Cannot connect using ssl (iphone email error)

do i need to add my mail server (mail.eyethrees.net) to my cert?
i would assume so, right?
and if so, what is the proper way to do that without messing up my other certs?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

My domain is eyethrees.net
I haven’t run any command yet
so there’s no output yet
my webserver is apache 2.4.6
my OS is centos 7.7.1908
i host this myself
i can login to ssh (priv key access restricted)
i do have webmin installed but use the terminal if possible
certbot is version 1.0.0

edit: i’m going to take a walk and clear my head (back in an hour or two)

yes, or you can get another cert for that server only.

if it’s a separate machine, it’s better to get a separate cert. you can get it in any usual way with certbot.

thank you…
it is not a separate machine (everything is all on one VPS)
so would that be with the --expand flag??


yep. remember to tell certbot all domains that should be in the cert.

even if it’s on the same machine, you can still use different certs, though

You can also attempt to use the main domain’s certificate on that server.

(Means you can connect to eyethrees.net instead of mail.eyethrees.net)


ugh… all? i’ve got like 12

after reading this help thread i remembered i had a problem with webroot and switched to the apache

do i need to add the --apache flag again too when i use the --expand?


also i just tried to use eyethrees.net instead of mail.eyethrees.net in the iphone add account config and that didn’t work…
to properly do this would i need to go back to my postfix and dovecot configs and switch out mail.eyethrees.net mentions for just eyethrees.net ??

all, in the cert. not all, you own. you can have multiple certs. but expanding a cert is not very different from issuing a new one, you need to list all the domains you want it valid for.

not sure i follow exactly…
so currently i have multiple certs? and i shouldn’t expand i should just add another cert?

I don’t know, but you certainly can.

This is your choice.

ok so what command should i run then?

just run certbot interactively and answer its questions. if you tell some overlapping domains, it will ask to expand, otherwise it should make a separate cert.


ok perfect thank you

one last question… what about selecting the vhost… this is a mail server so i haven’t setup a vhost for it…

well… something is serving that login page. maybe it’s not apache, but something is.

anyhow, you should tell your mailserver where the certificate is

login page?
this is postfix/dovecot


i was just noticing this reply about the -a apache and -i apache differences
and it was suggested to just use the -a while doing a certonly
should i try that?


you probably already have.

you should install the cert you got into your mailserver (and config certbot to reload it on renewals, with certbot install --deploy-hook something)

 [cch@server: ~]$sudo certbot certificates
 Saving debug log to /var/log/letsencrypt/letsencrypt.log
 
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 Found the following certs:
   Certificate Name: server.eyethrees.net
     Domains: alatrist.com blog.chrisheath.us chrisheath.us dominusbrand.com eyethrees.net hotttsun.com mail.eyethrees.net server.eyethrees.net www.alatrist.com www.blog.chrisheath.us www.chrisheath.us www.dominusbrand.com www.eyethrees.net www.hotttsun.com
     Expiry Date: 2020-06-05 17:36:16+00:00 (VALID: 89 days)
     Certificate Path: /etc/letsencrypt/live/server.eyethrees.net/fullchain.pem
     Private Key Path: /etc/letsencrypt/live/server.eyethrees.net/privkey.pem
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 [cch@server: ~]$

so this means i have only one cert right?
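
An added example, not part of any post in this thread: a small POSIX shell helper that reads `certbot certificates` output, finds the certificate lineage whose Domains list covers a given mail hostname, and prints the matching TLS settings for Postfix and Dovecot. The function names are hypothetical, the sample input is constructed (abbreviated from the output above), and it assumes the mail server uses the standard `smtpd_tls_cert_file`/`smtpd_tls_key_file` (Postfix) and `ssl_cert`/`ssl_key` (Dovecot) settings, which the thread does not show.

```shell
#!/bin/sh
# Constructed sample: abbreviated from the `certbot certificates` output in the thread.
sample_output() {
cat <<'EOF'
Found the following certs:
  Certificate Name: server.eyethrees.net
    Domains: eyethrees.net mail.eyethrees.net server.eyethrees.net www.eyethrees.net
    Expiry Date: 2020-06-05 17:36:16+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/server.eyethrees.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/server.eyethrees.net/privkey.pem
EOF
}

# cert_for_host HOST (hypothetical helper): reads `certbot certificates` output
# on stdin and prints "name fullchain privkey" for each lineage whose Domains
# list names HOST exactly or by a one-level wildcard. Returns 1 if none match.
cert_for_host() {
  awk -v host="$1" '
    BEGIN { wild = host; sub(/^[^.]+/, "*", wild) }
    /Certificate Name:/ { name = $3; hit = 0 }
    /Domains:/ { for (i = 2; i <= NF; i++) if ($i == host || $i == wild) hit = 1 }
    /Certificate Path:/ { chain = $3 }
    /Private Key Path:/ { if (hit) { print name, chain, $4; found = 1 } }
    END { exit (found ? 0 : 1) }
  '
}

# mail_tls_settings HOST (hypothetical helper): print the Postfix main.cf and
# Dovecot ssl settings pointing at the first lineage that covers HOST.
mail_tls_settings() {
  match=$(cert_for_host "$1") || return 1
  set -- $match   # word-split into: name, fullchain path, privkey path
  printf 'smtpd_tls_cert_file = %s\nsmtpd_tls_key_file = %s\n' "$2" "$3"
  printf 'ssl_cert = <%s\nssl_key = <%s\n' "$2" "$3"
}

# Demo on the constructed sample; on a real host: sudo certbot certificates | mail_tls_settings mail.eyethrees.net
sample_output | mail_tls_settings mail.eyethrees.net
```

A non-zero exit means no existing certificate lists the hostname, which is the case where a new or expanded certificate is needed.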