Enable SSL on mail.domain.com

epsilon4

Verified User
Joined
Jul 6, 2019
Messages
18
Hello there,

Actually I am testing DA, in order to migrate my servers from another control panel.

I have followed all the tutorials, but I can't enable SSL on the mail subdomain.

I installed LetsEncrypt, and the hostname works well. Also www.domain.com and domain.com have SSL installed. And I created the wordpress.domain.com subdomain and reissued the SSL, and it works fine too!

But as soon as I check the mail, pop, smtp, imap and webmail options and reissue the SSL, when I try in Chrome the "https" appears in red.

It also says "the ssl for mail.domain.com is incorrect, and the issuer is hostname.domain.com".

The result of /usr/local/directadmin/directadmin c | grep sni is:

enable_ssl_sni=1
mail_sni=1

And /usr/local/directadmin/directadmin c | grep letsencrypt is:

letsencrypt=1
letsencrypt_renewal_days=60
letsencrypt_renewal_failure_notice_after_attempt=5
letsencrypt_disable_renew_after_renew_failure=0
letsencrypt_max_requests_per_week=100
letsencrypt_multidomain_cert=2
letsencrypt_renewal_success_notice=0
letsencrypt_renewal_notice_to_admins=1
letsencrypt_renewal_error_to_users=1
renew_letsencrypt_on_suspended_domain=0
letsencrypt_account_email=0
letsencrypt_list=www:mail:ftp:pop:smtp
letsencrypt_list_selected=www

Any idea about how to fix this?

Thanks! :)
 

bdacus01

Verified User
Joined
Jul 22, 2017
Messages
670
Location
Murfreesboro
Did your backup come from cPanel? Or are you testing on a blank or new account?

Does DNS resolve out to mail.domain.com?

Did you follow this first?
https://help.directadmin.com/item.php?id=648

Looks like you did.

Try only clicking mail, then do it.

If pop, smtp, imap and webmail aren't resolving, leave them off. Sometimes it just gives up if one errors.
 

Richard8

Verified User
Joined
Jul 4, 2019
Messages
67
I often find LetsEncrypt works best when you pick the least amount of names you need.

I only do 'mail' instead of imap/pop/smtp/etc, for example, and with fewer names it seems to have fewer issues and hits the limit less frequently.
 

epsilon4

Verified User
Joined
Jul 6, 2019
Messages
18
Did your backup come from cPanel? Or are you testing on a blank or new account?

Does DNS resolve out to mail.domain.com?

Did you follow this first?
https://help.directadmin.com/item.php?id=648

Looks like you did.

Try only clicking mail, then do it.

If pop, smtp, imap and webmail aren't resolving, leave them off. Sometimes it just gives up if one errors.
Hello,

First of all, it is a fresh install. I had migrated some cPanel backups, but just for testing and learning. Later I deleted the OS, and reinstalled CentOS 7 and DA. I created 2 nameservers, and pointed this domain (the one I have problems with on the mail subdomain) to them.

All subdomains resolve well, but with mail, pop, smtp and imap the SSL appears in red.

I followed the steps from that tutorial, and activated the options letsencrypt, enable_ssl_sni and mail_sni.

I often find LetsEncrypt works best when you pick the least amount of names you need.

I only do 'mail' instead of imap/pop/smtp/etc, for example, and with fewer names it seems to have fewer issues and hits the limit less frequently.
Yes, I will use only the 'mail' subdomain, because my current customers use it to configure Outlook. But I mentioned that all those subdomains do not have SSL just to give you more information about the problem.
 

epsilon4

Verified User
Joined
Jul 6, 2019
Messages
18
You also may need to set up your list in this feature.
https://www.directadmin.com/features.php?id=1851

Code:
letsencrypt_list=www:mail:ftp:pop:smtp:webmail
letsencrypt_list_selected=www:webmail:mail
Yes, I have added that option too. But the problem remains. What I don't understand is that when I add other subdomains, for example sub1.domain.com and sub2.domain.com, and issue the SSL, those subdomains work! But the mail one is still not working.
 

bdacus01

Verified User
Joined
Jul 22, 2017
Messages
670
Location
Murfreesboro
migrated some cPanel backups,
Inside public_html or any of the subdomains, do you see .well-known folders? Delete them. See here: https://forum.directadmin.com/showthread.php?t=58059&p=297126#post297126

When the cPanel to DA backup migrator creates Domain Pointers in DA, you have to go to the User side and delete them: Account Manager -> Domain Pointer, select them all and click delete.

We need to let smtalk know. I will cross-post.
 

epsilon4

Verified User
Joined
Jul 6, 2019
Messages
18
Inside public_html or any of the subdomains, do you see .well-known folders? Delete them. See here: https://forum.directadmin.com/showthread.php?t=58059&p=297126#post297126

When the cPanel to DA backup migrator creates Domain Pointers in DA, you have to go to the User side and delete them: Account Manager -> Domain Pointer, select them all and click delete.

We need to let smtalk know. I will cross-post.
Thanks again. I checked for the .well-known directory, and could not find it. But I followed the tutorial and created a test.txt, and when I go to http://domain.com/.well-known/acme-challenge/test.txt I see the file in Chrome.

Also, when I install the LetsEncrypt SSL the log shows this:

Code:
Requesting new certificate order...
Processing authorization for mail.domain.com...
Challenge is valid.
Processing authorization for domain.com...
Challenge is valid.
Processing authorization for www.domain.com...
Challenge is valid.
Generating 4096 bit RSA key for domain.com...
openssl genrsa 4096 > "/usr/local/directadmin/data/users/domain/domains/domain.com.key.new"
Generating RSA private key, 4096 bit long modulus
...............................++
..............................................................................++
e is 65537 (0x10001)
Checking Certificate Private key match... Match!
Certificate for domain.com has been created successfully!
Let's see what smtalk thinks about this; maybe he can help us.
 

epsilon4

Verified User
Joined
Jul 6, 2019
Messages
18
Make sure you have rewritten the dovecot/exim config files, as explained by directadmin: https://www.directadmin.com/features.php?id=2019

If you follow these steps correctly it should work correctly (we have it working on dozens of servers).
Thank you for the info. I have followed the steps of this tutorial, and the problem is still there.

My /etc/dovecot/conf/sni contains:

Code:
local_name mail.domain.com {
  ssl_cert = </usr/local/directadmin/data/users/domain/domains/domain.com.cert.combined
  ssl_key = </usr/local/directadmin/data/users/domain/domains/domain.com.key
}
local_name domain.com {
  ssl_cert = </usr/local/directadmin/data/users/domain/domains/domain.com.cert.combined
  ssl_key = </usr/local/directadmin/data/users/domain/domains/domain.com.key
}
local_name www.domain.com {
  ssl_cert = </usr/local/directadmin/data/users/domain/domains/domain.com.cert.combined
  ssl_key = </usr/local/directadmin/data/users/domain/domains/domain.com.key
}
And /etc/virtual/snidomains:

Code:
mail.domain.com:domain:domain.com
domain.com:domain:domain.com
www.domain.com:domain:domain.com
Thanks.
 

epsilon4

Verified User
Joined
Jul 6, 2019
Messages
18
Hello,

The support team sent me the solution. The SNI SSL is installed on IMAP, POP and SMTP, so if you need to use it on HTTP, you must create the subdomain first, and then reissue the SSL.

Regards.
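The symptom in this thread (the browser shows the server hostname's certificate for mail.domain.com, while the mail services already serve the right one) can be checked service by service rather than by eyeballing Chrome. The script below is an added example, not code from the thread or from DirectAdmin: it connects to HTTPS, IMAPS, POP3S and SMTPS with SNI set to the name under test and reports whether the certificate the server picked actually lists that name in its subjectAltName. The sample certificates at the top are constructed to mirror the thread (a per-domain certificate covering domain.com, www and mail, and a hostname certificate that does not); mail.domain.com and the "Example CA" issuer are placeholders.

```python
# Added example (not part of the thread or of DirectAdmin): for a name such as
# mail.domain.com, connect to each TLS service with SNI set to that name and
# report whether the certificate the server picks actually covers the name.
import socket
import ssl
import sys

# Implicit-TLS ports: HTTPS plus the services DirectAdmin's mail_sni covers.
# (STARTTLS ports 25/143/110 are not handled here.)
DEFAULT_PORTS = {"https": 443, "imaps": 993, "pop3s": 995, "smtps": 465}

# Constructed sample certificates in the dict layout returned by
# ssl.SSLSocket.getpeercert(), mirroring the thread: a per-domain certificate
# that lists mail.domain.com, and the server hostname's certificate that does not.
DOMAIN_CERT = {
    "subject": ((("commonName", "domain.com"),),),
    "issuer": ((("commonName", "Example CA"),),),  # constructed issuer name
    "subjectAltName": (
        ("DNS", "domain.com"),
        ("DNS", "mail.domain.com"),
        ("DNS", "www.domain.com"),
    ),
}
HOSTNAME_CERT = {
    "subject": ((("commonName", "hostname.domain.com"),),),
    "issuer": ((("commonName", "Example CA"),),),  # constructed issuer name
    "subjectAltName": (("DNS", "hostname.domain.com"),),
}


def _cn(name_field):
    """First commonName in a getpeercert() subject/issuer structure, or None."""
    for rdn in name_field:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def san_dns_names(cert):
    """DNS entries of the certificate's subjectAltName extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _label_match(pattern, hostname):
    """RFC 6125 style: exact match, or a '*' standing for exactly one leftmost label."""
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if p == h:
        return True
    if not p.startswith("*."):
        return False
    p_labels, h_labels = p.split("."), h.split(".")
    # *.domain.com covers mail.domain.com but neither domain.com nor a.mail.domain.com
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def check_cert(hostname, cert):
    """Does this certificate cover hostname? Browsers use the SAN list and only
    fall back to the subject CN when the certificate carries no SAN at all."""
    names = san_dns_names(cert)
    if not names:
        cn = _cn(cert.get("subject", ()))
        names = [cn] if cn else []
    return {
        "covers_name": any(_label_match(n, hostname) for n in names),
        "subject_cn": _cn(cert.get("subject", ())),
        "issuer_cn": _cn(cert.get("issuer", ())),
        "sans": names,
    }


def fetch_peer_cert(hostname, port, timeout=5.0):
    """TLS handshake with SNI=hostname; returns the presented leaf certificate as a dict.
    Chain verification against the system CA store stays on (getpeercert() returns an
    empty dict for unverified peers), but hostname checking is off so that a certificate
    issued for the wrong name is returned for inspection instead of raising."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


def diagnose(hostname, ports=DEFAULT_PORTS):
    """Per service: which certificate was served for hostname and whether it covers it."""
    report = {}
    for service, port in ports.items():
        try:
            report[service] = check_cert(hostname, fetch_peer_cert(hostname, port))
        except OSError as exc:  # refused, timeout, or untrusted chain (ssl.SSLError is an OSError)
            report[service] = {"error": str(exc)}
    return report


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.domain.com"  # placeholder name
    for service, result in diagnose(target).items():
        print(service, result)
```

Run it as `python3 check_sni.py mail.domain.com`: in the situation described above, imaps/pop3s/smtps would report `covers_name: True` with the domain's SANs, while https would report `covers_name: False` and a `subject_cn` of the server hostname, which is exactly the case the support team's answer resolves by creating the subdomain before reissuing.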
 