Let's Encrypt for email issues - Perfect Server Automated ISPConfig 3 Installation (Ubuntu 22.04)

Hello Team,

I'm big fan of the "Perfect Server Automated ISPConfig 3 Installation Ubuntu 22.04" however I noticed that for email (SMTP/IMAP) I often get errors (in Thunderbird client) regarding the certificate, I'm not entirely sure why is that since the certificate seems to be extended fine, the validity seems to be fine as well. The SSL certificate for website works fine. So now pretty much every 90 days (maybe in some cycle it works fine - not 100% sure) when let's encrypt issues a new certificate I have to "add exception" into my Thunderbird.

If you guys have any idea how to debug this (ie how to check that the certificate is actually issued fine?) I'm all for it however I would be perfectly happy (maybe even happier since the issuance is under my control and is valid for 10 years or whatever I choose to set it to) to just use use the self-signed certificate.

Is there any way to force the self-signed certificate just for email (smtp/imap/pop3) and leave the let's encrypt only for the website (https)?

Somehow I feel like back in the day when I did the installation manually (ie https://www.howtoforge.com/tutorial...pd-bind-postfix-doveot-and-ispconfig/#g0.0.12 ) the email certificate was always self-signed but maybe I remember it wrong...

Thank you all in advance.

 

Thank you for the quick followup.

On the server with ISPConfig3 it's Ubuntu 22.04, on client where the Thunderbird runs it's Ubuntu 20.04, Thunderbird version 102.11.0 (64-bit).

 

Use this to make sure certificate is issued or renewed: https://forum.howtoforge.com/threads/lets-encrypt-error-faq.74179/
Examine in Thunderbird what certificate it is using. If it is old expired certificate and not the new certificate on server, try restarting dovecot and postfix on your e-mail server. Examine certificate in Thunderbird again.
If that does not help, maybe the symlinks for certificate files are wrong?
Is the e-mail server using as mailname what

Code:

hostname -f

shows?

 

A few more clarifications / tests I have done:
1 - This domain (let's call it example.com) has active website and also has email attached to it. The website certificate is fine (www.example.com and variation without www).

2 - I checked the logs and in /root/.acme.sh/acme.sh.log there is record from 2023-06-23 on certificate file creation.
Please do tell me what to check specifically looking at https://forum.howtoforge.com/threads/lets-encrypt-error-faq.74179/ it's not very clear what I'm looking for.

3 - In /var/log/ispconfig/acme.log there is a record for example.com and www.example.com, interestingly enough no mention of mail.example.com which I typically use for the incoming and outgoing server.
I thought using mail.example.com is best practice (there might be situation where the webserver is different IP than the mailserver) and that ISPConfig would issue certificate automatically. if the best practice (or least headache) is something else please do let me know.
Using example.com (without the mail.example.com) as incoming/outgoing server also leads to certificate errors.
My MX record is pointed to mail.example.com

4 - When I setup my Thunderbird incoming/outgoing servers (smtp/imap) for domain example.com using the server's common name (ie. server1.company.com), which is the same domain I use to visit the ISPConfig administration (https://server1.company.com:8080/login/), then there is no certificate error/mismatch and all works fine.

I could stick to this I suppose and mark this as solved unfortunately the issue is that instead of upgrading the Linux installation I move my websites and emails between servers every time there is a new OS release (ie when upgrading from Ubuntu 20.04 to Ubuntu 22.04 I would use a new clean installation, use the ISPConfig migration tool and cancel/delete the old Ubuntu 20.04 installation later).
This seemed as best practice when I did upgrade long time ago: https://forum.howtoforge.com/threads/upgrading-debian-8-jessie-to-debian-9-stretch.83023/

Not using the mail.example.com as SMTP/IMAP server will lead to reconfiguration on all my devices which is annoying (I would have to switch the incoming/outgoing settings from server1.company.com to server2.company each time I do upgrade to new OS and decommission the old server).

5 - As for:

Code:

hostname -f

it shows server1.company.com which is fine and matches the setup I tried for note #4 above.

Bottom line:
* I would assume that I need somehow tell ISPConfig and acme that I want certificate for that subdomain mail.example.com (that is used solely for email) and that is the core issue of all this?
* At the same time though I find it surprising though that if I use example.com as incoming/outgoing server I still get errors when the website certificate is fine, it's just matter of different ports...

 

I install ISPConfig server with hostname mail.mydomain.com, and use that name as e-mail server in Thunderbird for incoming and outgoing. ISPConfig creates certificate for the hostname and uses that certificate for services like dovecot and postfix. I find this most straightforward and reliable way.
It is possible to set certificates in other ways, see old discussions on this Forum.

 

Yes that is smart way to do it. I wish I have thought of that.

Doesn't solve though multiple email domains. You don't want to have as the server something for project1 while it's referring to project2.

 

Back to the original question - Yes it is Ubuntu 22.04.

As I discovered the certificate is not issued for mail.example.com. Is there any way to force ISPConfig as soon the domain is added to the email tab in the administration panel to ask for the proper certificate? I don't want to issue the certificates manually (if it's even possible).