mail_sni not working only if Let's Encrypt cert is created for mail.domain.com

GERMANORONOZ (New member, joined Dec 30, 2015, 4 messages)
Hello Everyone,

I have enabled mail_sni, and followed every guide related to the topic and every forum thread as well.

It is working properly if I have a domain and I create a cert for domain.com, www.domain.com and mail.domain.com and the three of them resolve to the server's IP.

The problem is that I'm using this server only for email, so the www and @ zones are not resolving to this server but to others.

mail, pop, smtp and the MX record are pointing to this server though, and the email service is working as expected.


When I launch a new Let's Encrypt cert I always check only mail.domain.com in the cert entries, and I have tried setting www.domain.com, domain.com and mail.domain.com as the common name, but the result is always the same:

Requesting new certificate order...
Processing authorization for mail.domain.com...
Challenge is valid.
Generating 4096 bit RSA key for domain.com...
openssl genrsa 4096 > "/usr/local/directadmin/data/users/USER/domains/domain.com.key.new"
Generating RSA private key, 4096 bit long modulus
...............................................................................................................++
...................................................++
e is 65537 (0x10001)
error, no objects specified in config file
problems making Certificate Request
/usr/local/directadmin/data/users/USER/domains/domain.com.csr: No such file or directory
140603990054544:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/usr/local/directadmin/data/users/USER/domains/domain.com.csr','r')
140603990054544:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
Unable to find certificate. Something went wrong. Printing response...
Error parsing certificate request: asn1: syntax error: sequence truncated


Hope you can help me or point me in the right direction.

Thank you
Best regards
 
Hello,

If you create a cert for domain.com which will include mail.domain.com, pop.domain.com, smtp.domain.com, you can't avoid validating domain.com. So you will need to create a cert for mail.domain.com which can include pop.domain.com, smtp.domain.com.


You would probably need to add mail.domain.com, pop.domain.com, smtp.domain.com as an alias for domain.com, and then you can create a cert for mail.domain.com which will include pop.domain.com, smtp.domain.com.
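To see what the recommended layout looks like before touching the live server, here is an added example (not from this thread or from DirectAdmin) that builds a throwaway self-signed cert shaped like the reply describes, CN mail.domain.com with pop.domain.com and smtp.domain.com as Subject Alternative Names, and checks which hostnames it covers. It assumes openssl 1.1.1 or newer and writes under /tmp; domain.com is the thread's placeholder.

```shell
#!/bin/sh
# Added example: reproduce the SAN layout from the reply with a self-signed
# cert so it can be inspected offline. Self-signed certs are for this check
# only; the real cert still comes from Let's Encrypt.
set -eu

WORK="${TMPDIR:-/tmp}/mail_sni_example"   # assumed scratch directory
mkdir -p "$WORK"

# Create a throwaway key and cert: CN mail.domain.com, SAN mail/pop/smtp.
# Note that domain.com and www.domain.com are deliberately NOT included,
# because they do not resolve to the mail server and would fail validation.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/mail.key" -out "$WORK/mail.crt" \
        -subj "/CN=mail.domain.com" \
        -addext "subjectAltName=DNS:mail.domain.com,DNS:pop.domain.com,DNS:smtp.domain.com" \
        >/dev/null 2>&1
    printf '%s\n' "$WORK/mail.crt"
}

# Print the DNS names a certificate covers, one per line.
san_names() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Exit 0 if the hostname is listed in the cert's SAN, 1 otherwise.
cert_covers() {
    san_names "$1" | grep -qxF "$2"
}

CRT=$(make_test_cert)
echo "Names in $CRT:"; san_names "$CRT"
for h in mail.domain.com pop.domain.com smtp.domain.com domain.com www.domain.com; do
    if cert_covers "$CRT" "$h"; then echo "covered:     $h"; else echo "NOT covered: $h"; fi
done
```

The same `san_names` check can be run against the certificate DirectAdmin actually installs to confirm that every hostname your mail clients connect to (mail, pop, smtp) is listed.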
 