Letsencrypt..., still getting localhost cert

oehTie

Hello,

I have enabled Let's Encrypt on a domain, but it doesn't really do what I expect it to do....

The server, web01.domain.com, runs the domain under the admin user. I have enabled Let's Encrypt. Going to www.domain.com I get a valid cert. Going to smtp.domain.com (it should be included according to the Let's Encrypt query) I get a localhost cert.

Using Outlook to request mail via smtp.domain.com I get the same localhost domain.

How do I replace that localhost thing without breaking the Let's Encrypt autorenewal?


Hope you guys can help me,

Thanks

oehTie
 
Though the presence of mail_sni in directadmin.conf is obligatory, it is not sufficient. Exim's config and Dovecot's config should be updated, and OpenSSL 1.x+ should be installed.
 
I now get:

Key is for a different cert than ssl_cert

in my maillog.... I use the DirectAdmin function to request the certs at Let's Encrypt.... Configs have been updated by CustomBuild 2.0.

openssl is installed:
# openssl
OpenSSL> version
OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL>

Is this version too old, maybe?
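Dovecot's "Key is for a different cert than ssl_cert" means the private key in ssl_key does not belong to the certificate in ssl_cert. As an added example (not code from this thread, DirectAdmin or Dovecot), this POSIX shell snippet reads the ssl_cert / ssl_key paths from a Dovecot-style config (the `<path` read-from-file syntax) and compares the public key inside the certificate with the one derived from the private key. It assumes `openssl` is on PATH; the config file path is whatever you pass in.

```shell
#!/bin/sh
# Added example: verify that the key and certificate Dovecot points at
# actually belong together. Assumes openssl is installed and in PATH.

# SHA-256 digest of the DER-encoded public key found inside a PEM certificate.
cert_pubkey_digest() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 digest of the DER-encoded public key derived from a PEM private key.
key_pubkey_digest() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# key_matches_cert CERT KEY: exit 0 if KEY is the private key for CERT,
# 1 if the public keys differ, 2 if either file could not be parsed.
key_matches_cert() {
    c=$(cert_pubkey_digest "$1") || return 2
    k=$(key_pubkey_digest "$2") || return 2
    # Empty digest means openssl failed somewhere in the pipeline.
    [ -n "$c" ] && [ -n "$k" ] && [ "$c" = "$k" ]
}

# dovecot_ssl_path CONF SETTING: print the path from a line such as
#   ssl_cert = </etc/ssl/certs/smtp.pem
# (SETTING is ssl_cert or ssl_key; first match wins).
dovecot_ssl_path() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*<//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_dovecot_conf CONF: 0 if the config's ssl_key matches its ssl_cert.
check_dovecot_conf() {
    cert=$(dovecot_ssl_path "$1" ssl_cert)
    key=$(dovecot_ssl_path "$1" ssl_key)
    [ -n "$cert" ] && [ -n "$key" ] || return 2
    key_matches_cert "$cert" "$key"
}
```

Run `check_dovecot_conf /path/to/dovecot.conf` after each Let's Encrypt renewal; a non-zero exit is the same mismatch Dovecot logs, caught before Outlook does.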
 
The key I see in the Dovecot conf matches the key I see in the DirectAdmin GUI...
 
The key I see in the Dovecot config matches what I see in the DirectAdmin GUI.
 
Hi zEitEr,

first of all thanks for your time.

I have walked through the document again; I have everything. The domain is, for example, www.interops.nl (which works), but if I go to smtp.interops.nl I get a localhost cert. When I try to log in at www.interops.nl/squirrelmail or smtp.interops.nl/squirrelmail I get the localhost cert, the IMAP connection error, and in the maillog the error message that the key mismatches.... But I can't find where to set the correct key, because it all seems correct....
 
Ehm nope.... I have Kerio appliances running, but on different IPs. You should get 185.165.69.92. When I try pinging the domains, I get the right IP...

The MX record points to a Kerio appliance now. I have a customer that uses mail.interops.nl and smtp.interops.nl, which still point to the webserver. He doesn't use the MX.
 
When I connect to your main IP, I get the error:

Code:
CONNECTED(00000003)
140510348514984:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:782:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 270 bytes and written 327 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1514968687
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

When I connect to your MX host mx1.interops.nl I get the kerio cert:

Code:
CONNECTED(00000003)
depth=0 CN = kerio-connect-appliance, C = US
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = kerio-connect-appliance, C = US
verify error:num=10:certificate has expired
notAfter=Oct  4 12:18:36 2015 GMT
verify return:1
depth=0 CN = kerio-connect-appliance, C = US
notAfter=Oct  4 12:18:36 2015 GMT
verify return:1
---
Certificate chain
 0 s:/CN=kerio-connect-appliance/C=US
   i:/CN=kerio-connect-appliance/C=US
---
...
...


So I'd rather have access to your server in order to investigate it further and suggest a fix (usually I charge for it).
 