Trouble Securing Managed Mailserver with a Valid Certificate

I just followed the tutorial "Securing your ISPConfig 3 managed mailserver with a valid Let's Encrypt SSL certificate." (I did not set up the renewal script.) Everything went fine except that dovecot will not restart.
I am trying to set up a certificate for mail.hugheshome.net
The certificate checks out at the tool suggested in the tutorial https://www.sslshopper.com/ssl-checker.html
The symlinks look okay to me. Postfix starts but dovecot exits with error 89.


I am stuck and would be grateful for help.

 

Did you just now install that server and ISPConfig? How?
Using ISPConfig auto-installer should create and configure the certificates. If you followed the Perfect Server Guide the certificates should be OK if done correctly.
Maybe following instructions from that "Securing your ISPConfig 3 managed mailserver with a valid Let's Encrypt SSL certificate." broke the certificate system?

 

Ah! That's possible. Thanks. I thought the tutorial was something to follow after the server was set up, if the mail subdomain did not have a certificate!
I had followed the Perfect Server Guide, and all has been well for several months, except that mail.hugheshome.net did not have a certificate. To solve the missing certificate problem, I followed the "Securing your ISPConfig 3 managed mailserver with a valid Let's Encrypt SSL certificate" tutorial.
The initial problem, I think, is that I did not create a site for mail.hugheshome.net -- only the main site, hugheshome.net site. I thought that would be enough.
Now that I have the mail. site set up separately (as mentioned in the tutorial) and have run the update script, all is well.
---
BTW, How should I have set up the mail subdomain using ispconfig. Should I create it as a "site" under the Site tab or as a subdomain, using the Site tab and then the Websites>website for subdomain menu item?

 

Thanks till. This is a site created by a reseller. It was originally set up as suggested in the tutorial you linked. The problem, when I set it up like that, is that the certificate the email client sees is the over all server certificate.
So, the server is server.example.com and the reseller site and email is reseller.com. If the mail client, Thunderbird, is told to fetch and send email from server.example.com, it will do so without a problem. BUT some recipient sites say there is a problem with emails sent on behalf of [email protected] from server.example.com.
I thought that since reseller.com had a certificate, all would be well, but apparently, the mail client fetches the server.example.com certificate creating a misalignment issue.

 

Thanks again!
Your explanation of the problem with using mail.reseller.com. I didn't know that. I guess I'll need to look for some other source of the delivery problems. And, I'll return to the original setup. (The spf, dkim, and dmarc for server.com are all okay. Same for reseller.com. At least according to the dmarcian report.)
I really appreciate your help. The explanation you provided helped now and will help in the future.

 

Okay. I have had an spf record for server.yourdomain.com. I've added a dmarc record.
Thanks again!

 

I'm having similar issue. Everything has been great for several years but after the upgrade to 3.2 now the subdomain mail.domain.com renews but imap won't use it. Postfix will see the new certificate. Nothing was changed. Testing with key and cert shows they match. Reverting to old certificate it works but shows expired certificate.... weird. Bought a Certigo certificate, issued using the CSR generated by ispconfig3.2 and applied it ... it won't work while using the ispconfig fields. Copied the data according the fields like I've always done but while it accepts the data it copies it into the correct locations on the server but imap won't work. Postfix no problem. The certificates are symlinked to the correct files and shared by postfix and dovecot... I'm puzzled! I've invested many hours... and had to manually assign the letsencrypt certificate to both postfix and dovecot. I'd like to use sectigo because I'd not have to worry for about a year. Our other servers run fine using old ispconfig with certbot.... only the one with acme.sh is giving this problem... any hints would be very much appreciated... some times thinking too much gets exhausting and gives no results... I'm at that point. Thanks!

 

Btw, did anyone was successful upgrading from a ispconfig3.2.12p1 using certbot to ispconfig3.2 using acme.sh? I've installations using certbot that are running great but I'm afraid upgrading to the latest ispconfig will break the certificates. Will it overwrite and re-issue? That would be great! Thanks

 

Understood... but will the latest ispconfig3.3 upgrade and keep certbot or present a prompt to keep certboot? I understood with my tests that 3.3 sets acme.sh as default.
Many thanks till

 

Thanks... Really appreciate your help!

 

Will the ispconfig_update.sh --use-certbot work for the update too? Instead of fresh install? Couldn't find info about this detail. Thanks

 

Thanks. You completely clarified it....