Issue When Mail Domain SSL Renews The Cert Reverts To domain.tld

[Ladylinux]

Server operating system version

Debian 11

Plesk version and microupdate number

18.0.65

Hello,

So this is a reoccurring annoyance. I have some accounts that I migrated off Cpanel and Hsphere that customers use mail.domain.tld for incoming and outgoing mail server.

I had to manually create a mail.domain.tld sub domain and then bind its cert to its mail settings.

When the domain mail.domain.tld renews for whatever reason the cert for mail.domain.tld reverts to just domain.tld

This is repeatable and results in a lot of customers complaining about cert issues

I have to go into the panel and manually apply mail settings to get the renewed SSL to bind properly to the mail.domain.tld

Mind you the panel shows the binding correctly to mail.domain.tld SSL

This obvious Kludge only exists because Plesk refuses despite many many requests to natively support mail.domain.tld SSL

Issue Let's Encrypt SSL certificate for mail server when the "A" DNS record for domain is pointing to another server

This feature is required for users with the configuration when on the Plesk only mail server for domain is used. "A" DNS record for mail.example.com is pointing to Plesk server, when when "A" record for example.com is pointing to another server.

plesk.uservoice.com

So any work around to keep these mail.domain.tld ssl bound properly ?

Thanks!!

Ladylinux

 

[Ladylinux]

OK,

Guess voting is a waste of time here.

Add possibility issue Let's Encrypt SSL certificate for mail server when the "A" DNS record for domain is pointing to another server

This feature is required for users with the configuration when on the Plesk only mail server for domain is used. "A" DNS record for mail.example.com is pointing to Plesk server, when when "A" record for example.com is pointing to another server.

plesk.uservoice.com

https://support.plesk.com/hc/en-us/articles/12377057738135-Is-it-possible-to-secure-the-mail-server-mail-example-com-with-Let-s-Encrypt-SSL-certificate-when-the-A-record-for-example-com-is-pointing-to-another-server

Sigh,

LadyLinux

 

[Maarten]

This is a well-known issue that has been discussed frequently on the forum. Unfortunately, it doesn't seem like a solution will be available in the near future. Hopefully, Plesk will consider addressing this at some point, as it's been a recurring request for quite some time.

 

[Sebahat.hadzhi]

@Ladylinux, @Maarten, thank you for bringing that up. Our team is currently working on introducing the ability to secure email-only hosting with Let’s Encrypt certificates. I do not want to provide any ETA at the moment in case something goes wrong and they need to postpone it, but it is planned for the release of the next SSL It! (+ Let’s Encrypt) version.

 

[Ladylinux]

@Ladylinux, @Maarten, thank you for bringing that up. Our team is currently working on introducing the ability to secure email-only hosting with Let’s Encrypt certificates. I do not want to provide any ETA at the moment in case something goes wrong and they need to postpone it, but it is planned for the release of the next SSL It! (+ Let’s Encrypt) version.

Thank You!!

LadyLinux

 

[Ladylinux]

Hi,

This is still wacked

With a "New" mail only domain and the latest SSL It! (Version 1.16.0-4789) Lets Encrypt (3.2.9 (14 January 2025)) extensions one can not secure properly a clients mail server.

SSL binds webmail.customerdomain.tld to mail.customerdomain.tld unless you deselect "secure webmail" when issuing a ssl certificate

If you do this deselect webmail is no longer ssl protected

This is not what should happen

Sigh,

LadyLinux

 

[trialotto]

@Ladylinux , @Maarten, @Sebahat.hadzhi

Situation has been changed, slightly for the better, but certainly not for the best.

In general, it is not recommend (and not good practice) to create a (separate) mail.domain.tld - keep that subdomain for the mail server, not for domain hosting!

In essence, the LE certificate for domain.tld is and can be equivalently valid for the mail.domain.tld.

The problem nowadays seems to be that the SslIt! extension (that includes Let's Encrypt) has some (major and minor) issues.

This issue - assigning a certificate to mail.domain.tld properly - is one of them.

Duly noted, it will be added to a list of "requested changes" that will be submitted in the form of a bug report.

In summary, @Ladylinux, if you have encountered some bugs in SslIt! extension, please elaborate!

Kind regards.....

 

[Ladylinux]

This issue - assigning a certificate to mail.domain.tld properly - is one of them.

Duly noted, it will be added to a list of "requested changes" that will be submitted in the form of a bug report.

Yes this is maddening. I have existing clients who are thousands of miles away from me who barely can change a password much less change mail server incoming and outgoing. These clients were migrated from Cpanel where mail.domain.tld is standard. The deselecting of mail.domain.tld when renewing is a massive annoyance and should have been resolved long ago.

My Debian 11 server with Plesk 18.0.70 and latest extensions still has the issue.

Lady Linux

 

[Kaspar]

Yes this is maddening. I have existing clients who are thousands of miles away from me who barely can change a password much less change mail server incoming and outgoing. These clients were migrated from Cpanel where mail.domain.tld is standard. The deselecting of mail.domain.tld when renewing is a massive annoyance and should have been resolved long ago.

My Debian 11 server with Plesk 18.0.70 and latest extensions still has the issue.

Lady Linux

The recently update of the SSL It! extension introduced native support to include the mail. subdomain into the domain certificate. There should be no need anymore to separately create subdomains and set/configure different certificates for the mail service on a domain.