Let's Encrypt problem with mail.domain.com

anton1982

Verified User
Joined
Jun 12, 2016
Messages
43
When I create a new SSL certificate for a domain through DA it displays all subdomains (and mail, smtp, ftp, etc.) in a list. I tick the checkboxes for all of them and in a matter of minutes the domain name https://domain.com works perfectly. The problem is that mail.domain.com does not work. For some reason the certificate is not used by mail.domain.com.

When I do a test at ssl-tools.net/mailservers I get:

------
The mailservers of mail.domain.com can be reached through an encrypted connection.
However, we found problems that may affect the security.
------

The error given is "Hostname Mismatch". For some reason mail.domain.com uses the certificate of the server (not the user). So for example: server.hostingprovider.com

I have checked a lot of topics but cannot find the problem.

My /usr/local/directadmin/data/users/username/domains/domain.com.san_config looks like:

[ req ]
default_bits = 4096
default_keyfile = keyfile.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no
output_password = bogus

[ req_distinguished_name ]
CN = domain.com
emailAddress = [email protected]

[ req_attributes ]
[ SAN ]
subjectAltName=DNS:ftp.domain.com, DNS:mail.domain.com, DNS:pop.domain.com, DNS:domain.com, DNS:smtp.domain.com, DNS:www.domain.com

What am I doing wrong?
 
Okay.. So in other words this means that my problem is not due to any misconfig? I find it strange that letsencrypt does create the subdomains (like mail. and ftp.). When users create accounts in e.g. Apple Mail or Outlook they get the message that it's not trusted (not secure). Is there any way to get this to pass without any problems?

Also can you explain why "The mailservers of mail.domain.com can be reached through an encrypted connection."? And that it uses my base hostname for it? Like server04.hostingprovider.com
 
Yes, that's confusing.

Is there any way to get this pass without any problems?

Check the links I've provided earlier to get Dovecot SNI working.

As for Exim SNI check this: https://www.google.com/search?q=exim_sni+site:directadmin.com

Also can you explain why "The mailservers of mail.domain.com can be reached through an encrypted connection."? And that it uses my base hostname for it? Like server04.hostingprovider.com

There is also a server-wide SSL/TLS cert installed into Exim, Dovecot, Apache/NGINX, ProFTPd/PureFTPd by default. It can be either self-signed or issued by an issuer. So that encrypted connection works with the server-wide cert. That's it.

Please search the forums and articles http://help.directadmin.com/ for more details.
 
Got it.

It's strange that non-working things are implemented in production releases, but that's ok.
 
It's not included at all yet, it's planned for Version 1.515 and the current is only 1.514 (1.51.4).
 
I read that already, but the point is that I enabled it in 1514 and it... showed in the skins, added the entry in the file, etc... Which is... strange.
 
Thank you zEitEr for your help. I understand but it is indeed confusing. I'm disappointed because in my opinion this should be working on a mature platform like DirectAdmin. Now customers are getting these annoying error messages in their email clients. Since wattie couldn't get it to work I think I will wait till version 1.515 to be sure. I hope V 1.515 isn't that far away :) Again thanks for helping.
 
I read that already, but the point is that I enabled it in 1514 and it... showed in the skins, added the entry in the file, etc... Which is... strange.


You see the interface updated. And that's due to Dovecot SNI, which can already be used. So you can install users' certs for POP(s)/IMAP(s), i.e. reading email via an encrypted connection. And that's what most of us do - reading emails, and that's why most users get warnings... so if you enable Dovecot SNI and install users' certs into it, with this you will cover most needs of users.


Thank you zEitEr for your help. I understand but it is indeed confusing. I'm disappointed because in my opinion this should be working on a mature platform like DirectAdmin. Now customers are getting these annoying error messages in their email clients. Since wattie couldn't get it to work I think I will wait till version 1.515 to be sure. I hope V 1.515 isn't that far away :) Again thanks for helping.


You're welcome. Please feel free to start using Dovecot SNI at your earliest convenience, it works fine for iphone and android users as well as for windows users.
 
Hi Alex, I've followed instructions (Dovecot SNI) but it does not work with me. What I have done:

1) Added dovecot_sni=1 to directadmin.conf and restarted DA
2) cd /usr/local/directadmin/custombuild
./build update
./build dovecot_conf

Here it said "You cannot update Dovecot configuration files, because you do not have it set in options.conf file." So:
3) in options.conf I changed dovecot_conf=no to dovecot_conf=yes
4) echo "action=rewrite&value=dovecot_sni" >> /usr/local/directadmin/data/task.queue
5) ./build dovecot_conf

I also tried to go to User Level -> SSL Certificates and save again.

I do not know if this helps but I also do not get a "/usr/local/directadmin/custombuild/custom/dovecot" directory.

Please help!
 
Hello Anton,

What you see:

Code:
/usr/local/directadmin/directadmin c | grep sni
?

Code:
ls -al /etc/dovecot/conf/sni
ls -al /etc/dovecot/conf/
?
 
Hi Alex,

Thank you for your reply.

/usr/local/directadmin/directadmin c | grep sni
enable_ssl_sni=1
dovecot_sni=1
exim_sni=0

ls -al /etc/dovecot/conf/sni
Gives a list of all domains like:
-rw-r--r-- 1 root root 854 Jul 17 16:01 domain.com.conf

ls -al /etc/dovecot/conf/
-rw-r--r--. 1 root root 46 Jul 17 16:01 imap_mail_plugins.conf
-rw-r--r--. 1 root root 15 Jul 17 16:01 ip.conf
-rw-r--r--. 1 root root 54 Jul 17 16:01 limits.conf
-rw-r--r-- 1 root root 550 Jul 17 16:01 lmtp.conf
-rw-r--r--. 1 root root 35 Jul 17 16:01 lmtp_mail_plugins.conf
-rw-r--r-- 1 root root 33 Jul 17 16:01 maildir_copy_with_hardlinks.conf
-rw-r--r--. 1 root root 90 Jul 17 16:01 mail_max_userip_connections.conf
-rw-r--r--. 1 root root 35 Jul 17 16:01 mail_plugins.conf
-rw-r--r-- 1 root root 2681 Jul 17 16:01 namespace_private.conf
-rw-r--r--. 1 root root 27 Jul 17 16:01 protocols.conf
drwxr-xr-x 2 root root 4096 Jul 17 16:01 sni
-rw-r--r--. 1 root root 149 Jul 17 16:01 ssl.conf
 
From this point I assume IMAPs/POPs should work with a valid SSL/TLS cert for at least one domain - domain.com.
No other domains added.
 
The services like https://ssl-tools.net/mailservers do check SMTPs, but they do not check connections to POPs, IMAPs. Hence you see the alerts, errors, warnings there.

I see a valid cert when I check it in my console:

Code:
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = tr***********en.com
verify return:1
---
Certificate chain
 0 s:/CN=tr***********en.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate

So, it's installed fine.
 
Hi Alex, thanks for your quick reply and help! Really appreciated.

The 'problem' just is the outgoing mailserver (SNI for Exim), right? So will just have to wait for this to be finished to completely get rid of these annoying warnings in Mail apps. Is there any estimation on this release as far as you know?

Another small question :) How do you check certificates through console?
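A way to answer both the "Hostname Mismatch" question from the first post and the "how do you check certificates through console?" question, as an added example that is not code from DirectAdmin or from anyone in this thread: it reads the DNS names out of a san_config like the one posted, connects to the mail host over IMAPS (with and without SNI) and over SMTP STARTTLS, and reports whether the certificate the server actually presents covers the hostname the mail client will use. The san_config text embedded below is constructed from the first post; the ports (993 and 587) and the assumption that those services are reachable are mine, and the live probe obviously needs network access. Sending no SNI shows what a client without SNI support gets, which is the server-wide certificate the thread describes.

```python
"""Probe which certificate a mail host presents and whether its names cover the
hostname the client connects to.

Added example for this thread; not DirectAdmin's or any poster's code.
SAN_CONFIG is a constructed copy of the san_config shown in the first post.
presented_names() assumes IMAPS on 993 and SMTP submission with STARTTLS on 587.
"""
import re
import smtplib
import socket
import ssl
import sys

# Constructed from the poster's san_config: only the line this script reads.
SAN_CONFIG = """
[ SAN ]
subjectAltName=DNS:ftp.domain.com, DNS:mail.domain.com, DNS:pop.domain.com, DNS:domain.com, DNS:smtp.domain.com, DNS:www.domain.com
"""


def san_names_from_config(text):
    """Return the DNS names listed on the subjectAltName line of a san_config."""
    match = re.search(r"^\s*subjectAltName\s*=\s*(.+)$", text, re.MULTILINE)
    if not match:
        return []
    names = []
    for entry in match.group(1).split(","):
        entry = entry.strip()
        if entry.upper().startswith("DNS:"):
            names.append(entry[4:].strip())
    return names


def hostname_matches(hostname, names):
    """RFC 6125-style match: exact (case-insensitive) or a '*.' wildcard that
    covers exactly one leftmost label, so *.domain.com covers mail.domain.com
    but neither domain.com nor a.mail.domain.com."""
    host = hostname.lower().rstrip(".")
    for name in names:
        pattern = name.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".domain.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
    return False


def names_from_peercert(cert):
    """Collect DNS SANs from the dict ssl returns via getpeercert(); fall back
    to the subject CN only when the certificate has no SAN extension."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def presented_names(host, port=993, smtp_starttls=False, sni=True, timeout=10):
    """Connect and return the names on the certificate the server presents.

    Chain verification stays on (a self-signed server cert raises
    ssl.SSLCertVerificationError, which is itself a finding), but hostname
    checking is off because the point is to see which certificate comes back.
    sni=False omits the server_name extension; smtplib always sends SNI, so the
    flag only affects the direct-TLS path.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    if smtp_starttls:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)
            cert = smtp.sock.getpeercert()
    else:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host if sni else None) as tls:
                cert = tls.getpeercert()
    return names_from_peercert(cert)


def diagnose(hostname, names):
    """One-line verdict, worded like the scanner quoted in the thread."""
    listed = ", ".join(names) or "(no names)"
    if hostname_matches(hostname, names):
        return f"OK: {hostname} is covered by {listed}"
    return f"Hostname Mismatch: {hostname} not in {listed}"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.domain.com"
    print("san_config covers:", san_names_from_config(SAN_CONFIG))
    probes = (("IMAPS 993 with SNI", {}),
              ("IMAPS 993 without SNI", {"sni": False}),
              ("SMTP 587 STARTTLS", {"port": 587, "smtp_starttls": True}))
    for label, kwargs in probes:
        try:
            print(f"{label}: {diagnose(target, presented_names(target, **kwargs))}")
        except (OSError, smtplib.SMTPException) as exc:
            print(f"{label}: TLS handshake or connection failed: {exc}")
```

Run it as `python3 mailcert_check.py mail.domain.com`. A result of "OK" on the IMAPS-with-SNI probe but "Hostname Mismatch" on the SMTP probe is exactly the state described later in this thread: Dovecot is serving the per-domain certificate by SNI while Exim still presents the server-wide one. The `openssl s_client -connect mail.domain.com:993 -servername mail.domain.com` output shown further down is the manual equivalent of the first probe.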
 
Hello

I am also having issues with DOMAIN MISMATCH and my LE SSL certificate.

When I check mail.ibroke.ca with the SSL Labs checker, it comes back to me with:


SSL Report: mail.ibroke.ca (184.75.254.202)
Assessed on: Tue, 06 Aug 2019 14:58:00 UTC

Certificate name mismatch

Try these other domain names (extracted from the certificates):

banana.a1websolutions.com (<---- this is my VPS host server)

What does this mean?

We were able to retrieve a certificate for this site, but the domain names listed in it do not match the domain name you requested us to inspect. It's possible that:

The web site does not use SSL, but shares an IP address with some other site that does.
The web site no longer exists, yet the domain name still points to the old IP address, where some other site is now hosted.
The web site uses a content delivery network (CDN) that does not support SSL.
The domain name is an alias for a web site whose main name is different, but the alias was not included in the certificate by mistake.

SSL Report v1.35.1

Can somebody PLEASE tell me what I am doing wrong to secure mail.ibroke.ca?

My boss is furious because our emails have not been working for 2 weeks now! :'(

JMS
 
The response from my host was that banana.a1websolutions.com is secured, as evident by the green lock symbol when you go to that URL in a browser.

The crazy part of all of this, is that iPhones (Apple Mail) are the only devices that seem to have issue with this?
 
The simplest solution would be to create a mail.ibroke.ca subdomain in your DirectAdmin user panel.

This way, Let's Encrypt should issue a certificate for mail.ibroke.ca.

This is part of the issue with all of these certificate issuances. I'm not sure how DirectAdmin's native Let's Encrypt support does all of this. I guess it issues a certificate for domain.tld with www.domain.tld and mail.domain.tld as SANs? Or maybe it does not issue one for mail.domain.tld, since it's not explicitly mentioned as a ServerAlias in domain.tld's VirtualHost?

I wrote my own wrapper for Let's Encrypt on cPanel years before cPanel offered AutoSSL. I'm using that on DirectAdmin. I actually like the fact that DirectAdmin does not append mail.domain.tld to the ServerAlias, that way I can create mail.domain.tld certificates independently. And then when domain.tld purchases a secure certificate, the Let's Encrypt for mail.domain.tld remains functioning.
 