I couldn't respond to a thread (posts <2) or create this post (you have links), so you Linux heads out there will have to substitute _ for / (something for the Howto admins to consider)... anyway.
I am running an ispconfig mail server with 2 different domains. I have got certificates for each domain from letsencrypt (certbot), and domain1 is running nicely: no issues with web pages or email on domain1, and the Thunderbird client doesn't ask for an "exception". domain2 has a problem: the website is all nicely SSL enabled, but the users have problems with Thunderbird (email) saying "wrong certificate". When I run in a terminal

    openssl s_client -showcerts -connect domain2.xxx:993

I get the cert for domain1. I have added, in /etc/dovecot/conf.d/10-ssl.conf:

    local_name domain1.xxx {
      ssl_cert = </etc/letsencrypt/live/domain1.xxx/fullchain.pem
      ssl_key = </etc/letsencrypt/live/domain1.xxx/privkey.pem
    }
    local_name domain2.xxx {
      ssl_cert = </etc/letsencrypt/live/domain2.xxx/fullchain.pem
      ssl_key = </etc/letsencrypt/live/domain2.xxx/privkey.pem
    }

If I swap the certificates in /etc/dovecot/dovecot.conf, domain2 works and domain1 doesn't. So the cert is coming from /etc/dovecot/dovecot.conf and not from /etc/dovecot/conf.d/10-ssl.conf. So, local_name is not working! I have tried local_name in dovecot.conf and dovecot won't even restart. Any help would be GREATLY appreciated. There is very little on the internet about this, and, after a day of searching/testing, none of it works. Regards and cheers to you all.
And this issue with "links" when you're trying to post... where is the "link"? I had none in my post... what constitutes a link, and where has the post broken the rules? It's just wrong to have to put _ instead of / or whatever. What are the rules?
You need to request both domains in one cert. Have a look here: https://www.howtoforge.com/communit...l-port-8080-with-lets-encrypt-free-ssl.75554/

However, meanwhile I prefer the acme.sh client because it also supports dns-01 and has no dependencies. I just think it's more reliable than certbot: https://www.howtoforge.com/communit...utomated-dns-01-challenge-for-ispc-3-1.74850/
@sjau, Thanks for your quick response. I am using ispconfig3, and the purpose of this is to be a web provider, like cpanel. Ergo, you start with one client and evolve to 16. You can't keep getting new certificates. cpanel has its limitations, as the clients are always asked to do a "security exception", but we are hearing that this is resolved in dovecot2. It's just that no one knows how to implement it.
By the way, your very good point on acme is well taken, but it's not relevant on an ispconfig install to keep getting a new top-level cert every time you get a new client. For my application, the best ever how-to is Howto on howto, and it's the "Perfect Server". Unfortunately, the advice here doesn't work.
Dovecot supports SNI; the implementation appears quite simple and is described at https://wiki.dovecot.org/SSL/DovecotConfiguration. You may want to automate the config with a script, though, if you add/remove clients very often.

But that's just dovecot (receiving); once you have that working you'll likely find clients still get a warning about the certificate, as postfix (sending) does not support SNI. Solutions (which would also work with dovecot, if you wanted to implement those), neither of which is built into ispconfig, so you'd have to set them up yourself, are:

1) obtain a single certificate with multiple hostnames (including client domain names like mail.client1.tld) to use for postfix (and dovecot), or
2) use a different ip address for each client and have postfix (and dovecot) serve a different certificate depending on the ip address.

A limitation on "1" is the number of names in a certificate (100, I believe), and obviously a limitation on "2" is the number of available ip addresses. You could combine those as well, so e.g. each ip address serves up a certificate with < 100 names in it. Of course, working out the setup is up to you; it's not built into ispconfig.
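Taking up the automation suggestion in the reply above, here is an added example (not ispconfig's or dovecot's own code) that generates one local_name block per hostname directory found in a Let's Encrypt live tree, in the form shown on the dovecot wiki page linked above. The leading "<" tells dovecot to read the file rather than use the path string as the value, and a directory that lacks fullchain.pem or privkey.pem is skipped with a warning so the generated fragment never references a missing file. The live directory, the output file name 90-sni.conf and the one-directory-per-hostname layout are assumptions; the global ssl_cert/ssl_key stay as they are and remain what a client that sends no SNI receives. One caveat on the postfix side: Postfix added server-side SNI in release 3.4 (tls_server_sni_maps), so on newer installs the single-certificate or one-IP-per-client workarounds are no longer the only options.

```shell
#!/bin/sh
# Added example (not ispconfig's or dovecot's own code): build a dovecot SNI
# fragment with one local_name block per hostname directory under a
# Let's Encrypt "live" tree. Assumptions: each directory is named after the
# hostname and holds fullchain.pem and privkey.pem; the output path is a choice.
set -u

LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live}   # assumption: certbot default layout
OUT_FILE=${OUT_FILE:-}                        # empty: write to stdout

# render_local_name NAME DIR: one block in the syntax of the dovecot wiki page.
# The leading '<' makes dovecot read the file contents instead of using the
# path string itself as the certificate value.
render_local_name() {
    printf 'local_name %s {\n' "$1"
    printf '  ssl_cert = <%s/fullchain.pem\n' "$2"
    printf '  ssl_key = <%s/privkey.pem\n' "$2"
    printf '}\n'
}

# render_all LIVE_DIR: emit blocks for every directory that has both files
# and skip the rest with a warning on stderr, so a half-finished renewal or a
# stray directory never ends up referenced in the config. A trailing comment
# records how many blocks were generated (dovecot treats '#' lines as comments).
render_all() {
    count=0
    for dir in "$1"/*/; do
        [ -d "$dir" ] || continue            # unmatched glob or not a directory
        dir=${dir%/}
        name=${dir##*/}
        if [ -f "$dir/fullchain.pem" ] && [ -f "$dir/privkey.pem" ]; then
            render_local_name "$name" "$dir"
            count=$((count + 1))
        else
            echo "skipping $name: fullchain.pem or privkey.pem missing" >&2
        fi
    done
    echo "# $count local_name block(s) generated from $1"
}

# count_blocks FRAGMENT: number of local_name blocks in a rendered fragment,
# handy to compare with what `doveconf -n | grep -c local_name` reports later.
count_blocks() {
    printf '%s\n' "$1" | grep -c '^local_name '
}

if [ -n "$OUT_FILE" ]; then
    render_all "$LIVE_DIR" > "$OUT_FILE"
else
    render_all "$LIVE_DIR"
fi
```

Run it as OUT_FILE=/etc/dovecot/conf.d/90-sni.conf sh gen-sni.sh (the file name is an assumption), check the result with doveconf -n before reloading, and then verify each hostname from outside with openssl s_client -connect host:993 -servername mail.client1.tld; rerun the script from the certbot renewal hook whenever a client directory is added or removed.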