
Issue SSL/TLS cert for mail server not updating (Let's Encrypt)

remy

Basic Pleskian
Server operating system version
Ubuntu 20.04.6 LTS
Plesk version and microupdate number
18.0.61 Update #5
It seems Plesk has some issues renewing the TLS certificate which is used by the mail server.

In my setup I have:

Domains:
- domain.tld
- mail.domain.tld (only used for the certificate)
Mail server
- on domain.tld (for mails like [email protected])
- SSL/TLS certificate for mail: Let's Encrypt mail.domain.tld

The renewal of the cert is running fine; calling the Domain Default page shows a valid cert every time. It is currently valid until 12 September 2024. However, checking the cert on the postfix server, it says NotAfter: Jul 14. So we do indeed have a new and an old certificate.

My workaround: In the setting "SSL/TLS certificate for mail" change it to "Not selected", Apply, reselect mail.domain.tld, Apply. I did this a minute ago and now the mail server cert shows: NotAfter: Sep 12

There are several threads in this forum regarding this topic. I also found this: https://support.plesk.com/hc/en-us/...tomatically-updated-by-Let-s-Encrypt-in-Plesk - but as the comments show: This does not work either. And yes: I also have SSL It! installed.

My questions: Are you aware of this "bug"? Will it be fixed? And what can I do here (instead of doing my workaround every three months)?
 
This is a known limitation (not a bug) for this type of setup, as also described in this knowledge base article: https://support.plesk.com/hc/en-us/...for-example-com-is-pointing-to-another-server

Warning: Settings certificate for mail from different domain is temporary solution. Each Let's Encrypt certificate renewal will delete old certificate and new certificate will be issued. Due to that old certificate on example.com will be unchecked. So each Let's Encrypt certificate renewal requires to assign certificate on domain manually or with script again.

The recommended alternative would be to use the server hostname for any mail connections (SMTP, POP, IMAP) if a connection to the main domain (example.com) cannot be used.

Or, if you want to stick with this setup, you could (for example) use a script or cron job that runs once in a while to apply the mail.example.com certificate to the mail server. This can be done with plesk bin domain_pref --update example.com -mail_certificate "Let's Encrypt mail.example.com"
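
One way to script the cron job suggested in the reply above, as an added example that is not part of the original posts or of Plesk's own tooling: it compares the certificate served over HTTPS with the one served over SMTP STARTTLS and re-applies the mail certificate only when the two differ. The host names, the port and the premise that the HTTPS site already serves the renewed certificate are assumptions to adjust for your server.

```shell
#!/bin/sh
# Added example, not from the thread. All values below are assumptions.
DOMAIN="example.com"                        # domain whose mail service uses the certificate
CERT_HOST="mail.example.com"                # site where the renewed certificate is served over HTTPS
MAIL_HOST="mail.example.com"                # name mail clients connect to
SMTP_PORT=25                                # port that offers STARTTLS
CERT_NAME="Let's Encrypt mail.example.com"  # certificate name as used in the reply

# Print the SHA-256 fingerprint of the certificate served at host $1, port $2.
# $3 holds optional extra s_client arguments and is left unquoted on purpose.
served_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" $3 </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Compare two fingerprints and print ok, stale or unknown.
cert_state() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo unknown    # a fingerprint could not be read: change nothing
    elif [ "$1" = "$2" ]; then
        echo ok         # mail server already serves the renewed certificate
    else
        echo stale      # mail server still serves the previous certificate
    fi
}

# Re-apply the certificate only when the mail server is behind the web server.
# Set DRY_RUN=1 to print the Plesk command instead of running it.
reapply_if_stale() {
    web_fp=$(served_fingerprint "$CERT_HOST" 443 "")
    mail_fp=$(served_fingerprint "$MAIL_HOST" "$SMTP_PORT" "-starttls smtp")
    case $(cert_state "$web_fp" "$mail_fp") in
        stale)
            ${DRY_RUN:+echo} plesk bin domain_pref --update "$DOMAIN" \
                -mail_certificate "$CERT_NAME" ;;
        unknown)
            echo "could not read a certificate fingerprint; nothing changed" >&2
            return 2 ;;
    esac
}

# Do the check only when called with --run, for example from a daily cron job.
if [ "${1:-}" = "--run" ]; then
    reapply_if_stale
fi
```

Run it once with DRY_RUN=1 and --run to confirm the printed command matches the certificate name shown in Plesk before scheduling it.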
 