• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Securing multiple domains with Let's Encrypt SSL certificate

zigojacko

Basic Pleskian
This has been a problem for a while that I've never managed to figure out...

Say we have a VPS running Plesk with 20 different client's hosted,we have secured everything for one client domain using the Let's Encrypt SSL certificate and whilst this works fine in any tools and browser directly, in email clients, it throws a security exception warning stating that the site is trying to identify itself with invalid information and the reason for that is because the VPS hostname differs from the client domain.

So how we can bypass this security warning if the hostname for example, is like wps-01.example.co.uk and the client domain is like domain1.co.uk? Is it possible?

I would have thought this would be a common problem for anyone trying to use the Let's Encrypt SSL certificate that comes with Plesk but I've not managed to find anything online that discusses this.
 
I already have that set and if I run the command on the command line, it returns the common name as the VPS hostname as expected.

That's exactly what is NOT expected if you set up your system according to the KB article. Each of your domain should have a separate SSL certificate for the mail service. You should not see the VPS hostname in the certificate.

Please check/verify that your system supports SNI for Postfix (Postfix version must be 3.4 or higher) and that you configured the SSL/TLS mail settings of all your domains correctly (Domains > example.com > Mail > Mail Settings)

If you still have the problem please post:
* Your OS version
* Your Plesk version
* Your Postfix version
* Your Let's Encrypt settings for your domains
* Your mail client version + configuration
 
That's exactly what is NOT expected if you set up your system according to the KB article. Each of your domain should have a separate SSL certificate for the mail service. You should not see the VPS hostname in the certificate.

Please check/verify that your system supports SNI for Postfix (Postfix version must be 3.4 or higher) and that you configured the SSL/TLS mail settings of all your domains correctly (Domains > example.com > Mail > Mail Settings)

If you still have the problem please post:
* Your OS version
* Your Plesk version
* Your Postfix version
* Your Let's Encrypt settings for your domains
* Your mail client version + configuration

Yes, it is exactly the issue I can't fix.

The issue seems to be that the certificate for webmail seems to be getting picked up from the Plesk 'Tools & Settings' page (which is set to 'Lets Encrypt certificate from server pool') instead of the one set in the domain 'Mail Settings' which is set to the one specifically for that domain.

OS: CentOs 7.7
Plesk: Onyx 17.8.11
Postfix: 2.10.1

Let's Encrypt Domain Settings:

domain-specific-le-ssl.png


The blurred areas are the actual client domain and the current certificate in use is the one for the same domain. In 'Mail Settings', the same certificate is set (the one for this domain).

Mail Client: Doesn't matter which one used but as an example, Thunderbird 68.3.1 - as you can see from the below, after getting the security warning in Thunderbird, you can view the certificate and add a security exception if you wish and the certificate looks like this:

le-ssl-cert-wrong-hostname.png


You can see here that the common name is set to the hostname and not that of the actual client's domain as per set in the client specific Let's Encrypt certificate (as selected in the Mail Settings for that domain). The above certificate seems to be the default one set in the global Tools & Settings (Let's Encrypt certificate from server pool) instead of the one for the domain.
 
Well, there you have it:

Plesk: Onyx 17.8.11
Postfix: 2.10.1

It is clearly stated on the KB article I posted that you need Plesk Obsidian (18.0) and Postfix 3.4 for SNI to work.

So your solution would be to upgrade to Plesk Obsidian and then try again.
 
Well, there you have it:



It is clearly stated on the KB article I posted that you need Plesk Obsidian (18.0) and Postfix 3.4 for SNI to work.

So your solution would be to upgrade to Plesk Obsidian and then try again.

I wasn't expecting that to work because I've experienced the same issue on another server running Obsidian (I actually thought this one was when I originally posted in this forum category).

But however, I have now got this sorted and for the benefit of others visiting this thread, the one thing I noticed is that 'Securing Mail Access' appeared after updating Plesk and subsequently Postfix. This is for securing IMAP/POP etc and is different to 'Securing Webmail' which is an option in previous versions of Plesk. I highlight the option that I needed to configure in the below screenshot.

plesk-obsidian-le-settings.png


Thanks for your help with this @Monty
 
Well, there you have it:
Plesk: Onyx 17.8.11
Postfix: 2.10.1
It is clearly stated on the KB article I posted that you need Plesk Obsidian (18.0) and Postfix 3.4 for SNI to work.So your solution would be to upgrade to Plesk Obsidian and then try again.
Spot on @Monty and @zigojacko this is the Obsidian section of the forum ;) There's a separate Onyx (incl 17.8.11) section.

However, @zigojacko there is still an option for 17.8.11 but.. it takes a LOT of setup, a LOT of patience, it's never going to be perfect and the law of diminishing returns applies :eek: dependent on how many domains you're hosting... The option is to generate one Let's Encrypt Multi-Domain Wildcard Certificate as well as all the normal certificates. In this Multi-Domain Wildcard Certificate, every domain has the wildcard option and one of those domains, must be the domian where you're hosting Plesk itself from. We know it works, because that's how we ran our own Plesk setup back when we were using 17.8.11. The downsides are all those already mentioned, but those do include; manual certifcate renewals only (including all the DNS verification posts & checks - two of these on each domain, because they are all wildcard status. This still works, even if all of your DNS is outside of Plesk, as ours was & still is) plus, you still cannot use the Plesk Let's Encrypt Extension to generate the Let's Encrypt Multi-Domain Wildcard Certificate. You have to use another application e.g. THIS (acme.sh) which is excellent & works regardless of Plesk. If you read all of THIS old thread, right to the end, first of all before doing anything, it might explain things about this option for you too. You might get a No SNI warning on on domains, but only on the 2nd certificate that's shown when testing on sllabs.com etc but that's slightly irrelevent as the 1st certificate has only one domain name on it. However, it does (certainly did for us) solve the e-mail problem in 17.8.11.

Upgrading to Obsidian is much less work and easier :D
 
Spot on @Monty and @zigojacko this is the Obsidian section of the forum ;) There's a separate Onyx (incl 17.8.11) section.

However, @zigojacko there is still an option for 17.8.11 but.. it takes a LOT of setup, a LOT of patience, it's never going to be perfect and the law of diminishing returns applies :eek: dependent on how many domains you're hosting... The option is to generate one Let's Encrypt Multi-Domain Wildcard Certificate as well as all the normal certificates. In this Multi-Domain Wildcard Certificate, every domain has the wildcard option and one of those domains, must be the domian where you're hosting Plesk itself from. We know it works, because that's how we ran our own Plesk setup back when we were using 17.8.11. The downsides are all those already mentioned, but those do include; manual certifcate renewals only (including all the DNS verification posts & checks - two of these on each domain, because they are all wildcard status. This still works, even if all of your DNS is outside of Plesk, as ours was & still is) plus, you still cannot use the Plesk Let's Encrypt Extension to generate the Let's Encrypt Multi-Domain Wildcard Certificate. You have to use another application e.g. THIS (acme.sh) which is excellent & works regardless of Plesk. If you read all of THIS old thread, right to the end, first of all before doing anything, it might explain things about this option for you too. You might get a No SNI warning on on domains, but only on the 2nd certificate that's shown when testing on sllabs.com etc but that's slightly irrelevent as the 1st certificate has only one domain name on it. However, it does (certainly did for us) solve the e-mail problem in 17.8.11.

Upgrading to Obsidian is much less work and easier :D

Thanks for the info @learning_curve - definitely sounds like upgrading to Obsidian is easier :D
 
Back
Top