SSL issues with mail.domain.com Sectigo

T

tramp

Verified User
Joined
May 1, 2019
Messages
11
Location
Amsterdam
I'm having issues with the installation of SSL certificates for my linux VPS.

Currently i bought two Sectigo SSL certificates for my VPS. I'm running my machine with the hostname exampleX.example.com, my website is matching the hostname, so it's exampleX.com, for my email i use the mail.exampleX.com variation.

I've hosted my VPS with TransIP in the Netherlands, they make a suggestion on how to install the certificates on the VPS bought from them, you can find it here. When i follow the instructions everything goes (pretty) well. The Sectigo certificate for the website exampleX.com is directly installed. When i start with installing the certificate bought for mail.exampleX.com, i run into the problem that as soon as i restart exim, all the websites hosted on my server are down. The mail is secured from that moment on, but the sites are all offline.

How do i fix this situation? It seems to me nothing impossible or weird situation?
 
Is the Sectigo certificate valid for mail.example.tld?

I can't speak for all Sectigo products... and maybe they've changed things. But a PostiveSSL from Sectigo, if you purchase it for example.tld then it's only valid for example.tld and www.example.tld - it does not include mail.example.tld in the SAN.

Perhaps you are using a different Sectigo product. Perhaps you explicitly got the certificate for mail.example.tld. But I would make sure the certificate is actually valid for mail.example.tld before proceeding any further.
 
tramp said:
I'm having issues with the installation of SSL certificates for my linux VPS.

Currently i bought two Sectigo SSL certificates for my VPS. I'm running my machine with the hostname exampleX.example.com, my website is matching the hostname, so it's exampleX.com, for my email i use the mail.exampleX.com variation.

I've hosted my VPS with TransIP in the Netherlands, they make a suggestion on how to install the certificates on the VPS bought from them, you can find it here. When i follow the instructions everything goes (pretty) well. The Sectigo certificate for the website exampleX.com is directly installed. When i start with installing the certificate bought for mail.exampleX.com, i run into the problem that as soon as i restart exim, all the websites hosted on my server are down. The mail is secured from that moment on, but the sites are all offline.

How do i fix this situation? It seems to me nothing impossible or weird situation?
Click to expand...

The domain name of the server needs to match the domain name you own. So if the the domain at the Registrar is

mydomainnameX.com .

The server name should be mysevername.mydomainnameX.com this is the FDQN of the server. The my server name part can be anything cool like raptor, eagle, voldemort, and so on. It's just the name of the server... Ref . https://www.itzgeek.com/how-tos/linux/centos-how-tos/change-hostname-in-centos-7-rhel-7.html

Which would make the website https://mydomainnameX.com or https://www.mydomainnameX.com

mail.mydomainnameX.com

in directadmin.conf did you set all features?

https://help.directadmin.com/item.php?id=15

[h=1]Installing a Purchased Certificate[/h]
 
bdacus01 said:
The domain name of the server needs to match the domain name you own. So if the the domain at the Registrar is

mydomainnameX.com .

The server name should be mysevername.mydomainnameX.com this is the FDQN of the server. The my server name part can be anything cool like raptor, eagle, voldemort, and so on. It's just the name of the server... Ref . https://www.itzgeek.com/how-tos/linux/centos-how-tos/change-hostname-in-centos-7-rhel-7.html

Which would make the website https://mydomainnameX.com or https://www.mydomainnameX.com

mail.mydomainnameX.com

in directadmin.conf did you set all features?

https://help.directadmin.com/item.php?id=15

[h=1]Installing a Purchased Certificate[/h]
Click to expand...

Hi,

Thanx for your reply, yes i followed the id=15 link. As soon as i've activated the SSL for the website the lock becomes green and goes well. After that i follow the next steps for the Apache Mail install, and then the SSL "switches" to mail, and all the websites becomes unavailable..
 
Apache is failing?

What is the Apache error log saying?

/var/log/httpd/error_log

Obviously, don't post any identifying information or really post anything from that log, but is it telling you anything that might lead you in the direction to look?
 
