certificate delivered for another domain

Discussion in 'Installation/Configuration' started by kmchen, Apr 10, 2019.

Tags:
  1. kmchen

    kmchen Member

    Hi,

    On a debian9/ispconfig3 server I got all letsencrypt domains correctly generated for https domains

    But for mail I followed instructions https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/ and verified symbolic links for both dovecot and postfix indicated :
    Code:
    root@ks307144:/etc/postfix# ll smtpd.*
    lrwxrwxrwx 1 root root   48 janv. 21 15:55 smtpd.cert -> /usr/local/ispconfig/interface/ssl/ispserver.crt
    -rw-r--r-- 1 root root 1736 janv. 19 10:20 smtpd.cert-190121155541.bak
    lrwxrwxrwx 1 root root   48 janv. 21 15:55 smtpd.key -> /usr/local/ispconfig/interface/ssl/ispserver.key
    -rw------- 1 root root 3272 janv. 19 10:20 smtpd.key-190121155541.bak
    
    but when I test on https://ssl4less.fr/ssl-tools/check-ssl-certificate.html any domain like mail.example.com, all domains are in error and I see certificates generated for example.com and www.example.com but nothing for mail.example.com

    Thanks for help
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Is mail.example.com included in the certificate you generated? What shows
    Code:
    hostname
    hostname -f 
    on that host? Is this a multiserver setup?
     
  3. kmchen

    kmchen Member

    Hi,

    Thanks for replying.

    No mail.example.com does not seem to be included in the certicate. I did not generate it myself but via ispconfig, in each websites/domains configurations. How should I verify this ?

    hostname is the server's name: ks307144.kimsufi.com

    No this is a single server setup
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    My guess is the website you created for this is not mail.example.com? If you need mail.... certificate, the website needs to be that FQDN. But @ahrasis is best authority on this.
    But that howto you followed does work, I have created certificates for my servers using that. But I used mail.mydomain.tld as the website, because that FQDN is the one I needed certificate for. Then I just use the same FQDN for logging in to ISPConfig.
     
  5. kmchen

    kmchen Member

    But I need mail certificate on every domains. I can't create mail certificates on only one domain, is it ?
    I remember I succeded, on anterior installation of that server, to make a global certificate including all domains with Letsencrypt but I don't know how to manage that with ISPCONFIG.
     
    Last edited: Apr 11, 2019
  6. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I needed the ceritificate for mail.mydomain.tld to use with Postfix. The websites I have on my server get ceritificates with the usual ISPConfig method of turning it on in the website settings.
    All the domains I host have MX record mail.mydomain.tld, so getting certificate for that is enough for e-mail use.
    You can create certificate for mail host for every domain you have, but then there is problem with current version of Postfix, it then needs an IP-addresss for each of those domains.
     
  7. kmchen

    kmchen Member

    How did I get to make it work on my old install though ?

    Here are the notes I kept in case it might help. The hostname at that time was ns1.webologix.com. Do you think that might be done with ISPCONFIG ?

     
  8. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    In old install you did not use ISPConfig to make the certificates.
    Getting several FQDNs to the same certificate works with ISPConfig. Create alias domains and let them be added to the website certificate. But Let's Encrypt has upper limit 100, so more than 100 domain names can not be included to one LE certificate.
     
  9. kmchen

    kmchen Member

    Could you be a little more precise on this ?

    I understand that I should create an alias (not a subdomain right ?) in Ispconfig's website let say "mail.example.com" and then how do I "let them be added" to the website certificate ?
     
  10. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  11. kmchen

    kmchen Member

    Great. It works now. Thanks a lot Taleman
     
  12. kmchen

    kmchen Member

  13. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Check what certificate Thunderbird sees. Is Thunderbird old version?
     
  14. kmchen

    kmchen Member

    I upgraded to thunderbird 60. Nothing changed. Certificate informations reported by thunderbird says "cn ks307144.kimsufi.com" whitch is the mail server's FQDN, not mail.example.com as expected and reported by https://ssl4less.fr/ssl-tools/check-ssl-certificate.html
     
  15. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    That is expected (arguably "correct," though entirely undesirable, as your issue demonstrates), there is only one ssl certificate served by the mail server and very few hostnames will typically be included in the certificate. You can create a certificate with more names in it (up to 100 names total for letsencrypt), which can help, and that's about the best you can do right now without a very custom configuration/setup. I haven't read the above referenced tutorial in a while but iirc, you add additional names to the certificate by adding aliases to the vhost which requested the certificate (so eg. add mail.example.com as an alias to the vhost, and make sure it has the same ip address in DNS). It should improve in time/future ISPConfig releases.

    Most likely that is testing/reporting the web server certificate on port 443, a very different critter than the ssl certificate served by the postfix/dovecot mail services.
     
  16. kmchen

    kmchen Member

    Even if I ask for mail.example.com ?

    I did use the alias system in ispconfig to include mail server in certificate and I see mail.example.com listed in the https://ssl4less.fr/ssl-tools/check-ssl-certificate.html results

    I tried another online tester for, let's say mail.webologix.com so you can see the real results https://www.sslshopper.com/ssl-checker.html#hostname=mail.webologix.com
    It looks OK too
     
  17. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    yes, that site seems to test port 443 by default .. you could search around and see if you can test mail ports (25, 110, 143, 465, 587, 993, 995), and maybe it could do that for you as well.

    Then you probably just need to arrange for that certificate to get put in place for postfix/dovecot, and the latter services restarted. Try running through the tutorial again and checking each step.

    The response on that page confirms it is checking port 443, where it finds the apache web server:
     
  18. kmchen

    kmchen Member

    Well, I tested with https://www.checktls.com/TestReceiver that shows that the problem is about hostname, as we expected with Taleman at begining of this post:

    Cert Hostname DOES NOT VERIFY (mail.webologix.com != ks307144.kimsufi.com | DNS:ks307144.kimsufi.com)
    So email is encrypted but the host is not verified

    I thought Alias usage would solve that but no.
    So I come back to the starting point: as that server serves several domains how do I manage that the ISPCONFIG generated certificate that Postfix presents covers ALL hosted domains ?
     
  19. till

    till Super Moderator Staff Member ISPConfig Developer

    It does not and it shall not do that. The postfix cert is for the hostname only. The ssl check you used is therefore useless as it presents you a wrong result, you have to check for the hostname and not for a hosted domain.
     
  20. kmchen

    kmchen Member

    Then I defined the hostname ks307144.kimsufi.com as mail server in thunderbird account instead of mail.webologix.com and it does not ask me for exception anymore.
    That solution is OK for me but now I don't understand what the definition of mail.webologix.com as alias was for ?
    Furthermore, I was able to use mail.anyhosteddomain.com as mail servers for any hosted domain by merging all subdomains in one certificate with letsencrypt as described in post #7 of that discussion. This is not possible with ispconfig ?
     

Share This Page