
Resolved Problem with SSL LE (mail settings)

onelife9

New Pleskian
Hi. I have a problem with LetsEncrypt certificates for each domain (only for mail). This works fine for sites. For mail, it gets the server's root certificate instead of the domain. Why?

Example:

openssl s_client -showcerts -servername bezglutenowyhert.pl -connect bezglutenowyhert.pl:465



These are my settings. They look correct.


[Attached screenshots: Zrzut ekranu 2020-11-30 o 12.28.47.png, Zrzut ekranu 2020-11-30 o 12.29.09.png]
 
The "SSL/TLS certificate for mail" setting is useless without a wildcard certificate, it just doesn't work as you would expect.
If you install the wildcard certificate, it works.
 
Would you not only need a wildcard if you do not address the server by the domain name, but by a prefixed domain like smtp.<domain> or imap.<domain> etc.? Else it should be o.k. if you simply enter the domain name as server name.
 
Hey, I still have a problem. I have a wildcard LE certificate.

I use the main domain or mail.*, but it still displays the server's root certificate, not the domain's.

I know I can use the main domain of the server, but I care about the address per domain.

openssl s_client -showcerts -servername bezglutenowyhert.pl -connect bezglutenowyhert.pl:465

CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = vps800343.ovh.net
verify return:1
---
Certificate chain
 0 s:/CN=vps800343.ovh.net
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

or mail.*

openssl s_client -showcerts -servername mail.bezglutenowyhert.pl -connect mail.bezglutenowyhert.pl:465

CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = vps800343.ovh.net
verify return:1
---
Certificate chain
 0 s:/CN=vps800343.ovh.net
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 
You're trying to connect to the SMTP server, but the SMTP server will be protected by default by the host certificate. Try
openssl s_client -showcerts -servername bezglutenowyhert.pl -connect bezglutenowyhert.pl:993
instead.

Please also try this from your own server:
echo 'Q' | openssl s_client -connect bezglutenowyhert.pl:465 -servername bezglutenowyhert.pl -showcerts 2>&1 | grep -Eo 'CN=[^/]+' | uniq

and make sure that the certificate that was issued for your domain is set as the mail certificate of that domain.
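An added check (example code written here, not from the thread or from Plesk) that parses the "Certificate chain" section `openssl s_client -showcerts` prints, as shown in this thread, and reports whether the depth-0 certificate covers the SNI name or the service fell back to the host certificate; wildcard names are handled because the thread discusses them. The two sample outputs are constructed from the thread's own output, and `live_leaf_cn` is an assumed helper that performs the same check over a real TLS connection.

```python
import re
import socket
import ssl

# Constructed samples: the "Certificate chain" section that `openssl s_client -showcerts`
# printed in the thread for port 465 (host cert served) and port 993 (domain cert served).
SMTPS_465 = """\
Certificate chain
 0 s:/CN=vps800343.ovh.net
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
"""
IMAPS_993 = """\
Certificate chain
 0 s:/CN=bezglutenowyhert.pl
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
"""
# Leaf subject line: " 0 s:/CN=x" (old slash format) or " 0 s:CN = x" (OpenSSL 1.1.1+).
LEAF_RE = re.compile(r"^\s*0 s:.*?CN\s*=\s*([^/,\n]+)", re.MULTILINE)

def leaf_cn(s_client_output):
    """CN of the depth-0 certificate in s_client output, or None if not found."""
    m = LEAF_RE.search(s_client_output)
    return m.group(1).strip() if m else None

def name_matches(cn, servername):
    """Exact match, or a single-label wildcard (*.example.org covers mail.example.org)."""
    cn, servername = cn.lower(), servername.lower()
    if cn.startswith("*."):
        suffix = cn[1:]  # ".example.org"
        return servername.endswith(suffix) and "." not in servername[:-len(suffix)]
    return cn == servername

def check_sni(s_client_output, servername):
    """'domain-cert' if the leaf covers the SNI name, 'host-cert:<CN>' if the service
    fell back to its host certificate, 'unparsed' if no leaf subject line was found."""
    cn = leaf_cn(s_client_output)
    if cn is None:
        return "unparsed"
    return "domain-cert" if name_matches(cn, servername) else "host-cert:" + cn

def live_leaf_cn(host, port, servername):
    """Leaf CN the service presents for `servername` over a real TLS handshake; hostname
    checking is off so a mismatch is returned, not raised (chain is still verified)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=servername) as tls:
            subject = tls.getpeercert()["subject"]
    return dict(rdn[0] for rdn in subject)["commonName"]
```

Running `check_sni` over the thread's two outputs reproduces the diagnosis: port 993 answers with the domain certificate, port 465 with the host certificate.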
 
OK, I tried openssl with 993 and it's fine.

openssl s_client -showcerts -servername bezglutenowyhert.pl -connect bezglutenowyhert.pl:993

CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = bezglutenowyhert.pl
verify return:1
---
Certificate chain
 0 s:/CN=bezglutenowyhert.pl

but from my server with 465:

CN=vps800343.ovh.net
CN=Let's Encrypt Authority X3
CN=DST Root CA X3
CN=vps800343.ovh.net
CN=Let's Encrypt Authority X3


For SMTP, will it always be the root server certificate?

I have SNI turned on.
 
That's a good question. I thought that SMTP can also use the individual certificate. Never really tested it to the bone.

Further research brought up this article on a bug that seems to meet your situation:
Do you get any of the warning messages in /var/log/maillog described in that article?
 
unfortunately not... (debug enabled)

I have the current Plesk version.

Product version: Plesk Obsidian 18.0.31.2
Build date: 2020/11/27 17:00
 
I'd guess that this case needs a support ticket with Plesk support, so that they can check the situation directly on your server.
If you have a license from a reseller, you could consider using the free "test" of paid support.
 