Skip to content

futureweb/Plesk-Postfix-SNI-TLS-Cert-Fixer

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
LICENSE
LICENSE
 
 
README.md
README.md
 
 
plesk-Postfix-SNI-TLS-Cert-Fixer.sh
plesk-Postfix-SNI-TLS-Cert-Fixer.sh
 
 

Repository files navigation

Plesk Postfix SNI TLS Cert Fixer

This script addresses a bug encountered in Plesk regarding the assignment of SSL certificates for mail services.

Bug Description

When a secondary domain's SSL certificate is assigned to the mail services of a primary domain in Plesk, and the secondary domain's certificate is renewed, the certificate in the Postfix hash map for the primary domain is not updated. This results in the delivery of outdated certificates for mail services.

Bug Reproduction

To reproduce the issue, follow these steps:

  1. Have a primary domain with active mail services, e.g., example.com.
  2. Have another domain, e.g., mail.example.com.
  3. Create an SSL certificate (Let’s Encrypt or other) for the mail.example.com domain using SSL.
  4. Assign the mail.example.com certificate to the mail services of the example.com domain.
  5. Renew the certificate for mail.example.com.
  6. Postfix is still delivering the old Cert as it's cached within Postfix Certs Hash Map (/var/spool/postfix/plesk/certs.db).

Solution

The provided script fixes the issue by updating certificates in question and re-assigning them to the primary Domain Mail services. Which results in updated Configuration Files, especifically the Postfix Certs hash map, to prevent the delivery of outdated certificates when a current one exists.

Usage

  1. Clone the repository:
git clone https://github.com/futureweb/Plesk-Postfix-SNI-TLS-Cert-Fixer.git
  1. Make the script executable:
chmod +x plesk_postfix_sni_tls_cert_fixer.sh
  1. Execute the script:
./plesk_postfix_sni_tls_cert_fixer.sh

Important Note

While this script provides a workaround for the issue, it's essential to address the underlying problem. Outdated certificates should not be delivered when they have already been renewed. The script is provided as-is, and the developer holds no responsibility for any problems arising from its use.

Customization

Depending on your specific Plesk setup and configurations, customization of the script may be necessary to suit other scenarios.

Cronjob Setup

To ensure that certificates are fixed in a timely manner, consider setting up a cronjob that executes the script regularly. For example, to run the script every other month, add the following cronjob:

0 0 1 */2 * /path/to/plesk_postfix_sni_tls_cert_fixer.sh

This will execute the script on the first day of every other month.

Acknowledgment

This script was developed by Andreas Schnederle-Wagner, Futureweb GmbH (https://www.futureweb.at).

Note: Please ensure you have proper backups before executing any scripts, especially those that modify system configurations.

About

SNI-TLS Cert Fixer for mail.dom.tld LE Certs when dom.tld is not pointing to Plesk Server itself. More Information here: https://talk.plesk.com/threads/issues-with-ssl-certificate-renewal-for-mail-services-in-plesk-seeking-automated-solution-via-cli-or-api.374148/

Resources

Readme

License

GPL-3.0 license
Activity

Stars

1 star

Watchers

3 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages