Plesk / unable to get the certs working on iOS devices

Hi

I am using LE on Plesk and it worked like a charm until yesterday. Somehow the certs are not recognized on iOS devices anymore and there seems to be no way to trust it? I did a check on https://crt.sh/?q=heymans.name and I think the cert is OK… not sure.

What can I do to get the certs running on iOS again? Sites and webmail run fine btw.

Thanks!

My domain is: heymans.name

I ran this command:

It produced this output:

My web server is (include version): nginx - latest

The operating system my web server runs on is (include version): CentOS Linux 7.6.1810 (Core)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk Onyx 17.8.11 #49

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): not using

Hi @snewpers

crt.sh doesn't help to check your current configuration. crt.sh shows only that you have created a certificate, not whether it is installed.

But your configuration looks good - https://check-your-website.server-daten.de/?q=heymans.name

Your certificate is new

CN=heymans.name | 14.04.2019 | 13.07.2019 | expires in 89 days | heymans.name, webmail.heymans.name, www.heymans.name - 3 entries

both connections use it

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://heymans.name/ 37.97.134.104 | 301 | https://heymans.name/ | 0.043 | A |
| http://www.heymans.name/ 37.97.134.104 | 301 | https://heymans.name/ | 0.040 | E |
| https://www.heymans.name/ 37.97.134.104 | 301 | https://heymans.name/ | 0.253 | B |
| https://heymans.name/ 37.97.134.104 | 200 | | 0.580 | B |

and you don't have chain errors or mixed content warnings.

So the typical errors are missing -> Grade E is ok.

Do you have a screenshot?

Thanks Juergen!

What would you like a screenshot of?

The mail accounts that cause errors are all POP3 accounts, on iOS. I added a new email address on the server and used the IMAP protocol and got the same warning about an expired/untrusted cert but I did get the option to trust it. Something I cannot do with the ‘old’ POP3 accounts.

If you let me know what you’d like to see I’ll make a screenshot of it.

Again, thanks

Ah, the pop3 are the problem.

I don't use Plesk. But doesn't Plesk use its own pop3 subdomain?

No - pop3.heymans.name isn't defined.

Does the mail server need additional actions to use the new certificate? It's a thing of your Plesk installation.

There are screenshots here:

https://support.plesk.com/hc/en-us/articles/115000179934-How-to-secure-Plesk-mail-server-with-Let-s-Encrypt-certificate-
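An added example, not part of the thread and not Plesk or Let's Encrypt code: since crt.sh shows only issuance, this Python script checks what each TLS port actually serves and flags a mail port whose certificate fails verification or differs from the one on HTTPS. The names `PORTS`, `SAMPLE`, `probe` and `stale_services` are hypothetical, and the port list assumes implicit-TLS IMAPS and POP3S on their standard ports.

```python
import hashlib
import socket
import ssl
import sys

# Assumed implicit-TLS ports: HTTPS, IMAPS, POP3S.
PORTS = {"https": 443, "imaps": 993, "pop3s": 995}
# Constructed sample (not real data): POP3S still serves an old, expired cert.
SAMPLE = {"https": ("aa11", None), "imaps": ("aa11", None),
          "pop3s": ("bb22", "certificate has expired")}


def probe(host, port, timeout=5.0):
    """Return (sha256 of the served leaf cert, verification error or None)."""
    # Pass 1: no verification, so an expired cert can still be fingerprinted.
    loose = ssl.create_default_context()
    loose.check_hostname = False
    loose.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with loose.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    fingerprint = hashlib.sha256(der).hexdigest()
    # Pass 2: full chain and host name verification, as a mail client does.
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ssl.create_default_context().wrap_socket(sock, server_hostname=host):
                return fingerprint, None
    except ssl.SSLCertVerificationError as exc:
        return fingerprint, exc.verify_message


def stale_services(results, reference="https"):
    """results: name -> (fingerprint, error). Return [(name, reason)] findings."""
    ref_fp = results[reference][0]
    findings = []
    for name, (fp, err) in sorted(results.items()):
        if err is not None:
            findings.append((name, "verification failed: " + err))
        elif fp != ref_fp:
            findings.append((name, "serves a different certificate than " + reference))
    return findings


if __name__ == "__main__":
    # With a host name argument, probe it live; without one, use the sample.
    results = ({n: probe(sys.argv[1], p) for n, p in PORTS.items()}
               if len(sys.argv) > 1 else SAMPLE)
    for name, reason in stale_services(results):
        print(name, reason)
```

A different but valid certificate on a mail port is not an error in itself; it is a finding here only because the setup in this thread uses one certificate and no mail subdomains.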

Thanks Juergen,

I have LE set up just like the help center explains, and it has been working fine for a few months, on all domains on the server. The default setting for Plesk mail is to use no subdomains for either pop/imap/smtp.

The problem is pop3 for sure now, everything else works. I have to dig in deeper it seems.

Thanks for your help!

It started to work again after I received this automated email:

The following domains of Reseller (login XXX) have been secured with Let's Encrypt certificates:
<none>

The following Let's Encrypt certificates for XXX (login XXX) have been renewed:

The is really there. Not sure why there's no info there.
The domains being updated are the main domains for the server. Could it be that the main server cert needs to be renewed before any secondary domain is renewed? After receiving this, the iOS devices started to work again (pop3).

thanks!

I don't know.

That's a Plesk internal thing, this isn't a Let's Encrypt mail.

Perhaps ask in a Plesk forum.
