Resolved Securing multiple domains with Let's Encrypt SSL certificate

zigojacko · Jan 13, 2020

This has been a problem for a while that I've never managed to figure out...

Say we have a VPS running Plesk with 20 different client's hosted,we have secured everything for one client domain using the Let's Encrypt SSL certificate and whilst this works fine in any tools and browser directly, in email clients, it throws a security exception warning stating that the site is trying to identify itself with invalid information and the reason for that is because the VPS hostname differs from the client domain.

So how we can bypass this security warning if the hostname for example, is like wps-01.example.co.uk and the client domain is like domain1.co.uk? Is it possible?

I would have thought this would be a common problem for anyone trying to use the Let's Encrypt SSL certificate that comes with Plesk but I've not managed to find anything online that discusses this.

Monty · Jan 13, 2020

Check here: How to secure a Plesk mail server with different SSL certificates (SNI support)

zigojacko · Jan 13, 2020

Monty said:
Check here: How to secure a Plesk mail server with different SSL certificates (SNI support)

I already have that set and if I run the command on the command line, it returns the common name as the VPS hostname as expected.

So all that does is verify that the problem is what I said above.

The common name (hostname) is different to the client domains which is why the security warning is being thrown.

Monty · Jan 13, 2020

zigojacko said:
I already have that set and if I run the command on the command line, it returns the common name as the VPS hostname as expected.

That's exactly what is NOT expected if you set up your system according to the KB article. Each of your domain should have a separate SSL certificate for the mail service. You should not see the VPS hostname in the certificate.

Please check/verify that your system supports SNI for Postfix (Postfix version must be 3.4 or higher) and that you configured the SSL/TLS mail settings of all your domains correctly (Domains > example.com > Mail > Mail Settings)

If you still have the problem please post:
* Your OS version
* Your Plesk version
* Your Postfix version
* Your Let's Encrypt settings for your domains
* Your mail client version + configuration

zigojacko · Jan 13, 2020

Monty said:
That's exactly what is NOT expected if you set up your system according to the KB article. Each of your domain should have a separate SSL certificate for the mail service. You should not see the VPS hostname in the certificate.

Please check/verify that your system supports SNI for Postfix (Postfix version must be 3.4 or higher) and that you configured the SSL/TLS mail settings of all your domains correctly (Domains > example.com > Mail > Mail Settings)

If you still have the problem please post:
* Your OS version
* Your Plesk version
* Your Postfix version
* Your Let's Encrypt settings for your domains
* Your mail client version + configuration

Yes, it is exactly the issue I can't fix.

The issue seems to be that the certificate for webmail seems to be getting picked up from the Plesk 'Tools & Settings' page (which is set to 'Lets Encrypt certificate from server pool') instead of the one set in the domain 'Mail Settings' which is set to the one specifically for that domain.

OS: CentOs 7.7
Plesk: Onyx 17.8.11
Postfix: 2.10.1

Let's Encrypt Domain Settings:

The blurred areas are the actual client domain and the current certificate in use is the one for the same domain. In 'Mail Settings', the same certificate is set (the one for this domain).

Mail Client: Doesn't matter which one used but as an example, Thunderbird 68.3.1 - as you can see from the below, after getting the security warning in Thunderbird, you can view the certificate and add a security exception if you wish and the certificate looks like this:

You can see here that the common name is set to the hostname and not that of the actual client's domain as per set in the client specific Let's Encrypt certificate (as selected in the Mail Settings for that domain). The above certificate seems to be the default one set in the global Tools & Settings (Let's Encrypt certificate from server pool) instead of the one for the domain.

zigojacko · Jan 13, 2020

I am not sure why the image above is not working but the URL for it is this:

https://i.ibb.co/tpY40fs/domain-specific-le-ssl.png

Monty · Jan 13, 2020

Well, there you have it:

zigojacko said:
Plesk: Onyx 17.8.11
Postfix: 2.10.1

It is clearly stated on the KB article I posted that you need Plesk Obsidian (18.0) and Postfix 3.4 for SNI to work.

So your solution would be to upgrade to Plesk Obsidian and then try again.

zigojacko · Jan 13, 2020

Monty said:
Well, there you have it:

It is clearly stated on the KB article I posted that you need Plesk Obsidian (18.0) and Postfix 3.4 for SNI to work.

So your solution would be to upgrade to Plesk Obsidian and then try again.

