creating letsencrypt records for email subdomains like mail, imap, etc.?

Discussion in 'Installation/Configuration' started by JustAnotherUser, Dec 30, 2025.

  1. JustAnotherUser

    JustAnotherUser New Member

    Hello.
    Is it possible to have the system fetch SSL certs from Let's Encrypt for email domains? For example, I'd like mail.domain.com, imap.domain.com, etc.
    Each time I add a domain it should add these certs.

    Anyone know what I might be missing? I'm running the latest ISPConfig 3.3 on Debian 12.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    No, not automatically.
     
  3. JustAnotherUser

    JustAnotherUser New Member

    So how is this done in larger environments with different clients and domains? Does everyone just use the system servers?

    Thanks.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Larger environments use a single mail server name that all clients use to connect to the server. So the client does not use imap.his-own-domain.tld but instead imap.your-hosting-company.tld. Using different client domains makes no sense in large-scale setups, as Postfix would have to load hundreds or even thousands of different certificates, and you would have constant trouble with cert renewals and even reach rate limits from LE.
     
  5. JustAnotherUser

    JustAnotherUser New Member

    And to do the LE cert for the main name, you add subdomains to the main server cert for things like imap, mail, etc.?
     
  6. BenM

    BenM Member

    Hello,

    I know ISPConfig automatically creates certificates for port 8080 (interface), mail, and FTP. Is it possible to permanently add a Subject Alternative Name (SAN) to the Common Name certificate?

    I want to use this to simplify automatic email account setup on devices. In Outlook, the outgoing server is often set to smtp.domain, but that does not match serverx.domain and therefore causes a certificate mismatch.

    I managed to make this work by adding the following:

    • In serverx.domain.csr.conf:
      subjectAltName=DNS:serverx.domain,DNS:smtp.domain

    • In serverx.domain.conf:
      Le_Alt='smtp.domain'
    Then I ran:

    acme.sh --issue \
    -d serverx.domain \
    -d smtp.domain \
    --keylength 4096 \
    --webroot /usr/local/ispconfig/interface/acme \
    --force
    SUCCESS=1 /usr/local/ispconfig/server/scripts/letsencrypt_renew_hook.sh

    Because this did not update the certificate in the correct location, I also updated the interface certificate in /usr/local/ispconfig/interface/ssl/:

    acme.sh --install-cert -d serverx.domain \
    --key-file /usr/local/ispconfig/interface/ssl/ispserver.key \
    --fullchain-file /usr/local/ispconfig/interface/ssl/ispserver.crt \
    --reloadcmd "SUCCESS=1 /usr/local/ispconfig/server/scripts/letsencrypt_renew_hook.sh"

    This produces the expected result:

    openssl x509 -in /usr/local/ispconfig/interface/ssl/ispserver.crt -noout -ext subjectAltName

    Output:

    • DNS:serverx.domain

    • DNS:smtp.domain
     
    Last edited: Jan 23, 2026
  7. remkoh

    remkoh Well-Known Member HowtoForge Supporter

    This was all you had to do.
    And afterwards do a force renew with acme.sh from the command line.
    Nothing else needed to be done as other settings in the conf file should have been correct already.
    Now I'm not so sure.
     
  8. BenM

    BenM Member

    After an ISPConfig update with SSL renew it's gone. So I think there is more to be done to make this work.
     
    Last edited: Jan 23, 2026
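A check that fits BenM's procedure above and the regression he reports, added here as an example and not code from the thread or from ISPConfig: it reads the DNS SANs out of an installed certificate and fails when an expected name is missing, so a cron job or renew hook can flag a renewal that silently dropped smtp.domain. It assumes openssl is on the PATH; the demo certificate it builds is self-signed and constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread or from ISPConfig.
# Assumes openssl (1.1.1 or newer, for -ext/-addext) is installed.
set -eu

# cert_sans FILE -> prints the DNS SANs of a PEM certificate, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# cert_has_sans FILE NAME... -> returns 0 if every NAME is a SAN of FILE,
# 1 otherwise; each missing name is reported on stderr.
cert_has_sans() {
    file=$1; shift
    sans=$(cert_sans "$file")
    rc=0
    for name in "$@"; do
        if ! printf '%s\n' "$sans" | grep -qxF "$name"; then
            echo "MISSING SAN in $file: $name" >&2
            rc=1
        fi
    done
    return $rc
}

# make_demo_cert FILE NAME... -> constructed self-signed cert whose SANs are
# the given names (first name is also the CN). Demo only; never use in production.
make_demo_cert() {
    file=$1; shift
    alt=$(printf 'DNS:%s,' "$@"); alt=${alt%,}
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "${file%.crt}.key" \
        -out "$file" -days 1 -subj "/CN=$1" -addext "subjectAltName=$alt" \
        2>/dev/null
}

# Example run against the interface cert path used in the thread:
#   cert_has_sans /usr/local/ispconfig/interface/ssl/ispserver.crt \
#       serverx.domain smtp.domain || echo "SAN lost after renewal"
```

Run it from the renew hook or a daily cron entry; a non-zero exit is the signal that a renewal or update rewrote the certificate without the extra name.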