mail.domain.com not using user LE certificate

crenet

Verified User
Joined
Sep 23, 2019
Messages
92
Hi,

This is my first default/basic DA server setup, using the default setup and getting a lot of issues to make things working.

I am troubleshooting in the last 7 days, already post in other forum categories and I did not get any help.

Some time ago I use DA and DirectAdmin forum was very active and helpful.

I really hope that somebody could help me with this DA issue.

1 - Let's Encrypt wildcard issue

I tried to install Let's Encrypt wildcard but I get an error because DA script do not allow me to add the LE activation record m my external DNS.

This seem to be a DA limitation because PLESK allow users to set the LE activation record for wildcard on external DNS server.

Plesk guide
https://docs.plesk.com/en-US/obsidia...encrypt.79603/

"Whether the Let’s Encrypt extension adds the DNS record automatically or you do it manually, it can take some time before it propagates. We recommend that you check that the DNS record was added before going to the next step. Here is how you can do it:"

So how can DA users know which TXT record should we add for complete certificate validation ?

2 - mail.domain.com user LE certificate issue:

Email client says the mail server do not have a secure connection.

Any ideas why mail.domain.com in not using user LE certificate ?

Please help me to fix it.

Thanks

ls -la /etc/dovecot/conf/sni/
total 12
drwxr-xr-x 2 mail mail 4096 Nov 10 12:00 .
drwxr-xr-x 3 root root 4096 Nov 10 11:55 ..
-rw-r--r-- 1 root root 1056 Nov 10 18:03 domain.com.conf

cat /etc/dovecot/conf/sni/domain.com.conf
local_name domain.com {
ssl_cert = </usr/local/directadmin/data/users/user/domains/domain.com.cert.combined
ssl_key = </usr/local/directadmin/data/users/user/domains/domain.com.key
}
local_name ftp.domain.com {
ssl_cert = </usr/local/directadmin/data/users/user/domains/domain.com.cert.combined
ssl_key = </usr/local/directadmin/data/users/user/domains/domain.com.key
}
local_name mail.domain.com {
ssl_cert = </usr/local/directadmin/data/users/user/domains/domain.com.cert.combined
ssl_key = </usr/local/directadmin/data/users/user/domains/domain.com.key
}
local_name webmail.domain.com {
ssl_cert = </usr/local/directadmin/data/users/user/domains/domain.com.cert.combined
ssl_key = </usr/local/directadmin/data/users/user/domains/domain.com.key
}
local_name www.domain.com {
ssl_cert = </usr/local/directadmin/data/users/user/domains/domain.com.cert.combined
ssl_key = </usr/local/directadmin/data/users/user/domains/domain.com.key
}

cat /etc/virtual/snidomains
domain.com:user:domain.com
ftp.domain.com:user:domain.com
mail.domain.com:user:domain.com
webmail.domain.com:user:domain.com
www.domain.com:user:domain.com

>openssl s_client -showcerts -connect mail.domain.com:465

CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = host.domain.com
verify return:1

>openssl s_client -showcerts -servername domain.com -connect domain.com:465
CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = domain.com
verify return:1

Checking DA settings:

./build version
2.0.0 (rev: 2268)

./directadmin c | grep ^letsencrypt=
letsencrypt=1

./directadmin c | grep ^enable_ssl_sni=
enable_ssl_sni=1

./directadmin c | grep ^ssl=
ssl=1

./directadmin c | grep ^hsts=
hsts=0

./directadmin c | grep ^force_hostname=
force_hostname=my.hostname.com

./directadmin c | grep ^ssl_redirect_host=
ssl_redirect_host=my.hostname.com

./build options
Apache: 2.4.41
mod_ruid2: no
ModSecurity: no
htscanner: no
Dovecot: 2.3.8
Dovecot configuration: yes
AWstats: no
Exim: 4.92.3
exim.conf update: yes, release 4.5
BlockCracking: no
Easy Spam Fighter: no
SpamAssassin: no
ClamAV: no
MySQL: 5.7.27
MySQL backup: yes
MySQL backup directory: /usr/local/directadmin/custombuild/mysql_backups
MySQL compress backups: no
PHP (default): 7.3 as php-fpm
PHP (additional): 7.2 as php-fpm
phpMyAdmin: 4.9.1-all-languages
ProFTPD: no
Pure-FTPd: 1.0.49
RoundCube webmail: 1.4.0
Replace "php.ini" with './build all' and './build php_ini': no
Cron for notifications and (or) updates: yes
Cron frequency: daily
Auto notifications: yes
Auto notifications email address: admin@domain.com
Run "clean" every time: yes
Run "clean_old_webapps" every time: yes
Run "clean_old_tarballs" every time: yes
Show texts in bold: yes
SquirrelMail: no
Zend Guard Loader: no
ionCube loader: no
Suhosin: no
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,329
Location
LT, EU
"openssl s_client -showcerts -connect mail.domain.com:465" test is for hostname certificate, it doesn't use SNI, so, it's not a valid test to test it for the domain :) It's equivalent to "openssl s_client -showcerts -connect YOUR_IP:465". If you want to specify domain for the cert, you need to add servername to the command.
 

crenet

Verified User
Joined
Sep 23, 2019
Messages
92
Hi Martynas,

Many thanks for you tip.
I do not know what happen but without fixing anything now mail.domain.com gets the user LE certificate

Thanks a lot.
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,853
Location
GMT +7.00
Hello,

Yes, your issue has been resolved, and certificates are fine, just the same I wrote you in PM.
 

mkm8b

New member
Joined
Nov 29, 2019
Messages
2
Hello,

I have the same problem as crenet. How can I solve the problem that mail.domain.com uses the user's SSL certificate (Let's Encrypt)?

Thank you very much.
 
Top