I wasn't expecting that to work because I've experienced the same issue on another server running Obsidian (I actually thought this one was when I originally posted in this forum category).

But however, I have now got this sorted and for the benefit of others visiting this thread, the one thing I noticed is that 'Securing Mail Access' appeared after updating Plesk and subsequently Postfix. This is for securing IMAP/POP etc and is different to 'Securing Webmail' which is an option in previous versions of Plesk. I highlight the option that I needed to configure in the below screenshot.

Thanks for your help with this @Monty

learning_curve · Jan 13, 2020

Monty said:
Well, there you have it:

zigojacko said:

Plesk: Onyx 17.8.11
Postfix: 2.10.1

Click to expand...

It is clearly stated on the KB article I posted that you need Plesk Obsidian (18.0) and Postfix 3.4 for SNI to work.So your solution would be to upgrade to Plesk Obsidian and then try again.

Spot on @Monty and @zigojacko this is the Obsidian section of the forum

There's a separate Onyx (incl 17.8.11) section.

However, @zigojacko there is still an option for 17.8.11 but.. it takes a LOT of setup, a LOT of patience, it's never going to be perfect and the law of diminishing returns applies

dependent on how many domains you're hosting... The option is to generate one Let's Encrypt Multi-Domain Wildcard Certificate as well as all the normal certificates. In this Multi-Domain Wildcard Certificate, every domain has the wildcard option and one of those domains, must be the domian where you're hosting Plesk itself from. We know it works, because that's how we ran our own Plesk setup back when we were using 17.8.11. The downsides are all those already mentioned, but those do include; manual certifcate renewals only (including all the DNS verification posts & checks - two of these on each domain, because they are all wildcard status. This still works, even if all of your DNS is outside of Plesk, as ours was & still is) plus, you still cannot use the Plesk Let's Encrypt Extension to generate the Let's Encrypt Multi-Domain Wildcard Certificate. You have to use another application e.g. THIS (acme.sh) which is excellent & works regardless of Plesk. If you read all of THIS old thread, right to the end, first of all before doing anything, it might explain things about this option for you too. You might get a No SNI warning on on domains, but only on the 2nd certificate that's shown when testing on sllabs.com etc but that's slightly irrelevent as the 1st certificate has only one domain name on it. However, it does (certainly did for us) solve the e-mail problem in 17.8.11.

Upgrading to Obsidian is much less work and easier

zigojacko · Jan 13, 2020

learning_curve said:
Spot on @Monty and @zigojacko this is the Obsidian section of the forum There's a separate Onyx (incl 17.8.11) section.

However, @zigojacko there is still an option for 17.8.11 but.. it takes a LOT of setup, a LOT of patience, it's never going to be perfect and the law of diminishing returns applies dependent on how many domains you're hosting... The option is to generate one Let's Encrypt Multi-Domain Wildcard Certificate as well as all the normal certificates. In this Multi-Domain Wildcard Certificate, every domain has the wildcard option and one of those domains, must be the domian where you're hosting Plesk itself from. We know it works, because that's how we ran our own Plesk setup back when we were using 17.8.11. The downsides are all those already mentioned, but those do include; manual certifcate renewals only (including all the DNS verification posts & checks - two of these on each domain, because they are all wildcard status. This still works, even if all of your DNS is outside of Plesk, as ours was & still is) plus, you still cannot use the Plesk Let's Encrypt Extension to generate the Let's Encrypt Multi-Domain Wildcard Certificate. You have to use another application e.g. THIS (acme.sh) which is excellent & works regardless of Plesk. If you read all of THIS old thread, right to the end, first of all before doing anything, it might explain things about this option for you too. You might get a No SNI warning on on domains, but only on the 2nd certificate that's shown when testing on sllabs.com etc but that's slightly irrelevent as the 1st certificate has only one domain name on it. However, it does (certainly did for us) solve the e-mail problem in 17.8.11.

Upgrading to Obsidian is much less work and easier

Thanks for the info @learning_curve - definitely sounds like upgrading to Obsidian is easier

Resolved Securing multiple domains with Let's Encrypt SSL certificate

zigojacko

Basic Pleskian

Monty

Silver Pleskian

zigojacko

Basic Pleskian

Monty

Silver Pleskian

zigojacko

Basic Pleskian

zigojacko

Basic Pleskian

Monty

Silver Pleskian

zigojacko

Basic Pleskian

learning_curve

Silver Pleskian

zigojacko

Basic Pleskian

Similar threads