How-to refresh mailserver certificate after autoinstall

Discussion in 'Installation/Configuration' started by StanislavS, Jun 8, 2023.

  1. StanislavS

    StanislavS New Member

    Hello,

    I just installed ISPConfig 3.2.10 on Ubuntu 22.04 using autoinstall. Everything went OK. I configured several websites/domains and now I need to reissue the mail server Let's Encrypt certificate stored in /usr/local/ispconfig/interface/ssl/ispserver.crt/key and generated by autoinstall. The websites' domain certificates were automatically regenerated by ISPConfig (also in /root/.acme.sh/ispconfig.host.com/), but they are not passed to /usr/local/ispconfig/interface/ssl/ispserver.[crt,key].

    Thanks for the help.

    Best Regards,
    Stanislav
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Website domains are not and shall not be passed to the main system cert. The main system cert contains the system hostname only.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

  4. StanislavS

    StanislavS New Member

    Hi,
    yes, I agree.
    What I'm trying to do is to pass DNS aliases to the system cert to serve users with their own domain hostnames, aka
    [mail|imap|pop3|smtp].userdomain.com, instead of pointing them to "ispconfig.host.com:[25,143,587,993]".
    When they are listed in the alternative DNS names and passed to postfix/dovecot, no email client will complain when accessing TLS/SSL using [mail|imap|pop3|smtp].userdomain.com.

    Best Regards,
    Stanislav
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    The problem with your approach is that it is very limited in regard to the number of domains (e.g. you can have max 100 (sub)domains in a LE cert) and that's why hosters typically do not use this. So better use a subdomain of your own domain and tell your users to use that for their mail client configuration.
     
    ahrasis likes this.
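An added check (not from this thread or from ISPConfig) for the two points above: it lists the DNS names a certificate actually carries, tests whether the hostnames you intend to hand out to mail clients are covered, and warns when the count passes the 100-name Let's Encrypt limit. It assumes openssl 1.1.1 or newer on PATH; the certificate path and hostnames are whatever you pass in.

```shell
#!/bin/sh
# Print one SAN DNS name per line for the PEM certificate in $1.
# Assumes openssl 1.1.1+ (the -ext option). Output of -ext subjectAltName
# looks like "DNS:a.example, DNS:b.example", so split on commas first.
cert_san_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Usage: cert_covers CERT.pem host1 [host2 ...]
# Prints "ok"/"MISSING" per host; returns 1 if any host is not covered.
# A wildcard SAN is honoured for one left-most label only (*.example.com
# matches mail.example.com but not a.mail.example.com).
cert_covers() {
    cert="$1"; shift
    names=$(cert_san_names "$cert")
    count=$(printf '%s\n' "$names" | grep -c . || true)
    # One Let's Encrypt certificate carries at most 100 names.
    [ "$count" -gt 100 ] && echo "warning: $count SANs exceed the 100-name LE limit"
    rc=0
    for host in "$@"; do
        if printf '%s\n' "$names" | grep -qxF -- "$host"; then
            echo "ok       $host"
        elif printf '%s\n' "$names" | grep -qxF -- "*.${host#*.}"; then
            echo "ok       $host (wildcard)"
        else
            echo "MISSING  $host"
            rc=1
        fi
    done
    return $rc
}
```

Run it as `cert_covers /usr/local/ispconfig/interface/ssl/ispserver.crt mail.userdomain.com imap.userdomain.com` to see which client-facing names the current system cert would leave uncovered.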
  6. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    It would be nice to have SNI for both pure-ftpd and postfix so that it's an option to use customers' own domains.
    It should be possible now (at least for Debian/Ubuntu) now that postfix officially supports SNI and pure-ftpd now includes the pure-certd binary in the default repo install files.
    I know that will require some code changes (and some DB changes) so that the certs are available/configured when the mailserver and webserver are separate machines.

    The reason being it could simplify management for hosters: no more calls from clients when they try to connect to FTP using their own website name and get cert warnings, no more asking what to put as the POP3/IMAP/SMTP host for mail clients (even when they're told in the email/page when they order/create the mailbox), or asking why they can't use their own domains.
    And mail clients should be able to autoconfigure, since they try to use the mail domain name by default (and Microsoft have broken autoconfigure for Outlook on non-Exchange servers).
     
    ahrasis, Taleman and till like this.
  7. StanislavS

    StanislavS New Member

    Exactly! Thanks for reply.
     