ACME.SH Help DNS alias mode

My domain is:
Multi
I ran this command:
haven't run any command yet
It produced this output:
not listed
My web server is (include version):
NA
The operating system my web server runs on is (include version):
DEBIAN
My hosting provider, if applicable, is:
CLOUDFLARE
I can login to a root shell on my machine (yes or no, or I don't know):
YES
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
NO
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): acme.sh version 3.0.1

We have several domains using a single domain to send email; some have their own MX record, some use the main host's record.
Example: mastermx.examplehost.com (the main server's MX record, with DNS hosted with Cloudflare).
Other domains that use the mailhost to send and receive emails, such as hostedemail.othercompany.com, completely.differentdomain.com, nothingtodo.withmastermx.com.
What I'm finding is that the certificate is listing all domain names as alternatives -
Using mastermx.examplehost.com as the MX record for completely.differentdomain.com (adding mastermx.examplehost.com as the MX in Cloudflare for the completely.differentdomain.com DNS), some programs like Outlook do not like this and complain "Target principal name is incorrect" on the SSL verification and fail.
Is there a way to use acme.sh to renew, say, mastermx.example.com without showing alternative DNS names in the certificate? If only for privacy, I think this is the incorrect way to do it?
If all domains' DNS is hosted with Cloudflare, is there a simpler way to do this under one domain name than 6 standalone DNS aliases that show up on the cert? Sorry if this is rambling above, it's a bit Greek to me!

If your mail server has SNI support, you can configure it with 4 different certificates with one domain name each.

One potential hiccup there though, is this:

If the version of Outlook that is producing this error is really old (which I suspect it is, if it's complaining about certificate SANs), it might not support SNI, in which case, this plan wouldn't work. From there, your next choice would be to have 1 dedicated IP address for each of your certificates.

This is all assuming that the issue is really caused by Outlook requiring the domain to match the certificate CN, and not by something else.

3 Likes
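The per-hostname certificate layout suggested in the reply above, as an added example that is not from the thread or from the acme.sh project: each mail hostname gets its own certificate (no SANs) via the Cloudflare DNS API, and Postfix's `tls_server_sni_maps` picks the matching one by SNI. Assumptions not in the thread: the MTA is Postfix 3.4 or newer (the poster never names the mail software), acme.sh is already installed with `CF_Token`/`CF_Account_ID` exported for `dns_cf`, and the paths `/etc/postfix/certs` and `/etc/postfix/sni_map` are placeholders. The hostnames are the thread's own examples. Clients that do not send SNI (the old-Outlook case raised above) get Postfix's default chain from `smtpd_tls_chain_files`, so that hostname still needs to be the one such clients connect to.

```shell
#!/bin/sh
# Added example, not from the thread: one certificate per mail hostname with acme.sh,
# installed into a Postfix SNI map. Runs as a dry run (prints the commands) unless APPLY=1.
# Assumed: Postfix >= 3.4, acme.sh on PATH, CF_Token/CF_Account_ID exported for dns_cf.
set -e

CERT_DIR="${CERT_DIR:-/etc/postfix/certs}"        # placeholder path, adjust to taste
SNI_MAP="${SNI_MAP:-/etc/postfix/sni_map}"        # placeholder path for tls_server_sni_maps

# Execute a command, or just print it when APPLY is not set (default: dry run).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Issue a certificate whose only name is $1 (no -d for the other hosts, so no SANs).
issue_cert() {
    run acme.sh --issue --dns dns_cf -d "$1"
}

# Copy key and full chain into per-host files; acme.sh re-runs the reloadcmd after each renewal.
install_cert() {
    run acme.sh --install-cert -d "$1" \
        --key-file "$CERT_DIR/$1.key" \
        --fullchain-file "$CERT_DIR/$1.fullchain.pem" \
        --reloadcmd "postmap -F hash:$SNI_MAP && systemctl reload postfix"
}

# One tls_server_sni_maps entry: hostname, then key file, then chain file (that order matters).
sni_map_line() {
    printf '%s %s %s\n' "$1" "$CERT_DIR/$1.key" "$CERT_DIR/$1.fullchain.pem"
}

# Read hostnames from stdin (one per line) and emit the issue/install plan for each.
plan_all() {
    while read -r host; do
        [ -n "$host" ] || continue
        issue_cert "$host"
        install_cert "$host"
    done
}

# Read hostnames from stdin and emit the complete SNI map table.
sni_map_all() {
    while read -r host; do
        [ -n "$host" ] || continue
        sni_map_line "$host"
    done
}

# Constructed input: the hostnames used as examples in the thread.
HOSTS='mastermx.examplehost.com
hostedemail.othercompany.com
completely.differentdomain.com
nothingtodo.withmastermx.com'

printf '%s\n' "$HOSTS" | plan_all
echo "# contents for $SNI_MAP (then: postmap -F hash:$SNI_MAP):"
printf '%s\n' "$HOSTS" | sni_map_all
echo "# main.cf: tls_server_sni_maps = hash:$SNI_MAP"
```

With `APPLY=1` the same functions run the real acme.sh commands; without it the script only shows what would be done, which is the form to review before touching a production mailer. After the first issue, acme.sh's own cron job handles renewals and the `--reloadcmd` rebuilds the map and reloads Postfix.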

Thank you for your reply! The Outlook version is actually current (365) on a PC - the Macs do not have this issue on Outlook or any other mail reader! Would it be possible to have all domains just use mastermx.examplehost.com as their MX record, thus hiding their domain from the cert and having a single host to renew every three months?

1 Like

TBH I don't think a current version of Outlook should have any complaint about SAN certificates, assuming everything is set up correctly. But obviously it's hard to verify that with fake domain names.

If you can simplify things by using an identical MX record for every domain and having a certificate with only that one domain, that would probably work great.

3 Likes

Sounds like you might need to put a proxy in front of that webmail system.

3 Likes

Why is that? Prior to the past month all the domains played happily on all devices!
