Troubles with email offering server hostname SSL cert instead of user domain SSL cert

CanadaGuy

Verified User
Joined
Nov 14, 2019
Messages
158
I've seen a few posts, but none seem as "simple" as my issue. The mail server is offering the Let's Encrypt certificate for the DA server hostname (server.example.com) instead of the certificate for the mail domain (mail.example.com).

This seems like a pretty simple configuration error I've probably made. How do I get the mail server to offer the correct certificate?
 
And I think I found my issue... after first creating the Let's Encrypt certs, I didn't rebuild the conf files. Did I do things "correctly" by going to:
CustomBuild 2.0
Update Software Configuration
and clicking Submit for Exim and Dovecot?
 
Same issue here. When I check my domains on sslcheck.nl I get a notice that the given domain name (mediacs.nl) doesn't match the cert domain name (server.mediacs.nl).
 
Some background information: my VPS provider said I had to add this to my directadmin.conf to enable Let's Encrypt:

Code:
SSL=1
carootcert=/usr/local/directadmin/conf/carootcert.pem
force_hostname=server.jedomein.nl
ssl_redirect_host=server.jedomein.nl
enable_ssl_sni=1
mail_sni=1
letsencrypt=1

and use this command (so that the cert doesn't get assigned to 'localhost'):

Code:
cd /usr/local/directadmin/scripts
./letsencrypt.sh request_single server.jedomein.nl

OK, I get an SSL lock in the address bar when logged into DirectAdmin. But I really wanted the SSL for the domains on this server to work, and that doesn't.
 

Attachments

  • 2019-12-11 sslcheck.nl naam komt niet overeen.JPG
I have installed DA a few dozen times trying to understand the SSL situation. Most of what your provider told you isn't required since it is default now. Those instructions also mix the requirements for server hostname certificates and hosted domain certificates.

When I first install the server I use the following to set up a self-signed cert for the server so that credentials aren't sent in the clear (IMO it should be automatic for DA by default):

Code:
# 4096-bit RSA key plus a self-signed cert valid for 9000 days, no passphrase on the key
/usr/bin/openssl req -x509 -sha256 -newkey rsa:4096 -keyout /usr/local/directadmin/conf/cakey.pem -out /usr/local/directadmin/conf/cacert.pem -days 9000 -nodes
# only the DA user may read the private key
chown diradmin:diradmin /usr/local/directadmin/conf/cakey.pem
chmod 400 /usr/local/directadmin/conf/cakey.pem

# enable SSL for the DA control panel and restart it
cd /usr/local/directadmin
./directadmin set ssl 1 restart

After a restart, I can log in to the DA server by IP address, accept the self-signed cert, and continue to create another admin account or add the domain. After the domain is added, and DNS is resolving for the server hostname, I follow the steps here for a Let's Encrypt cert for my server:


After this, you can go to User mode, SSL Management, select the domain, then choose the Let's Encrypt cert type (wildcard or specific domains). NOTE: this is for hosted domains only, not the server hostname (that was accomplished earlier). After that completes, you can rebuild the conf files for Exim and Dovecot, which should then pick up the right certs.

It is important to note that various forms of DNS and test caching can mess with you, so check only when you think everything is right; otherwise cached results of an incomplete setup may be returned.
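A quick way to do the "check only when everything is right" step above: the following Python script (an added example, not from this thread or from DirectAdmin) connects to a mail service with SNI set to the mail domain and reports whether the presented certificate actually covers that name, which is exactly the mismatch this thread is about. The host names and ports in it are placeholders.

```python
"""Report which certificate a mail service presents for a given SNI name.
Added diagnostic for this thread's problem: the service answering for the mail
domain presents the DA server hostname's certificate. Host names are placeholders.
"""
import socket
import ssl

def cert_names(cert):
    """DNS names from the SAN of a getpeercert() dict; subject CN only as a fallback."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def name_matches(hostname, pattern):
    """Exact match, or a '*.' wildcard covering exactly one leading label."""
    host, pat = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if pat.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pat[2:]
    return host == pat

def cert_covers(cert, hostname):
    """True if the cert is valid for hostname (the check sslcheck.nl failed above)."""
    return any(name_matches(hostname, n) for n in cert_names(cert))

def fetch_mail_cert(hostname, port=993, starttls=None, timeout=10):
    """Connect with SNI=hostname and return the presented cert as a dict.
    starttls: None for implicit TLS (465/993), "smtp" for 587, "imap" for 143.
    Hostname checking is off so a mismatched cert is returned instead of raising;
    chain validation stays on, so a trusted cert for the wrong name is inspectable
    (a self-signed server cert will fail here with a verification error).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    raw = socket.create_connection((hostname, port), timeout=timeout)
    if starttls == "smtp":   # minimal SMTP STARTTLS handshake
        raw.recv(1024); raw.sendall(b"EHLO check\r\n"); raw.recv(4096)
        raw.sendall(b"STARTTLS\r\n"); raw.recv(1024)
    elif starttls == "imap":  # minimal IMAP STARTTLS handshake
        raw.recv(1024); raw.sendall(b"a1 STARTTLS\r\n"); raw.recv(1024)
    with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
        return tls.getpeercert()

if __name__ == "__main__":
    host = "mail.example.com"                       # placeholder mail domain
    for port, mode in ((993, None), (465, None), (587, "smtp")):
        cert = fetch_mail_cert(host, port, mode)
        print(port, "OK" if cert_covers(cert, host) else "MISMATCH", cert_names(cert))
```

If the output lists only the server hostname under MISMATCH, the Exim/Dovecot configs have not yet been rebuilt to pick up the domain's certificate.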
 
I'm sorry, I don't understand what you're trying to say.
And I can't understand what the Exim/Dovecot mail services have to do with this?
I'm primarily concerned with the certificates of the domains on my server, as shown in the attached image.
 
In order to stop confusing other users and to get help, please do not report your issue in threads where the same issues are discussed from another point of view. Here the subject is discussed in relation to mail services: Exim and Dovecot.
 
OK, I think I will have to start a new thread:
Troubles LE offering server hostname SSL cert instead of user domain SSL cert
 
I'm sorry, I don't understand what you're trying to say.
And I can't understand what the Exim/Dovecot mail services have to do with this?
I'm primarily concerned with the certificates of the domains on my server, as shown in the attached image.
Okay, so you're only concerned with WWW instead of mail. Maybe you should specify the service you're having trouble with instead of "domain" since one domain can handle many services.

In that case, maybe emphasis needs to be put on the fact that your server hostname has one certificate set up, while the hosted domains each have their own. After you configure the server hostname for SSL correctly (the first part of my response), then for each domain you need to activate Let's Encrypt or upload your own certificate from Account Manager - SSL Certificates, and select the appropriate setting.

In my case, for the original thread I started, my WWW was working fine after configuration, and my mail certificates were incorrect.
 
Thanks, I'm in the wrong forum section, sorry for that, I'll make a new thread.
 