With SNI on, I still get invalid certificate

webunity

Verified User
Joined
Sep 23, 2014
Messages
41
I have enabled Let's Encrypt SSL for my mail server; this all works flawlessly. The output of https://ssl-tools.net/mailservers/webunity.nl is this:

Common Name (CN)
pyrus.webunity.nl

Alternative Names
mail.webunity.nl
pyrus.webunity.nl
webunity.nl
www.webunity.nl

My mail server runs on my main IP (141.138.194.220), which is also the shared IP of the sites for which I want to enable SNI.
So, following the remarks in this thread, I've run: /usr/local/directadmin/directadmin c | grep sni

which shows this:
enable_ssl_sni=1
mail_sni=0

If I now enable Let's Encrypt via the DA control panel, e.g. for https://assistant.vdhoven.info/, and I browse to it, I get the certificate invalid error, where the certificate is pointing to pyrus.webunity.nl. So my assumption is that somehow the current SSL certificate from DA is being served by Apache by default.

Now my question is: if I follow the mail_sni setup in the thread mentioned above, will it 'automagically' start working? Or will my mail server be screwed (and customers start complaining)?

By the way, I've set up my mail server with Let's Encrypt using this setup: https://help.directadmin.com/item.php?id=645
which basically created /usr/local/directadmin/conf/ca.san_config

The contents are:
[ req_distinguished_name ]
CN = pyrus.webunity.nl
[ req ]
distinguished_name = req_distinguished_name
[SAN]
subjectAltName=DNS:pyrus.webunity.nl, DNS:webunity.nl, DNS:www.webunity.nl, DNS:mail.webunity.nl


But I am guessing I don't need that anymore and that it can be 'deleted' somehow?
 
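The "certificate invalid" symptom above comes down to one check a browser makes: does any name in the presented certificate match the hostname typed in the address bar? The following is an added example (not code from the thread or from DirectAdmin) that parses a ca.san_config of the kind shown in the post, applies the usual hostname-matching rule, and shows that the pyrus.webunity.nl certificate does not cover assistant.vdhoven.info. The SAN_CONFIG text is a constructed copy of the post's file, the function names are the example's own, and the openssl command it prints assumes the standard s_client -servername option, which is how you confirm which certificate a shared IP actually serves for a given SNI name.

```python
"""Added example: offline check of which hostnames a certificate's names cover.
Not part of the original thread or of DirectAdmin; names below are assumptions."""

# Constructed sample, modelled on the ca.san_config shown in the post.
SAN_CONFIG = """[ req_distinguished_name ]
CN = pyrus.webunity.nl
[ req ]
distinguished_name = req_distinguished_name
[SAN]
subjectAltName=DNS:pyrus.webunity.nl, DNS:webunity.nl, DNS:www.webunity.nl, DNS:mail.webunity.nl
"""


def parse_san_config(text):
    """Return (common_name, [dns names]) from an OpenSSL-style SAN config."""
    common_name = None
    dns_names = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("CN") and "=" in line:
            common_name = line.split("=", 1)[1].strip()
        elif line.lower().startswith("subjectaltname"):
            for entry in line.split("=", 1)[1].split(","):
                entry = entry.strip()
                if entry.upper().startswith("DNS:"):
                    dns_names.append(entry[4:].strip().lower())
    return common_name, dns_names


def name_matches(pattern, hostname):
    """RFC 6125 style match: exact name, or a single leading '*' label
    that covers exactly one hostname label (no '*.a.b' matching 'x.y.a.b')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) >= 2 and ".".join(labels[1:]) == pattern[2:]
    return False


def cert_covers_host(common_name, dns_names, hostname):
    """Browsers validate against the SAN list; the CN is only consulted
    when the certificate carries no SAN extension at all."""
    candidates = dns_names if dns_names else ([common_name] if common_name else [])
    return any(name_matches(p, hostname) for p in candidates)


def sni_probe_command(ip, hostname, port=443):
    """Command (as argv) to see which certificate the shared IP serves when the
    client sends this SNI name; the certificate is printed by -showcerts."""
    return ["openssl", "s_client", "-connect", f"{ip}:{port}",
            "-servername", hostname, "-showcerts"]


if __name__ == "__main__":
    cn, sans = parse_san_config(SAN_CONFIG)
    for host in ("mail.webunity.nl", "assistant.vdhoven.info"):
        status = "covered" if cert_covers_host(cn, sans, host) else "NOT covered"
        print(f"{host}: {status} by certificate for CN={cn}")
    # Prints the probe command; run it against the server to confirm which
    # certificate Apache actually selects for that SNI name.
    print(" ".join(sni_probe_command("141.138.194.220", "assistant.vdhoven.info")))
```

If the probe with -servername assistant.vdhoven.info returns the pyrus.webunity.nl certificate, the web server is falling back to its default virtual host's certificate rather than picking the per-domain one, which is exactly what a browser then reports as invalid.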

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,255
Location
GMT +7.00
Hello,

There is always a chance things will go wrong. And even though the feature works for many of us, nobody will guarantee that you won't run into an issue. Even I personally can guarantee only what I do myself.

Anyway, please feel free to try and follow the steps, and let us know your results. You can always roll back changes.
 

dagservice

Verified User
Joined
Aug 27, 2015
Messages
9
Did you follow the section "TASK QUEUE" too? Something like
echo "action=rewrite&value=mail_sni&domain=vdhoven.info" >> /usr/local/directadmin/data/task.queue
 