Hi,
On a Debian 9 / ISPConfig 3 server I got all Let's Encrypt domains correctly generated for the https domains. But for mail I followed the instructions at https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/ and verified the symbolic links for both dovecot and postfix as indicated:
Code:
root@ks307144:/etc/postfix# ll smtpd.*
lrwxrwxrwx 1 root root   48 janv. 21 15:55 smtpd.cert -> /usr/local/ispconfig/interface/ssl/ispserver.crt
-rw-r--r-- 1 root root 1736 janv. 19 10:20 smtpd.cert-190121155541.bak
lrwxrwxrwx 1 root root   48 janv. 21 15:55 smtpd.key -> /usr/local/ispconfig/interface/ssl/ispserver.key
-rw------- 1 root root 3272 janv. 19 10:20 smtpd.key-190121155541.bak
But when I test any domain like mail.example.com on https://ssl4less.fr/ssl-tools/check-ssl-certificate.html, all domains are in error: I see certificates generated for example.com and www.example.com but nothing for mail.example.com.
Thanks for help
Is mail.example.com included in the certificate you generated? What does
Code:
hostname
hostname -f
show on that host? Is this a multiserver setup?
Hi, thanks for replying. No, mail.example.com does not seem to be included in the certificate. I did not generate it myself but via ISPConfig, in each website's/domain's configuration. How should I verify this? The hostname is the server's name: ks307144.kimsufi.com. No, this is a single-server setup.
My guess is the website you created for this is not mail.example.com? If you need a mail.... certificate, the website needs to be that FQDN. But @ahrasis is the best authority on this. That howto you followed does work, though; I have created certificates for my servers using that. But I used mail.mydomain.tld as the website, because that FQDN is the one I needed the certificate for. Then I just use the same FQDN for logging in to ISPConfig.
But I need a mail certificate for every domain. I can't create mail certificates for only one domain, can I? I remember I succeeded, on a previous installation of that server, in making a global certificate including all domains with Let's Encrypt, but I don't know how to manage that with ISPConfig.
I needed the certificate for mail.mydomain.tld to use with Postfix. The websites I have on my server get certificates with the usual ISPConfig method of turning it on in the website settings. All the domains I host have MX record mail.mydomain.tld, so getting a certificate for that is enough for e-mail use. You can create a certificate for the mail host of every domain you have, but then there is a problem with the current version of Postfix: it then needs an IP address for each of those domains.
How did I get it to work on my old install, though? Here are the notes I kept, in case it might help. The hostname at that time was ns1.webologix.com. Do you think that might be done with ISPConfig?
In the old install you did not use ISPConfig to make the certificates. Getting several FQDNs into the same certificate works with ISPConfig: create alias domains and let them be added to the website certificate. But Let's Encrypt has an upper limit of 100, so more than 100 domain names cannot be included in one LE certificate.
Could you be a little more precise on this? I understand that I should create an alias (not a subdomain, right?) in ISPConfig's website, let's say "mail.example.com", and then how do I "let them be added" to the website certificate?
https://www.howtoforge.com/community/threads/how-to-use-lets-encrypt-for-aliasdomain.76535/
https://www.howtoforge.com/community/threads/setup-lets-encrypt-for-aliasdomain.76903/
And aliasdomain, not subdomain.
I'm afraid it only half works, in fact. mail.example.com passes the https://ssl4less.fr/ssl-tools/check-ssl-certificate.html tests, but the MUA (Thunderbird) still asks for a certificate exception when connecting to the server.
I upgraded to Thunderbird 60. Nothing changed. The certificate information reported by Thunderbird says "CN ks307144.kimsufi.com", which is the mail server's FQDN, not mail.example.com as expected and as reported by https://ssl4less.fr/ssl-tools/check-ssl-certificate.html.
That is expected (arguably "correct," though entirely undesirable, as your issue demonstrates): there is only one SSL certificate served by the mail server, and very few hostnames will typically be included in that certificate. You can create a certificate with more names in it (up to 100 names total for Let's Encrypt), which can help, and that's about the best you can do right now without a very custom configuration/setup. I haven't read the above-referenced tutorial in a while, but IIRC you add additional names to the certificate by adding aliases to the vhost which requested the certificate (so e.g. add mail.example.com as an alias to the vhost, and make sure it has the same IP address in DNS). It should improve in time/future ISPConfig releases. Most likely that site is testing/reporting the web server certificate on port 443, a very different critter than the SSL certificate served by the postfix/dovecot mail services.
Even if I ask for mail.example.com? I did use the alias system in ISPConfig to include the mail server in the certificate, and I see mail.example.com listed in the https://ssl4less.fr/ssl-tools/check-ssl-certificate.html results. I tried another online tester for, let's say, mail.webologix.com so you can see the real results: https://www.sslshopper.com/ssl-checker.html#hostname=mail.webologix.com. It looks OK too.
Yes, that site seems to test port 443 by default. You could search around and see if you can test the mail ports (25, 110, 143, 465, 587, 993, 995); maybe it could do that for you as well. Then you probably just need to arrange for that certificate to get put in place for postfix/dovecot, and the latter services restarted. Try running through the tutorial again and checking each step. The response on that page confirms it is checking port 443, where it finds the Apache web server:
Well, I tested with https://www.checktls.com/TestReceiver, which shows that the problem is about the hostname, as we expected with Taleman at the beginning of this post:
Code:
Cert Hostname DOES NOT VERIFY (mail.webologix.com != ks307144.kimsufi.com | DNS:ks307144.kimsufi.com)
So email is encrypted but the host is not verified. I thought alias usage would solve that, but no. So I come back to the starting point: as that server serves several domains, how do I manage that the ISPConfig-generated certificate that Postfix presents covers ALL hosted domains?
It does not, and it shall not do that. The Postfix cert is for the hostname only. The SSL check you used is therefore useless, as it presents you a wrong result: you have to check for the hostname and not for a hosted domain.
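The checks discussed in the last few posts (an online tester reporting the port 443 certificate, checktls reporting the port 25 certificate, Thunderbird rejecting the name) all come down to one rule: the client compares the hostname it connected to against the DNS entries in the certificate's Subject Alternative Name (SAN) extension. The script below, an added example that is not part of the thread or of ISPConfig, makes that comparison visible. The two certificate excerpts are constructed to mirror what the thread describes (the web vhost certificate carrying the aliasdomain, the Postfix certificate carrying only the server hostname); they are not captured from the real server, and the wildcard excerpt is added only to show the left-most-label rule. On a real host you would obtain the text to feed it with `openssl s_client -connect HOST:25 -starttls smtp -servername HOST 2>/dev/null | openssl x509 -noout -text` (use `-starttls imap` for port 143, or no `-starttls` for 993 and 465):

```python
"""Mirror the hostname check that Thunderbird and checktls.com perform:
does a SAN DNS entry in the presented certificate cover the name the
client connected to?  Certificate excerpts below are constructed samples
in the format printed by `openssl x509 -noout -text`, not real captures."""
import re

# Constructed: what Postfix on the thread's server presents (hostname only).
POSTFIX_CERT_TEXT = """\
        Subject: CN = ks307144.kimsufi.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:ks307144.kimsufi.com
"""

# Constructed: the web vhost certificate after mail.webologix.com was added
# as an aliasdomain in ISPConfig (this is what a port 443 tester reports).
WEB_CERT_TEXT = """\
        Subject: CN = webologix.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:webologix.com, DNS:www.webologix.com, DNS:mail.webologix.com
"""

# Constructed: a wildcard certificate, to show how far a wildcard reaches.
WILDCARD_CERT_TEXT = """\
        Subject: CN = example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:*.example.com, DNS:example.com
"""


def san_dns_names(cert_text):
    """Return the lower-cased DNS: entries from the SAN line of x509 -text output."""
    m = re.search(r"Subject Alternative Name:\s*([^\n]+)", cert_text)
    if not m:
        return []  # no SAN extension: modern clients will not fall back to the CN
    entries = [e.strip() for e in m.group(1).split(",")]
    return [e[len("DNS:"):].lower() for e in entries if e.startswith("DNS:")]


def san_entry_matches(entry, hostname):
    """RFC 6125-style match: exact, or a single '*' in the left-most label
    that stands for exactly one label (so *.example.com does not cover
    a.b.example.com, nor example.com itself)."""
    host_labels = hostname.lower().rstrip(".").split(".")
    entry_labels = entry.split(".")
    if len(entry_labels) != len(host_labels):
        return False
    if "*" in entry:
        # Only a whole-label wildcard in the left-most position is accepted,
        # and not for a name as short as *.com.
        if entry_labels[0] != "*" or entry.count("*") != 1 or len(entry_labels) < 3:
            return False
        return entry_labels[1:] == host_labels[1:]
    return entry_labels == host_labels


def hostname_matches(cert_text, hostname):
    """True if any SAN DNS entry in the certificate covers hostname."""
    return any(san_entry_matches(e, hostname) for e in san_dns_names(cert_text))


def verify_report(cert_text, hostname):
    """One line in the style of the checktls.com 'Cert Hostname' verdict."""
    names = san_dns_names(cert_text)
    verdict = "VERIFIES" if hostname_matches(cert_text, hostname) else "DOES NOT VERIFY"
    return f"{hostname}: {verdict} (SAN: {', '.join(names)})"


if __name__ == "__main__":
    for host in ("mail.webologix.com", "ks307144.kimsufi.com"):
        print("port 25  ->", verify_report(POSTFIX_CERT_TEXT, host))
        print("port 443 ->", verify_report(WEB_CERT_TEXT, host))
```

Run as-is, the report shows mail.webologix.com verifying against the port 443 certificate and failing against the port 25 certificate, while ks307144.kimsufi.com does the opposite; that is exactly why the web tester passed and Thunderbird did not, and why configuring the MUA with the server's hostname made the warning go away.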
Then I defined the hostname ks307144.kimsufi.com as the mail server in the Thunderbird account instead of mail.webologix.com, and it does not ask me for an exception anymore. That solution is OK for me, but now I don't understand what the definition of mail.webologix.com as an alias was for? Furthermore, I was able to use mail.anyhosteddomain.com as the mail server for any hosted domain by merging all subdomains into one certificate with Let's Encrypt, as described in post #7 of this discussion. This is not possible with ISPConfig?