
Thread: mail_sni not working only if Let's Encrypt cert is created for mail.domain.com

  1. #1

    Hello Everyone,

    I have enabled mail_sni, and followed every guide related to the topic and every forum thread as well.

    It is working properly if I have a domain and I create a cert for domain.com, www.domain.com and mail.domain.com and the three of them resolve to the server's IP.

    The problem is that I'm using this server only for email, so the www and @ records do not resolve to this server but to others.

    The mail, pop and smtp records and the MX record are pointing to this server though, and the email service is working as expected.


    When I launch a new Let's Encrypt cert I always check only mail.domain.com in the cert entries, and I have tried setting www.domain.com, domain.com and mail.domain.com as the common name, but the result is always the same:

    Requesting new certificate order...
    Processing authorization for mail.domain.com...
    Challenge is valid.
    Generating 4096 bit RSA key for domain.com...
    openssl genrsa 4096 > "/usr/local/directadmin/data/users/USER/domains/domain.com.key.new"
    Generating RSA private key, 4096 bit long modulus
    ...............................................................................................................++
    ...................................................++
    e is 65537 (0x10001)
    error, no objects specified in config file
    problems making Certificate Request
    /usr/local/directadmin/data/users/USER/domains/domain.com.csr: No such file or directory
    140603990054544:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/usr/local/directadmin/data/users/USER/domains/domain.com.csr','r')
    140603990054544:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
    Unable to find certificate. Something went wrong. Printing response...
    Error parsing certificate request: asn1: syntax error: sequence truncated


    Hope you can help me or point me in the right direction.

    Thank you
    Best regards

  2. #2
    Hello,

    If you create a cert for domain.com which will include mail.domain.com, pop.domain.com and smtp.domain.com, you can't avoid validating domain.com. So you will need to create a cert for mail.domain.com which can include pop.domain.com and smtp.domain.com.


    You would probably need to add mail.domain.com, pop.domain.com and smtp.domain.com as aliases for domain.com, and then you can create a cert for mail.domain.com which will include pop.domain.com and smtp.domain.com.
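The reply's suggestion, as an added example that is not code from the thread or from DirectAdmin: a CSR whose common name is the mail host and whose subjectAltName lists the pop and smtp names, generated from an explicit openssl req config and read back from the CSR before it is submitted. The "error, no objects specified in config file" line in the first post is what openssl req prints when the distinguished_name section of its config yields no entries, which is why the config is written out in full here. The example.com hostnames and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from DirectAdmin: build a CSR whose
# common name is the mail host and whose SANs add the pop/smtp names, from an
# explicit openssl req config. The example.com names and the scratch directory
# are assumptions; substitute your own hostnames.
set -eu

# make_mail_csr DIR MAILHOST [EXTRA_SAN...]
# Writes DIR/mail.key and DIR/mail.csr and prints the SAN list read back from
# the CSR, so the names can be checked before the request goes to the CA.
make_mail_csr() {
    dir=$1
    mailhost=$2
    shift 2
    sans="DNS:$mailhost"
    for h in "$@"; do
        sans="$sans,DNS:$h"
    done

    # prompt = no makes req take the subject from [dn]; an empty or missing
    # [dn] section is what produces "no objects specified in config file".
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = san
prompt = no

[dn]
CN = $mailhost

[san]
subjectAltName = $sans
EOF

    openssl genrsa -out "$dir/mail.key" 2048 2>/dev/null
    openssl req -new -key "$dir/mail.key" -config "$dir/req.cnf" -out "$dir/mail.csr"

    # Read the SANs back from the CSR itself rather than trusting the config.
    openssl req -noout -text -in "$dir/mail.csr" \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Usage with constructed names: key and CSR land in a scratch directory.
workdir=$(mktemp -d)
make_mail_csr "$workdir" mail.example.com pop.example.com smtp.example.com
```

The printed line is the SAN list as the CA will see it; if a hostname is missing there, the issued certificate will not cover it no matter what the control panel form showed. Each name in the list still has to resolve to this server for the HTTP-01 challenge, which is the point of the reply: request the cert for mail.domain.com and its aliases only, not for domain.com.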
