Plesk Onyx + lets encrypt + iphone (lack of trust button)

OS: CentOS Linux 7.5.1804 (Core)
Panel: Plesk Onyx Version 17.5.3

So all is good for people using iPhones to send/receive email on my server EXCEPT when the LETsENCRYPT cert renews.

client domain has SSL via plesk using LETsENCRYPT.
my plesk server host has LETsENCRYPT (this is host.domain.com that is actually sending email)

all email clients have a notification that ask, do you want to trust this cert EXCEPT the iPhone.
is there a way around it?

my solution is to not use LETsENCRYPT and buy a 2 year ssl for my server host domain.

The current solution of deleting settings and email account on iphone (and adding them back) is NOT a good one.

any feedback?
thanks

Then you're doing something very wrong--most likely that the clients are trying to connect to a hostname that isn't on the cert.

thanks dan,

so to confirm:

  1. are you saying, if settings are done correctly, NO email client will ask: “do you trust the SSL”?

  2. via plesk panel, LETsENCRYPT is done for client domain, call it: XYZ.com
    also via plesk, my server has LETsENCRYPT for host.servername.com

then on email client, they using for incoming and outgoing server: XYZ.com

note: all email coming/going on my server goes through host.servername.com, unless I’m wrong?

ps. I know LETsENCRYPT and Plesk are integrated (work well together)… so please correct me where I have it wrong? thanks!!!

PSS. I am led to believe it’s the iPhone with the issue. my macbook has the “check box”, but iphone does not!

Yes. That's the point of publicly-trusted certificates--you shouldn't ever need to manually trust them. If you do, something is wrong. There are several candidates for that "something", but the one that seems to come up most often in the email context is that (using your examples) the client is connecting to XYZ.com, but the server is presenting a certificate for (only) host.servername.com. It's possible (common, even) to have more than one name on a cert; in the case you describe, you should probably have a single cert that covers both xyz.com and host.servername.com.

The problem is aggravated by the fact that iOS devices don't tend to have as much flexibility as real computers, so a configuration problem that could be worked around on a computer, can't on an iPhone.

ohhhh… interesting…

So can Plesk and LETsENCRYPT (via the simple push button in plesk) have 1 LETsENCRYPT SSL for the xyz.com domain and the host.servername.com ?

my guess is No, Plesk doesn’t do that via a simple push of but maybe my support team can get it done?

thanks! never knew about a cert covering 2 different domains :slight_smile:

Hi,

The issue tends to vary… you probably need to share with us the exact error message and the certificate output (the subject name, common name, certificate authority) in order for us to help you better…

However, can you please take a look at this post and see if step 7 is done? (That should be able to resolve your issue, that the certificate is not trusted…, Probably a hostname mismatch or self signed)
https://docs.plesk.com/en-US/onyx/administrator-guide/plesk-administration/securing-plesk/securing-plesk-and-the-mail-server-with-ssltls-certificates.59466/#o78763

If the above post resolved your issue, please tell us (so we could close this thread)… if not, please provide us the following information:

  1. Certificate shown in the “do you trust screen”
  2. CA of that certificate

Or please provide us the domain name in issue & port (for smtp / pop) so we could try to connect to the server and see what’s the output of the certificate.

Thank you

Thanks Steven,

  1. yes, that link you provided, all steps were done (I actually redid step 7)
  2. these are client emails (only people with iPhone), my email is fine and all clients with any BESIDES iPhone.
  3. because on item 1 above, they were already selected, it did not change/fix anything.
  4. so when the iphone user who tries to use email: they see this:

cannot verify server identity
The identity of “xyz.com” cannot be verified by Mail. Review the certificate details to continue.
Continue
Details
Cancel

note: click continue does nothing but SHOW you a lot of stuff… the same option as Details.

NOTE: all other clients I have seen: android, mac os, etc… when this happens, it has a check box that you can select to “Trust it”. You click the box and hit continue. all is good. BUT the iphone does not have the check box.
AND the only solution I know is to delete email account and SMTP server OFF the iPhone and just added it back. Exact Same Settings. And it works just fine.

So the 1st time iPhone tries a cert… it will trust it. IF however, the Lets Encrypt cert updates/renews… it fails.
and I have to go back to delete and add it again.

thanks

Hi,

In the details… is it shown that the certificate was issued by Let’s Encrypt? (CA)

Thank you

What's the real domain? What are the details?

Hello… thanks again Steve

so yes, i confirmed it is the Lets Encrypt cert. The popup on the iPhone is this:

host.servername.com
Issued by Let’s Encrypt Author…

NOT TRUSTED
Expires 10/1/18…

More Details >

and all links/clicks basically go no where… you can’t “do” anything.
TO ME… it's an iPhone bug. The iPhone should add a “trust checkbox”, just like the MAC OS…
and all is good.

HOWEVER, the above replies are telling me I should NEVER need to “Trust” a cert… but I’ve always had to trust a cert for email while I have used Plesk over the years.

thanks, but the real domain, real details are not in question. The issue is why is the problem coming up to begin with.

PS. my client just deleted email account/ SMTP server off the iphone and added it back. All is working now. same settings, etc. BUT I can’t have client do this every 3 months.

It kind of is. It's pretty hard for us to tell exactly what's going on without being able to see the actual domains. Recall that when you opened the topic, you would have been presented with the following:

Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

If you could decide that the real domain isn't really important, then I guess you should be able to figure out yourself what the problem is, right? :wink:

Not trying to be mean here, but if you don't really actually know the problem, how do you actually know the real details aren't possibly the answer to the problem?

Thanks everyone for the help. the crt.sh site is pretty cool :slight_smile:

https://crt.sh/?q=501ranch.com
https://crt.sh/?q=host.webinteractiveconsulting.com

notes:

  1. only iphone has issues when host cert renews
  2. then if iphone user deletes/removes email account and the smtp server, then ADDs it back… it works fine.
  3. ALL other email clients (including macbooks), it just prompts with “do you trust this cert” and click yes, it works fine.

So if the iPhone would just fix their issue? All would be good, but that isn’t going to happen.

If someone knows the cause of my server (plesk mail server) forcing all email clients to Ask For Trust… well, that would be great too!

otherwise, my only other option (that I know of) is to buy a 2 year cert like I had before and use it for mail server.

thanks

Hi,

I personally think the issue is with the configuration of your services… (since no SNI is enabled)

Since connecting with openssl s_client -connect 501ranch.com:465 -servername 501ranch.com (and all encrypted mail ports) only shows a certificate for subject=/CN=host.webinteractiveconsulting.com.

I’m even wondering if Plesk has SNI support on mail… (As of Aug 17 2018, more certificates for mail servers still need to be done from command line…)

Thank you
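The check from the post above, as an added example that is not part of the thread: given the certificate a mail port presents, report which of the hostnames configured in mail clients it actually covers. The sample certificate is constructed from the thread's placeholder names (`host.servername.com`, `xyz.com`); `fetch_cert`, `cert_names`, `covers` and `audit` are names chosen for this sketch.

```python
import socket
import ssl

def fetch_cert(host, port, sni=None):
    """Certificate dict presented on an implicit-TLS port (465, 993, 995).
    The chain is validated; the name is deliberately not, so a certificate
    issued for a different hostname can still be inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # name matching is done by covers() below
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()

def cert_names(cert):
    """DNS names from subjectAltName (Let's Encrypt always lists them there)."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def covers(pattern, hostname):
    """RFC 6125 style match: '*' is accepted only as the whole left-most label."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if p.startswith("*."):
        return h.count(".") == p.count(".") and h.split(".", 1)[1] == p[2:]
    return p == h

def audit(cert, client_hostnames):
    """Map each hostname configured in a mail client to covered / not covered."""
    names = cert_names(cert)
    return {h: any(covers(n, h) for n in names) for h in client_hostnames}

# Constructed sample in ssl.getpeercert() format: a certificate that names
# only the server's own hostname, which is the situation the thread describes.
SAMPLE_CERT = {
    "subject": ((("commonName", "host.servername.com"),),),
    "subjectAltName": (("DNS", "host.servername.com"),),
}

if __name__ == "__main__":
    configured = ["xyz.com", "smtp.xyz.com", "host.servername.com"]
    for name, ok in audit(SAMPLE_CERT, configured).items():
        print(f"{name:22} {'covered' if ok else 'NOT covered, client will warn'}")
```

Against a live server, pass the result of `fetch_cert(name, 465, sni=name)` to `audit`, and repeat with `sni=None`; identical certificates in both runs mean the mail service is not selecting a certificate by SNI.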

That's not fine, Let's Encrypt certs should work without any errors, warnings or other measures of such sorts.

Also, we need to exactly know which hostname is used in the e-mail clients to connect to and which service gives the error. IMAP? SMTP?

Hi @larryk

I don't know exactly what iPhone is doing there. But

https://host.webinteractiveconsulting.com/

hasn't the correct certificate:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:host.webinteractiveconsulting.com&lu=cert_search

Instead, there is a self signed certificate. Maybe iPhone checks the domain.

So change the certificate of https://host.webinteractiveconsulting.com/

That’s not the concern here I’m afraid…

Hi @larryk
The output from POP & SMTP & IMAP is with a valid certificate, however without SNI (so it will always be your server certificate instead of the site's certificate)

That’s the reason your clients always need to “trust” the certificate… (And a 2 year certificate in your means, only represent that the user won’t need to retrust the certificate again in two years) I’m afraid there’s no automated “working” solution, you’ll need to wait until Plesk decides to support it… (Or there might be some plugins that will help your server setup SNI, just might be)

Thank you

thanks Steven,

uhm…

Plesk says by default it is?

Juergen,
so that is some left over SSL? I don’t think it's on my server, but will check. So you are thinking iPhone sees that old one instead of the Lets Encrypt one? But iphone works as long as cert doesn’t get renewed.

thanks

thanks Osiris,
email client was 501ranch.com or smtp.501ranch.com
using imap.

outgoing / sending was the problem as incoming mail would work.

ps
but other clients/iphone user could not send or receive, etc. I agree that settings are important… BUT none the less, after the renewal of cert… problem happened AFTER the renewal