Cert fail when test using https://www.checktls.com/

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
I ran this command:
Check How You Get Email (Receiver Test) FREE
It produced this output:
cert fail
My web server is (include version):
The operating system my web server runs on is (include version):
Ubuntu 16.04
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

So you've got A LOT OF certificates already issued for mail.thetranslationgate.com.

However, Postfix is still using a self-signed certificate. Interestingly enough, your Dovecot is sporting one of the valid certificates.

How does Webmin control the TLS certificates used by Postfix?

Also, I would like to urge you not to issue so many certificates. There are a LOT of duplicates. This is adding unnecessary load and strain on the Let's Encrypt infrastructure. Also, you could run into rate limits.

1 Like

Thank you for your reply,
First how I know the valid one and remove the rest?
I want to keep letsencrypt infrastructure safe and performs well :slight_smile:
Webmin deal like the setting say below:
Hostnames for certificate:mail.thetranslationgate.com
Website root directory for validation file:/var/www/html
Copy new key and certificate to Webmin?:yes
SSL key size:default
Let's Encrypt server:Real
Months between automatic renewal: Only renew manually

Well, crt.sh just shows all certificates issued in the past, recent or older. It's not a representation of the certificates actually on your server. And I have no clue how the Webmin certificate management works.

That's not very much.. It doesn't specify Postfix or SMTP anywhere?

According to this thread, there should be a "Copy to Postfix" button somewhere: I need to get TLS set up on Postfix on my CentOS 5.7 server running Virtualmin 3.95 | Virtualmin

1 Like

I see the below details in /etc/postfix/main.cf


TLS parameters


The default snakeoil certificate. Comment if using a purchased

SSL certificate.



Uncomment if using a purchased SSL certificate.



So postfix is using snakeoil certificate now

I see that we need to know the paths for the certs too. So I found in:

Let's Encrypt certificate:

ssl_cert = </etc/letsencrypt/live/mail.thetranslationgate.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.thetranslationgate.com/privkey.pem

My question if I change like below, The cert issue will be solved?

Uncomment if using a purchased SSL certificate.


Most likely: yes. 

Don't forget you'll need to reload Postfix and Dovecot when the certificate has been renewed. I recon that's not something Webmin will do for you when it renews your certificate.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.