Applicable to:
- Plesk for Linux
Question
How to secure webmail.example.com with a Let's Encrypt certificate when example.com is hosted on a different server?
Answer
This functionality is not supported by the Let's Encrypt extension yet.
Take part in our product improvement and vote for this feature on Plesk UserVoice. The top-ranked suggestions are likely to be included in future Plesk versions.
As a workaround:
Note: The following steps are valid when the web hosting is configured with Apache only or with Apache and Nginx as a reverse proxy.
- Go to Subscriptions > example.com > Mail Settings, set the Webmail option to None to disable webmail on the main domain, and click OK to apply the changes.
- Go to Subscriptions > example.com > Add Subdomain, create the subdomain webmail.example.com, and click OK to apply the changes.
- Go to Domains > webmail.example.com > Apache & nginx Settings.
- Add the following content to the Additional Apache directives section, in both Additional directives for HTTP and Additional directives for HTTPS:

Note: On Plesk Obsidian servers, replace the line
FcgidInitialEnv PP_CUSTOM_PHP_CGI_INDEX fastcgi
with the line
FcgidInitialEnv PP_CUSTOM_PHP_CGI_INDEX plesk-php73-fastcgi

- RedHat-based systems:
CONFIG_TEXT:
DocumentRoot "/usr/share/psa-roundcube"
Alias /roundcube/ "/usr/share/psa-roundcube/"
Alias /.well-known/ "/var/www/vhosts/example.com/webmail.example.com/.well-known/"
<IfModule mod_suexec.c>
SuexecUserGroup roundcube_sysuser roundcube_sysgroup
</IfModule>
<IfModule mod_fcgid.c>
FcgidInitialEnv PP_CUSTOM_PHP_CGI_INDEX fastcgi
FcgidInitialEnv PP_CUSTOM_PHP_INI "/etc/psa-webmail/roundcube/php.ini"
FcgidMaxRequestLen 134217728
<Directory "/usr/share/psa-roundcube">
Options -Indexes +FollowSymLinks
AllowOverride FileInfo
Require all granted
Include "/etc/httpd/conf/plesk.conf.d/roundcube.htaccess.inc"
<Files ~ (\.php$)>
SetHandler fcgid-script
FCGIWrapper /var/www/cgi-bin/cgi_wrapper/cgi_wrapper .php
Options +ExecCGI
</Files>
</Directory>
</IfModule>
- Debian-based systems:
CONFIG_TEXT:
DocumentRoot "/usr/share/psa-roundcube"
Alias /roundcube/ "/usr/share/psa-roundcube/"
Alias /.well-known/ "/var/www/vhosts/example.com/webmail.example.com/.well-known/"
<IfModule mod_suexec.c>
SuexecUserGroup roundcube_sysuser roundcube_sysgroup
</IfModule>
<IfModule mod_fcgid.c>
FcgidInitialEnv PP_CUSTOM_PHP_CGI_INDEX fastcgi
FcgidInitialEnv PP_CUSTOM_PHP_INI "/etc/psa-webmail/roundcube/php.ini"
FcgidMaxRequestLen 134217728
<Directory "/usr/share/psa-roundcube">
Options -Indexes +FollowSymLinks
AllowOverride FileInfo
Require all granted
Include "/etc/apache2/plesk.conf.d/roundcube.htaccess.inc"
<Files ~ (\.php$)>
SetHandler fcgid-script
FCGIWrapper /var/www/cgi-bin/cgi_wrapper/cgi_wrapper .php
Options +ExecCGI
</Files>
</Directory>
</IfModule>
- If the Additional nginx directives field is present, add the following content to it:
CONFIG_TEXT:
location ~ ^/(?!.well-known).*$ {
proxy_pass http://webmail.example.com:7080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
- Go to Domains > webmail.example.com > Let's Encrypt and click Install.
- Add the certificate to a repository by navigating to Subscriptions > example.com > SSL/TLS Certificates and selecting Add SSL/TLS Certificate, or Advanced Settings if that menu is not present. Type in the certificate name (you will use it to identify the certificate in the list of all certificates), then upload it as described below:
  - If you store the certificate in the form of the *.key and the *.crt files, scroll down to the Upload the certificate files section and upload the files. If both the certificate and the private key parts of your certificate are contained in a *.pem file (you can check it by opening the *.pem file in any text editor), just upload it twice, both as the private key and the certificate. Click Upload Certificate when you have finished.
  - If you store the certificate as text, scroll down to the Upload the certificate as text section and paste the certificate and the private key parts into the corresponding fields. Click Upload Certificate when you have finished.
  - If you experience issues with certificate installation, contact the seller and ask for instructions for Plesk.
- Select the installed certificate.
- Click on Secure Webmail.
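The upload step above depends on whether a *.pem file holds the certificate, the private key, or both. The following is an added example, not part of the original article or of Plesk's tooling, that scripts that check; the names `pem_labels`, `upload_plan` and `SAMPLE_BUNDLE` are hypothetical and the sample bundle is constructed placeholder data.

```python
import base64
import re

# RFC 7468 textual encoding: BEGIN line, base64 body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S
)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}

# Constructed sample: placeholder bytes, not real key or certificate material.
_BODY = base64.b64encode(b"constructed placeholder bytes").decode()
SAMPLE_BUNDLE = (
    f"-----BEGIN PRIVATE KEY-----\n{_BODY}\n-----END PRIVATE KEY-----\n"
    f"-----BEGIN CERTIFICATE-----\n{_BODY}\n-----END CERTIFICATE-----\n"
)


def pem_labels(text):
    """Return the labels of all well-formed PEM blocks, in file order."""
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        # Legacy encrypted keys put "Proc-Type:"/"DEK-Info:" headers before the base64.
        b64 = "".join(l.strip() for l in body.splitlines() if ":" not in l)
        try:
            base64.b64decode(b64, validate=True)
        except ValueError:
            continue  # truncated or hand-edited block: do not count it
        labels.append(label)
    return labels


def upload_plan(text):
    """Map a PEM file's contents to the upload choice described in the article."""
    labels = pem_labels(text)
    certs = labels.count("CERTIFICATE")
    keys = [l for l in labels if l in KEY_LABELS]
    if certs and keys:
        plan = "upload the same file as both private key and certificate"
    elif certs:
        plan = "certificate only: the private key is in another file"
    elif keys:
        plan = "private key only: the certificate is in another file"
    else:
        plan = "no usable PEM blocks found"
    return {"certificates": certs, "keys": keys, "plan": plan}


if __name__ == "__main__":
    print(upload_plan(SAMPLE_BUNDLE))
```

The check is structural only: it does not confirm that the private key belongs to the certificate.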
Comments
9 comments
The "Use Let's Encrypt certificate" part is not updated.
"FcgidInitialEnv PP_CUSTOM_PHP_CGI_INDEX fastcgi" needs to be changed to "FcgidInitialEnv PP_CUSTOM_PHP_CGI_INDEX plesk-php73-fastcgi"
===== My Plesk version =====
Plesk Obsidian
Version 18.0.20, last updated on Oct 29, 2019 11:00 PM
How am I supposed to use a Let's Encrypt Wildcard on the server that is just hosting mail? Since the site is not hosted on the server hosting mail the LE file validation will fail.
I followed the second option, creating a webmail subdomain, and now I get an internal server error for webmail and I can't turn webmail back on under the primary domain because there is a subdomain with the name webmail.xxxx.com. These workarounds don't seem to work at all.
Hello @Nick,
There're plans to add functionality to assign TLS Certificate to Webmail on a domain without hosting.
As for the issue you currently have, please submit a request for Plesk Support; additional investigation is required. If the license was bought from us directly, the request may be submitted to us. If it was purchased from our partner, submit a request to them.
@Lok Ming Chu
Hi,
I agree with you because starting from Plesk Obsidian, PHP by OS vendor may not be installed at all. The article will be modified accordingly.
As a workaround for roundcube:
1. Copy /usr/local/psa/admin/conf/templates/default/webmail/roundcube.php -> /usr/local/psa/admin/conf/templates/custom/webmail/roundcube.php
2. Edit the custom roundcube.php -> Append following Line under Alias /roundcube/ :
Alias /.well-known/acme-challenge "/var/www/vhosts/default/htdocs/.well-known/acme-challenge"
3. plesk sbin httpdmng --reconfigure-all
4. Add Subdomain webmail.domain.tld
5. Secure this subdomain with Let's Encrypt
6. Click SSL on the main domain, click Advanced Settings and secure webmail with the certificate from the subdomain
And that's all, I hope this helps.
Greetz Alex
Hello Alexander Koch
Thank you for the suggestion, it may be useful for other Pleskians.
The workaround posted by Alexander Koch on January 23, 2020 is only applicable for Linux, not Windows. How can we do this for Windows?
I managed securing webmail.domain.tld by creating the subdomain "webmail", issuing a certificate for it, then deleting this subdomain, and using the previously generated certificate to secure the Webmail.
But this will only work for 3 months, and the certificate will not be renewed automatically!
Would you please update your workaround to be applicable to Windows!? Thank you very much... We can't wait any longer for a working workaround. (And yes, I voted on UserVoice... this has been open since 2017, such a shame for the dev team.)
Hello Alex. At this moment the only available workaround for Windows is to purchase SSL certificate from the 3rd party.