mail.domain.com not using correct SSL (LetsEncrypt)

seb_dev

Hi all,

So I am able to create SSL with LetsEncrypt in DirectAdmin. However, all emails seem to be using the SSL from the main SSL instead of the domain that has been set as default. We see this when trying to add an email to Outlook, which gives an error that it is using an SSL certificate where the domain is not listed.

FYI, enable_ssl_sni and mail_sni are enabled in directadmin.conf.

Best regards,
Seb
 
Did you generate a certificate for mail.domain.com?
It's also handy to generate a certificate for smtp.domain.com and pop.domain.com to be safe.
 
> It's also handy to generate a certificate for smtp.domain.com and pop.domain.com to be safe.

In that case they have to exist in DA. But DA does not create them by default.

Maybe better is to create a wildcard cert, which would contain these too if created or brought over from cP conversion.

@seb_dev Here you can check if indeed a certificate is created and valid for your mail.domain.com or whatever you need for mail.
 
> Did you generate a certificate for mail.domain.com?
> It's also handy to generate a certificate for smtp.domain.com and pop.domain.com to be safe.

Hi thanks for your answer.

For every domain that is on my VPS I selected almost every option (domain.com, www.domain.com, mail.domain.com). The problem is, even after generating all these certificates, the mail still uses the main ssl for the hostname and not for the specific domains.
 
> The problem is, even after generating all these certificates, the mail still uses the main ssl for the hostname and not for the specific domains.

There is no virtual host for mail.domain.com by default. Hence all requests to it over HTTPS are processed by a default virtual host which uses a certificate for the hostname. There are several possible solutions:

1. add each mail.domain.com into the default certificate
2. redirect all requests to mail.domain.com to the hostname
3. customize templates or use hooks to get mail.domain.com auto-created

These forums and help pages already have instructions on how to complete all the mentioned options. You are welcome to find them by yourself. Or probably somebody has them in bookmarks and can share links.
 
@zEitEr Thanks for your input.

I got to a solution after finding out my cURL version was very outdated. I didn't know cURL was taken out of custombuild, so without knowing it reverted to version 7.29 or something like that. Now after updating to cURL 7.86 and creating ssl for hostname including all the mail.domain.com versions for different domains it works for me. Also needed to make sure none of my domains were in maintenance mode (else it could not reach the .well-known/acme-challenge folder).
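
A way to confirm which certificate the mail services actually present for mail.domain.com, added here as an example and not posted by anyone in this thread. It connects with SNI to the implicit-TLS mail ports and reports whether the presented SAN list covers the mail hostname, including the wildcard case mentioned above. The function names and the server.example.net sample value are assumptions made for illustration.

```python
import socket
import ssl

# Implicit-TLS mail ports; STARTTLS ports (25/587/143/110) need a protocol-aware client.
MAIL_TLS_PORTS = {"imaps": 993, "smtps": 465, "pop3s": 995}


def san_covers(hostname, dns_names):
    """True if hostname matches an exact SAN or a wildcard in the leftmost label."""
    host = hostname.lower().rstrip(".")
    for name in dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            # "*.domain.com" covers exactly one extra label: mail.domain.com yes,
            # domain.com and a.mail.domain.com no.
            head, _, rest = host.partition(".")
            if head and rest == name[2:]:
                return True
    return False


def presented_dns_names(cert):
    """DNS subjectAltName entries from an ssl.getpeercert() dictionary."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def fetch_cert(host, port, timeout=5.0):
    """Connect with SNI set to host; the chain is verified, the name check is ours."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # lets a mismatching certificate still be inspected
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def audit(mail_host, fetch=fetch_cert):
    """Return {service: (covered, dns_names)} for each implicit-TLS mail port."""
    report = {}
    for service, port in MAIL_TLS_PORTS.items():
        names = presented_dns_names(fetch(mail_host, port))
        report[service] = (san_covers(mail_host, names), names)
    return report


# Constructed sample: the getpeercert() result when the server falls back to the
# hostname certificate (server.example.net is a placeholder, not from the thread).
HOSTNAME_ONLY_CERT = {"subjectAltName": (("DNS", "server.example.net"),)}
```

Calling audit("mail.domain.com") against a live server returns, per service, whether the name is covered and which names were presented; a False entry listing only the server hostname is the condition Outlook complains about.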
 