Yeah, Apache is failing. It says:

jul 12 08:28:19 systemd[1]: Starting The Apache HTTP Server...
jul 12 08:28:19 systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
jul 12 08:28:19 kill[18526]: kill: cannot find process ""
jul 12 08:28:19 systemd[1]: httpd.service: control process exited, code=exited status=1
jul 12 08:28:19 systemd[1]: Failed to start The Apache HTTP Server.
jul 12 08:28:19 systemd[1]: Unit httpd.service entered failed state.
jul 12 08:28:19 systemd[1]: httpd.service failed.

It seems that the Key pair doesn't match: apache was not starting because of that key pair.

So the question is if you can insert two certificates in one file?
That will be one for example.com and one for mail.example.com
 
example.tld would have to have it's own VirtualHost container.

and mail.example.tld would have to have it's own VirtualHost container.

Sorta, kinda, related to my post at:

https://forum.directadmin.com/showthread.php?t=58182

I don't exactly know how you have this set up.

You would need to have a VirtualHost container:

<VirtualHost %ip%:443 >
...
ServerName example.tld
...
</VirtualHost>

And a VirtualHost container:

<VirtualHost %ip%:443 >
...
ServerName mail.example.tld
...
</VirtualHost>

The ServerName example.tld VirtualHost would link to example.tld's certificate and key with the SSLCertificateFile and SSLCertificateKeyFile directives.

The ServerName mail.example.tld VirtualHost would link to mail.example.tld's certificate and key with the SSLCertificateFile and SSLCertificateKeyFile directives.
 
Presumably this VirtualHost entry would be in

/usr/local/directadmin/data/users/%username_owner_of_example.tld%/httpd.conf

Although... I doubt you want to edit this file directly.

Have you created a mail.example.tld subdomain from %username_owner_of_example.tld%'s user panel?
 
sparek said:
example.tld would have to have it's own VirtualHost container.

and mail.example.tld would have to have it's own VirtualHost container.

Sorta, kinda, related to my post at:

https://forum.directadmin.com/showthread.php?t=58182

I don't exactly know how you have this set up.

You would need to have a VirtualHost container:

<VirtualHost %ip%:443 >
...
ServerName example.tld
...
</VirtualHost>

And a VirtualHost container:

<VirtualHost %ip%:443 >
...
ServerName mail.example.tld
...
</VirtualHost>

The ServerName example.tld VirtualHost would link to example.tld's certificate and key with the SSLCertificateFile and SSLCertificateKeyFile directives.

The ServerName mail.example.tld VirtualHost would link to mail.example.tld's certificate and key with the SSLCertificateFile and SSLCertificateKeyFile directives.
Click to expand...

I doubt if they both have their own container. It's my TLD, so i connected the tld to my admin account on DA, sayd that, in the user account of the admin, i only have the example.tld as domainname, so not an second like mail.expample.tld

My thought was that it's just one domain, and the subdomain, mail.example.tld has it's own SSL.

Now you said this, i can imagine there has to be some route somewhere who says example.tld uses certificate1 and mail.example.tld uses SSL certificate 2..
 
I'm not sure if I'm fully understanding this - I'm still relatively new to DirectAdmin, so maybe I've lost something in translation.

If you don't have an entry for mail.example.tld ... can you not create a subdomain in the user panel for this user?

Account Manger -> Subdomain Management -> Add Subdomain

One VirtualHost container will only allow for one certificate. Either that certificate has to be valid for all of the hostnames listed in the ServerName and ServerAlias directives (called SANs on the certificate) or you will get a CN mismatch error if you try to access a ServerName or ServerAlias on that VirtualHost that is not listed on the certificate.

To get around this, you create individual VirtualHost containers for those extra hostnames.

If one certificate is made out for example.tld and www.example.tld, then you would install that certificate on the VirtualHost container that lists example.tld and www.example.tld in the ServerName and ServerAlias directives.

If you have another certificate made out for mail.example.tld, then it would have to be installed in a separate VirtualHost container... one that has mail.example.tld as it's ServerName or ServerAlias. (ServerAlias is optional in a VirtualHost container, ServerName is not).
 
