So some background to this before I list the information required - sorry it’s quite a long one.
1 : I host all my own
2 : I operate 2 domains on a single server (Apache2 - Virtuals)
3 : I operate an Email server - again it hosts the same 2 domains - I do not and will not run a web server on this box
I have successfully sorted the web server - no issues.
I tried to copy the certs from the web server - failed
I generated a temporary web site on the mail server and generated certs for the domains - this worked fine - BUT - the e-mail clients that I use reject these certificates as not belonging to the domain - which they clearly do - the mail client is including the mail. in the comparison I think. So I tried to generate a ‘server specific’ cert and what follows is the result. Bear in mind my public DNS records are routed internally to a destination - they are not 1:1 addresses - the internal network has its own ‘private’ network and domain to which all servers belong; this has both DHCP and DNS functional (yes, another domain, but we don’t expose it publicly currently - number36.xyz). I am not a fan of the hosts file hacking that seems prevalent, although I suspect this is because most of those using it aren’t running any kind of name server.
I tried a cert with subdomains on the main site, this didn’t work either, the clients seemed unable to get past the top tier domain - although mail.theplasticshed.co.uk was in the list of subdomains it was ignored.
I then tried to do a wildcard cert, this didn’t work either - the email clients still bitched about it, but I’d prefer something that can be auto-renewed anyhow.
So - how do I generate a certificate (non-wildcard, because the email clients won’t accept that either)? The clients are Thunderbird and TheBat (the latter is preferred for security reasons).
The email server’s public name is mail, its internal name is mail … it handles mail for both domains via postfix and dovecot (and a few other bits ’n’ pieces) … well, it will if I ever get things sorted (things are currently hosted in a pair of Kerio boxes but they’re well past their sell-by date and I want to start utilising DKIM).
The error shown in Thunderbird isn’t easy to show, but basically the ‘add security exception’ dialog pops up and states that the certificate belongs to a different site - the Server location is shown as mail.theplasticshed.co.uk:993. The certificate viewer clearly shows that the common name for “issued to” is theplasticshed.co.uk.
mail is not a subdomain, it is a device name - the web box works just fine this way, i.e. no www part. What am I missing here?
The error that is shown by TheBat is:
08/05/2019, 15:20:39: IMAP - Certificate S/N: 04B3DC9CA8625F7E57EC5D0291E567243529, algorithm: RSA (2048 bits), issued from 5/8/2019 1:10:11 PM to 8/6/2019 1:10:11 PM, for 1 host(s): theplasticshed.co.uk.
08/05/2019, 15:20:39: IMAP - Owner: theplasticshed.co.uk.
08/05/2019, 15:20:39: IMAP - Issuer: US, Let’s Encrypt, Let’s Encrypt Authority X3.
!08/05/2019, 15:20:39: IMAP - TLS handshake failure. The server host name (“xx.xxx.xx.232”) does not match the certificate.
Well of course it doesn’t because that’s not a host name !!!
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: theplasticshed.co.uk
I ran this command: sudo certbot certonly -d mail.theplasticshed.co.uk
It produced this output: How would you like to authenticate with the ACME CA?
1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
Select the appropriate number [1-3] then [enter] (press ‘c’ to cancel): 1
Plugins selected: Authenticator apache, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.theplasticshed.co.uk
Enabled Apache rewrite module
Waiting for verification…
Cleaning up challenges
Failed authorization procedure.
My web server is (include version): Apache2
The operating system my web server runs on is (include version): Ubuntu 19.04
My hosting provider, if applicable, is: Me
I can login to a root shell on my machine (yes or no, or I don’t know): Sure can
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0
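The rejections described in the post come down to one rule: a TLS client compares the name it was asked to connect to (mail.theplasticshed.co.uk, or the bare IP literal TheBat was configured with) against the certificate's subjectAltName entries, not against any name the server "knows itself as". The following is an added example, not code from the post, from Certbot or from either mail client; it implements that comparison in the RFC 6125 style that Thunderbird and TheBat follow (exact dNSName match, a wildcard only as the whole left-most label, and an IP literal satisfied only by an iPAddress entry). The SAN lists are constructed for illustration, and 192.0.2.232 is a placeholder standing in for the address masked as xx.xxx.xx.232 in the log; only the domain names come from the post.

```python
"""Hostname-versus-certificate matching as a mail client performs it.

Added example (not from the forum post, Certbot, Thunderbird or TheBat).
SAN lists below are constructed; 192.0.2.232 is a placeholder IP.
"""
import ipaddress


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname, case-insensitively.

    A wildcard is only honoured as the entire left-most label, and it never
    spans a dot: *.example.com matches mail.example.com but neither
    example.com nor a.mail.example.com.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(connect_name: str, san_entries: list) -> bool:
    """True if connect_name is covered by any (kind, value) SAN entry.

    kind is "DNS" or "IP", mirroring the dNSName / iPAddress GeneralName
    types in a certificate's subjectAltName extension.
    """
    try:
        ip = ipaddress.ip_address(connect_name)
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if ip is not None:
            # Connecting by IP literal: only an iPAddress SAN can satisfy it.
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_label_match(value, connect_name):
            return True
    return False


# Constructed certificates, each as its SAN list, mirroring the attempts
# described in the post.
APEX_ONLY = [("DNS", "theplasticshed.co.uk")]
WILDCARD = [("DNS", "*.theplasticshed.co.uk")]
MAIL_HOST = [("DNS", "mail.theplasticshed.co.uk")]


def verdicts() -> dict:
    """Return the outcome of each (connect name, certificate) combination."""
    return {
        # Thunderbird's complaint: connected to mail., cert only names the apex.
        "mail vs apex-only": hostname_matches("mail.theplasticshed.co.uk", APEX_ONLY),
        # A wildcard covers one extra label below the apex...
        "mail vs wildcard": hostname_matches("mail.theplasticshed.co.uk", WILDCARD),
        # ...but not the apex itself.
        "apex vs wildcard": hostname_matches("theplasticshed.co.uk", WILDCARD),
        # A cert issued for the name the client actually uses matches.
        "mail vs mail-host": hostname_matches("MAIL.theplasticshed.co.uk", MAIL_HOST),
        # TheBat's complaint: an IP literal never matches a dNSName entry.
        "ip vs mail-host": hostname_matches("192.0.2.232", MAIL_HOST),
    }


if __name__ == "__main__":
    for case, ok in verdicts().items():
        print(f"{case:20s} -> {'match' if ok else 'MISMATCH'}")
```

Reading the table this produces: a certificate for theplasticshed.co.uk never covers mail.theplasticshed.co.uk, and no DNS-name certificate covers an account that is configured with the server's IP address instead of its host name, so the account in the mail client must point at the name the certificate carries.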