emails are stopped default 90 days after Let's Encrypts first generation of the cert.

Apparantly it doesn't matter whether the extension SSL-IT is used or not. The bug is still there.

Please read more here: Issue - Postfix SNI TLS-Certs not auto-updated

STEPS TO REPRODUCE

Create a Let's Encrypt certificate, either wildcard or directly for mail.yourdomain.com, and use it as the certificate for E-mail in Plesk Control Panel. When this certificate is auto updated (default 60 days later) it will be put in use by Plesk for the main webb domain AND for Dovecot (incoming mail) but NOT for Postfix (SMTP).

ACTUAL RESULT

SMTP eventually stops working since the used (old) certificate by postfix will be invalid 90 days later.

EXPECTED RESULT

We want Postfix to use the same (newly refreshed) certificate as Dovecot.

ANY ADDITIONAL INFORMATION

Issue - Postfix SNI TLS-Certs not auto-updated

This morning I could not send mail from some accounts, Thunderbird said the certificate has expired. Problem: When selecting "SSL/TLS certificate for mail" in the mail settings of an individual domain, the certificate for Postfix for that domain is stored by Plesk in...

talk.plesk.com

If this has been reported already as an official bug I apologize but I couldn't find it beeing forwarded to your technicians anywhere.

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug

 

[IgorG]

Thank you,
Bug confirmed EXTLETSENC-884

 

[ybabaeva]

Hi @Fredrik Svensson
may I ask you about more details how to reproduce this case.
What are LetsEncrypt and SSLit! versions of extensions you have installed? I believe they are the latest - LE 2.12.0 and SSLit! 1.6.0 but just to be sure.
When you issue certificate for domain do you mark checkbox to secure mail or do you assign certificate to mail through Mail settings afterwards?
Is there anything specific in your mail configuration you may think of? Just trying to find the exact steps to reproduce since on my test set with LetsEncrypt and SSLit!, Plesk 18.0.30, CentOS 7 certificate is autorenewed for Postfix as well.

 

[Fredrik Svensson]

@ybabaeva
We don't use SSLit. It's not even installed. We assign the certificate through Mail settings afterwards. Two cases:
1) Wildcard Let's Encrypt certificate used for both www & mail.
2) Regular Let's Encrypt certificate only used for mail.domain.com (when the customers A record for www points to some other place).

In both cases we manually mark the generated certificate to be used for the customers mail.
We though of testing SSLit but when reading more about our problem we understood that it would not help since other people (with SSLit) are experiencing the same thing.

It's nothing special about our setup at all. The certificate itself is updated but the file /var/spool/postfix/plesk/certs.db is not updated when Let's Encrypt certificates are auto updated.

I understand it can be somewhat cumbersome to recreate this fault in a lab environment since you have to wait for the auto-renew procedure to kick in. Maybe you can fool the system by setting in panel.ini:
[ext-letsencrypt]
renew-before-expiration = 90

After such renewal from Let's Encrypt you can, for instance, use an online service like Mailserver encryption test (STARTTLS, TLS and PFS) · SSL-Tools where you can see the expiration date of the mail certificate OR you can issue the following commands on the server and you will notice that the used certificate differs.

1) Will show the correct renewed certificate
# openssl s_client -showcerts -connect mail.mydomain.se:995 -servername mail.mydomain.se

2) Will show the old obsolete certificate
# openssl s_client -starttls smtp -showcerts -connect mail.mydomain.se:587 -servername mail.mydomain.se

 

[ybabaeva]

@Fredrik Svensson , thank you for your answer!
The thing is that in scope of fix for EXTLETSENC-884 bug we plan to add clear warning that standalone LetsEncrypt extension does not support renewal of certificate on mail. Only SSLit! extension supports such renewal - this feature to secure mail service was introduced in December 2019. So probably other people with SSLit! complained before this functionality was implemented.
I'm particularly interested if you managed to face the issue with renewal on mail with both LE and SSLit! installed. Just tested that it works for me with same Plesk, same OS - file /var/spool/postfix/plesk/certs.db is updated, new certificate is returned by both Postfix and Dovecot. So with LE and SSLit! extensions it's supposed to be working, and if there is some bug I'm really willing to find out the details how to reproduce it.

 

[Fredrik Svensson]

@ybabaeva. Thanks for your suggestion regarding latest functionality with SSLit.

I will indeed try it out and come back here with observations and results.

Until then - have a nice day!

 

[IgorG]

Bug EXTLETSENC-884 was fixed in Let's Encrypt 2.12.1 Change Log for Plesk Obsidian

 

[unixnut]

@Fredrik Svensson , thank you for your answer!
The thing is that in scope of fix for EXTLETSENC-884 bug we plan to add clear warning that standalone LetsEncrypt extension does not support renewal of certificate on mail. Only SSLit! extension supports such renewal - this feature to secure mail service was introduced in December 2019. So probably other people with SSLit! complained before this functionality was implemented.
I'm particularly interested if you managed to face the issue with renewal on mail with both LE and SSLit! installed. Just tested that it works for me with same Plesk, same OS - file /var/spool/postfix/plesk/certs.db is updated, new certificate is returned by both Postfix and Dovecot. So with LE and SSLit! extensions it's supposed to be working, and if there is some bug I'm really willing to find out the details how to reproduce it.

We're using Plesk Obsidian 18.0.43 on Linux.

We're importing a certificate for a domain using plesk bin certificate --update . We're facing the same issue where /var/spool/postfix/plesk/certs.db isn't being regenerated.

Is there a way that a command-line tool can trigger the above update, similar to what happens when SSLit generates a certificate?

 

[Jérôme Dejoie]

Still the same problem when using the command :

plesk bin certificate --update 'domain.com certificate' -domain domain.com

The new certificate is not deployed on Postfix. Actual workaround is to run this command after :

plesk bin subscription_settings --update domain.com -mail_certificate 'domain.com certificate'

Found here.