Adding domains to server SSL

117434 (Verified User, joined Nov 4, 2022, 15 messages)
The question I have is simple. Am I correct in the following reasoning and action?

For a couple of years I have been fighting a certificate error when using TLS to connect to my mail server: "Valid, not for domain." I think I have identified the problem but want to run it by someone with more experience.

All the sites are using HTTPS for web content.

I have a server-wide Let's Encrypt certificate for server.mydomain.com but I never added the additional domains as referenced in this article: https://docs.directadmin.com/webservices/ssl/service-ssls-and-le.html

I verified that by going to: https://server.mydomain.com:PORT/evo/admin/server-tls/acme

If I add each domain on the server in the section labeled "Adding more domains to the server certificate", all my email connection and SSL problems should go away.
 
I have a server wide lets Encrypt certificate for server.mydomain.com
Then this is only for the hostname server.mydomain.com and not valid for domain.com, so it won't work for domain.com or mail.domain.com, of course.

If I add each domain on the server in the section labeled
Why not have each domain automatically create an SSL certificate for the domain? That is the correct way to go with this.
A lot of it can also be read here: https://docs.directadmin.com/webser...pt-for-domains.html#let-s-encrypt-for-domains

Valid, not for domain.
You might be running into the same issue as a colleague had.
Exactly -where- and -what- are you testing? It will never be valid if you test with "mail.domain.com" on the normal test sites, for example, because the certificate is created for domain.com. If you use either mail.domain.com or a wildcard certificate for the domain, the TLS will be valid, but it won't show up if you enter the name mail.domain.com at ssllabs, for example.
The reason for this is that test sites like ssllabs are created to check websites, not mail, which is why they don't test a mail domain.
Explanation you can find here: https://forum.directadmin.com/threa...ng-correct-ssl-letsencrypt.67503/#post-356372

If you want to check whether your mail domain has a valid certificate, check with https://crt.sh and enter your domain name; you will see all certificates that were issued, including the one for mail.

If you want to check whether your mail certificate is valid, check here:

or here:
but in this case, click "more options" first and be sure "Send SNI" is ticked.
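To make the two points in this thread concrete (a certificate for server.mydomain.com or domain.com does not cover mail.domain.com, and a mail certificate must be tested with SNI on the mail port rather than through a web tester), here is an added example that is not part of the thread and not DirectAdmin's code. The SAN lists at the top are constructed to stand in for the certificates being discussed; the function names and the use of port 587 with STARTTLS and port 993 for IMAPS are my own assumptions about a typical setup.

```python
"""Which hostnames does a certificate cover, and does the mail server's
certificate actually verify for the name a mail client connects to?
Added example for this thread; not the thread's or DirectAdmin's code."""
import imaplib
import smtplib
import ssl


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match of one SAN dNSName against a hostname.
    A wildcard is honoured only as the entire leftmost label, and it never
    matches the bare parent domain or more than one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # reject "*", "*.com", "mail*.domain.com" and label-count mismatches
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def covered_by(san_names, hostname):
    """Return the SAN entry that covers hostname, or None if the certificate
    would be reported as 'valid, not for domain' for that name."""
    for name in san_names:
        if hostname_matches(name, hostname):
            return name
    return None


# Constructed SAN lists standing in for the certificates in the thread.
SERVER_ONLY_CERT = ["server.mydomain.com"]          # hostname cert only
DOMAIN_CERT = ["domain.com", "www.domain.com"]       # per-domain web cert
WILDCARD_CERT = ["domain.com", "*.domain.com"]       # wildcard cert


def _dns_sans(cert: dict):
    """Pull the DNS names out of the dict returned by getpeercert()."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def check_smtp_starttls(host: str, port: int = 587, timeout: float = 10):
    """Connect like a mail client: EHLO, STARTTLS, SNI = host, then verify the
    chain and the hostname. Returns (ok, detail). Network is only touched
    when this is called; the hostname logic above runs offline."""
    ctx = ssl.create_default_context()  # chain + hostname verification on
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            smtp.starttls(context=ctx)  # smtplib sends SNI for `host`
            return True, f"valid for {host}; SAN={_dns_sans(smtp.sock.getpeercert())}"
    except ssl.SSLCertVerificationError as e:
        return False, f"certificate rejected for {host}: {e.reason}"
    except (OSError, smtplib.SMTPException) as e:
        return False, f"connection failed: {e}"


def check_imaps(host: str, port: int = 993, timeout: float = 10):
    """Same check over implicit-TLS IMAP (SNI = host)."""
    ctx = ssl.create_default_context()
    try:
        conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx, timeout=timeout)
        try:
            return True, f"valid for {host}; SAN={_dns_sans(conn.sock.getpeercert())}"
        finally:
            conn.logout()
    except ssl.SSLCertVerificationError as e:
        return False, f"certificate rejected for {host}: {e.reason}"
    except (OSError, imaplib.IMAP4.error) as e:
        return False, f"connection failed: {e}"


if __name__ == "__main__":
    for label, sans in (("server-only", SERVER_ONLY_CERT),
                        ("domain", DOMAIN_CERT), ("wildcard", WILDCARD_CERT)):
        print(f"{label:12} covers mail.domain.com via: {covered_by(sans, 'mail.domain.com')}")
    # Against a real server (replace the name):
    # print(check_smtp_starttls("mail.domain.com"))
    # print(check_imaps("mail.domain.com"))
```

Running the offline part shows the thread's diagnosis directly: neither the server-only certificate nor the plain domain certificate covers mail.domain.com, while the wildcard does (and a wildcard still does not cover domain.com itself or a.b.domain.com). The live checks do what a mail client does and what a web-oriented tester does not: they speak SMTP or IMAP on the mail port and send SNI for the name you connected to, so a "valid, not for domain" certificate surfaces as an SSLCertVerificationError. The same check from the command line, with SNI, is `openssl s_client -connect mail.domain.com:587 -starttls smtp -servername mail.domain.com`.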
 