A pretty simple explanation for everyone. If you want to HOST content on mail.domain.com, for example, but your website here - you need to create subdomain or domain for it :) If you don't want to host your website there, HTTP protocol test is not the one you should use to check if IMAP/POP3/SMTP have a certificate. If https://mail.domain.com does not have certificate, it does not mean imap/pop3/smtp don't have it too. I hope it helps people to understand what this thread was about. Thank you.
 
I don't want to host any content on the mail.domain.com address. I just want to secure the connection of the email.
I'm at the point now, i just don't care with which certificate we're doing this. I'm working on it now for 3 days on a row, and certainly it isn't that easy. I've spoken to various people, from my hosting provider up to de helpdesk op DA, and nobody can get it working for me.

If it's that easy. Please give a noob explenation for this, because im really getting frustrated up here. :)

In my frustration, i forget about a quite important part of the story.

The websites hosted on the VPS are using hostname server.domain.com, the email uses the hostname mail.domain.com :'-)
 
tramp said:
I don't want to host any content on the mail.domain.com address. I just want to secure the connection of the email.
I'm at the point now, i just don't care with which certificate we're doing this. I'm working on it now for 3 days on a row, and certainly it isn't that easy. I've spoken to various people, from my hosting provider up to de helpdesk op DA, and nobody can get it working for me.

If it's that easy. Please give a noob explenation for this, because im really getting frustrated up here. :)

In my frustration, i forget about a quite important part of the story.

The websites hosted on the VPS are using hostname server.domain.com, the email uses the hostname mail.domain.com :'-)
Click to expand...

Did you generate mail.domain.com certificate from DirectAdmin user level? What’s the full domain name? (If you would not like to post it here - you may PM it or create a ticket). Thank you.
 
smtalk said:
A pretty simple explanation for everyone. If you want to HOST content on mail.domain.com, for example, but your website here - you need to create subdomain or domain for it :) If you don't want to host your website there, HTTP protocol test is not the one you should use to check if IMAP/POP3/SMTP have a certificate. If https://mail.domain.com does not have certificate, it does not mean imap/pop3/smtp don't have it too. I hope it helps people to understand what this thread was about. Thank you.
Click to expand...

But you can't install a secure certificate for mail.example.tld - for use in Dovecot and Exim SNI - unless mail.example.tld exists as a VirtualHost... correct?

I mean... you can't specify to install a secure certificate on a domain name unless that domain name is attached to a user... at least with the API.

Although... personally... for me I'm looking at developing my own system to handle mail.example.tld for Exim and Dovecot... since I really just plan to use Let's Encrypt certificates for this.

Doing this in Dovecot is simple enough, simply create an include file i.e. /etc/dovecot/conf.d/999-custom_sni.conf - with contents:

local_name "mail.example.tld" {
ssl_cert = </opt/extra_certificates/mail.example.tld.combined
ssl_key = </opt/extra_certificates/mail.example.tld.key
}

Exim is way more complicated (I always have trouble with their if statements), but something like: (sorry for the multi-line but I think it makes it easier to read):

Code: 
tls_certificate=${\
     if exists{\
         /etc/virtual/snidomains\
     }\
     {\
         ${\
             lookup{\
                 $tls_in_sni\
             }\
             nwildlsearch{\
                 /etc/virtual/snidomains\
             }\
             {\
                 ${\
                     if exists{\
                         /usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.cert.combined\
                     }\
                     {\
                         /usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.cert.combined\
                     }\
                     {\
                        ${\
                                if exists{\
                                        /opt/extra_certificates/$tls_in_sni.cert.combined\
                                }\
                                {\
                                        /opt/extra_certificates/$tls_in_sni.cert.combined\
                                }\
                                {\
                                        /etc/exim.cert\
                                }\
                        }\
                     }\
                 }\
             }\
             {\
                ${\
                        if exists{\
                                /opt/extra_certificates/$tls_in_sni.cert.combined\
                        }\
                        {\
                                /opt/extra_certificates/$tls_in_sni.cert.combined\
                        }\
                        {\
                                /etc/exim.cert\
                        }\
                }\
             }\
        }\
     }\
     {\
        ${\
                if exists{\
                        /opt/extra_certificates/$tls_in_sni.cert.combined\
                }\
                {\
                        /opt/extra_certificates/$tls_in_sni.cert.combined\
                }\
                {\
                        /etc/exim.cert\
                }\
        }\
     }\
}


