kb: technical
ext: le
ABT: Group A
Applicable to:
- Plesk Onyx
Symptoms
- Valid SSL certificate is issued for example.com domain and installed in Domains > example.com > Hosting Settings > Security > Certificate, for example issued by Let's Encrypt.
- Another certificate is set for securing mail in Tools & Settings > SSL/TLS Certificates > Certificate for securing mail, for example, Plesk default self-signed certificate.
- Configuring a mail client, the domain name is set as Incoming/Outgoing mail server.
- The mail client is pulling the self-signed Plesk certificate instead of the Let's Encrypt certificate which is currently enabled for the subscription.
Cause
Such behavior is expected. There are two different certificates: a certificate for a website to use secure connection via HTTPS and a certificate to secure connections to mail server.
The connection is being established to the mail server and the certificate configured for securing mail in Plesk is used for the connection.
Resolution
Change the certificate for securing email server with the one which issued for the server's hostname hostname.com using the instructions from the article.
Comments
10 comments
The solution provided is not the best, i want to secure every domain on server with its own wildcard certificates not the main server's certificate because every client when he configures his mail program he will use his own domain's name on settings and he will get back error says certificate is issues for another domain or isn't trusted! please provide a CLI so we can enable option "SSL/TLS certificate for mail" for all subscriptions as I searched and didn't find how to do that, doing this option is available at Plesk on UI but when you have about 100 domains installed on server you will have to do it 100 times! please help us with bulk CLI options for all installed domains?
Hello Fouad Ahmed Fouad,
It is possible to set the certificate for mail with the next command:
# plesk bin subscription_settings --update example.com -mail_certificate 'certificate_name'
You may check all possible options of the command by using help:
# plesk bin subscription --help
Hello Mikhail,
Can we do it like a loop for all domains available on server using the installed SNI let's encrypt certificates instead of doing it manually for every domain at plesk. suppose we have 100 domains and we want to do it in one command.
Any GUI solution to be aplied for the noobs user?
We have same problem, seams not very profesional, say to customer that need accept exception security.
@Alex Rubio
Hi! With SNI support, the certificate can be selected under Domains > example.com > Mail Settings > SSL/TLS certificate for mail (see https://support.plesk.com/hc/en-us/articles/115001446174)
In Plesk Onyx, the certificate should be selected under Tools & Settings > SSL/TLS Certificates > Certificate for securing mail.
@Fouad Ahmed Fouad
With the standard name for Let's Encrypt certificates being "Lets Encrypt example.com", the command to set the mail server certificate for all domains would be as follows (with domains.txt containing the list of the domains):
# cat domains.txt | while read i; do plesk bin subscription_settings -u $i -mail_certificate "Lets Encrypt $i"; done
To put all domain names from Plesk into the text file, use the following command:
# plesk bin domain --list > domains.txt
I am confused by the comments and the solution. Here is my scenario same as Fouad Ahmed Fouad . Main server has a host name of host.example1.com and is secured by a wild card cert for both host and mail.. one of the domains example2.com has a lets encrypt cert for both domain and mail. the email works fine. However the error is showing the host cert as being non trusted when received by a client like apple mail.. So what cert should be used at the domain email?
Hello John Reddy
In that case, the certificate for example2.com should be in use.
Please, make sure that the domain has option to use it's own certificate enabled.
For the detailed investigation, please, submit a support request directly to Plesk or to our partner depending on where the license was purchased.
The top says applicable to Plesk Onyx but option '-mail_certificate' (as in Mikhail's example) does not work in (my) Plesk Onyx.
The option '-mail_certificate' works for me, but the only place where it is located is in that message, it isn´t in the help command and it is not on the Command documentation of subscription command. I have another question, Mikhail Shport do you know if there is another command to do it from xml api ?
Please sign in to leave a comment.