
Thread: With SNI on, i still get invalid certificate

  1. #1
    Join Date: Sep 2014; Posts: 37

    With SNI on, i still get invalid certificate

    I have enabled Let's Encrypt SSL for my mail server; this all works flawlessly. The output of https://ssl-tools.net/mailservers/webunity.nl is this:

    Common Name (CN)
    pyrus.webunity.nl

    Alternative Names
    mail.webunity.nl
    pyrus.webunity.nl
    webunity.nl
    www.webunity.nl

    My mail server runs on my main IP (141.138.194.220), which is also the shared IP of the sites for which I want to enable SNI.
    So, following the remarks in this thread, I've run: /usr/local/directadmin/directadmin c | grep sni

    which shows this:
    enable_ssl_sni=1
    mail_sni=0

    If I now enable Let's Encrypt via the DA control panel for, e.g., https://assistant.vdhoven.info/ and browse to it, I get the certificate invalid error, where the certificate is pointing to pyrus.webunity.nl. So my assumption is that somehow the current SSL certificate from DA is being served by Apache by default.

    Now my question is: if I follow the mail_sni setup in the thread mentioned above, will it 'automagically' start working? Or will my mail server be screwed (and customers start complaining)?

    By the way, I've set up my mail server with Let's Encrypt using this guide: https://help.directadmin.com/item.php?id=645
    which basically created /usr/local/directadmin/conf/ca.san_config.

    The contents are:
    [ req_distinguished_name ]
    CN = pyrus.webunity.nl
    [ req ]
    distinguished_name = req_distinguished_name
    [SAN]
    subjectAltName=DNS:pyrus.webunity.nl, DNS:webunity.nl, DNS:www.webunity.nl, DNS:mail.webunity.nl


    But i am guessing i don't need that anymore and that can be 'deleted' somehow?
    Last edited by webunity; 06-19-2018 at 12:27 PM.
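An added offline check, not part of the thread: it builds a throwaway self-signed certificate from the SAN list in the ca.san_config shown above and asks openssl's own hostname matcher whether that certificate covers each name, which reproduces the browser error for assistant.vdhoven.info. The `served_names` helper at the end is for the live diagnosis (which names the server presents with and without SNI) and assumes network access to port 443.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "certificate invalid"
# symptom offline. The SAN list is copied from ca.san_config above; the
# key and certificate are throwaway, constructed stand-ins for the real
# Let's Encrypt certificate on pyrus.webunity.nl.
set -eu

WORK=$(mktemp -d)

# Build a self-signed certificate carrying the thread's SAN list.
# Prints the path of the certificate file.
make_mail_cert() {
  cat > "$WORK/san.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
[ SAN ]
subjectAltName = DNS:pyrus.webunity.nl, DNS:webunity.nl, DNS:www.webunity.nl, DNS:mail.webunity.nl
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=pyrus.webunity.nl" -config "$WORK/san.cnf" -extensions SAN \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
  printf '%s\n' "$WORK/cert.pem"
}

# cert_covers HOST CERTFILE: prints "yes" if the certificate is valid for
# HOST by openssl's matcher (X509_check_host, the same rule browsers apply),
# "no" otherwise. SAN entries win; the CN is only consulted if there are none.
cert_covers() {
  if openssl x509 -in "$2" -noout -checkhost "$1" | grep -q 'does match'; then
    echo yes
  else
    echo no
  fi
}

# served_names HOST [SNI_NAME]: SAN entries the live server presents, with or
# without an SNI name. Needs network, so it is not exercised below. If the
# names differ between the two calls, Apache answers the bare connection with
# its default virtual host's certificate instead of the domain's own.
served_names() {
  printf '' | openssl s_client -connect "$1:443" ${2:+-servername "$2"} 2>/dev/null \
    | openssl x509 -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
}

CERT=$(make_mail_cert)
cert_covers mail.webunity.nl "$CERT"        # yes: name is in the SAN list
cert_covers assistant.vdhoven.info "$CERT"  # no: the browser error in the post
```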

  2. #2
    Join Date: Apr 2005; Location: GMT +7.00; Posts: 12,393

    Hello,

    There is always a chance things will go wrong. And even though the feature works for many of us, nobody will guarantee that you won't run into an issue. Even I personally can guarantee only what I do myself.

    Anyway, please feel free to try and follow the steps, and let us know your results. You can always roll back changes.

  3. #3
    Join Date: Aug 2015; Posts: 9

    Did you follow the section "TASK QUEUE" too? Something like
    echo "action=rewrite&value=mail_sni&domain=vdhoven.info" >> /usr/local/directadmin/data/task.queue