tls_privatekey=${\
     if exists{\
         /etc/virtual/snidomains\
     }\
     {\
         ${\
             lookup{\
                 $tls_in_sni\
             }\
             nwildlsearch{\
                 /etc/virtual/snidomains\
             }\
             {\
                 ${\
                     if exists{\
                         /usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.key\
                     }\
                     {\
                         /usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.key\
                     }\
                     {\
                        ${\
                                if exists{\
                                        /opt/extra_certificates/$tls_in_sni.key\
                                }\
                                {\
                                        /opt/extra_certificates/$tls_in_sni.key\
                                }\
                                {\
                                        /etc/exim.key\
                                }\
                        }\
                     }\
                 }\
             }\
             {\
                ${\
                        if exists{\
                                /opt/extra_certificates/$tls_in_sni.key\
                        }\
                        {\
                                /opt/extra_certificates/$tls_in_sni.key\
                        }\
                        {\
                                /etc/exim.key\
                        }\
                }\
             }\
        }\
     }\
     {\
        ${\
                if exists{\
                        /opt/extra_certificates/$tls_in_sni.key\
                }\
                {\
                        /opt/extra_certificates/$tls_in_sni.key\
                }\
                {\
                        /etc/exim.key\
                }\
        }\
     }\
}

You can add this exim code into /etc/exim.variables.conf replacing the current tls_certificate and tls_privatekey and you probably have to convert it into a single line (?), but it should work. At least assuming I've got the convoluted nested if's set correctly.

This way I can put extra - non-DirectAdmin created - Let's Encrypt certificates (or any certificate for that matter) in /opt/extra_certificates and Dovecot and Exim will be able to pick up on them. This negates the need for mail.example.tld to exist as a VirtualHost but still allows SNI to be used for Exim and Dovecot.

Maybe this post will be useful to someone?
 
When you use a other certificate then LetsEncrypt you have to register the subdomain seperatly in directadmin.

For clearence:

I use example.com as website.
I use server.example.com:2222 as directadmin adres.
I use mail.example.com as mailserver.

To make everything work, register example.com as domain in directadmin, and register mail.example.com as domain aswell!
so not as subdomain

Paste the generated keys in the right place (there are many how-to's online)
And make sure that you copy the certificates in full :)

Thanks for helping out smtalk!
 
Last edited:
sparek said:
But you can't install a secure certificate for mail.example.tld - for use in Dovecot and Exim SNI - unless mail.example.tld exists as a VirtualHost... correct?

I mean... you can't specify to install a secure certificate on a domain name unless that domain name is attached to a user... at least with the API.

Although... personally... for me I'm looking at developing my own system to handle mail.example.tld for Exim and Dovecot... since I really just plan to use Let's Encrypt certificates for this.

Doing this in Dovecot is simple enough, simply create an include file i.e. /etc/dovecot/conf.d/999-custom_sni.conf - with contents:

local_name "mail.example.tld" {
ssl_cert = </opt/extra_certificates/mail.example.tld.combined
ssl_key = </opt/extra_certificates/mail.example.tld.key
}

Exim is way more complicated (I always have trouble with their if statements), but something like: (sorry for the multi-line but I think it makes it easier to read):

