Auto accept renewed email certificates


#1

My domains are:
revo.co.uk, galloacoustics.co.uk, blackvue.uk

I ran this command:
auto-renewing certificates every 3 months

It produced this output:
Certificates auto-renew correctly, but need to be manually accepted for each email account. On certain platforms (e.g. iOS), this means having to delete the account and re-add from scratch every 3 months. I feel like this can’t be how it’s supposed to operate, so it must be an issue with how I’ve configured it. I just don’t know what I need to change though. I realise this is possibly an issue with configuration somewhere other than with Let’s Encrypt, but hoped it might at least be something someone has come across or can point me in the correct direction with.

My web server is (include version): 185.77.175.243

The operating system my web server runs on is (include version): Centos 7

My hosting provider, if applicable, is: Tagadab

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk 17.5.3


#2

Could you perhaps elaborate on that point? I’m not sure I follow what you’re needing to accept after each renewal.


#3

Hi, thanks for replying. What I mean is, every time the certificates renew, all users get a number of popups in their mail client as per the attachment (all are using Apple Mail).

Unfortunately, as a business, we have over 10 different domains, each with their own email accounts, which elevates this issue from an occasional minor inconvenience to a major recurring headache.

On their Macs, they have to go through each certificate and accept. This will fix it the majority of times. However, occasionally they have to delete and re-add the account. This happens every time on iPhone. There seems to be an issue on iOS whereby you can’t alter a certificate once it’s accepted, meaning that the only option, upon renewal, is to delete the account entirely from the iPhone and re-add.

I don’t have the problem on my Android, so I suspect it might be an Apple issue, but it’s so consistent across all users that I’m hoping, even if it’s a configuration issue of my own making, it’s one that others have come across.


#4

If the certificate is being used for a server with the name of “mail.nwxgroup.com”, it must contain the name of “mail.nwxgroup.com”. Your cert apparently does not.


#5

According to Google’s Certificate Transparency query, there has never been a publicly-trusted certificate issued for mail.nwxgroup.com!


#7

…because the name on the certificate doesn’t match the name they’re trying to connect to.


#8

@danb35, the post you replied to was a spam post that quoted a sentence from @fraserYT’s original post verbatim, plus some spam links. :frowning: There wasn’t actually any new information about the certificate problem here.


#9

According to Google’s Certificate Transparency query, there has never been a publicly-trusted certificate issued for mail.nwxgroup.com

This points to an issue with how I have configured my certificates then, since I am definitely seeing that there is a Let’s Encrypt certificate for nwxgroup.com.


#10

Hi @fraserYT,

There are two active certificates:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:true;domain:nwxgroup.com&lu=cert_search

But the first has only

nwxgroup.com
www.nwxgroup.com

as names, the second has only one name - hub.nwxgroup.com.

So if you can update the first certificate, then add a third name, mail.nwxgroup.com.


#11

Thanks for your help. That makes sense, but the certificate was automatically issued via my Plesk dashboard. I had very few configuration options. I had the choice to include a www subdomain, but that was it.

How would I go about adding mail.nwxgroup.com?

Another source of issues, as far as I can tell, is the top level of our cloud server. This has its own certificate issued (xvm72892.vps.cloud.tagadab.com) which we are asked to accept when configuring an email account in a mail client. I appreciate this is a generic name which I need to change to something more specific, but even if I change this to something appropriate to our master brand (e.g. server.nwxgroup.com), because we have so many other brands, would that certificate not still flag up as being a different name than the originator (e.g. revo.co.uk, galloacoustics.com, blackvue.uk etc.)?


#12

I’ve been speaking with my host about email issues. We have individual Let’s Encrypt certificates for each website, but they confirmed the mail server uses the same top-level certificate for all domains. This is currently xvm72892.vps.cloud.tagadab.com. Because this is generic, and one of our accounts was recently hacked and used for spam, we have been listed with Cloudmark as having a poor reputation. They have said that they would not consider removing us while we have a generic certificate name, so I will change this today to server.nwxgroup.com.

However, because this top level certificate is used for the email of all other domains, we need to add aliases for them all (mail.revo.co.uk, mail.galloacoustics.com, mail.blackvue.uk etc).

The option to add aliases is not present in the Plesk dashboard through which I issued the certificates, even though it appears that it should be.

How would I go about adding these directly with Let’s Encrypt?
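The mismatch discussed in this thread, as an added example that is not part of the original posts: given the dNSName entries of the shared mail-server certificate (in the tuple form Python's `ssl` module returns from `getpeercert()`) and the hostnames users enter in their mail clients, list the names the certificate does not cover, which are exactly the ones that produce trust prompts after each renewal. The SAN list and hostname list below are constructed from the names in the thread; `fetch_smtp_sans` is an optional live probe that is not run by the offline check.

```python
"""Check whether a mail server's certificate covers the hostnames clients connect to."""
import smtplib
import ssl


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName match: case-insensitive; a wildcard is allowed only
    as the whole leftmost label and matches exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split(".")[1:], hostname.split(".")
    # *.example.com covers mail.example.com, but not example.com or a.b.example.com
    return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels


def dns_names(subject_alt_name) -> list:
    """Extract the dNSName values from getpeercert()['subjectAltName']."""
    return [value for kind, value in subject_alt_name if kind == "DNS"]


def missing_names(subject_alt_name, client_hostnames) -> list:
    """Hostnames that no SAN entry covers; each one triggers a trust prompt in mail clients."""
    names = dns_names(subject_alt_name)
    return sorted(h for h in client_hostnames if not any(san_matches(n, h) for n in names))


def fetch_smtp_sans(host: str, port: int = 587):
    """Live probe (network required): STARTTLS to the server and return its SAN tuples.
    With a default context, a name mismatch raises ssl.SSLCertVerificationError, which is
    the same failure the mail clients in the thread are reporting."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.starttls(context=ssl.create_default_context())
        return smtp.sock.getpeercert().get("subjectAltName", ())


# Constructed stand-in for the shared server certificate described in the thread.
SERVER_SANS = (("DNS", "xvm72892.vps.cloud.tagadab.com"),)
# Hostnames the thread says users connect to (constructed list, from the names posted).
CLIENT_HOSTNAMES = ["mail.nwxgroup.com", "mail.revo.co.uk",
                    "mail.galloacoustics.com", "mail.blackvue.uk"]

if __name__ == "__main__":
    for name in missing_names(SERVER_SANS, CLIENT_HOSTNAMES):
        print(f"not covered by the server certificate: {name}")
```

Once the certificate is reissued with the extra names (or a wildcard per domain), the same check returns an empty list.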


#13

The requests are always made by some client application, and it’s probably not worthwhile to issue the certificates outside of Plesk if you intend to continue using it to administer your services. So I would suggest asking Plesk support why the alias option is missing.


#14

Thanks again for your help and support. I had asked them why the alias option wasn’t available, but they didn’t seem to know. However, since some of our issues seemed to come from so many domains sharing a single IP, I ended up just purchasing a range of IPs and moving our main sites across them.

More relevant to my original question, I also found a setting in Plesk which changed how certificates identify on outgoing emails. Previously, the default option “Send from domain IP addresses” was selected, but I changed this to “Send from domain IP addresses and use domain names in SMTP greeting”. It seems like this should solve my issue, but I guess time will tell.

In case it helps anyone else, this setting is found in Plesk under Tools and Settings / Mail Server Settings.