I ran this command:
auto-renewing certificates every 3 months
It produced this output:
Certificates auto-renew correctly, but need to be manually accepted for each email account. On certain platforms (e.g. iOS), this means having to delete the account and re-add it from scratch every 3 months. I feel like this can’t be how it’s supposed to operate, so it must be an issue with how I’ve configured it. I just don’t know what I need to change though. I realise this is possibly an issue with configuration somewhere other than with Let’s Encrypt, but hoped it might at least be something someone has come across or can point me in the correct direction with.
My web server is (include version): 185.77.175.243
The operating system my web server runs on is (include version): Centos 7
My hosting provider, if applicable, is: Tagadab
I can login to a root shell on my machine (yes or no, or I don’t know):
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk 17.5.3
Hi, thanks for replying. What I mean is, every time the certificates renew, all users get a number of popups in their mail client, as per the attachment (all are using Apple Mail).
Unfortunately, as a business, we have over 10 different domains, each with their own email accounts, which elevates this issue from an occasional minor inconvenience to a major recurring headache.
On their Macs, they have to go through each certificate and accept. This will fix it the majority of times. However, occasionally they have to delete and re-add the account. This happens every time on iPhone. There seems to be an issue on iOS whereby you can’t alter a certificate once it’s accepted, meaning that the only option, upon renewal, is to delete the account entirely from the iPhone and re-add.
I don’t have the problem on my Android, so I suspect it might be an Apple issue, but it’s so consistent across all users that I’m hoping, even if it’s a configuration issue of my own making, it’s one that others have come across.
If the certificate is being used for a server with the name of “mail.nwxgroup.com”, it must contain the name of “mail.nwxgroup.com”. Your cert apparently does not.
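The rule stated above, that the name the mail client connects to must appear in the certificate's subjectAltName, can be checked mechanically. The following Python example is added here and is not code from the thread, from Plesk or from Let's Encrypt. The SAN lists in it are constructed to mirror the thread (a site certificate for `nwxgroup.com` plus `www`, the generic `xvm72892.vps.cloud.tagadab.com` host certificate, and a hypothetical `mail.nwxgroup.com` certificate); they were not fetched from the real servers. `probe_smtp_cert` is a live probe and assumes STARTTLS on the submission port 587; the offline `san_matches` function implements the RFC 6125 name-matching rules that Apple Mail and browsers apply.

```python
"""Check whether the hostname a mail client uses is covered by the SMTP
server's certificate.  Added example; SAN lists below are constructed."""
import smtplib
import ssl
from typing import Iterable


def san_matches(hostname: str, san_names: Iterable[str]) -> bool:
    """Return True if `hostname` is covered by a dNSName SAN entry.

    Rules (RFC 6125, as applied by mail clients and browsers):
      * comparison is case-insensitive and ignores a trailing dot
      * a wildcard is honoured only as the complete left-most label
      * a wildcard matches exactly one label, so *.example.com covers
        mail.example.com but neither example.com nor a.b.example.com
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in san_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host_labels):
            continue
        if "*" in name:
            # "*" must be the whole first label; "m*.example.com" is rejected,
            # and "*.com"-style wildcards are refused outright
            if labels[0] != "*" or any("*" in l for l in labels[1:]) or len(labels) < 3:
                continue
        if all(p == "*" or p == l for p, l in zip(labels, host_labels)):
            return True
    return False


def dns_names_from_cert(cert: dict) -> list:
    """Pull the dNSName entries out of the dict ssl.SSLSocket.getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def probe_smtp_cert(host: str, port: int = 587, timeout: float = 10.0) -> dict:
    """STARTTLS against `host` and report whether the presented certificate
    chains to a public CA and whether its SANs cover `host`.
    Network call (assumed port 587 submission); not run by the offline checks."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # the name check is done by san_matches
    ctx.verify_mode = ssl.CERT_REQUIRED  # but a publicly trusted chain is still required
    result = {"host": host, "trusted": False, "san_names": [], "matches": False, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            smtp.starttls(context=ctx)
            cert = smtp.sock.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # a self-signed or private-CA host certificate ends up here
        result["error"] = f"untrusted certificate: {exc.verify_message}"
        return result
    except (OSError, smtplib.SMTPException) as exc:
        result["error"] = str(exc)
        return result
    result["trusted"] = True
    result["san_names"] = dns_names_from_cert(cert)
    result["matches"] = san_matches(host, result["san_names"])
    return result


# Constructed SAN lists mirroring the thread; not fetched from the real hosts.
PLESK_SITE_CERT = ["nwxgroup.com", "www.nwxgroup.com"]          # what Plesk issued
GENERIC_HOST_CERT = ["xvm72892.vps.cloud.tagadab.com"]          # the shared mail-server cert
MAIL_CERT = ["mail.nwxgroup.com", "server.nwxgroup.com"]        # hypothetical fix

if __name__ == "__main__":
    client_name = "mail.nwxgroup.com"
    for label, sans in (("site cert", PLESK_SITE_CERT),
                        ("generic host cert", GENERIC_HOST_CERT),
                        ("mail cert", MAIL_CERT)):
        verdict = "covers" if san_matches(client_name, sans) else "does NOT cover"
        print(f"{label} {sans} {verdict} {client_name}")
```

Only the third list covers `mail.nwxgroup.com`; the site certificate and the generic host certificate both fail the name check, which is exactly the prompt Apple Mail raises. A real probe with `probe_smtp_cert("mail.nwxgroup.com")` reports `trusted=False` if the chain is not publicly trusted, and `matches=False` if the chain is fine but the SANs are wrong; both are reasons for a client to prompt.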
@danb35, the post you replied to was a spam post that quoted a sentence from @fraserYT’s original post verbatim, plus some spam links. There wasn’t actually any new information about the certificate problem here.
According to Google’s Certificate Transparency query, there has never been a publicly-trusted certificate issued for mail.nwxgroup.com
This points to an issue with how I have configured my certificates then, since I am definitely seeing that there is a Let's Encrypt certificate for nwxgroup.com.
Thanks for your help. That makes sense, but the certificate was automatically issued via my Plesk dashboard. I had very few configuration options. I had the choice to include a www subdomain, but that was it.
Another source of issues, as far as I can tell, is the top level of our cloud server. This has its own certificate issued (xvm72892.vps.cloud.tagadab.com) which we are asked to accept when configuring an email account in a mail client. I appreciate this is a generic name which I need to change to something more specific, but even if I change this to something appropriate to our master brand (e.g. server.nwxgroup.com), because we have so many other brands, would that certificate not still flag up as being a different name than the originator (e.g. revo.co.uk, galloacoustics.com, blackvue.uk etc.)?
I’ve been speaking with my host about email issues. We have individual Let’s Encrypt certificates for each website, but they confirmed the mail server uses the same top-level certificate for all domains. This is currently xvm72892.vps.cloud.tagadab.com. Because this is generic, and one of our accounts was recently hacked and used for spam, we have been listed with Cloudmark as having a poor reputation. They have said that they would not consider removing us while we have a generic certificate name, so I will change this today to server.nwxgroup.com.
The requests are always made by some client application, and it’s probably not worthwhile to issue the certificates outside of Plesk if you intend to continue using it to administer your services. So I would suggest asking Plesk support why the alias option is missing.
Thanks again for your help and support. I had asked them why the alias option wasn’t available, but they didn’t seem to know. However, since some of our issues seemed to come from so many domains sharing a single IP, I ended up just purchasing a range of IPs and moving our main sites across them.
More relevant to my original question, I also found a setting in Plesk which changed how certificates identify on outgoing emails. Previously, the default option “Send from domain IP addresses” was selected, but I changed this to “Send from domain IP addresses and use domain names in SMTP greeting”. It seems like this should solve my issue, but I guess time will tell.
In case it helps anyone else, this setting is found in Plesk under Tools and Settings / Mail Server Settings.