Letsencrypt Exim issues

e0f (New member, joined Jul 21, 2022, 4 messages)
Hi There,

Firstly I just have to say DA is a fantastic program and I am a long time user, first time poster.

I was hoping for some help if possible as I am experiencing difficulties with my letsencrypt certificates for the domains hosted on the server. From my tests using openssl it looks like the certificate has applied to dovecot and exim, and the ssl letsencrypt certificates for apache have applied successfully, but for the life of me I cannot get the gmail app using SSL/TLS to use the letsencrypt certificates. The error I get in the gmail app is "certificate not valid - the gmail app can't guarantee the security of this email address. Your messages would be at risk"

I have read some of the DA threads about letsencrypt and from what I understand when you generate a domain certificate (/usr/local/directadmin/scripts/letsencrypt.sh request example.com 4096) DA should generate the associated certificates based on the A records in the DNS zone for each domain, so it should have www (which it does), mail, smtp, ftp etc.

I have rebuilt exim and letsencrypt by

./build update

./build exim

./build letsencrypt

./build rewrite_confs (this seems related to apache)

I can see the key, cert and combined cert in the DA user's domain directory

ls -al /usr/local/directadmin/data/users/xxxx/domains/*.cert*

-rw-r----- 1 diradmin access 2220 Jul 22 09:24 /usr/local/directadmin/data/users/xxxx/domains/xxxx.com.cert
-rw-r----- 1 diradmin access 4047 Jul 22 09:24 /usr/local/directadmin/data/users/xxxx/domains/xxxx.com.cert.combined
-rw-r----- 1 diradmin access 11 Jul 22 09:24 /usr/local/directadmin/data/users/xxxx/domains/xxxx.com.cert.creation_time

ls -al /usr/local/directadmin/data/users/xxxx/domains/*.key
-rw-r----- 1 diradmin access 3247 Jul 22 09:24 /usr/local/directadmin/data/users/xxxx/domains/xxxx.com.key

I have looked at the exim.conf.variables and can see the lines

tls_on_connect_ports=465

tls_certificate=${if exists{/etc/virtual/snidomains}{${lookup{$tls_in_sni}nwildlsearch{/etc/virtual/snidomains}{${if exists{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.cert.combined}{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.cert.combined}{/etc/exim.cert}}}{/etc/exim.cert}}}{/etc/exim.cert}}
tls_privatekey=${if exists{/etc/virtual/snidomains}{${lookup{$tls_in_sni}nwildlsearch{/etc/virtual/snidomains}{${if exists{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.key}{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.key}{/etc/exim.key}}}{/etc/exim.key}}}{/etc/exim.key}}
openssl_options=+no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1 +cipher_server_preference
tls_require_ciphers=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
tls_dhparam = /etc/exim_dh.pem
tls_dh_max_bits = 4096

In some of the posts on letsencrypt in the DA forum some of the posters made mention of a san_config file, but as some of these posts were fairly old I was unsure if this was still required. If it is, I presume I add this config to /usr/local/directadmin/

https://forum.directadmin.com/threa...crypt-certificate-for-exim-and-dovecot.52802/ and associated posts linked on this thread.

My DA conf file has the following settings.

enable_ssl_sni=1
ssl=1
mail_sni=1
letsencrypt=1

When I try openssl

openssl s_client -connect xxxx.xxxx.com.au:993

CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = xxxx.xxxx.com
verify return:1
---
Certificate chain
0 s:CN = xxxx.xxxx.com
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=CN = xxxx.xxxx.com

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3834 bytes and written 388 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 62971EFAF293D303590BD569203D9924F765A1101EF99053A05F6FE8EDEF1B84
Session-ID-ctx:
Resumption PSK: AF1C8A8F8C8C26645A213B8AEBF56B2022256BDA19DBA6DA8EA88244C4A418088643863CD4D79829AF54F5F8EE770BAA
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - d0 e2 8c 86 fc b0 2e 58-d7 a1 a0 b8 4a 1f 83 de .......X....J...
0010 - 7f 2b f6 fe 29 e5 9b 5e-3f f9 0d 78 ac cb 29 da .+..)..^?..x..).
0020 - a6 88 6e 26 56 dd c3 92-9c 75 3d 3f 95 5e fc 2b ..n&V....u=?.^.+
0030 - 4d 91 69 01 7f d8 2e f9-b8 5e 18 f7 50 0d c3 27 M.i......^..P..'
0040 - 89 46 45 97 e0 6c 1d 7d-ad 1a 73 8c 35 e2 d6 19 .FE..l.}..s.5...
0050 - 96 8a 0b 52 60 3a ce 8e-c1 a2 ea 45 39 2d 08 81 ...R`:.....E9-..
0060 - ea 09 1b 90 7a 45 68 06-d2 7c 97 f0 0e 68 a4 ef ....zEh..|...h..
0070 - 2f c9 53 61 7c 8f a0 3e-e5 08 1c ea a6 78 d4 ed /.Sa|..>.....x..
0080 - c4 d9 44 63 2e 74 2e 1b-34 e5 10 44 7b a7 4b 3d ..Dc.t..4..D{.K=
0090 - a9 0f 3b eb 5e a3 84 aa-75 c3 98 3a 08 e7 e2 b3 ..;.^...u..:....
00a0 - 95 42 22 48 22 67 cf 7f-a2 cf bf 9a 6e 44 67 ba .B"H"g......nDg.
00b0 - 28 51 8f 53 8d f0 a8 76-a4 3f 1f e8 37 ca 3d 38 (Q.S...v.?..7.=8
00c0 - 75 33 bc ee e8 47 1e d8-aa 5f 67 cf 0f 9a 3d be u3...G..._g...=.
00d0 - ce 07 ce 5d 0a a2 53 2a-55 d4 e4 48 7f 63 40 bd ...]..S*U..H.c@.

Start Time: 1658450751
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 339BEE4E7C8273768CFA5A2AD5925B19E1A8F11487B2E21F85B264B541A5557C
Session-ID-ctx:
Resumption PSK: 0ACFDF69CCD038D11604D0DCD1DE55C662DD836836C0E6B20F81A7F5A15665B29B80D2D77934557C66EE2436FFBD37E0
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - d0 e2 8c 86 fc b0 2e 58-d7 a1 a0 b8 4a 1f 83 de .......X....J...
0010 - ae fd cb ea 25 2b a6 5f-c8 bb 1a b7 53 c7 0b f1 ....%+._....S...
0020 - f4 f8 c9 19 9c f4 fa 25-ee 6d e5 c7 13 5a 2f c7 .......%.m...Z/.
0030 - cf 16 6d d2 e0 3f 72 8c-de c5 29 2a 29 2f 8f 76 ..m..?r...)*)/.v
0040 - 90 ea 79 e0 02 03 bb 78-cb ec 7b dc 8c 5c 1a b6 ..y....x..{..\..
0050 - aa 5d a0 21 94 a4 fd 6d-65 9e a5 ca fd 59 c9 02 .].!...me....Y..
0060 - 91 d5 ac a2 c9 67 d9 bd-9c 44 2e 94 ee 06 5d 4f .....g...D....]O
0070 - 8b 1c 94 af 6e a1 71 29-1e 5c d8 9a 35 2d 26 81 ....n.q).\..5-&.
0080 - 7a 56 6e e7 76 a5 af 59-e7 66 b0 a0 bd cc 27 d5 zVn.v..Y.f....'.
0090 - 83 16 67 46 2e d8 23 2d-61 c2 e6 e5 5f af 37 b7 ..gF..#-a..._.7.
00a0 - bf 99 a0 9d 47 7b 93 e4-43 fc 22 68 96 aa 29 12 ....G{..C."h..).
00b0 - c6 a6 b5 cf 83 e4 09 12-12 9d fe 49 5b 8b dc 01 ...........I[...
00c0 - 7b 64 51 64 0a 6c a0 41-30 63 59 fc 85 3c 0d 53 {dQd.l.A0cY..<.S
00d0 - 1d 9e 0c 3b 84 d5 c2 a7-ca 07 cf 0e 03 c6 54 32 ...;..........T2

Start Time: 1658450751
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] Dovecot DA ready.
quit

openssl s_client -connect xxxx.xxxx.com:465

CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = xxxx.xxxx.com
verify return:1
---
Certificate chain
0 s:CN = xxxx.xxxx.com
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=CN = xxxx.xxxx.com

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3834 bytes and written 388 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
220 xxxx.xxxx.com ESMTP Exim 4.96 Fri, 22 Jul 2022 10:46:12 +1000
quit

My server setup is

Debian 10.12 kernel 4.19.0-20

Exim 4.96

DA 1.641

Letsencrypt 2.0.30


Thanks for your time.
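To make the tls_certificate/tls_privatekey expansions in the post easier to reason about, here is a Python model of their lookup logic. It is an added example, not DirectAdmin's or Exim's own code. It assumes /etc/virtual/snidomains has the form `hostname:user:domain` (an assumption; compare with the real file) and simplifies nwildlsearch's matching rules. The constructed sample data shows the case that matters for a mail client: an SNI name that is not listed in snidomains (here mail.example.com, when only example.com and www.example.com are present) resolves to /etc/exim.cert, the server's default certificate, rather than the Let's Encrypt one.

```python
"""
Model of the SNI -> certificate selection performed by the Exim
tls_certificate/tls_privatekey expansions shown in the thread.
Added example; not DirectAdmin's or Exim's code.

Assumed /etc/virtual/snidomains line format (assumption, not from the post):
    <sni hostname>:<directadmin user>:<domain>
Exim's lookup returns everything after the first ':' as $value, and
${extract{1}{:}{$value}} / ${extract{2}{:}{$value}} yield user and domain.
"""
import os
from fnmatch import fnmatchcase

DA_USERS = "/usr/local/directadmin/data/users"
DEFAULT_CERT = "/etc/exim.cert"
DEFAULT_KEY = "/etc/exim.key"


def nwildlsearch(lines, key):
    """Linear search over 'pattern:value' lines, like Exim's nwildlsearch.

    Keys beginning with '*' are treated as wildcard patterns
    (e.g. '*.example.com'); other keys match literally. Matching is
    case-insensitive here, a simplification of Exim's rules.
    Returns the value part, or None when no key matches.
    """
    key = key.lower()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pattern, sep, value = line.partition(":")
        if not sep:
            continue
        pattern = pattern.strip().lower()
        matched = fnmatchcase(key, pattern) if pattern.startswith("*") else key == pattern
        if matched:
            return value.strip()
    return None


def select_cert_and_key(sni, snidomains_lines, file_exists):
    """Return (cert_path, key_path) the way the Exim expansion resolves them.

    snidomains_lines is None when /etc/virtual/snidomains does not exist.
    file_exists is a callable path -> bool, so the logic runs offline against
    constructed data or against the live disk with os.path.exists.
    """
    if snidomains_lines is None:
        return DEFAULT_CERT, DEFAULT_KEY          # outer ${if exists{...}} fails
    value = nwildlsearch(snidomains_lines, sni) if sni else None
    if value is None:
        # Unknown SNI, or the client sent no SNI at all: lookup fails -> defaults.
        return DEFAULT_CERT, DEFAULT_KEY
    fields = value.split(":")
    user = fields[0] if len(fields) > 0 else ""
    domain = fields[1] if len(fields) > 1 else ""
    cert = f"{DA_USERS}/{user}/domains/{domain}.cert.combined"
    key = f"{DA_USERS}/{user}/domains/{domain}.key"
    # Each ${if exists{...}} is evaluated independently in the Exim config.
    return (cert if file_exists(cert) else DEFAULT_CERT,
            key if file_exists(key) else DEFAULT_KEY)


def select_from_disk(sni, snidomains_path="/etc/virtual/snidomains"):
    """Run the same resolution against the real files on a DirectAdmin server."""
    try:
        with open(snidomains_path) as fh:
            lines = fh.readlines()
    except FileNotFoundError:
        lines = None
    return select_cert_and_key(sni, lines, os.path.exists)


# Constructed sample data for the demonstration (not taken from the thread).
SAMPLE_SNIDOMAINS = [
    "example.com:alice:example.com",
    "www.example.com:alice:example.com",
    "*.alice-shop.com:alice:alice-shop.com",
]
SAMPLE_FILES = {
    f"{DA_USERS}/alice/domains/example.com.cert.combined",
    f"{DA_USERS}/alice/domains/example.com.key",
}


def demo():
    """Resolve a few SNI names against the constructed data; returns a dict."""
    exists = SAMPLE_FILES.__contains__
    return {sni: select_cert_and_key(sni, SAMPLE_SNIDOMAINS, exists)
            for sni in ("example.com", "mail.example.com", "", "shop.alice-shop.com")}


if __name__ == "__main__":
    for sni, (cert, key) in demo().items():
        print(f"SNI {sni or '<none>'!r:>24}: cert={cert}  key={key}")
```

On the server itself, `select_from_disk("mail.yourdomain.tld")` answers the same question for a real hostname; if it returns /etc/exim.cert while `select_from_disk("yourdomain.tld")` returns the user's .cert.combined, the mail hostname is simply not present in /etc/virtual/snidomains and the mail client is being handed the default certificate.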
 
Thanks Erulezz for the tip, and my apologies, I should have added this to my original post. I couldn't edit my original post for some reason (no edit button) so have updated it below.

Hi There,

I was hoping for some help if possible as I am experiencing difficulties with my letsencrypt certificates for the domains hosted on the server. From my tests using openssl it looks like the certificate has applied to dovecot and exim, and the ssl letsencrypt certificates for apache have applied successfully, but for the life of me I cannot get the gmail app using SSL/TLS to use the letsencrypt certificates. The error I get in the gmail app is "certificate not valid - the gmail app can't guarantee the security of this email address. Your messages would be at risk"

I have read some of the DA threads about letsencrypt and from what I understand when you generate a domain certificate (/usr/local/directadmin/scripts/letsencrypt.sh request example.com 4096) DA should generate the associated certificates based on the A records in the DNS zone for each domain, so it should have www (which it does), mail, smtp, ftp etc. When this had completed I also restarted exim (service exim restart) just in case exim needed to reread the config files.

I have rebuilt exim and letsencrypt by

./build update
./build exim
./build letsencrypt
./build rewrite_confs (this seems related to apache)


I can see the key, cert and combined cert in the DA user's domain directory

ls -al /usr/local/directadmin/data/users/xxxx/domains/*.cert*

-rw-r----- 1 diradmin access 2220 Jul 22 09:24 /usr/local/directadmin/data/users/xxxx/domains/xxxx.com.cert
-rw-r----- 1 diradmin access 4047 Jul 22 09:24 /usr/local/directadmin/data/users/xxxx/domains/xxxx.com.cert.combined
-rw-r----- 1 diradmin access 11 Jul 22 09:24 /usr/local/directadmin/data/users/xxxx/domains/xxxx.com.cert.creation_time

ls -al /usr/local/directadmin/data/users/xxxx/domains/*.key
-rw-r----- 1 diradmin access 3247 Jul 22 09:24 /usr/local/directadmin/data/users/xxxx/domains/xxxx.com.key

I have looked at the exim.conf.variables and can see the lines

tls_on_connect_ports=465

tls_certificate=${if exists{/etc/virtual/snidomains}{${lookup{$tls_in_sni}nwildlsearch{/etc/virtual/snidomains}{${if exists{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.cert.combined}{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.cert.combined}{/etc/exim.cert}}}{/etc/exim.cert}}}{/etc/exim.cert}}
tls_privatekey=${if exists{/etc/virtual/snidomains}{${lookup{$tls_in_sni}nwildlsearch{/etc/virtual/snidomains}{${if exists{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.key}{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.key}{/etc/exim.key}}}{/etc/exim.key}}}{/etc/exim.key}}
openssl_options=+no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1 +cipher_server_preference
tls_require_ciphers=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
tls_dhparam = /etc/exim_dh.pem
tls_dh_max_bits = 4096

In some of the posts on letsencrypt in the DA forum some of the posters made mention of a san_config file, but as some of these posts were fairly old I was unsure if this was still required. If it is, I presume I add this config to /usr/local/directadmin/conf/

Some of the threads I have read include

https://forum.directadmin.com/threa...crypt-certificate-for-exim-and-dovecot.52802/


My DA conf file has the following settings.

enable_ssl_sni=1
ssl=1
mail_sni=1
letsencrypt=1

When I try openssl

openssl s_client -connect xxxx.xxxx.com.au:993

CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = xxxx.xxxx.com
verify return:1
---
Certificate chain
0 s:CN = xxxx.xxxx.com
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=CN = xxxx.xxxx.com

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3834 bytes and written 388 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 62971EFAF293D303590BD569203D9924F765A1101EF99053A05F6FE8EDEF1B84
Session-ID-ctx:
Resumption PSK: AF1C8A8F8C8C26645A213B8AEBF56B2022256BDA19DBA6DA8EA88244C4A418088643863CD4D79829AF54F5F8EE770BAA
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - d0 e2 8c 86 fc b0 2e 58-d7 a1 a0 b8 4a 1f 83 de .......X....J...
0010 - 7f 2b f6 fe 29 e5 9b 5e-3f f9 0d 78 ac cb 29 da .+..)..^?..x..).
0020 - a6 88 6e 26 56 dd c3 92-9c 75 3d 3f 95 5e fc 2b ..n&V....u=?.^.+
0030 - 4d 91 69 01 7f d8 2e f9-b8 5e 18 f7 50 0d c3 27 M.i......^..P..'
0040 - 89 46 45 97 e0 6c 1d 7d-ad 1a 73 8c 35 e2 d6 19 .FE..l.}..s.5...
0050 - 96 8a 0b 52 60 3a ce 8e-c1 a2 ea 45 39 2d 08 81 ...R`:.....E9-..
0060 - ea 09 1b 90 7a 45 68 06-d2 7c 97 f0 0e 68 a4 ef ....zEh..|...h..
0070 - 2f c9 53 61 7c 8f a0 3e-e5 08 1c ea a6 78 d4 ed /.Sa|..>.....x..
0080 - c4 d9 44 63 2e 74 2e 1b-34 e5 10 44 7b a7 4b 3d ..Dc.t..4..D{.K=
0090 - a9 0f 3b eb 5e a3 84 aa-75 c3 98 3a 08 e7 e2 b3 ..;.^...u..:....
00a0 - 95 42 22 48 22 67 cf 7f-a2 cf bf 9a 6e 44 67 ba .B"H"g......nDg.
00b0 - 28 51 8f 53 8d f0 a8 76-a4 3f 1f e8 37 ca 3d 38 (Q.S...v.?..7.=8
00c0 - 75 33 bc ee e8 47 1e d8-aa 5f 67 cf 0f 9a 3d be u3...G..._g...=.
00d0 - ce 07 ce 5d 0a a2 53 2a-55 d4 e4 48 7f 63 40 bd ...]..S*U..H.c@.

Start Time: 1658450751
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 339BEE4E7C8273768CFA5A2AD5925B19E1A8F11487B2E21F85B264B541A5557C
Session-ID-ctx:
Resumption PSK: 0ACFDF69CCD038D11604D0DCD1DE55C662DD836836C0E6B20F81A7F5A15665B29B80D2D77934557C66EE2436FFBD37E0
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - d0 e2 8c 86 fc b0 2e 58-d7 a1 a0 b8 4a 1f 83 de .......X....J...
0010 - ae fd cb ea 25 2b a6 5f-c8 bb 1a b7 53 c7 0b f1 ....%+._....S...
0020 - f4 f8 c9 19 9c f4 fa 25-ee 6d e5 c7 13 5a 2f c7 .......%.m...Z/.
0030 - cf 16 6d d2 e0 3f 72 8c-de c5 29 2a 29 2f 8f 76 ..m..?r...)*)/.v
0040 - 90 ea 79 e0 02 03 bb 78-cb ec 7b dc 8c 5c 1a b6 ..y....x..{..\..
0050 - aa 5d a0 21 94 a4 fd 6d-65 9e a5 ca fd 59 c9 02 .].!...me....Y..
0060 - 91 d5 ac a2 c9 67 d9 bd-9c 44 2e 94 ee 06 5d 4f .....g...D....]O
0070 - 8b 1c 94 af 6e a1 71 29-1e 5c d8 9a 35 2d 26 81 ....n.q).\..5-&.
0080 - 7a 56 6e e7 76 a5 af 59-e7 66 b0 a0 bd cc 27 d5 zVn.v..Y.f....'.
0090 - 83 16 67 46 2e d8 23 2d-61 c2 e6 e5 5f af 37 b7 ..gF..#-a..._.7.
00a0 - bf 99 a0 9d 47 7b 93 e4-43 fc 22 68 96 aa 29 12 ....G{..C."h..).
00b0 - c6 a6 b5 cf 83 e4 09 12-12 9d fe 49 5b 8b dc 01 ...........I[...
00c0 - 7b 64 51 64 0a 6c a0 41-30 63 59 fc 85 3c 0d 53 {dQd.l.A0cY..<.S
00d0 - 1d 9e 0c 3b 84 d5 c2 a7-ca 07 cf 0e 03 c6 54 32 ...;..........T2

Start Time: 1658450751
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] Dovecot DA ready.
quit

openssl s_client -connect xxxx.xxxx.com:465

CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = xxxx.xxxx.com
verify return:1
---
Certificate chain
0 s:CN = xxxx.xxxx.com
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=CN = xxxx.xxxx.com

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3834 bytes and written 388 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
220 xxxx.xxxx.com ESMTP Exim 4.96 Fri, 22 Jul 2022 10:46:12 +1000
quit

My server setup is

Debian 10.12 kernel 4.19.0-20
Exim 4.96
DA 1.641
Letsencrypt 2.0.30


Thanks for your time.
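The openssl s_client runs in the post end with "Verify return code: 0 (ok)", but without `-verify_hostname` that only proves the chain validates; it says nothing about whether the certificate's names cover the hostname the mail client was told to connect to, which is the check a mail client such as Gmail performs before trusting the connection. The following script, an added example that is not code from the thread and uses only the Python standard library, connects to an implicit-TLS port (465 or 993) with a chosen SNI, lists the certificate's DNS names, and applies hostname matching; the hostnames in its `__main__` block are placeholders to replace with your own.

```python
"""
Report which certificate a mail host presents for a given SNI and whether
its DNS names cover the hostname a mail client will verify.
Added example; not code from the thread. Standard library only.
Works for implicit-TLS ports (465, 993, 995); STARTTLS ports are not handled.
"""
import socket
import ssl


def san_covers(hostname, names):
    """RFC 6125-style DNS-ID matching: case-insensitive, and a '*' is honoured
    only as the whole leftmost label, where it matches exactly one label."""
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                 # ".example.com"
            if host.endswith(suffix):
                left = host[: -len(suffix)]
                if left and "." not in left:  # exactly one label replaced
                    return True
    return False


def dns_names(cert):
    """DNS SANs from an ssl.getpeercert() dict; falls back to the CN only when
    there are no SANs at all (modern clients ignore the CN otherwise)."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for k, v in rdn:
                if k == "commonName":
                    names.append(v)
    return names


def probe(host, port, sni=None, timeout=10):
    """Connect with the given SNI (default: host), validate the chain against
    the system trust store, then report whether the names cover `host`.
    Returns a dict with chain_ok, and on success names and name_ok."""
    sni = sni or host
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # chain is still verified; name check is ours
    result = {"host": host, "port": port, "sni": sni}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        result["chain_ok"] = False
        result["error"] = str(exc)
        return result
    result["chain_ok"] = True
    result["names"] = dns_names(cert)
    result["name_ok"] = san_covers(host, result["names"])
    return result


if __name__ == "__main__":
    # Placeholder hostname; replace with the name configured in the mail client.
    for port in (465, 993):
        r = probe("mail.example.com", port)
        if not r["chain_ok"]:
            print(f"{r['host']}:{port}: chain not trusted: {r['error']}")
        else:
            verdict = "covers" if r["name_ok"] else "DOES NOT cover"
            print(f"{r['host']}:{port}: SNI {r['sni']}; cert {verdict} "
                  f"{r['host']}; names={r['names']}")
```

Running it once with the bare domain and once with the mail hostname the client uses (the `sni` argument lets you also test what a client that sends a different SNI would receive) separates the two failure modes: a chain that does not validate (self-signed default certificate served because the SNI missed) versus a valid Let's Encrypt certificate whose SAN list simply lacks the mail hostname.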
 
Thanks for the reply. I have had no luck in sorting this out. The workaround I have used for my other personal domains is to add my domains to the SAN for the primary domain on the server, but this is not suitable for the other clients' domains hosted on this server. It sounds like you have done a similar thing for your domains.
 
Hello.
I also had the same issue as SupermanInNY, so I contacted support for my server.
They suggested:

cd /usr/local/directadmin/custombuild
./build update
./build exim_conf

Now it works ok.
 
Thanks for the advice DBD2. I am pretty sure I tried that before also and retried again last night but still have the same issue.
 