1 IP multiple domains postfix dovecot SSL/TLS / STARTTLS possible?

Hello, I have five domains that I’ve already gotten certificates for, all of which are working on a single-IP server (CentOS 7, Nginx); all the LetsEncrypt certs work fine via https for each domain set up via nginx. I installed them using certbot via the commands:

certbot certonly -a webroot --webroot-path=/home/test1/public_html -d test1.com -d www.test1.com
certbot certonly -a webroot --webroot-path=/home/test2/public_html -d test2.com -d www.test2.com
certbot certonly -a webroot --webroot-path=/home/test3/public_html -d test3.com -d www.test3.com

and then created symbolic links to the virtual host directories for convenience:

ln -s /etc/letsencrypt/live/test1.com/*.pem /home/test1/
ln -s /etc/letsencrypt/live/test2.com/*.pem /home/test2/
ln -s /etc/letsencrypt/live/test3.com/*.pem /home/test3/

I’ve recently installed Postfix and Dovecot and activated SSL/TLS - STARTTLS, which works fine for a single one of those domains, as I can only add a single cert and key to these… Is it possible to chain these certs and keys to get SSL working for all my domains in Postfix/Dovecot or not? If yes, then I’d appreciate an answer as to how…

I tried this using the following command:

certbot certonly --rsa-key-size 4096 --email sample@test.com --webroot -w /home/test1/public_html -d test1.com -d www.test1.com -w /home/test2/public_html -d test2.com -d www.test2.com -w /home/test3/public_html -d test3.com -d www.test3.com

which generates a cert, but it doesn’t seem to work: when trying to access admin@test2.com, Thunderbird pops up a “security exception” saying that the certificate belongs to another site (test1.com), a “wrong site” error.

p.s. I know how to do this with multiple IPs; that isn’t my question.

Your idea, creating a single certificate for all the names wanted, is the Right Thing™ and should work. So probably the right focus is on what went wrong.

Can you use a test such as the one at https://ssl-tools.net/mailservers to see what it says about the server which you think should be serving up the single “combined” certificate?

Also, can you say what the version of Thunderbird is?

https://ssl-tools.net/mailservers shows the following:

Certificate chain
    test1.com
        90 days remaining 4096 bit sha256WithRSAEncryption 
        Hostname Mismatch 
            Let's Encrypt Authority X3
            1603 days remaining 2048 bit sha256WithRSAEncryption 
                DST Root CA X3 (Certificate is self-signed.)
                1800 days remaining 2048 bit sha1WithRSAEncryption 

Subject

Common Name (CN)   test1.com

Alternative Names 
        test2.com
        test3.com
        test4.com
        test5.com 
        test1.com 
        www.test2.com
        www.test3.com
        www.test4.com
        www.test5.com 
        www.test1.com 

I’m using Thunderbird 45.4.0

If the command to generate a single certificate for multiple domains I posted above is correct then perhaps I should try deleting the existing certificates and repeating…

This text from the ssl-tools.net test suggests to me that somehow the host you asked it to connect to has a different name from any of those in the certificate. Because you've chosen to hide the actual names (at least I guess you do not in fact own these unusual test1.com through test5.com domains), it's hard to draw any useful conclusion. Can you just tell us the actual names involved?

I doubt that deleting a certificate and trying again will achieve anything unless you understand what went wrong the first time.

Solved it.

My server FQDN was server.test1.com, so I made a couple of changes, assuming what I did before was correct…

to /etc/nginx/sites-available/test1.com.conf I added:

server_name test1.com www.test1.com server.test1.com;

in /etc/named/db.test2.com (through db.test5.com, changing the 2 to 3, 4, 5) I had:

mail.test2.com    IN  A  192.168.0.1
test2.com  IN MX 10 mail.test2.com

which I changed to (server.test1.com stays the same for all domains):

server.test1.com IN A 192.168.0.1
test2.com IN MX 10 server.test1.com 

I restarted nginx and named (bind), deleted the certbot, letsencrypt etc. folders just to clean stuff up, reinstalled certbot, and regenerated the key the same as above, adding ‘server.test1.com’:

certbot certonly --rsa-key-size 4096 --email sample@test.com \
  --webroot -w /home/test1/public_html -d server.test1.com -d test1.com -d www.test1.com \
  -w /home/test2/public_html -d test2.com -d www.test2.com \
  -w /home/test3/public_html -d test3.com -d www.test3.com

Now checking DNS via https://intodns.com and the mail via https://ssl-tools.net/mailservers gives no error for all domains, and there is no more error in Thunderbird either (I had to delete and re-add the mail accounts), nor when sending and receiving mail…

Thanks; if anyone has the same problem… this is the solution.
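The root cause in this thread is the one the ssl-tools "Hostname Mismatch" line pointed at: clients follow the MX record to a hostname (mail.test2.com, then server.test1.com) and expect that hostname to appear in the certificate's Subject Alternative Names, so a single multi-domain certificate works only if the MX target is one of those names. The following script is an added example, not code from the thread or from certbot; it reproduces that check offline. The SAN text and MX targets are constructed from the names used in the thread (on a real server they would come from `openssl s_client -starttls smtp -connect host:25 </dev/null | openssl x509 -noout -ext subjectAltName` and from `dig +short MX domain`), and the wildcard rules implement the RFC 6125 leftmost-label matching that mail clients apply.

```python
# Added example (not code from the thread): verify that every domain's MX
# target hostname is covered by a name in the mail server's certificate.
import re
from typing import Dict, Iterable, List


def parse_san_extension(text: str) -> List[str]:
    """Extract the DNS names from `openssl x509 -noout -ext subjectAltName`
    output, e.g. 'X509v3 Subject Alternative Name:\\n    DNS:a.com, DNS:b.com'."""
    return [m.group(1).lower() for m in re.finditer(r"DNS:([^,\s]+)", text)]


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored, and a
    wildcard is honoured only as the whole leftmost label of a name with at
    least three labels ('*.test1.com' matches 'server.test1.com' but neither
    'test1.com' nor 'a.b.test1.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def uncovered_mx_targets(mx_targets: Dict[str, str], sans: Iterable[str]) -> Dict[str, str]:
    """Return {domain: mx_host} for every MX target that no SAN entry matches.
    An empty result means a client following MX will always connect to a host
    whose name is in the certificate, which is what fixed the thread's error."""
    san_list = list(sans)
    return {
        domain: host
        for domain, host in mx_targets.items()
        if not any(hostname_matches(san, host) for san in san_list)
    }


# Constructed: the SAN list of the combined certificate before the fix (no
# server.test1.com), in the layout `openssl x509 -ext subjectAltName` prints.
SAN_TEXT_BEFORE = """X509v3 Subject Alternative Name:
    DNS:test1.com, DNS:test2.com, DNS:test3.com, DNS:test4.com, DNS:test5.com, DNS:www.test1.com, DNS:www.test2.com, DNS:www.test3.com, DNS:www.test4.com, DNS:www.test5.com
"""
SAN_BEFORE = parse_san_extension(SAN_TEXT_BEFORE)
SAN_AFTER = SAN_BEFORE + ["server.test1.com"]  # the name added when re-issuing

# Constructed: MX targets for test2.com..test5.com before the zone change
# (each pointed at its own mail.<domain>, none of which the certificate named)
# and after it (all pointed at the server's FQDN, which the new certificate names).
MX_BEFORE = {f"test{i}.com": f"mail.test{i}.com" for i in range(2, 6)}
MX_AFTER = {f"test{i}.com": "server.test1.com" for i in range(2, 6)}


if __name__ == "__main__":
    print("uncovered before fix:", uncovered_mx_targets(MX_BEFORE, SAN_BEFORE))
    print("uncovered after fix: ", uncovered_mx_targets(MX_AFTER, SAN_AFTER))
```

The same check is worth running after every renewal: certbot re-issues the certificate with the SAN list it was originally asked for, so an MX hostname added to DNS later will silently fall outside the certificate until the `-d` list is extended.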
