A little background first:
So, I have LONG been virtual hosting (20-ish years) a great many web and email sites for "friends and family" (not making any money off this), and have LONG been frustrated with the older just-one-cert situation for so many tools. And, certs have been expensive. BUT, in the modern era, this has changed, especially with my late discovery of LetsEncrypt.org, and so I've finally fully taken the plunge, starting of course with my (Apache) web servers.
Small note of praise here: I DEEPLY appreciate the warning emails I got for an expiring domain that wasn't auto-renewing as it should have. certbot renew is great but it can't fix some things, so, informed, I fixed something and now my renewal strategy is pretty solid. ... Honestly, I'm so stressed out / overloaded (for no bucks) that I wouldn't have caught this without those emails. So, a most sincere thanks to everyone involved with LetsEncrypt!
Now, to the issues at hand:
I just recently made a push to apply these to my Fedora Server hosted, postfix - Dovecot email environment and used the advice on how to set this up I found here, HOWEVER, my IMAP clients aren't connecting, giving errors like this:
Oct 18 17:17:06 fs1 dovecot[1248465]: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.2.12, lip=<some_ip>, TLS: SSL_read failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=
It's the same for all the domains. ... I'm not at all sure the cause for all domains is the same, but I DO KNOW that the DNS is pointing most domains to mail.FQDN and I am pretty sure I didn't think to include mail.FQDN in the certs - though I'm not certain about that... So even if this doesn't cure everything, I need to replace / update / renew more than 50 certificates.
A complicating factor is that SOME domains merged and need to share a certificate, and it's a headache to keep all this straight as I really don't even want to have to remember it all - what I'd like to do:
1) Write a script that uses some utility to dump out the domains / subdomains supported by any given certificate and then reformulate the command needed to re-create that certificate. Then;
2) Automate this for the 50+ domains that need it.
I'm stuck on point 1; I'm a reasonable BASH programmer, but I haven't yet figured out a simple, easy way to dump the supported domains / subdomains in any given certificate. IDK if I am going for the fullchain.pem or the privatekey.pem, etc. I PRESUME this is buried in the several dozen pages of openssl documentation, but their tools may not be the best ones?! I don't know...
Secondly, I'm not sure the best way to replace these since what I want is an in-place replacement, sort of like a renewal, so a comment or two about that would be helpful.
THANKS!
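The "dump the domains, rebuild the command" script from point 1, as an added example that is not part of the original post or of certbot itself. It assumes openssl is installed, that the certificate lives in the usual /etc/letsencrypt/live/NAME/cert.pem layout (the domain list is in the certificate's Subject Alternative Name extension, not in privkey.pem), and the function names cert_domains, certbot_cmd and make_sample_cert are hypothetical; a throw-away self-signed certificate is constructed inline so the script runs offline.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): list the DNS names a PEM
# certificate covers and rebuild a certbot command that re-issues it.
# Assumes: openssl 1.1.1+ on PATH; certs under /etc/letsencrypt/live/NAME/.
set -euo pipefail

# Print the DNS names in the certificate's subjectAltName, one per line,
# in the order they appear (certbot uses the first -d as the CN).
cert_domains() {
  local cert=$1
  openssl x509 -in "$cert" -noout -text \
    | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Build the certbot invocation that would recreate the same certificate.
# --cert-name NAME (taken from the live/NAME directory) keeps it an in-place
# update of the existing lineage; $2 optionally adds one more name, e.g.
# the mail.FQDN the post suspects is missing. Duplicates are dropped.
# Append --expand and your authenticator flags (--webroot/--apache) as needed.
certbot_cmd() {
  local cert=$1 extra=${2:-} name d args=""
  name=$(basename "$(dirname "$cert")")
  for d in $( { cert_domains "$cert"; printf '%s\n' "$extra"; } \
              | awk 'NF && !seen[$0]++' ); do
    args+=" -d $d"
  done
  printf 'certbot certonly --cert-name %s%s\n' "$name" "$args"
}

# Constructed sample: a one-day self-signed cert with three SANs, written
# into DIR/cert.pem and DIR/privkey.pem to mimic the live/NAME layout.
make_sample_cert() {
  local dir=$1
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/privkey.pem" -out "$dir/cert.pem" \
    -subj "/CN=example.org" \
    -addext "subjectAltName=DNS:example.org,DNS:www.example.org,DNS:mail.example.org" \
    >/dev/null 2>&1
}

# Usage against the real tree: for c in /etc/letsencrypt/live/*/cert.pem; do
#   certbot_cmd "$c" "mail.$(basename "$(dirname "$c")")"; done
```

Review the generated commands before running them; for the 50+ domains from point 2, the loop in the last comment prints one command per lineage that you can pipe into a file and execute once you are happy with it.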