
[Question] Wanted: Best practice for certificates (Let's Encrypt) on two separate Plesk servers for www and mail

W4ru

Basic Pleskian
Server operating system version: Ubuntu 24.04.1 LTS
Plesk version and microupdate number: Plesk Obsidian 18.0.66 Update 2
Hello!

For a while now I have been separating domains for www and mail onto two separate Plesk servers.
This results in a lot of manual effort for the renewal of certificates (Let's Encrypt). This is even more inconvenient for me because I operate an external DNS server.

The external DNS server is fully set up. The renewal of the certificate on the Plesk for www is done via DNS entry (_acme-challenge.domain.tld) and works so far.

On the second Plesk server, the domain is set up so that the MX record of domain.tld is reached; mail works. There is also the DNS entry mail.domain.tld as an alias for the customers (IMAP, SMTP) and webmail.domain.tld as an entry point for Roundcube.

Problem: I cannot renew the certificate on the second Plesk because Let's Encrypt uses the IP of the first Plesk for domain.tld and not mail.domain.tld or webmail.domain.tld.
Alternatively, I could of course point domain.tld to the second server at the time of renewal, but that is not a workable solution for many domains.

Can I perhaps use the CLI to renew the certificate on the second server, or is there a "HowTo" for such configurations that I have not found so far?

If I only have sub-domains on the first (www) Plesk server, this is all easy, as I can then generate the certificates there using a dedicated _acme-challenge.sub.domain.tld.

Thanks for any advice!
 
Because you're separating web hosting and mail hosting out into 2 different servers, you're going to be doing a lot of manual work. You could just go into the Plesk panel of the server where the certificate was created, export the certificate (or copy the contents), manually add it to the other server and assign it accordingly, but, again, it won't be fully automatic.

The alternative way of doing this is to use a service like Cloudflare, generate a CA for the web server and install it to the webserver and proxy the web traffic that way. This way the web mail would be getting the certification renewal that you would need to worry about.

The other option (and honestly the one I would recommend for your use case) would be to simply buy a wildcard certificate that is good for a year (you could buy multiple years as well, but you would need to download and install a new certificate every year; still, this is better than doing it every 3 months). The site I'd recommend for buying certificates cheaply is ssls.com (not affiliated, I just love the site when buying certificates for clients because it's much cheaper compared to other sites).
 
welp, the Plesk release notes of yesterday read like they changed something that could possibly help here.
I have not tested it out yet, but I assume the SSL It! extension will now try to issue an http-01 validated Let's Encrypt cert for "webmail.DOMAIN.TLD" and "mail.DOMAIN.TLD" (????) when you have an email-only subscription.
 
That's correct. Since SSL It! 1.16.0/Let's Encrypt 3.2.9, with the "no web hosting" subscription type you can issue an SSL certificate for mail.domain.com. If you observe any issues, please let us know.
 
Many thanks for the responses!

Yes, the manual copying of the certificate is a solution (copy & paste only, of the key and the two CRTs; export and import via file fails).

The variant of a * certificate is a good hint! Time is money... but someone has to pay the costs ;-)


I had also noticed the ‘no web hosting’ subscription, but am just now figuring out how to test and implement it. More on this shortly. That sounds good!
 
OK, I'm a little further on, but without success.
Regardless of whether the domain was converted from a 'full' domain with certificate and www to a 'mail only' domain (i.e. certificate renewal) or freshly created as a 'mail domain':

The button for generating the certificate remains inactive. Something is missing, but I can't find out what.
 

"webmail.DOMAIN.TLD" and "mail.DOMAIN.TLD" (????) when you have an email-only subscription.
Yes! You can see this in my screenshots in the post above.
So far, the theory has been implemented perfectly. But it doesn't work yet.
 
Seems you have the DNS service for this domain enabled on your "email" Plesk server.
Can you disable it and see if it works then? (should also no longer show the DANE/TLSA checkbox)
 
Seems you have the DNS service for this domain enabled on your "email" Plesk server.
You are right! There is still something active on one domain (renewal). But the second (newly created) one has no DNS configured (DNS deactivated). So it's something else.

Yesterday I also tested the Let's Encrypt CLI; there were error messages that the www IP of the domain is resolved, even if I explicitly specify webmail.domain.tld (which points to the 'mail service only' Plesk).

But now I'm testing this again with today's knowledge of the mail-only domain and switched off DNS.
 
Code:
plesk bin extension --exec letsencrypt cli.php -d domain.tld -m [email protected]
Returns:
No web hosting is configured on domain domain.tld (translated from German)

Code:
plesk bin extension --exec letsencrypt cli.php -d mail.domain.tld -m [email protected]
Returns:
The execution of cli.php has failed with the following message:
Could not find any domain to install.
exit status 1
 
The CLI cannot be used for that at the moment.
The Plesk team will need to fix/adjust this CLI implementation first in order to make it also work for email-only subscriptions.

As for the problem with the greyed-out button in the web GUI, I don't have a clue...
The whole procedure works like a charm on our servers.
The only difference I can see is that on our systems it never shows the DANE/TLSA checkbox at all (though that should not make or break anything... IMHO).
 
@W4ru , do you perhaps have an alias configured for the subscription in question?
Yesterday I checked a few things again and switched two more websites to "no hosting" (where the website runs on a third-party server). Those then *automatically* had a certificate a few hours later, and it could also be renewed manually *crazy*, so I can also confirm to @ChristophRo for now: basically, this might work here too.

However, it apparently makes no difference whether DNS is active or not.

@Sebahat.hadzhi: It makes no difference whether there is an alias. The button is active for a domain with an alias but "no hosting". In the domain overview, it does not matter whether you click on "SSL certificates" at domain.tld or aliasdomain.tld: it takes you to the certificate setup of domain.tld, and there I can retrieve the certificate.

Now the phenomenon remains with the domain that I have just created on the server (all the others have been set up for a long time and moved to this new server a week ago via Migrator). All other “no hosting” domains have received a valid certificate (it is unclear to me which background process on the server caused this).

The domain created for the first time (without alias, without prior certificate setup) remains without a clickable button. Crazy.

I'll investigate further...


BTW @Plesk-Support: in the certificate overview, "mail-only domains" are shown as "expired", even if there is a valid certificate. Apparently it does not take into account that there is a certificate for webmail.domain.tld or for mailbox access. Screenshot attached; all domains listed there HAVE a valid certificate for mail.domain.tld and webmail.domain.tld.
I think this can be improved with a few lines of code ;-)
 

OMG :-/

Sorry for the confusion. Now it's also clear why I couldn't retrieve a certificate for the newly created domain: I had neglected to change the DNS entries on the external DNS server for mail. and webmail.
Annoying!

I did this immediately and the button for generating the certificate is active!

Summary: If the DNS entries are correct, the certificate can be generated with/without an alias domain for “no hosting” domains. It also makes no difference whether the local DNS is active or not.

So I have a perfect solution. Yeah! Many thanks to everyone who has supported this approach!

Two to-dos remain for the Plesk team:
- Addition to the CLI
- Correction of the incorrect output in the certificate overview (and possibly also the notification; it is still unclear whether it correctly evaluates the certificate data)

@ChristophRo: What is your experience with the certificate overview and the notifications for automatically renewed or expired certificates for “no hosting” domains?
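The root cause found above was DNS, not Plesk: mail. and webmail. still pointed elsewhere, so the validation request never reached the mail-only server. The following pre-flight check is an added example (not from this thread or from Plesk) that verifies each domain's mail. and webmail. A records resolve to the mail-only server before a certificate is requested; the server IP and domain names are placeholders, and `resolve` wraps dig so it can be swapped out.

```sh
#!/bin/sh
# Pre-flight DNS check before requesting a Let's Encrypt certificate for a
# mail-only ("no web hosting") domain: mail.DOMAIN and webmail.DOMAIN must
# resolve to the mail-only Plesk server, otherwise the validation request is
# answered by the www server and issuance fails.
# Constructed example; the IP and domain names are placeholders.
MAIL_SERVER_IP="${MAIL_SERVER_IP:-203.0.113.20}"   # placeholder: mail-only Plesk IP

# resolve NAME: print IPv4 A records of NAME, one per line (dig follows CNAMEs);
# kept as a separate function so a fake resolver can replace it in tests.
resolve() {
    dig +short A "$1" 2>/dev/null
}

# check_name NAME EXPECTED_IP
#   0 = every A record equals EXPECTED_IP, 1 = resolves elsewhere, 2 = no A record
check_name() {
    cn_addrs=$(resolve "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$' || true)
    [ -n "$cn_addrs" ] || return 2
    for cn_ip in $cn_addrs; do
        [ "$cn_ip" = "$2" ] || return 1
    done
    return 0
}

# check_mail_domain DOMAIN EXPECTED_IP
#   prints one verdict per name; returns 1 if any name would send the challenge elsewhere
check_mail_domain() {
    cmd_rc=0
    for cmd_host in mail webmail; do
        cmd_fqdn="$cmd_host.$1"
        cmd_r=0
        check_name "$cmd_fqdn" "$2" || cmd_r=$?
        case $cmd_r in
            0) printf '%-32s OK      -> %s\n' "$cmd_fqdn" "$2" ;;
            1) printf '%-32s WRONG   -> %s\n' "$cmd_fqdn" "$(resolve "$cmd_fqdn" | tr '\n' ' ')"; cmd_rc=1 ;;
            *) printf '%-32s MISSING (no A record)\n' "$cmd_fqdn"; cmd_rc=1 ;;
        esac
    done
    return $cmd_rc
}

# Usage: sh preflight.sh domain.tld other.tld ...   (exit status 1 if anything is off)
if [ "$#" -gt 0 ]; then
    pf_status=0
    for pf_domain in "$@"; do
        check_mail_domain "$pf_domain" "$MAIL_SERVER_IP" || pf_status=1
    done
    exit "$pf_status"
fi
```

Run it against the external zone before pressing the issue button in SSL It!; a WRONG line means the name still points at the www server, a MISSING line means the record was never created.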
 
We have no experience so far with this feature and will most likely not gain any in the foreseeable future.
For more than 20 years we have encouraged/enforced our customers to use the Plesk server name/FQDN as the name for incoming/outgoing mail, and we will most likely not change that policy in the future.

We have one server with email-only subscriptions on it, and here we are required to provide SSL connections via imap/pop/smtp/email/webmail subdomains.
Here we use a custom setup with acme.sh and an _acme-challenge.domain.tld CNAME record in the (externally hosted) DNS zone to achieve that.
But we also will not/cannot change that, as this new Plesk solution does not support Let's Encrypt certificates that cover imap.domain.tld/pop.domain.tld/smtp.domain.tld.
 
BTW @Plesk-Support: in the certificate overview, "mail-only domains" are shown as "expired", even if there is a valid certificate. Apparently it does not take into account that there is a certificate for webmail.domain.tld or for mailbox access. Screenshot attached; all domains listed there HAVE a valid certificate for mail.domain.tld and webmail.domain.tld.
I think this can be improved with a few lines of code ;-)

Thank you for your input. We are aware of this issue. Technically the SSL certificate is not installed for the main domain of the subscription, which is why the overview page does not provide any data. Our team is already working on improving that behavior in order to provide relevant information for the mail/webmail certificates.
 
Yes, the manual copying of the certificate is a solution (copy & paste only, of the key and the two CRTs; export and import via file fails).
We have everything (mail, subdomains) except www. of our main domain hosted on our Plesk server. /well-known/ is mounted via sshfs, and there's a cronjob copying the certs over (and reloading nginx). A bit kludgy, but it works so far.
 
/well-known/ is mounted via sshfs, and there's a cronjob copying the certs over (and reloading nginx). A bit kludgy, but it works so far.
Ingenious! In other areas I'm more like 'Gyro Gearloose'; your idea forces me to imitate it. Thanks for this input!
 
Hmm, now I have to hijack my own thread ;-)

I don't really understand what is preventing the creation of SSL certificates without wildcards for hosting domains, **even** for mail.domain.tld!
Only after many months have I realised why I always have to change the TXT entry in the external DNS for some domains, while not for others.
If it is not a wildcard domain, it works smoothly.

However, if it is not a wildcard domain, then mail.domain.tld does not get a certificate.

But the non-hosting domain does. Couldn't that be the same for both?

Here are two screenshots for clarification. One is a 'no-hosting domain', the other is a domain without www and without a * certificate, but then also without mail.
 

Integrating the option for the hosting type is a basis for backward compatibility issues, which our team wanted to avoid. The primary idea of introducing that feature is to give users who use Plesk for mail hosting only the possibility to secure mail/webmail.domain.com.
 