Cert fail when test using https://www.checktls.com/

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
mail.thetranslationgate.com
I ran this command:
https://www.checktls.com/
Check How You Get Email (Receiver Test) FREE
It produced this output:
cert fail
My web server is (include version):
apache2
The operating system my web server runs on is (include version):
Ubuntu 16.04
My hosting provider, if applicable, is:
aws
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Webmin
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

So you've got A LOT OF certificates already issued for mail.thetranslationgate.com.

However, Postfix is still using a self-signed certificate. Interestingly enough, your Dovecot is sporting one of the valid certificates.

How does Webmin control the TLS certificates used by Postfix?

Also, I would like to urge you not to issue so many certificates. There are a LOT of duplicates. This is adding unnecessary load and strain on the Let's Encrypt infrastructure. Also, you could run into rate limits.


Thank you for your reply.
First, how do I know which one is the valid one and remove the rest?
I want to keep the Let's Encrypt infrastructure safe and performing well :slight_smile:
Webmin deals with it like the settings say below:
Hostnames for certificate: mail.thetranslationgate.com
Website root directory for validation file: /var/www/html
Copy new key and certificate to Webmin?: yes
SSL key size: default
Let's Encrypt server: Real
Months between automatic renewal: Only renew manually

Well, crt.sh just shows all certificates issued in the past, recent or older. It's not a representation of the certificates actually on your server. And I have no clue how the Webmin certificate management works.

That's not very much... It doesn't specify Postfix or SMTP anywhere?

According to this thread, there should be a "Copy to Postfix" button somewhere: I need to get TLS set up on Postfix on my CentOS 5.7 server running Virtualmin 3.95 | Virtualmin


I see the below details in /etc/postfix/main.cf

# ---------------------------------
# TLS parameters
# ---------------------------------
# The default snakeoil certificate. Comment if using a purchased
# SSL certificate.
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

and

# Uncomment if using a purchased SSL certificate.
#smtpd_tls_cert_file=/etc/ssl/certs/example.com.crt
#smtpd_tls_key_file=/etc/ssl/private/example.com.key

So Postfix is using the snakeoil certificate now.

I see that we need to know the paths for the certs too. So I found in:
/etc/dovecot/conf.d/10-ssl.conf

Let's Encrypt certificate:

ssl_cert = </etc/letsencrypt/live/mail.thetranslationgate.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.thetranslationgate.com/privkey.pem

My question is: if I change it like below, will the cert issue be solved?

# Uncomment if using a purchased SSL certificate.
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.thetranslationgate.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.thetranslationgate.com/privkey.pem

Most likely: yes. 

Don't forget you'll need to reload Postfix and Dovecot when the certificate has been renewed. I reckon that's not something Webmin will do for you when it renews your certificate.

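The three things the thread works through can be checked and fixed from a shell: which cert/key lines in main.cf are actually active (comment lines are ignored and, when a key is defined twice, Postfix uses the last definition, so a leftover snakeoil line lower in the file silently wins over an edit higher up), whether the certificate Postfix presents on port 25 via STARTTLS is the one on disk (this is essentially what checktls.com's receiver test looks at), and the reload after renewal that Webmin will not do for you. The script below is an added example written for this page, not code from the thread, Webmin, Postfix or certbot. The certificate paths are the ones posted in the thread; the function names, the constructed main.cf used in the comments, and the choice to put the reload in a certbot deploy hook (certbot runs executables in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal; if Webmin renews the certificate with its own client instead of certbot, run the same two reload commands from whatever step does that renewal) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check which TLS certificate Postfix
# is configured to serve, compare it with what the live service presents,
# rewrite main.cf to the Let's Encrypt paths, and install a reload hook.

LE_DIR=/etc/letsencrypt/live/mail.thetranslationgate.com   # path from the thread

# Print the value Postfix will actually use for KEY in a main.cf file.
# Lines starting with "#" are comments and ignored; if KEY appears more
# than once, the last definition wins (postconf warns "overriding earlier
# entry" for exactly this case).
active_setting() {   # usage: active_setting /etc/postfix/main.cf smtpd_tls_cert_file
    awk -v key="$2" '
        /^[ \t]*#/ { next }                            # skip comment lines
        $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub("^[ \t]*" key "[ \t]*=[ \t]*", "")
            val = $0                                   # keep the LAST match
        }
        END { print val }' "$1"
}

# Write a copy of main.cf with every active cert/key line removed and the
# Let's Encrypt fullchain/privkey appended, so each key is defined once.
# (On the live box "postconf -e smtpd_tls_cert_file=..." edits in place.)
point_postfix_at_le() {   # usage: point_postfix_at_le in.cf out.cf
    awk '
        /^[ \t]*#/ { print; next }                     # keep comments as-is
        /^[ \t]*smtpd_tls_(cert|key)_file[ \t]*=/ { next }   # drop old definitions
        { print }' "$1" > "$2"
    printf 'smtpd_tls_cert_file=%s/fullchain.pem\n' "$LE_DIR" >> "$2"
    printf 'smtpd_tls_key_file=%s/privkey.pem\n'    "$LE_DIR" >> "$2"
}

# SHA-256 fingerprint of the first (leaf) certificate in a PEM file.
file_fingerprint() {   # usage: file_fingerprint "$LE_DIR/fullchain.pem"
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fingerprint of the certificate a live service presents. Port 25 (and 587)
# negotiate TLS via STARTTLS; 465 and 993 are TLS from the first byte.
# Needs network access to the real host; not exercised by the tests.
served_fingerprint() {   # usage: served_fingerprint mail.example.com 25 smtp
    if [ -n "$3" ]; then starttls="-starttls $3"; else starttls=""; fi
    openssl s_client -connect "$1:$2" -servername "$1" $starttls </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Deploy hook: certbot runs every executable in
# /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal. Without
# a reload Postfix and Dovecot keep serving the old certificate until they
# are restarted, even though the files on disk are already new.
write_deploy_hook() {   # usage: write_deploy_hook /etc/letsencrypt/renewal-hooks/deploy/reload-mail.sh
    cat > "$1" <<'EOF'
#!/bin/sh
systemctl reload postfix
systemctl reload dovecot
EOF
    chmod 755 "$1"
}

# Interactive check: what main.cf says vs. what the host really serves.
check_mail_tls() {   # usage: check_mail_tls /etc/postfix/main.cf mail.thetranslationgate.com
    cfg=$(active_setting "$1" smtpd_tls_cert_file)
    echo "main.cf active cert : $cfg"
    case "$cfg" in
        *snakeoil*) echo "  -> still the self-signed snakeoil certificate" ;;
    esac
    echo "on-disk fingerprint : $(file_fingerprint "$cfg")"
    echo "port 25  (STARTTLS) : $(served_fingerprint "$2" 25 smtp)"
    echo "port 993 (IMAPS)    : $(served_fingerprint "$2" 993)"
}
```

After pointing main.cf at the Let's Encrypt files, `systemctl reload postfix` and the port 25 line of `check_mail_tls` should show the same fingerprint as the on-disk fullchain.pem; the port 993 line shows what Dovecot serves, which in this thread was already correct. privkey.pem under /etc/letsencrypt is root-only, which is fine: both Postfix's smtpd and Dovecot read the key as root before dropping privileges, so do not loosen those permissions to "fix" a cert error.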
