Additional host names for certs provided by dovecot / exim

Arek
New member
Joined: Apr 8, 2025
Messages: 2
Hello.

New to DA.

I have a domain, example.com, and dovecot is serving letsencrypt obtained certificates like:

# cat /etc/dovecot/conf/sni/example.com.conf
local_name "example.com www.example.com" {
ssl_cert = </usr/local/directadmin/data/users/test/domains/example.com.cert.combined
ssl_key = </usr/local/directadmin/data/users/test/domains/example.com.key
}

I would like to add pop, pop3, imap, smtp there, too. And also make DA letsencrypt script handle these.

The first idea was to add:

# grep letsencrypt_ /usr/local/directadmin/conf/directadmin.conf
letsencrypt_list=www:mail:ftp:pop:pop3:imap:smtp
letsencrypt_list_selected=www:mail:ftp:pop:pop3:imap:smtp

and regenerate the cert

/usr/local/directadmin/scripts/letsencrypt.sh renew example.com

but no, that only renewed the cert with example.com and www.example.com in it.

Then maybe explicitly generate a cert for the new hostnames only:

/usr/local/directadmin/scripts/letsencrypt.sh renew pop3.example.com,imap.example.com,smtp.example.com

which did create a new cert with these names (the A records exist, so validation can succeed), but these weren't added to the /etc/dovecot/conf/sni/* files.


How can I make DA add these new hosts to /etc/dovecot/conf/sni/* and also renew all existing and future certs so they contain the pop, pop3, imap and smtp hostnames, too? Preferably a cmdline solution.

Manually generate certs via /usr/local/directadmin/scripts/letsencrypt.sh and manually add entries to /etc/dovecot/conf/sni/? (Won't DA overwrite these somehow later?)


For exim it looks like /etc/virtual/snidomains needs to be updated with pop3/imap/smtp, and the existence of the cert file will be enough:
tls_certificate=${if exists{/etc/virtual/snidomains}{${lookup{$tls_in_sni}nwildlsearch{/etc/virtual/snidomains}{${if exists{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.cert.combined}{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.cert.combined}{/etc/exim.cert}}}{/etc/exim.cert}}}{/etc/exim.cert}}
but again, won't DA overwrite my manual edits?

Thanks.
 
but no, that only renewed the cert with example.com and www.example.com in it.

Hello,

If you need a certificate to include new names, you should use the DirectAdmin interface and request a new certificate. You can not use renewal for it here.

In order to get the SNI files updated, you will still need to use the DirectAdmin interface; the SNI files do not get updated when using the CLI.
 
In order to get the SNI files updated, you will still need to use the DirectAdmin interface; the SNI files do not get updated when using the CLI.

Thanks.

Which action from the web UI regenerates (hopefully all, dovecot + /etc/virtual/snidomains) SNI files?

And what does it use as the source to regenerate these files? The certificates' CN + altnames? I.e. does it read what's in all customer certs and then put the appropriate entries into dovecot's ../sni/* and into snidomains?

(trying to avoid having to click hundreds of domains in UI)
 
Which action from the web UI regenerates (hopefully all, dovecot + /etc/virtual/snidomains) SNI files?

You should request a new certificate from Letsencrypt/ZeroSSL on a DirectAdmin page.

The certificates' CN + altnames?

Yes, a domain + SANs

(trying to avoid having to click hundreds of domains in UI)

Then write a custom script to populate the /etc/virtual/snidomains file with all SANs, request a KEY/CERTIFICATE from the CLI, and then run as root:

Code:
echo "action=rewrite&value=mail_sni" >> /usr/local/directadmin/data/task.queue; /usr/local/directadmin/dataskq;
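As an added example (not from this thread and not DirectAdmin's own code), a POSIX shell sketch of the custom script suggested above: it reads the SANs from a user's combined certificate, appends `host:user:domain` lines to /etc/virtual/snidomains without duplicating hosts already listed, and queues the mail_sni rewrite. The line format is an assumption derived from the exim lookup quoted earlier (the lsearch key is the SNI host, the value is `user:domain`); `openssl x509 -ext` needs OpenSSL 1.1.1 or newer, and all function names are mine.

```shell
#!/bin/sh
# Populate /etc/virtual/snidomains from the SANs of a DirectAdmin user's
# combined certificate, then ask dataskq to rewrite the mail SNI files.
# Assumed line format (from the exim lookup):  host:user:domain

# Turn a SAN list such as "DNS:a.example, DNS:b.example, IP Address:..."
# into one hostname per line; non-DNS entries are dropped.
san_hosts() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p' \
        | sed 's/[[:space:]]*$//'
}

# Emit one snidomains line per SAN hostname for this user/domain.
sni_lines() {
    user=$1; domain=$2; sans=$3
    san_hosts "$sans" | while IFS= read -r host; do
        [ -n "$host" ] || continue
        printf '%s:%s:%s\n' "$host" "$user" "$domain"
    done
}

# Read the SAN extension of a PEM certificate as a single line.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName | sed '1d' | tr -d '\n'
}

# Append lines from stdin to the snidomains file, skipping any host
# (first colon-separated field) that is already present.
merge_sni() {
    file=$1
    [ -f "$file" ] || : > "$file"
    while IFS= read -r line; do
        key=${line%%:*}
        if ! awk -F: -v k="$key" '$1 == k { found = 1 } END { exit !found }' "$file"; then
            printf '%s\n' "$line" >> "$file"
        fi
    done
}

# Full run for one user/domain, as root, after the CLI certificate request.
publish_sni_entries() {
    user=$1; domain=$2
    cert=/usr/local/directadmin/data/users/$user/domains/$domain.cert.combined
    sni_lines "$user" "$domain" "$(cert_sans "$cert")" | merge_sni /etc/virtual/snidomains
    # The rewrite command from the reply above.
    echo "action=rewrite&value=mail_sni" >> /usr/local/directadmin/data/task.queue
    /usr/local/directadmin/dataskq
}
```

Call `publish_sni_entries test example.com` for each user/domain pair; the awk key match is exact, so `mail.example.com` does not shadow `example.com`.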
 