Applicable to:
- Plesk for Linux
- Plesk for Windows
Question
Is it possible to secure the mail server mail.example.com
with a Let's Encrypt SSL certificate when the A record for example.com
points to another server?
Answer
This functionality is not yet implemented in Plesk.
Consider voting for this feature on the UserVoice portal. The top-ranked suggestions are likely to be included in the next versions of Plesk.
Alternatively, issue a certificate from another authority and secure mail using it:
How to install an SSL certificate for a domain in Plesk (Let's Encrypt / other certificate authorities)
- Create a web hosting enabled subdomain mail.example.com
- Go to Domains > mail.example.com > SSL/TLS Certificates
- Issue a new certificate
- Go to Domains > example.com > Mail Settings
- Assign the certificate for mail.example.com
Note: If example.com has no web hosting, it is necessary to create a new subscription for the subdomain mail.example.com.
Warning: Setting a certificate from a different domain for mail is a temporary solution. Each Let's Encrypt certificate renewal deletes the old certificate and issues a new one. As a result, the old certificate on example.com becomes unchecked, so after each Let's Encrypt renewal the certificate has to be assigned to the domain again, either manually or with a script.
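The state described in the warning shows up to mail clients as a certificate error, so it can be detected from outside the server. The following is an added example (not Plesk's own code) that inspects the certificate served for mail.example.com and reports a name mismatch, an untrusted chain or a near expiry. Port 993 (IMAPS), the 7-day threshold and all function names are assumptions.

```python
import socket
import ssl
import sys
import time


def hostname_matches(pattern, hostname):
    """Exact match, or one leftmost '*' label (as in '*.example.com')."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h


def cert_problems(cert, hostname, now=None, min_days_left=7):
    """Check a dict shaped like ssl.SSLSocket.getpeercert() output."""
    now = time.time() if now is None else now
    problems = []
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(hostname_matches(n, hostname) for n in names):
        problems.append("name-mismatch")
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 0:
        problems.append("expired")
    elif days_left < min_days_left:
        problems.append("expiring-soon")
    return problems


def probe(host, port=993, timeout=10):
    """Fetch the certificate served on an implicit-TLS mail port and check it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # names are compared in cert_problems() instead
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return cert_problems(tls.getpeercert(), host)
    except ssl.SSLCertVerificationError:
        return ["untrusted-chain"]  # chain not trusted, e.g. self-signed


if __name__ == "__main__":
    found = probe(sys.argv[1] if len(sys.argv) > 1 else "mail.example.com")
    print("OK" if not found else "PROBLEMS: " + ", ".join(found))
    sys.exit(1 if found else 0)
```

Run from a monitoring host shortly after each expected renewal, a non-zero exit status signals that the certificate needs to be assigned again.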
Comments
4 comments
I have done this and it worked fine, but when the SSL certificate of mail.example.com was renewed the mail settings of example.com where this one was set
The workaround only works until the certificate is renewed again, as the renewal process then clears the selected certificate on the root domain, leaving the mail without a certificate. This is a bug. Can you fix that? It shouldn't touch the configuration on the main domain.
Hello Tom,
Correct. Each certificate renewal requires setting the certificate on the domain again. This is a new scenario that requires additional research, which is why a feature request has been created. For now, the solution is that when the Let's Encrypt certificate expires, the certificate has to be renewed on the domain manually or with the command line:
You may create a script/scheduled task that is executed on a daily basis, for example.
@Julia Minenkova - unfortunately daily execution of the CLI Cert assign isn't really helping ...
If the Cert is automatically renewed at 09:00 AM ... and the CLI Script is run every day at, let's say, 02:00 AM ... we will get calls from our Customers the whole day as they can't access their E-Mails because of Cert Errors ...
Our 1-Level Support is losing DOZENS OF HOURS per month manually re-assigning LE Certs because of this, which causes massive support costs ...
We really need to find a better Solution here ... is there the possibility of some kind of Webhook when Certs are renewed - so we can automatically trigger the re-assign after the renewal?
Or any other viable solution?