Let's Encrypt problem with mail.domain.com

@jemesouviens,

I see the certificate is fine for mail.ibroke.ca, tested here: https://ssl-tools.net/mailservers/mail.ibroke.ca

With iPhones you might need to re-create the mail account. Whenever I tested Let's Encrypt with mail_sni from DirectAdmin on MacOS 10.x, certificates were accepted fine without an issue.

@sparek,

Creating a mail subdomain may be a solution, but it's not required.
 
The simplest solution would be to create a mail.ibroke.ca subdomain in your DirectAdmin user panel.

This way, Let's Encrypt should issue a certificate for mail.ibroke.ca.

This is part of the issue with all of these certificate issuances. I'm not sure how DirectAdmin's native Let's Encrypt support does all of this. I guess it issues a certificate for domain.tld with www.domain.tld and mail.domain.tld as SANs? Or maybe it does not issue one for mail.domain.tld, since it's not explicitly mentioned as a ServerAlias in domain.tld's VirtualHost?

I wrote my own wrapper for Let's Encrypt on cPanel years before cPanel offered AutoSSL. I'm using that on DirectAdmin. I actually like the fact that DirectAdmin does not append mail.domain.tld to the ServerAlias, that way I can create mail.domain.tld certificates independently. And then when domain.tld purchases a secure certificate, the Let's Encrypt for mail.domain.tld remains functioning.

A ServerAlias or a mail.domain.com vhost is not needed to generate a Let's Encrypt cert for mail.domain.com for exim/dovecot. If you host no site under mail.domain.com, there is no point creating it :) Just select mail.domain.com in the list of domains, and it'll be added to the SANs when generating the cert.
 
I've never really looked at the interface for issuing Let's Encrypt certificates in DirectAdmin, so I guess that's possible.

Never really understood the fascination with making "Issue a free certificate" something that requires end-user intervention. That's why I don't use the DirectAdmin Let's Encrypt interface, and why I don't use cPanel's AutoSSL interface. It tends to create more issues than it solves. My belief is that the more options you give end-users to click on... the more they are going to click on them, and then ask questions as to why it's not working, or try to decipher what all they clicked on to change the functionality of their account.

When it comes to issuing free Let's Encrypt certificates... why not just issue them for every hostname that resolves to the server? What reason is there for not needing a secure certificate for a hostname that resolves to the server? And even if a reason exists... you don't have to use it.
 

Thank you for your reply. Would I create the mail.domain.tld subdomain using the "manage subdomains" module, or set it up as a new domain mail.domain.tld ?
 
It doesn't matter - either will create a VirtualHost entry so that a secure certificate can be issued for it.

Although I would read @smtalk post from above - this may not be necessary. Apparently DirectAdmin's system doesn't have an automatic Let's Encrypt issuance system? But you can specify additional hostnames to be issued on a certificate through the Let's Encrypt interface?

If you ask me, there's still a lot of crawling and rolling around with the industry's views towards SSL/TLS everywhere. Automatic issuance? User intervention required for issuance? Handling of DCV requests. mail. and other popular "sub" domains. This movement has a long way to go before it's walking and running obstacle courses.
 

Unfortunately this does not work for iOS devices. Because mail.domain.tld actually forwards to hostdomain.tld, it results in a domain mismatch error at the SSL Labs domain checker.

I have created the mail.domain.tld subdomain on our VPS, and now SSL Labs gives us an A rating ... just waiting for it to propagate and check Apple Mail again.
 

SSL Labs checks HTTP for you, this is why I mentioned "if you want to host a site on mail.domain.com - it needs to be created as a domain" :)
 
Indeed.

There is a difference between services. SSL Labs will check web and web only (port 443). Mail runs on different ports and just doesn't follow the same structure as a web connection.

mail.yourdomain.tld will have to be picked up by the SNI configuration for whatever service you are referring to (SMTP is run by Exim, POP3 and IMAP are run by Dovecot). And then, with SNI picking up that name from its configuration, it selects the desired certificate information for that domain name.

Comodo had an online analyzer that would do this for ports other than web - https://sslanalyzer.comodoca.com - but I guess that was lost when Comodo became Sectigo. I do not know of a similar alternative at this time.
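Since the thread ends with no known replacement for an analyzer that checks the mail ports, here is an added example (not code from this thread, DirectAdmin, Exim or Dovecot) that does the two things the last posts describe: connect to the SMTP/IMAP/POP3 ports, negotiating STARTTLS where the port needs it, send a chosen SNI name, and then test whether the presented certificate's SANs actually cover that name, which is the check an iOS client performs. The host name mail.example.com and the SAMPLE_CERT dict are constructed placeholders, not captured from any real server.

```python
"""Check which certificate a mail server presents for an SNI name on the
mail ports and whether that name is covered by the certificate's SANs.
Added example for this thread; host names and sample data are made up."""
import socket
import ssl

# Port -> how TLS starts there. "tls" means implicit TLS from the first byte;
# otherwise it is the plaintext protocol whose STARTTLS command we must send.
PORT_MODES = {25: "smtp", 587: "smtp", 465: "tls",
              143: "imap", 993: "tls", 110: "pop3", 995: "tls"}


def san_dns_names(cert):
    """DNS names from a getpeercert()-style dict. Only subjectAltName counts:
    modern clients (iOS Mail included) ignore the subject CN."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(hostname, pattern):
    """RFC 6125-style comparison: case-insensitive exact match, or a wildcard
    whose '*' stands for exactly one leftmost label, so '*.example.com'
    covers mail.example.com but not example.com or mail.sub.example.com."""
    h = hostname.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if p == h:
        return True
    return p[0] == "*" and len(p) == len(h) and p[1:] == h[1:]


def cert_covers(cert, hostname):
    """True if any SAN of `cert` matches `hostname`."""
    return any(name_matches(hostname, san) for san in san_dns_names(cert))


def _read_until(sock, done):
    """Read CRLF lines until `done(line)` is true for a complete line."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed connection during negotiation")
        buf += chunk
        if any(done(line) for line in buf.split(b"\r\n")[:-1]):
            return buf


def _starttls(sock, proto):
    """Drive the plaintext half of STARTTLS for smtp, imap or pop3."""
    if proto == "smtp":
        _read_until(sock, lambda l: l.startswith(b"220 "))   # greeting
        sock.sendall(b"EHLO tlscheck.invalid\r\n")
        _read_until(sock, lambda l: l.startswith(b"250 "))   # last EHLO line
        sock.sendall(b"STARTTLS\r\n")
        _read_until(sock, lambda l: l.startswith(b"220 "))   # go ahead
    elif proto == "imap":
        _read_until(sock, lambda l: l.startswith(b"* OK"))
        sock.sendall(b"a1 STARTTLS\r\n")
        _read_until(sock, lambda l: l.startswith(b"a1 OK"))
    elif proto == "pop3":
        _read_until(sock, lambda l: l.startswith(b"+OK"))
        sock.sendall(b"STLS\r\n")
        _read_until(sock, lambda l: l.startswith(b"+OK"))
    else:
        raise ValueError("unsupported STARTTLS protocol %r" % proto)


def fetch_mail_cert(host, port, sni, timeout=10.0):
    """Connect, negotiate TLS the way `port` expects, send `sni` as the TLS
    server name and return the leaf certificate as a getpeercert() dict.
    Chain verification stays on (a self-signed or expired cert raises
    SSLCertVerificationError); hostname checking is off so that a name
    mismatch is reported by cert_covers() instead of aborting the handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        mode = PORT_MODES.get(port, "tls")
        if mode != "tls":
            _starttls(raw, mode)
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()


def check_mail_host(sni, host="", ports=(587, 993, 995)):
    """Report, per port, whether the presented cert's SANs cover `sni`.
    `host` defaults to the SNI name; pass an IP to test a server before DNS
    for the new name has propagated."""
    results = {}
    for port in ports:
        try:
            cert = fetch_mail_cert(host or sni, port, sni)
            ok = cert_covers(cert, sni)
            print("%s:%d -> %s SANs=%s" % (sni, port, "OK" if ok else "MISMATCH",
                                          san_dns_names(cert)))
        except (OSError, ssl.SSLError) as exc:
            ok = False
            print("%s:%d -> FAILED %s" % (sni, port, exc))
        results[port] = ok
    return results


# Constructed sample of what getpeercert() returns for a certificate issued
# for the bare domain with www as the only extra SAN (not from a real server).
SAMPLE_CERT = {"subject": ((("commonName", "example.com"),),),
               "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com"))}

if __name__ == "__main__":
    # Offline illustration of the mismatch iOS reports when mail.<domain>
    # is served with the bare domain's certificate:
    print("mail.example.com covered:", cert_covers(SAMPLE_CERT, "mail.example.com"))
    # Live check against your own server (needs network):
    # check_mail_host("mail.example.com")
```

check_mail_host() connects to the name itself by default, which is what a client does; passing an IP as `host` lets you confirm the SNI selection on Exim/Dovecot before DNS for the new subdomain has propagated, the waiting period mentioned earlier in the thread.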
 