Enable SSL on mail.domain.com

epsilon4 (Verified User, joined Jul 6, 2019, 25 messages)
Hello there,

Actually I am testing DA, in order to migrate my servers from another control panel.

I have followed all the tutorials, but I can't enable SSL on the mail subdomain.

I installed LetsEncrypt, and the hostname works well. Also www.domain.com and domain.com have SSL installed. And I created the wordpress.domain.com subdomain and reissued the SSL, and it works fine too!

But the moment I clicked the mail, pop, smtp, imap and webmail options and reissued the SSL, when I try in Chrome, the "https" appears in red.

It also says "the ssl for mail.domain.com is incorrect, and the issuer is hostname.domain.com".

The result of /usr/local/directadmin/directadmin c | grep sni is:

enable_ssl_sni=1
mail_sni=1

And /usr/local/directadmin/directadmin c | grep letsencrypt is:

letsencrypt=1
letsencrypt_renewal_days=60
letsencrypt_renewal_failure_notice_after_attempt=5
letsencrypt_disable_renew_after_renew_failure=0
letsencrypt_max_requests_per_week=100
letsencrypt_multidomain_cert=2
letsencrypt_renewal_success_notice=0
letsencrypt_renewal_notice_to_admins=1
letsencrypt_renewal_error_to_users=1
renew_letsencrypt_on_suspended_domain=0
letsencrypt_account_email=0
letsencrypt_list=www:mail:ftp:pop:smtp
letsencrypt_list_selected=www

Any idea about how to fix this?

Thanks! :)
 
Did your backup come from cPanel? Or are you testing on a blank or new account?

Does DNS resolve out to mail.domain.com?

Did you follow this first?
https://help.directadmin.com/item.php?id=648

Looks like you did.

Try only clicking mail, then do it.

If pop, smtp, imap and webmail aren't resolving, leave them off. Sometimes it just gives up if one errors.
 
I often find LetsEncrypt works best when you pick the least amount of names you need.

I only do 'mail' instead of imap/pop/smtp/etc, for example, and with fewer names it seems to have fewer issues and hits the limit less frequently.
 
Did your backup come from cPanel? Or are you testing on a blank or new account?

Does DNS resolve out to mail.domain.com?

Did you follow this first?
https://help.directadmin.com/item.php?id=648

Looks like you did.

Try only clicking mail, then do it.

If pop, smtp, imap and webmail aren't resolving, leave them off. Sometimes it just gives up if one errors.

Hello,

First of all, it is a fresh install. I had migrated some cPanel backups, but just for testing and learning. Later I deleted the OS and reinstalled CentOS 7 and DA. I created 2 nameservers and pointed this domain (the one I have problems with on the mail subdomain) to them.

All subdomains resolve well, but with mail, pop, smtp and imap the SSL appears in red.

I followed the steps from that tutorial, and activated the options letsencrypt, enable_ssl_sni and mail_sni.

I often find LetsEncrypt works best when you pick the least amount of names you need.

I only do 'mail' instead of imap/pop/smtp/etc, for example, and with fewer names it seems to have fewer issues and hits the limit less frequently.

Yes, I will use only the 'mail' subdomain, because my current customers use it in their Outlook configuration. But I mentioned that all those subdomains have no SSL just to give you more information about the problem.
 
You also may need to set up your list in this feature.
https://www.directadmin.com/features.php?id=1851

Code:
letsencrypt_list=www:mail:ftp:pop:smtp:webmail
letsencrypt_list_selected=www:webmail:mail

Yes, I have added that option too. But the problem remains. What I don't understand is that when I add another subdomain, for example sub1.domain.com or sub2.domain.com, and issue the SSL, those subdomains work! But the mail one is still not working.
 
migrated some cPanel backups,

Inside public_html or any of the subdomains, do you see .well-known folders? Delete them. See here: https://forum.directadmin.com/showthread.php?t=58059&p=297126#post297126

When the cPanel-to-DA backup migrator creates Domain Pointers in DA, you have to go to the User side and delete them: Account Manager -> Domain Pointer, select them all and click delete.

We need to let smtalk know. I will cross-post.
 
Inside public_html or any of the subdomains, do you see .well-known folders? Delete them. See here: https://forum.directadmin.com/showthread.php?t=58059&p=297126#post297126

When the cPanel-to-DA backup migrator creates Domain Pointers in DA, you have to go to the User side and delete them: Account Manager -> Domain Pointer, select them all and click delete.

We need to let smtalk know. I will cross-post.

Thanks again. I checked for the .well-known directory, and I could not find it. But I followed the tutorial and created a test.txt, and when I go to http://domain.com/.well-known/acme-challenge/test.txt I see the file in Chrome.

Also, when I install the LetsEncrypt SSL the log shows this:

Code:
Requesting new certificate order...
Processing authorization for mail.domain.com...
Challenge is valid.
Processing authorization for domain.com...
Challenge is valid.
Processing authorization for www.domain.com...
Challenge is valid.
Generating 4096 bit RSA key for domain.com...
openssl genrsa 4096 > "/usr/local/directadmin/data/users/domain/domains/domain.com.key.new"
Generating RSA private key, 4096 bit long modulus
...............................++
..............................................................................++
e is 65537 (0x10001)
Checking Certificate Private key match... Match!
Certificate for domain.com has been created successfully!

Let's see what smtalk thinks about this; maybe he can help us.
 
Make sure you have rewritten the dovecot/exim config files, as explained by directadmin: https://www.directadmin.com/features.php?id=2019

If you follow these steps correctly it should work correctly (we have it working on dozens of servers).

Thank you for the info. I have followed the steps of this tutorial, and the problem is still there.

My /etc/dovecot/conf/sni contents:

Code:
local_name mail.domain.com {
  ssl_cert = </usr/local/directadmin/data/users/domain/domains/domain.com.cert.combined
  ssl_key = </usr/local/directadmin/data/users/domain/domains/domain.com.key
}
local_name domain.com {
  ssl_cert = </usr/local/directadmin/data/users/domain/domains/domain.com.cert.combined
  ssl_key = </usr/local/directadmin/data/users/domain/domains/domain.com.key
}
local_name www.domain.com {
  ssl_cert = </usr/local/directadmin/data/users/domain/domains/domain.com.cert.combined
  ssl_key = </usr/local/directadmin/data/users/domain/domains/domain.com.key
}

And /etc/virtual/snidomains:

Code:
mail.domain.com:domain:domain.com
domain.com:domain:domain.com
www.domain.com:domain:domain.com

Thanks.
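A small consistency check for the two files quoted above, as an added example that is not part of this post or of DirectAdmin's own tooling: it parses the dovecot SNI blocks and the snidomains entries (a constructed sample modelled on the quoted ones), flags names that one file lists but the other cannot serve or that point at another user's certificate files, and live_check connects with SNI to an implicit-TLS port with default verification so the certificate presented on 443 can be compared with the one on 993 for the same name. The file formats and the path layout under /usr/local/directadmin/data/users are assumed from the post.

```python
import re
import socket
import ssl
# Constructed sample input, modelled on the two files quoted in the post above.
SAMPLE_DOVECOT_SNI = """\
local_name mail.domain.com {
  ssl_cert = </usr/local/directadmin/data/users/domain/domains/domain.com.cert.combined
  ssl_key = </usr/local/directadmin/data/users/domain/domains/domain.com.key
}
local_name domain.com {
  ssl_cert = </usr/local/directadmin/data/users/domain/domains/domain.com.cert.combined
  ssl_key = </usr/local/directadmin/data/users/domain/domains/domain.com.key
}
"""
SAMPLE_SNIDOMAINS = "mail.domain.com:domain:domain.com\ndomain.com:domain:domain.com\n"
BLOCK = re.compile(r"local_name\s+(\S+)\s*\{(.*?)\}", re.S)
PATH = re.compile(r"(ssl_cert|ssl_key)\s*=\s*<(\S+)")

def parse_dovecot_sni(text):
    """local_name -> {'ssl_cert': path, 'ssl_key': path} from /etc/dovecot/conf/sni."""
    return {name: dict(PATH.findall(body)) for name, body in BLOCK.findall(text)}

def parse_snidomains(text):
    """name -> (user, domain) from /etc/virtual/snidomains lines 'name:user:domain'."""
    rows = (l.strip().split(":", 2) for l in text.splitlines() if l.strip())
    return {name: (user, domain) for name, user, domain in rows}

def find_problems(dovecot, snidomains):
    """SNI names with no dovecot block, or whose cert/key paths belong to another user/domain."""
    problems = []
    for name, (user, domain) in snidomains.items():
        prefix = f"/usr/local/directadmin/data/users/{user}/domains/{domain}."
        if name not in dovecot:
            problems.append(f"{name}: in snidomains but no local_name block in dovecot sni")
        elif not all(dovecot[name].get(k, "").startswith(prefix) for k in ("ssl_cert", "ssl_key")):
            problems.append(f"{name}: cert/key paths are not {user}'s files for {domain}")
    problems += [f"{n}: dovecot block has no snidomains entry" for n in dovecot if n not in snidomains]
    return problems

def live_check(host, port, timeout=5):
    """Connect with SNI=host on an implicit-TLS port (443, 993, 995, 465) and default verification."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok: " + tls.version()
    except ssl.SSLCertVerificationError as e:
        return "verify failed: " + e.verify_message
    except OSError as e:
        return "connect failed: " + str(e)
```

Running live_check("mail.domain.com", 443) next to live_check("mail.domain.com", 993) against a real server makes the symptom in this thread visible: IMAPS answers with the domain's certificate while HTTPS still presents the hostname's.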
 
Hello,

The support team sent me the solution. The SNI SSL is installed on IMAP, POP and SMTP, so if you need to use it on HTTP, you must create the subdomain first, and then reissue the SSL.

Regards.
 
I am having the same issue. What do you mean by create the subdomain first? mail.domain.com is the webmail URL. So how can I create it first?
 
I have them already. I created a real subdomain with the same name as the webmail mail.domain.com, and this time the SSL error is gone. But I cannot go to Roundcube this time.
 
I have them already. I created a real subdomain with the same name as the webmail mail.domain.com, and this time the SSL error is gone. But I cannot go to Roundcube this time.
Because the real subdomain has its own virtual host, you can add a redirect to the .htaccess inside it.
 
I did so. So the result is, it is not possible to use mail.domain.com as the webmail URL for SSL-enabled users (without redirecting it to hostname.server.com)?
 
Hello,

The support team sent me the solution. The SNI SSL is installed on IMAP, POP and SMTP, so if you need to use it on HTTP, you must create the subdomain first, and then reissue the SSL.

Regards.
Dear, I am managing multiple mail-only private servers via DA. Whenever I add a new domain whose email I will manage on that server, for example newdomain5.com, when I add that domain in the Users tab I always add the subdomain for each domain, like mail.newdomain5.com, and then I set the other DNS things from DA in Cloudflare DNS if the domain is coming from Cloudflare, and then start creating emails etc., and everything is great. My clients use mail.newdomain5.com in their mail clients like Outlook etc., and there are no problems or warnings for the SSL cert; everything works great because the subdomain catches the SSL, because I add the mail. subdomain pointing to that mail server in Cloudflare DNS...

Am I right, Mr @Richard G @factor? :D :)
 
I have them already. I created a real subdomain with the same name as the webmail mail.domain.com, and this time the SSL error is gone. But I cannot go to Roundcube this time.
For Roundcube use another link, like mail.domain.com/roundcube ... :)
 