Lets Encrypt Procedure questions

Discussion in 'Installation/Configuration' started by Jim Locke, Nov 14, 2025.

  1. Jim Locke

    Jim Locke Member

    ok so following: https://www.howtoforge.com/securing...server-with-a-valid-lets-encrypt-certificate/
    When it gets to the alias section I added domain imap.mycompanyA.com for parent mx1.mycompanyA.com, no prob but is this where I add imap.mycompanyB.com and so on for the hosted email domains? eg: imap.mycompanyB.com for parent mx1.mycompanyA.com

    Just need confirmation as I just love dealing with certificates (yuk)
    PS: when the site was created I saw the LE come through my firewall properly
    PS: Even worse I forgot to point the firewall at new email server, ugh, now what? ugh!
    Jim..
     
    Last edited: Nov 14, 2025
  2. remkoh

    remkoh Active Member HowtoForge Supporter

    I assume you want to add extra hostnames in your ispc's system certificate located in /usr/local/ispconfig/interface/ssl?
    Keep things simple and just add them in the certificate's config file.
    It's located in /root/.acme.sh/<systemhostname>/<systemhostname>.conf
    Code:
    Le_Alt='imap.mycompanyB.tld,imap.mycompanyC.tld'
    When you're done adding do a force renew.
    Code:
    acme.sh --renew --force -d <systemhostname>
    Services (that should already be using the certificate, like postfix and dovecot) will be reloaded automatically after renewal was successful.

    But do you really want to expose to the world with that one certificate who all your customers are?!?

    Go the sni way in postfix and dovecot and create separate certificates for each company.
    It's officially not supported in ispc but does work. Though it will require some manual work editing postfix and dovecot config files.
    Plenty to find online on how to enable/configure sni in postfix and dovecot.
     
    Last edited: Nov 14, 2025
    ahrasis and Jim Locke like this.
  3. remkoh

    remkoh Active Member HowtoForge Supporter

    I recently installed a new mailserver node which will be going into production soon.
    On that server both postfix and dovecot have sni enabled.

    Since webmail runs on the same server, I can use the webserver (running Nginx) to create certificates.
    For each customer I create a website mail.companyA.tld and aliases webmail.companyA.tld / autodiscover.companyA.tld / autoconfig.companyA.tld / imap.companyA.tld / pop3.companyA.tld / smtp.companyA.tld and enable ssl.

    For autodiscover and autoconfig I created snippets that will generate and return desired imap/pop3/smtp settings to the client.
    The snippets only respond to https://autoconfig.companyA.tld/mail/[email protected] GET and https://autodiscover.companyA.tld/autodiscover/autodiscover.xml POST (autodiscover.json will be added soon).
    Accompanied by a SRV record for autodiscover and a TXT record for autoconfig in the company's dns zone.

    Any other webrequest is redirected to https://webmail.companyA.tld which is proxied to roundcube.

    In postfix a sni map is created in which mail.companyA.tld and smtp.companyA.tld, pointing to the created website certificate, will be added.

    In dovecot I created a folder for sni config files from which every company's config file will be loaded.
    In the config file mail.companyA.tld may be used by all protocols, imap.companyA.tld may only be used by the imap protocol and (you probably guessed it already) pop3.companyA.tld may only be used by the pop3 protocol.
    All hostnames again are pointing to the created website certificate.

    For now it involves quite a lot of manual work but I'm working on a script to automate it all.
    It will alter postfix's sni map and create a sni config file for dovecot and, before that, make use of ispc's rest api to do the website creation, aliases, ssl and necessary directives.
     
    Last edited: Nov 15, 2025
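The SNI setup described in the post above, as an added example that is not part of the thread and not ISPConfig's own tooling: a small generator for the Postfix SNI map entries and the Dovecot local_name blocks, one set per company. The company list and the certificate paths (/etc/ssl/<company>/...) are constructed here; on a real host they would come from ISPConfig's website SSL directories.

```shell
#!/bin/sh
# Added example (not from the thread, not ISPConfig's own tooling): generate
# the per-company Postfix SNI map entries and Dovecot local_name blocks that
# the post above describes. Certificate paths are an assumed layout.

# One line per company: "domain  keyfile  fullchainfile".
# Constructed sample; on a real system this would come from ISPConfig's data.
COMPANIES='companya.tld /etc/ssl/companya/key.pem /etc/ssl/companya/fullchain.pem
companyb.tld /etc/ssl/companyb/key.pem /etc/ssl/companyb/fullchain.pem'

# Postfix (3.4 or later): tls_server_sni_maps = hash:/etc/postfix/sni_map
# Each map line is "<sni hostname> <key> <cert chain>"; the map must be built
# with "postmap -F hash:/etc/postfix/sni_map" (-F stores the file contents).
postfix_sni_map() {
    printf '%s\n' "$COMPANIES" | while read -r domain key cert; do
        [ -n "$domain" ] || continue
        for host in mail smtp; do
            printf '%s.%s %s %s\n' "$host" "$domain" "$key" "$cert"
        done
    done
}

# Dovecot: one local_name block per hostname, meant to be dropped into a
# directory that 10-ssl.conf includes (e.g. !include sni.d/*.conf).
# The per-protocol restriction the post mentions (imap.* only for IMAP,
# pop3.* only for POP3) is not reproduced here; every hostname gets the
# same certificate.
dovecot_sni_conf() {
    domain="$1"; key="$2"; cert="$3"
    for host in mail imap pop3; do
        printf 'local_name %s.%s {\n  ssl_cert = <%s\n  ssl_key = <%s\n}\n' \
            "$host" "$domain" "$cert" "$key"
    done
}

# Count non-empty lines, a cheap consistency check against the input list.
count_lines() { printf '%s' "$1" | grep -c .; }

# Demo: write into a scratch directory instead of /etc.
out=$(mktemp -d)
postfix_sni_map > "$out/sni_map"
printf '%s\n' "$COMPANIES" | while read -r domain key cert; do
    [ -n "$domain" ] || continue
    dovecot_sni_conf "$domain" "$key" "$cert" > "$out/$domain.conf"
done
echo "wrote $(count_lines "$(cat "$out/sni_map")") Postfix SNI entries to $out/sni_map"
# On a real host, after copying the files into place:
#   postmap -F hash:/etc/postfix/sni_map && postfix reload && doveadm reload
```

The generated files are only as good as the certificates they point to: each company's key and chain must be readable by Postfix and Dovecot, and the SNI hostname in the map has to be one of the names in that certificate's SAN list, otherwise clients get a name mismatch even though SNI selected the "right" file.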
  4. Jim Locke

    Jim Locke Member

    my webmail is on another - roundcube, still testing it but with certs it's an issue to test, i'll start with all in 1, since 1 of the hosted is me again anyways, the other is just a buddy I do it for
     
  5. remkoh

    remkoh Active Member HowtoForge Supporter

    I would too then :D
    A whole lot simpler.
     
  6. Jim Locke

    Jim Locke Member

    well that was an epic fail, after the symlinks I did the systemctl restart postfix, systemctl restart dovecot commands and dovecot failed, did some reversals and got the orig cert back and postfix/dovecot running. (lots of dr. google with info from logs to get it back). lots of humming and hawing and hours later it hit me. the mx1.mycompanya.com.csr.conf is pretty much empty. time for some more dr. google to see exact layout and what data to put in it.
     
  7. remkoh

    remkoh Active Member HowtoForge Supporter

    Correct, though that's the wrong file.
    Extra hostnames need to be added in mx1.mycompanya.com.conf
     
  8. Jim Locke

    Jim Locke Member

    i edited the mx1.mycompanya.com.conf so it reads:
    Le_Alt='imap.mycompanyB.tld,imap.mycompanyC.tld'
    now I get: Please install idn to process IDN names.
    looked at the acme log and am confused as hell now
     
  9. remkoh

    remkoh Active Member HowtoForge Supporter

    Apparently you used non-ASCII characters in the hostnames?
    That's what's causing that message according to google ai.
     
  10. Jim Locke

    Jim Locke Member

    net_ecc
    say whut! something (file) must be corrupted then because I did no such thing. I am thinking I should delete the /.acme.sh/mycompany.net_ecc folder then rerun the ispc install script and make sure I do the certificate thing there again. is it too early to have a drink yet, the sun will be up soon
     
  11. remkoh

    remkoh Active Member HowtoForge Supporter

    This is your ispconfig system certificate right?
    (Btw you're missing /root at the beginning of the path)

    If so, you can follow these steps. Skipping the webserver parts if it's running properly.
    As rerunning the install script (or rather the update script) doesn't allow you to add extra hostnames.
    You would have to try that manually afterwards.
     
  12. Jim Locke

    Jim Locke Member

    hang tight, so i renamed the _ecc folder and ran: acme.sh --issue --nginx -d mx1.mycompanya.net
    got a cert
    then edited the /mycompanya.net_ecc/mx1.mycompanya.net.conf and added the 2 entries for Le_Alt='imap.mycompanyB.ca,imap.mycompanyC.com'
    then rerun the --force and error comes back, it's not liking the Le_Alt change
     
  13. remkoh

    remkoh Active Member HowtoForge Supporter

    How do you edit the file?
    Seems like the editor is putting extra stuff in there.
    Just use vi or vim or something similar from the command line.
     
    Last edited: Nov 16, 2025
  14. Jim Locke

    Jim Locke Member

    i only ever use vi
     
  15. remkoh

    remkoh Active Member HowtoForge Supporter

    Well if that worked just do it again.
    Only this time use command
    Code:
    acme.sh --issue -d mx1.mycompanya.net -d imap.mycompanyb.ca -d imap.mycompanyc.com -w "/usr/local/ispconfig/interface/acme" --always-force-new-domain-key --keylength ec-256 --key-file "/usr/local/ispconfig/interface/ssl/ispserver.key" --fullchain-file "/usr/local/ispconfig/interface/ssl/ispserver.crt" --renew-hook "letsencrypt_renew_hook.sh"
    This will give you a new ispconfig system certificate as how it should be, but with extra hostnames.
    (the ecdsa kind, since you mentioned your previous certificate was in folder mycompanya.net_ecc)

    Do a force renew afterwards to have the renewal hook run too
    Code:
    acme.sh --renew --force -d mx1.mycompanya.net
     
    ahrasis and till like this.
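The Le_Alt edit and the "Please install idn" error from the exchange above, as an added example that is not part of the thread and not acme.sh's own code: a pair of shell helpers that validate the alternative names and rewrite the Le_Alt line in a domain conf on a copy before touching the original. The character check is an assumption modelled on acme.sh's own _idn helper, which (as far as I know it) treats any character outside [0-9a-zA-Z.,-] as a sign of an IDN name, so a stray quote, space, tab or carriage return left by an editor produces exactly that message. The sample conf is constructed.

```shell
#!/bin/sh
# Added example (not from the thread, not acme.sh's code): helpers for the
# Le_Alt edit discussed above. Paths and the sample conf are constructed.

# acme.sh prints "Please install idn to process IDN names." when a domain
# contains any character outside [0-9a-zA-Z.,-] (assumption: modelled on its
# _idn helper). Stray quotes, spaces, tabs or CRs from an editor trigger it too.
# Returns 0 when the comma-separated list is clean, 1 otherwise.
check_alt_names() {
    names="$1"
    if printf '%s' "$names" | LC_ALL=C grep -q '[^0-9a-zA-Z.,-]'; then
        echo "non-ASCII or stray character in: $names" >&2
        return 1
    fi
    # no empty entries, no leading/trailing comma, no dangling dots
    case ",$names," in
        *,,*|*,.*|*.,*) echo "malformed list: $names" >&2; return 1 ;;
    esac
    return 0
}

# Rewrite (or add) the Le_Alt= line in an acme.sh domain conf, keeping the
# single-quoted form acme.sh writes itself. Works on a temp copy and only
# replaces the original when everything succeeded.
set_le_alt() {
    conf="$1"
    names="$2"
    check_alt_names "$names" || return 1
    [ -f "$conf" ] || { echo "no such conf: $conf" >&2; return 1; }
    tmp=$(mktemp) || return 1
    if grep -q '^Le_Alt=' "$conf"; then
        sed "s|^Le_Alt=.*|Le_Alt='$names'|" "$conf" > "$tmp"
    else
        cat "$conf" > "$tmp"
        printf "Le_Alt='%s'\n" "$names" >> "$tmp"
    fi
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Read back what is configured, for a sanity check before the forced renew.
get_le_alt() {
    sed -n "s/^Le_Alt='\(.*\)'$/\1/p" "$1"
}

# Demo on a constructed conf (a real one lives in
# /root/.acme.sh/<systemhostname>_ecc/<systemhostname>.conf for ECDSA certs).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
Le_Domain='mx1.mycompanya.net'
Le_Alt='no'
Le_Webroot='/usr/local/ispconfig/interface/acme'
EOF
set_le_alt "$demo_conf" 'imap.mycompanyb.ca,imap.mycompanyc.com'
echo "Le_Alt now: $(get_le_alt "$demo_conf")"
# Followed on the real host by: acme.sh --renew --force -d mx1.mycompanya.net
```

Running check_alt_names on the value you intend to write is the quick way to tell an editor artefact from a genuine IDN name before acme.sh refuses the renewal; the validation also rejects anything that could break the sed substitution.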
  16. Jim Locke

    Jim Locke Member

    i finally got the certificate done but the system sent me email for each of the aliased (imap,smtp,mail):
    mx1.mycompanya.net - 16.11.2025-18:44 - WARNING - Could not verify domain smtp.mycompanya.net, so excluding it from let's encrypt request. if I "nslookup smtp.mycompanya.net 8.8.8.8" I get proper response. Still got some figuring to do because when I did the test sslchecker it showed all of them. And webmail works but can not send outside (bounce back) might be the dkim (something in mail.log. done for the day, look at more tomorrow, my brain hurts
     
  17. Jim Locke

    Jim Locke Member

    Hmm, just looked and I thought the cert was good, played around some more, still only mycompanya.net on cert but when i look at le.log:
    [Thu Nov 20 04:41:32 AM UTC 2025] Found cert chain
    [Thu Nov 20 04:41:32 AM UTC 2025] _end_n='23'
    [Thu Nov 20 04:41:32 AM UTC 2025] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/........'
    [Thu Nov 20 04:41:32 AM UTC 2025] Cert success.
    [Thu Nov 20 04:41:32 AM UTC 2025] Your cert is in: /root/.acme.sh/webmail.mycompanya.net_ecc/webmail.mycompanya.net.cer
    [Thu Nov 20 04:41:32 AM UTC 2025] Your cert key is in: /root/.acme.sh/webmail.mycompanya.net_ecc/webmail.mycompanya.net.key
    [Thu Nov 20 04:41:32 AM UTC 2025] The intermediate CA cert is in: /root/.acme.sh/webmail.mycompanya.net_ecc/ca.cer
    [Thu Nov 20 04:41:32 AM UTC 2025] And the full-chain cert is in: /root/.acme.sh/webmail.mycompanya.net_ecc/fullchain.cer
    [Thu Nov 20 04:41:32 AM UTC 2025] Your pre-generated key for future cert key changes is in: /root/.acme.sh/webmail.mycompanya.net_ecc/webmail.mycompanya.net.key.next
    [Thu Nov 20 04:41:32 AM UTC 2025] Installing key to: /usr/local/ispconfig/interface/ssl/ispserver.key
    [Thu Nov 20 04:41:32 AM UTC 2025] Installing full chain to: /usr/local/ispconfig/interface/ssl/ispserver.crt
    [Thu Nov 20 04:41:32 AM UTC 2025] _on_issue_success
    [Thu Nov 20 04:41:32 AM UTC 2025] '' does not contain 'dns'
    ---
    only mycompanya still but if i copy that link in log and download that, save as cer I can view it and see all 3 in it. Looks like it's just not installing (apache2 restarted, rebooted, nadda).
     
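A way to settle "only mycompanya on the cert" versus "all 3 in the download" from the post above, as an added example that is not part of the thread: read the SAN list out of the installed certificate and out of acme.sh's fullchain.cer with openssl and compare both against the names you asked for. If the acme.sh copy has all names and ispserver.crt does not, the hook or symlink is the problem; if neither has them, Let's Encrypt excluded them at issuance (as the "Could not verify domain" warning suggests). The parser is pure shell so it can be exercised on the constructed openssl-style text below; the wrapper needs openssl 1.1.1 or newer for the -ext option. File paths are those mentioned in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): confirm which hostnames a certificate
# actually carries. Paths are those named in the thread; the sample is constructed.

# Pure text parser: takes the output of
#   openssl x509 -noout -ext subjectAltName -in <file>
# and prints one DNS name per line, lower-cased.
parse_san_dns() {
    printf '%s\n' "$1" \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p' \
        | tr 'A-Z' 'a-z'
}

# Wrapper for a real PEM file (needs openssl 1.1.1+ for -ext).
cert_san_dns() {
    parse_san_dns "$(openssl x509 -noout -ext subjectAltName -in "$1")"
}

# Print expected names that are absent from the SAN list, one per line;
# empty output and exit 0 mean the certificate covers every requested name.
missing_sans() {
    expected="$1"      # comma-separated, as given to acme.sh / Le_Alt
    sans="$2"          # one per line, as produced by parse_san_dns
    rc=0
    for name in $(printf '%s' "$expected" | tr ',' ' '); do
        if ! printf '%s\n' "$sans" | grep -qFx "$name"; then
            echo "$name"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of openssl's output for a cert covering only the system host.
SAMPLE='X509v3 Subject Alternative Name: 
    DNS:mx1.mycompanya.net'
WANT='mx1.mycompanya.net,imap.mycompanyb.ca,imap.mycompanyc.com'
if miss=$(missing_sans "$WANT" "$(parse_san_dns "$SAMPLE")"); then
    echo "certificate covers all requested names"
else
    echo "names missing from certificate:"; echo "$miss"
fi
# On the server, run the same comparison against both copies:
#   missing_sans "$WANT" "$(cert_san_dns /usr/local/ispconfig/interface/ssl/ispserver.crt)"
#   missing_sans "$WANT" "$(cert_san_dns /root/.acme.sh/mx1.mycompanya.net_ecc/fullchain.cer)"
```

Comparing the two files side by side also catches the case where ispserver.crt is a dangling or stale symlink: a certificate that openssl reads fine from the acme.sh directory but not from the ispconfig path points at the installation step, not at issuance.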
  18. remkoh

    remkoh Active Member HowtoForge Supporter

    Never ever had any problems even remotely like this.
    Only thing I can think of is a dns or firewall issue preventing LE from validating the other hostnames and therefore excluding them from the certificate.
     
  19. Jim Locke

    Jim Locke Member

    nope, it's me, certificates and me have never gotten along since their inception (yes i'm old).
    So i'm thinking:
    wget cert from link
    mv old ispserver to .old
    cp new to ispserver
    double check syn links
    restart apache
     