Applicable to:
- Plesk Obsidian for Linux
Symptoms
- After a Let's Encrypt certificate is set for mail SNI following the article How to secure a Plesk mail server with different SSL certificates (SNI support), the mail server still returns the default certificate instead:
# echo Q | openssl s_client -connect mail.example.com:25 -starttls smtp -servername mail.example.com -showcerts 2>/dev/null | openssl x509 -noout -text | grep -E 'Subject:|DNS:'
Subject: CN = plesk.example.org
DNS:plesk.example.org
- The following can be found in /var/log/maillog if Postfix debugging is enabled:
postfix/smtpd[43261]: warning: error loading SNI data for mail.example.com: unexpected PEM type: CERTIFICATE REQUEST
postfix/smtpd[43261]: warning: error loading private keys and certificates from: SNI data for mail.example.com: aborting TLS handshake
- The certificate used for mail SNI has a CSR (certificate signing request) stored in the Postfix SNI map:
# postmap -s /var/spool/postfix/plesk/certs | grep 'mail.example.com' | cut -d$'\t' -f2 | base64 -d | head -n1
-----BEGIN CERTIFICATE REQUEST-----
- The same certificate also has a CSR component in Domain > example.com > SSL/TLS Certificates > Advanced Settings (if SSL It! is installed) > CertificateName
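To find every affected entry rather than checking one domain by hand, here is an added diagnostic script (not from the article or from Plesk) that reads a `postmap -s` dump of the SNI map from stdin and flags entries whose decoded PEM bundle contains a CERTIFICATE REQUEST block; the function name and output format are my own.

```shell
# Added diagnostic, not part of the Plesk article or product: scan a
# `postmap -s` dump of the Postfix SNI map and flag entries whose PEM data
# contains a CERTIFICATE REQUEST block, which smtpd rejects with
# "unexpected PEM type: CERTIFICATE REQUEST".
# Dump format, one entry per line: <server name><TAB><base64-encoded PEM bundle>
# Usage: postmap -s /var/spool/postfix/plesk/certs | check_sni_map
check_sni_map() {
    bad=0
    tab=$(printf '\t')
    while IFS="$tab" read -r name blob; do
        [ -n "$name" ] || continue
        # Decode the bundle and keep only the PEM block labels (BEGIN lines),
        # joined with ';' so they can be matched and printed on one line
        labels=$(printf '%s' "$blob" | base64 -d 2>/dev/null \
                 | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' | tr '\n' ';')
        case "$labels" in
            *"CERTIFICATE REQUEST"*)
                printf '%s: BAD - contains CERTIFICATE REQUEST (%s)\n' "$name" "$labels"
                bad=$((bad + 1)) ;;
            "")
                printf '%s: BAD - no PEM blocks could be decoded\n' "$name"
                bad=$((bad + 1)) ;;
            *)
                printf '%s: ok (%s)\n' "$name" "$labels" ;;
        esac
    done
    # Exit status is the number of affected entries (0 means the map is clean)
    return "$bad"
}
```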
Cause
Product issue:
- #PPPM-10715 "Fixed issues created by the bug fix PPPM-10715. You can now rename your domain or restore it from a backup—no issues with your mail for a domain will occur."
Fixed in:
- Plesk Obsidian 27 August 2019 (Linux)
- Plesk Obsidian 31 July 2019 (Linux)
Resolution
Update to the latest version of Plesk Obsidian.
Workaround
If updating is not possible for some reason, use certificates without a CSR supplied (that is, not issued by the Let's Encrypt or SSL It! extensions).
Comments
Any solution here?
I am using Let's Encrypt and have the latest updates installed, last checked today.
I got errors in the maillog: TLS SNI XY from XY[xx.xx.xx.xx] not matched, using default chain
Moreover, this truly affects only Obsidian; on other, older servers there are no problems.
I just saw many such fails -.-
Hello @Lenor
The most probable cause of the issue is that many domains use one IP address and the global certificate for mail from Plesk > Tools & Settings > SSL/TLS Certificates > Certificate for securing mail. So, to use SNI it is necessary to set a separate certificate for each domain there: Plesk > Domains > example.com > Mail Settings > SSL/TLS certificate for mail.
However, it should not affect email delivery.
After upgrading to Obsidian I was able to create and select a certificate for each domain and its mail service. But these certificates are ignored, because in Tools & Settings -> SSL/TLS there is still the global option for mail certificates, and this one is delivered by the mail server.
How do I make Plesk use the new certificates I created and assigned to each domain, including for the mail service?