Hello, I have five domains that I’ve already gotten certificates for, all of which are working on a single-IP server (CentOS 7, Nginx) (all Let's Encrypt certs working fine over https for each domain set up via nginx), which I installed using certbot with the following
certbot certonly -a webroot --webroot-path=/home/test1/public_html -d test1.com -d www.test1.com
certbot certonly -a webroot --webroot-path=/home/test2/public_html -d test2.com -d www.test2.com
certbot certonly -a webroot --webroot-path=/home/test3/public_html -d test3.com -d www.test3.com
commands, then created symbolic links to the virtual host directories for convenience.
I’ve recently installed Postfix and Dovecot and activated SSL/TLS (STARTTLS), which works fine for a single one of those domains, as I can only add a single cert and key to these… Is it possible to chain these certs and keys up to get SSL working for all my domains in Postfix/Dovecot or not? If yes, I’d appreciate an answer as to how…
which generates a cert, but it doesn’t seem to work: when trying to access admin@test2.com, Thunderbird pops up a “security exception” saying that the certificate belongs to another site (test1.com), a “Wrong site” error.
p.s. I know how to do this with multiple IPs; that isn’t my question.
Your idea, creating a single certificate for all the names wanted, is the Right Thing™ and should work. So probably the right focus is on what went wrong.
Can you use a test such as the one at https://ssl-tools.net/mailservers to see what it says about the server which you think should be serving up the single “combined” certificate?
Also, can you say what the version of Thunderbird is?
Certificate chain
test1.com
90 days remaining 4096 bit sha256WithRSAEncryption
Hostname Mismatch
Let's Encrypt Authority X3
1603 days remaining 2048 bit sha256WithRSAEncryption
DST Root CA X3 (Certificate is self-signed.)
1800 days remaining 2048 bit sha1WithRSAEncryption
Subject
Common Name (CN) test1.com
Alternative Names
test2.com
test3.com
test4.com
test5.com
test1.com
www.test2.com
www.test3.com
www.test4.com
www.test5.com
www.test1.com
I’m using Thunderbird 45.4.0
If the command to generate a single certificate for multiple domains I posted above is correct then perhaps I should try deleting the existing certificates and repeating…
This text from the ssl-tools.net test suggests to me that somehow the host you asked it to connect to has a different name from any of those in the certificate. Because you've chosen to hide the actual names (at least I guess you do not in fact own these unusual test1.com through test5.com domains), it's hard to draw any useful conclusion. Can you just tell us the actual names involved?
I doubt that deleting a certificate and trying again will achieve anything unless you understand what went wrong the first time.
My server FQDN was server.test1.com, so I made a couple of changes, assuming what I did before was correct…
In /etc/nginx/sites-available/test1.com.conf I added: server_name test1.com www.test1.com server.test1.com;
In /etc/named/db.test2.com (through db.test5.com, changing the 2 to 3, 4, 5) I had:
mail.test2.com. IN A 192.168.0.1
test2.com. IN MX 10 mail.test2.com.
which I changed to (server.test1.com stays the same for all domains):
server.test1.com. IN A 192.168.0.1
test2.com. IN MX 10 server.test1.com.
I restarted nginx and named (BIND), deleted the certbot, letsencrypt etc. folders just to clean things up, reinstalled certbot, and regenerated the key the same way as above, adding ‘server.test1.com’.
Now checking DNS via https://intodns.com and the mail server via https://ssl-tools.net/mailservers gives no error for any domain, and there are no more errors in Thunderbird either (I had to delete and re-add the mail addresses), or when sending and receiving mail…
Thanks; if anyone has the same problem… this is the solution.
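The root cause in this thread is a name mismatch, not a broken certificate: the MX records pointed clients at mail.test2.com and so on, while the single certificate only listed the web names, so ssl-tools and Thunderbird both reported "Hostname Mismatch". The script below is an added example (not code from the thread or from certbot/ssl-tools) that reproduces that check offline: it matches each domain's MX target against a certificate's SAN list using the usual hostname-matching rules (case-insensitive, wildcard only as the whole leftmost label with at least two labels after it), using SAN lists and MX targets constructed from the names the poster used. The before/after data is assumed from the thread; the live `fetch_starttls_sans` helper needs network access and is not exercised here.

```python
"""Check that the hostname each domain's MX record names is covered by the
SAN list of the certificate the mail server presents over STARTTLS.

Added example, not code from the thread. SAN lists and MX targets below are
constructed from the names used in the thread (test1.com .. test5.com,
server.test1.com); the live helper at the bottom is optional.
"""
import smtplib
import ssl
from typing import Dict, Iterable, List


def _name_matches(pattern: str, host: str) -> bool:
    """Match one dNSName pattern against a hostname.

    Rules (as in RFC 6125 style matching): comparison is case-insensitive,
    a trailing dot is ignored, and a wildcard is only honoured when it is the
    entire leftmost label and at least two labels follow it (so '*.com'
    never matches anything, and '*.test1.com' does not match a.b.test1.com).
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def san_covers(sans: Iterable[str], host: str) -> bool:
    """True if any dNSName entry in the certificate covers `host`."""
    return any(_name_matches(name, host) for name in sans)


def check_mx_targets(mx_targets: Dict[str, str], sans: Iterable[str]) -> List[str]:
    """Return the domains whose MX target is NOT covered by the certificate.

    `mx_targets` maps a mail domain to the hostname its MX record points at;
    that hostname is what a mail client verifies the certificate against.
    """
    san_list = list(sans)
    return [domain for domain, target in mx_targets.items()
            if not san_covers(san_list, target)]


def fetch_starttls_sans(host: str, port: int = 25) -> List[str]:
    """Live helper (needs network): negotiate STARTTLS with an SMTP server
    and return the dNSName SANs of the certificate it presents.

    The chain is still verified against the system CA bundle; only the
    hostname check is disabled, because we want to inspect the SAN list
    ourselves rather than have the handshake fail on a mismatch.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.starttls(context=ctx)
        cert = smtp.sock.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed from the ssl-tools output quoted in the thread: the first
# certificate covered the five web domains but no mail host name.
ORIGINAL_SANS = [f"test{i}.com" for i in range(1, 6)] + \
                [f"www.test{i}.com" for i in range(1, 6)]
# The fixed certificate was re-issued with server.test1.com added (assumed).
FIXED_SANS = ORIGINAL_SANS + ["server.test1.com"]

# MX targets before the fix: the thread shows db.test2.com .. db.test5.com
# each pointing at their own mail.<domain> name.
MX_BEFORE = {f"test{i}.com": f"mail.test{i}.com" for i in range(2, 6)}
# MX targets after the fix: every domain points at server.test1.com.
MX_AFTER = {f"test{i}.com": "server.test1.com" for i in range(1, 6)}


if __name__ == "__main__":
    print("before (old MX, old cert):", check_mx_targets(MX_BEFORE, ORIGINAL_SANS))
    print("new MX, old cert:        ", check_mx_targets(MX_AFTER, ORIGINAL_SANS))
    print("new MX, new cert:        ", check_mx_targets(MX_AFTER, FIXED_SANS))
```

Note the middle case: changing only the MX records to server.test1.com would still fail until that name is added to the certificate with another `-d`, which is why both steps in the solution above were needed. Run the script against a live server by calling `fetch_starttls_sans("server.example.com")` and passing the returned list to `check_mx_targets`.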