Cannot connect using ssl (iphone email error)

My domain is
I haven’t run any command yet
so there’s no output yet
my webserver is apache 2.4.6
my OS is centos 7.7.1908
i host this myself
i can login to ssh (priv key access restricted)
i also have webmin installed but use the terminal if possible
certbot is version 1.0.0

edit: i’m going to take a walk and clear my head (back in an hour or two)

yes, or you can get another cert for that server only.

if it’s a separate machine, it’s better to get a separate cert. you can get it in any usual way with certbot.

thank you…
it is not a separate machine (everything is all on one VPS)
so would that be with the --expand flag??

yep. remember to tell certbot all domains that should be in the cert.

even if it’s on the same machine, you can still use different certs, though

You can also attempt to use the main domain’s certificate on that server.

(Means you can connect to instead of

ugh... all? i've got like 12

after reading this help thread i remembered i had a problem with webroot and switched to the apache

do i need to add the --apache flag again too when i use the --expand?

also i just tried to use instead of in the iphone add account config and that didn't work...
to properly do this would i need to go back to my postfix and dovecot configs and switch out mentions for just ??

all, in the cert. not all, you own. you can have multiple certs. but expanding a cert is not very different from issuing a new one, you need to list all the domains you want it valid for.

not sure i follow exactly…
so currently i have multiple certs? and i shouldn’t expand i should just add another cert?

I don’t know, but you certainly can.

This is your choice.

ok so what command should i run then?

just run certbot interactively and answer its questions. if you tell some overlapping domains, it will ask to expand, otherwise it should make a separate cert.

ok perfect thank you

one last question… what about selecting the vhost… this is a mail server so i haven’t setup a vhost for it…

well… something is serving that login page. maybe it’s not apache, but something is.

anyhow, you should tell your mailserver where the certificate is

login page?
this is postfix/dovecot

i was just noticing this reply about the -a apache and -i apache differences
and it was suggested to just use the -a while doing a certonly
should i try that?

you probably already have.

you should install the cert you got into your mailserver (and config certbot to reload it on renewals, with certbot install --deploy-hook something)

 [cch@server: ~]$sudo certbot certificates
 Saving debug log to /var/log/letsencrypt/letsencrypt.log
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 Found the following certs:
   Certificate Name:
     Expiry Date: 2020-06-05 17:36:16+00:00 (VALID: 89 days)
     Certificate Path: /etc/letsencrypt/live/
     Private Key Path: /etc/letsencrypt/live/
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 [cch@server: ~]$

so this means i have only one cert right?


how to install a cert in a mailserver goes beyond my knowledge, though.

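The advice earlier in the thread to have certbot reload the mail server on renewal, sketched as a deploy hook for Postfix and Dovecot. This is an added example, not part of the original posts; `mail.example.com` and the `<name>` paths are placeholders, and it assumes both daemons run under systemd as on CentOS 7.

```shell
#!/bin/sh
# Added example, not from the thread: certbot deploy hook for a Postfix/Dovecot host.
# certbot exports RENEWED_LINEAGE (the live/<name> directory) and RENEWED_DOMAINS
# (space-separated names) to deploy hooks after a successful renewal.
# MAIL_HOST is an assumed placeholder: the name mail clients connect to.
MAIL_HOST="${MAIL_HOST:-mail.example.com}"

# Return 0 if hostname $1 is covered by the space-separated name list $2.
# A wildcard entry such as *.example.com covers exactly one extra label.
covers_host() {
    host=$1
    set -f                                   # keep "*" entries from globbing
    for name in $2; do
        case $name in
            "$host") set +f; return 0 ;;
            \*.*)
                suffix=${name#\*}            # "*.example.com" -> ".example.com"
                label=${host%"$suffix"}      # "mail" when host ends with suffix
                if [ "$label" != "$host" ] && [ -n "$label" ]; then
                    case $label in *.*) ;; *) set +f; return 0 ;; esac
                fi ;;
        esac
    done
    set +f
    return 1
}

# Reload both daemons so they re-read the renewed files. Assumes their configs
# already point at the lineage (<name> as listed by `certbot certificates`):
#   postfix main.cf:     smtpd_tls_cert_file = /etc/letsencrypt/live/<name>/fullchain.pem
#                        smtpd_tls_key_file  = /etc/letsencrypt/live/<name>/privkey.pem
#   dovecot 10-ssl.conf: ssl_cert = </etc/letsencrypt/live/<name>/fullchain.pem
#                        ssl_key  = </etc/letsencrypt/live/<name>/privkey.pem
deploy() {
    covers_host "$MAIL_HOST" "$RENEWED_DOMAINS" || {
        echo "skip: $RENEWED_LINEAGE does not cover $MAIL_HOST" >&2; return 0; }
    [ -r "$RENEWED_LINEAGE/fullchain.pem" ] && [ -r "$RENEWED_LINEAGE/privkey.pem" ] || {
        echo "error: certificate or key missing in $RENEWED_LINEAGE" >&2; return 1; }
    systemctl reload postfix dovecot
}

# certbot sets RENEWED_LINEAGE when it invokes the hook; do nothing if run by hand.
if [ -n "${RENEWED_LINEAGE:-}" ]; then deploy; fi
```

Saved as an executable file under `/etc/letsencrypt/renewal-hooks/deploy/`, it is run by `certbot renew` after each successful renewal. If the mail hostname is not among the certificate's names, the hook skips the reload, which is the same mismatch that makes a mail client reject the connection.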

thanks… i’m going to try and use as my mail server and see how that goes