Issue SSL/TLS cert for mail server not updating (Lets Encrypt)

remy
Basic Pleskian
Server operating system version: Ubuntu 20.04.6 LTS
Plesk version and microupdate number: 18.0.61 Update #5
It seems Plesk has some issues renewing the TLS certificate which is used by the mail server.

In my setup I have:

Domains:
- domain.tld
- mail.domain.tld (only used for the certificate)
Mail server
- on domain.tld (for mails like [email protected])
- SSL/TLS certificate for mail: Lets Encrypt mail.domain.tld

The renewal of the cert is running fine; calling the Domain Default page shows a valid cert every time. Currently valid until 12 September 2024. However, checking the cert on the Postfix server shows NotAfter: Jul 14. So we indeed have a new and an old certificate.

My workaround: In the setting "SSL/TLS certificate for mail" change it to "Not selected", Apply, reselect mail.domain.tld, Apply. I did this a minute ago and now the mail server cert shows: NotAfter: Sep 12

There are several threads in this forum regarding this topic. I also found this: https://support.plesk.com/hc/en-us/...tomatically-updated-by-Let-s-Encrypt-in-Plesk - but as the comments show: This does not work either. And yes: I also have SSL It! installed.

My questions: Are you aware of this "bug"? Will it be fixed? And what can I do here (instead of doing my workaround every three months)?
 
This is a known limitation (not a bug) for this type of setup, as also described in this knowledge base article: https://support.plesk.com/hc/en-us/...for-example-com-is-pointing-to-another-server

Warning: Setting a certificate for mail from a different domain is a temporary solution. Each Let's Encrypt certificate renewal will delete the old certificate and a new certificate will be issued. Due to that, the old certificate on example.com will be unchecked. So each Let's Encrypt certificate renewal requires assigning the certificate on the domain manually or with a script again.

The recommended alternative would be to use the server hostname for any mail connections (SMTP, POP, IMAP) if a connection to the main domain (example.com) cannot be used.

Or, if you want to stick with this setup, you could (for example) use a script or cron job that runs once in a while to apply the mail.example.com certificate to the mail server. This can be done with: plesk bin domain_pref --update example.com -mail_certificate "Let's Encrypt mail.example.com"
 
If the mail server has the same domain as the Plesk admin interface, it's easy. We know that the certificate of the Plesk administration interface is automatically renewed. Plesk is automatically protected: Expired or self-signed SSL/TLS certificates are replaced with free, valid certificates from Let's Encrypt. The certificate from the Plesk administration interface can be found under the following path: /opt/psa/admin/conf/httpsd.pem

In my configuration, it is the same certificate that I use for the mail server. So you can create a cronjob that copies the certificate, renames it and overwrites it in the /etc/postfix/ folder:

Example for Cronjob:
cp -fp /opt/psa/admin/conf/httpsd.pem /etc/postfix/postfix.pem && chmod 600 /etc/postfix/postfix.pem