Solved DANE - SSL certificates not on name when requesting SSL on alias

patrickkasie (Verified User; joined Sep 21, 2021; 241 messages; location: A real Dutchman)
Dear DirectAdmin forum,

ChatGPT analysis between both servers at the end

When requesting an SSL for a domain pointer or alias, the mail.sbpg.nl in this example does not use its own certificate, but rather the general certificate from vps01.jk.nl. This is a problem, because this is not allowed when using DANE. This does not go for www.sbpg.nl and sbpg.nl and is exclusive to mail.sbpg.nl. This goes for every CentOS 7 server (vps01.jk.nl, which is an old one but still receives DA updates; vps06.jk.nl, same thing).

This does not apply when using DANE on newer servers that use AlmaLinux. For example, vps24.jk.nl does not have this problem. Even though DA doesn't properly update its GUI on those older servers, as I will show in screenshots, shouldn't the SSL certificate requests at least push through as they do on the newer servers?

I did switch DNS records at the appropriate times.

vps01.jk.nl: lego 4.17.4-SNAPSHOT-8164e09c, CentOS 7

vps24.jk.nl: lego 4.17.4-SNAPSHOT-8164e09c, AlmaLinux 9



Conversation with ChatGPT:

(...)

What about my issue with the mail.sbpg.nl?

ChatGPT said:


For mail.sbpg.nl, the issue is likely caused by differences in how the VirtualHost configurations are set up for the domain. Let’s analyze the details and resolve it.


Observations from the Configurations​

  1. VirtualHost Specificity
    • Neither vps24.txt nor vps01.txt contains a dedicated VirtualHost for mail.sbpg.nl.
    • This means mail.sbpg.nl is likely being served by the default VirtualHost configuration or falling back to www.sbpg.nl or www.patrickkas.nl.
  2. Certificate Configuration
    • Both configurations use the same certificate for patrickkas.nl and sbpg.nl, pointing to:
      SSLCertificateFile /usr/local/directadmin/data/users/patrickkas/domains/patrickkas.nl.cert.combined
      SSLCertificateKeyFile /usr/local/directadmin/data/users/patrickkas/domains/patrickkas.nl.key
    • This shared certificate must explicitly include mail.sbpg.nl in its Subject Alternative Names (SANs). If mail.sbpg.nl is not listed, SSL verification will fail.



(...)

Then why is it working when I'm using vps24 but not when I'm using vps01, even though they use the same certificate files? I made sure to switch between both servers as I was testing them with internet.nl respectively.

ChatGPT said:


The issue lies in the environment differences between vps24 and vps01, even though they use the same certificate files. Here’s why this discrepancy can occur:


Key Differences Impacting Functionality

  1. Apache Configuration
    • vps24:
      • The configuration seems to correctly handle mail.sbpg.nl, possibly because:
        • Apache defaults or fallback VirtualHost handling works correctly.
        • The ServerName or ServerAlias in vps24's VirtualHosts matches the request for mail.sbpg.nl.
    • vps01:
      • The VirtualHost fallback might not correctly match mail.sbpg.nl.
      • The request might be routed to a default VirtualHost that doesn’t match the certificate or domain.

  2. DirectAdmin Hostname
    • DirectAdmin assigns a primary hostname to each server (e.g., hostname.vps24 or hostname.vps01).
    • If vps24 is configured with a hostname included in the certificate SANs (e.g., mail.sbpg.nl), the mail subdomain will work correctly.
    • If vps01 uses a hostname not covered by the certificate SANs, the server will default to the incorrect hostname, causing SSL mismatches.

  3. SSL Protocol Handling
    • vps24:
      • Likely has the SSL configuration correctly aligned with mail.sbpg.nl due to proper inclusion in the Apache VirtualHost or the fallback VirtualHost handling.
    • vps01:
      • Apache may be prioritizing the default VirtualHost, which doesn’t match mail.sbpg.nl, resulting in mismatched certificates.

(...)
 

Attachments: chrome_yULqwZEHfH.png, chrome_pbJf7IObdE.png
For instance, mail.sbpg.nl does not seem to have any Apache-related setting as far as I can see, as it goes (for the webserver side) to the /var/www/html directory (hence showing the "Apache is functioning normally" page) if the subdomain does not exist for that domain, so it is only used for email and not as a website subdomain. But as it is an email check on internet.nl, why should it be an issue on the webserver, I wonder?

If you need any further help/feedback, our office is in Alkmaar too (I know Robbert, I am the neighbour of Simply). Say hi from Sjoerd; he will probably know that it is me ;)
 
the mail.sbpg.nl in this example does not use its own certificate


Hello,

DirectAdmin does not create virtual hosts for mail.domain.nl, hence no valid certificate can be found here by default. The mail.domain.nl is designed to be used over POP, IMAP, SMTP only, not web. If you need another behaviour, then it should be added into virtual hosts either through the DirectAdmin interface (one per user/domain) or using templates.

More results from Google: https://www.google.com/search?q=site:directadmin.com+mail.|DOMAIN| on the same topic.
 
Dear DA forum,

I do understand that e-mail is designed not to be used by a browser. I absolutely understand that.

Yet, why do 2 completely separate servers with the same setup, with the exception of the OS, have 2 wildly differing results? The mail.domain aliases for vps01.jk.nl do NOT produce their own certificate, but the mail.domain aliases for vps24.jk.nl DO, and it actually shows on the results from internet.nl. Please refer to my first message.

Thank you for the clarification, but it seems as if the question has been interpreted incorrectly, or that I've asked it incorrectly. Either way, DANE works for mail.domain.nl on VPS24 for domain aliases but not for VPS01 domain aliases and it's that difference that I'm trying to find out so that we may pass DANE records tests on VPS01 as well.
 
The mail.domain aliases for vps01.jk.nl do NOT produce their own certificate, but the mail.domain aliases for vps24.jk.nl DO, and it actually shows on the results from internet.nl.

I've got servers with CentOS 7 as well as AlmaLinux 8, and none of them attaches mail.domain.com aliases to a hostname, and none of them creates a separate certificate for mail.domain.com by default. We used a custom script to attach mail.domain.com as an alias to a hostname as well as to add mail.domain.com as a SAN to a certificate for a hostname. But it was done by a custom script. DirectAdmin does not offer anything of the kind; it uses the SNI model for Dovecot and Exim. Thus if you see different behaviour on your servers, it should be investigated from inside, i.e. somebody will need to connect to your server and see how and why they behave differently.

Please refer to my first message.

For me, the initial message contains too much information, which probably misled. I see you've got an issue, but I believe you are troubleshooting it wrong, and all the collected information (whether it is correct or not) is too much to take in. That's why you've got so few reactions here.
 
I see. Thank you for your response. I think that the party who we hire our VPS-es from created an AlmaLinux image that actually took care of this. This solves this issue.

May I ask what script you have been using to achieve this?
 
May I ask what script you have been using to achieve this?

I don't have a copy of it. It was specially written for a customer of mine, and I never needed it for my own. There is nothing special in the script, all it does is:

1. collect a list of hosted domains from the file `/etc/virtual/domainowners`
2. request a new certificate for the hostname with the updated list of SANs

That's it.

I post some scripts either on the forums or here: https://github.com/poralix/directadmin-utils
If you want and have spare time, you might search the forums.
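An added example of the two steps described above, written for this thread and not the custom script the poster mentions (he says he no longer has a copy). It assumes the DirectAdmin `domain: user` format of `/etc/virtual/domainowners`, an OpenSSL new enough for `req -addext` (1.1.1 or later), and that the resulting CSR is handed to the server's ACME client (lego on these servers) by the operator; the hostname and the domainowners content below are constructed sample values. The last function is the check worth keeping around: it confirms a CSR (or, with `openssl x509` in place of `openssl req`, an issued certificate) really lists `mail.<domain>` in its SANs, which is the name the DANE test on internet.nl needs to find covered.

```shell
#!/bin/sh
# Added example, not the thread's own script. Reads hosted domains from a
# DirectAdmin-style domainowners file and builds a CSR for the server
# hostname whose SANs cover mail.<domain> for each hosted domain.
# Assumptions: "domain: user" file format, OpenSSL >= 1.1.1 for -addext,
# sample hostname and file contents are constructed.

# Print the SAN list: the hostname itself, then mail.<domain> for every
# hosted domain, sorted and deduplicated, in the format -addext expects.
build_san_list() {
    host="$1"
    file="$2"
    awk -F': *' '/^[^#]/ && NF >= 2 { print "mail." $1 }' "$file" \
        | sort -u \
        | awk -v h="$host" 'BEGIN { printf "DNS:%s", h }
                                  { printf ",DNS:%s", $0 }
                              END { print "" }'
}

# Generate a fresh key and a CSR for the hostname carrying that SAN list.
make_csr() {
    host="$1"
    san="$2"
    out="$3"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$out.key" -out "$out.csr" \
        -subj "/CN=$host" \
        -addext "subjectAltName=$san"
}

# Check that a CSR really lists a given name in its SANs. The same pipeline
# with "openssl x509 -in cert.pem" checks the issued certificate; a name
# missing here is exactly what makes the DANE check fail for mail.<domain>.
csr_covers_name() {
    openssl req -in "$1" -noout -text \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qx "DNS:$2"
}

# Constructed sample domainowners file (stands in for /etc/virtual/domainowners).
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
SAMPLE_DOMAINOWNERS="$WORKDIR/domainowners"
cat > "$SAMPLE_DOMAINOWNERS" <<'EOF'
# constructed sample, DirectAdmin "domain: user" format
patrickkas.nl: patrickkas
sbpg.nl: patrickkas
example.net: someuser
EOF

HOST_FQDN="vps01.jk.nl"   # constructed sample hostname
SAN_LIST="$(build_san_list "$HOST_FQDN" "$SAMPLE_DOMAINOWNERS")"
echo "SAN list for $HOST_FQDN: $SAN_LIST"

# The CSR step only runs where openssl is installed; key and CSR land in
# $WORKDIR and would normally be handed to the ACME client from there.
if command -v openssl >/dev/null 2>&1; then
    if make_csr "$HOST_FQDN" "$SAN_LIST" "$WORKDIR/$HOST_FQDN" >/dev/null 2>&1 \
        && csr_covers_name "$WORKDIR/$HOST_FQDN.csr" "mail.sbpg.nl"; then
        echo "CSR covers mail.sbpg.nl"
    else
        echo "CSR generation or SAN check failed (openssl too old for -addext?)"
    fi
fi
```

Run it as root on the server with the real file path in place of the sample and the server's FQDN in `HOST_FQDN`; the SAN list it prints is also a quick way to see which `mail.<domain>` names a hostname certificate would have to carry before requesting it.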
 