Code: 
tls_certificate=${\
     if exists{\
         /etc/virtual/snidomains\
     }\
     {\
         ${\
             lookup{\
                 $tls_in_sni\
             }\
             nwildlsearch{\
                 /etc/virtual/snidomains\
             }\
             {\
                 ${\
                     if exists{\
                         /usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.cert.combined\
                     }\
                     {\
                         /usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.cert.combined\
                     }\
                     {\
                        ${\
                                if exists{\
                                        /opt/extra_certificates/$tls_in_sni.cert.combined\
                                }\
                                {\
                                        /opt/extra_certificates/$tls_in_sni.cert.combined\
                                }\
                                {\
                                        /etc/exim.cert\
                                }\
                        }\
                     }\
                 }\
             }\
             {\
                ${\
                        if exists{\
                                /opt/extra_certificates/$tls_in_sni.cert.combined\
                        }\
                        {\
                                /opt/extra_certificates/$tls_in_sni.cert.combined\
                        }\
                        {\
                                /etc/exim.cert\
                        }\
                }\
             }\
        }\
     }\
     {\
        ${\
                if exists{\
                        /opt/extra_certificates/$tls_in_sni.cert.combined\
                }\
                {\
                        /opt/extra_certificates/$tls_in_sni.cert.combined\
                }\
                {\
                        /etc/exim.cert\
                }\
        }\
     }\
}


tls_privatekey=${\
     if exists{\
         /etc/virtual/snidomains\
     }\
     {\
         ${\
             lookup{\
                 $tls_in_sni\
             }\
             nwildlsearch{\
                 /etc/virtual/snidomains\
             }\
             {\
                 ${\
                     if exists{\
                         /usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.key\
                     }\
                     {\
                         /usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.key\
                     }\
                     {\
                        ${\
                                if exists{\
                                        /opt/extra_certificates/$tls_in_sni.key\
                                }\
                                {\
                                        /opt/extra_certificates/$tls_in_sni.key\
                                }\
                                {\
                                        /etc/exim.key\
                                }\
                        }\
                     }\
                 }\
             }\
             {\
                ${\
                        if exists{\
                                /opt/extra_certificates/$tls_in_sni.key\
                        }\
                        {\
                                /opt/extra_certificates/$tls_in_sni.key\
                        }\
                        {\
                                /etc/exim.key\
                        }\
                }\
             }\
        }\
     }\
     {\
        ${\
                if exists{\
                        /opt/extra_certificates/$tls_in_sni.key\
                }\
                {\
                        /opt/extra_certificates/$tls_in_sni.key\
                }\
                {\
                        /etc/exim.key\
                }\
        }\
     }\
}

You can add this exim code into /etc/exim.variables.conf replacing the current tls_certificate and tls_privatekey and you probably have to convert it into a single line (?), but it should work. At least assuming I've got the convoluted nested if's set correctly.

This way I can put extra - non-DirectAdmin created - Let's Encrypt certificates (or any certificate for that matter) in /opt/extra_certificates and Dovecot and Exim will be able to pick up on them. This negates the need for mail.example.tld to exist as a VirtualHost but still allows SNI to be used for Exim and Dovecot.

Maybe this post will be useful to someone?
Click to expand...

Incorrect :) mail.domain.com is not needed to exist as vhost at all, to have the cert generated for it. dovecot/exim configs work automatically for that. Do you have any issues with it?
 
Well, it really doesn't matter if it's set up as a subdomain or as a domain... the end result is the same... a VirtualHost container for ServerName mail.example.tld gets created.

That is ultimately what has to happen in order to install a secure certificate in Apache.

The greater question might be... why can't you just upload a certificate and private key and add those directly to the SNI certificate pools for Exim and Dovecot? Because... in this scenario, I don't think you really care if mail.example.tld is accessible via Apache or not. But since secure certificates are most commonly associated with a web server, most control panel require setting up a secure VirtualHost entry in Apache (or whatever web server you are using) and then Dovecot (or whatever POP3/IMAP service you are using) and Exim (or whatever MTA you are using) leeches off of that certificate information.
 
sparek said:
Well, it really doesn't matter if it's set up as a subdomain or as a domain... the end result is the same... a VirtualHost container for ServerName mail.example.tld gets created.
Click to expand...

If you want a certificate for IMAP/POP3/SMTP, domain doesn't need to be created as a subdomain or domain. You just go to SSL management of domain.com, select mail.domain.com for Let's Encrypt and click generate. It should work out of the box.
 
I've been a bit late with a reply, but i'm glad to say @smtalk helped me out the same day!
We had to put in the certificates in the right way and reboot the system.
 
You must log in or register to reply here.
Back
Top