I forgot the mail subdomain on some 60 or so certificates! I have a few challenges I could use some help with, please

A little background first:

So, I have LONG been virtual hosting (20-ish years) a great many web and email sites for "friends and family" (not making any money off this), and have LONG been frustrated with the older just-one-cert situation for so many tools. And, certs have been expensive. BUT, in the modern era, this has changed, especially with my late discovery of LetsEncrypt.org, and so I've finally fully taken the plunge, starting of course with my (Apache) web servers.

Small note of praise here: I DEEPLY appreciate the warning emails I got for an expiring domain that wasn't auto-renewing as it should have. certbot renew is great but it can't fix some things, so, informed, I fixed something and now my renewal strategy is pretty solid. ... Honestly, I'm so stressed out / overloaded (for no bucks) that I wouldn't have caught this without those emails. So, a most sincere thanks to everyone involved with LetsEncrypt!

Now, to the issues at hand:

I just recently made a push to apply these to my Fedora Server hosted, postfix - Dovecot email environment and used the advice on how to set this up I found here, HOWEVER, my IMAP clients aren't connecting, giving errors like this:

Oct 18 17:17:06 fs1 dovecot[1248465]: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.2.12, lip=<some_ip>, TLS: SSL_read failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=

It's the same for all the domains. ... I'm not at all sure the cause for all domains is the same, but I DO KNOW that the DNS is pointing most domains to mail.FQDN and I am pretty sure I didn't think to include mail.FQDN in the certs - though I'm not certain about that... So even if this doesn't cure everything, I need to replace / update / renew more than 50 certificates.

A complicating factor is that SOME domains merged and need to share a certificate, and it's a headache to keep all this straight as I really don't even want to have to remember it all - what I'd like to do:

1) Write a script that uses some utility to dump out the domains / subdomains supported by any given certificate and then reformulate the command needed to re-create that certificate. Then;

2) Automate this for the 50+ domains that need it.

I'm stuck on point 1; I'm a reasonable BASH programmer, but I haven't yet figured a simple, easy way to dump the supported domains / subdomains in any given certificate. IDK if I am going for the fullchain.pem or the privatekey.pem, etc. I PRESUME this is buried in the several dozen pages of openssl documentation, but their tools may not be the best ones?! I don't know...

Secondly, I'm not sure the best way to replace these since what I want is an in-place replacement, sort of like a renewal, so a comment or two about that would be helpful.

THANKS!

2 Likes

Did you have them using a cert before switching to LE?

I can't really speak with advice on your plan; as it doesn't seem clear to me.
I don't see why anyone would need more than one cert for an email server...

[&2* readers: Get involved; Be heard. It starts with: if you read something you like, then like it :heart:]

1 Like

rg305,

there was only one cert used before all the recent efforts - I had hoped that was clear before.

As for the plan, it's simple, I could just use some advice. The most important thing is:

How do I dump the contents of what a given certificate supports? This is actually multiple questions in one, as I said above: which cert do I run a command against, the private or the public key? etc.

And, secondly, but much less important, is: How do I most efficiently get certbot to replace the existing certs?

As for this:

I don't see why anyone would need more than one cert for an email server...

That's actually a common short-sightedness among people who have never done this. Simply, people get all freaked out over getting email from XYZ.com when the certificate says it's from ABC.com. ... Trying to explain that "it's OK!" Just Doesn't Work... People complain.

Actually, there's a growing second reason; MANY of the larger organizations ( --ahem-- GOOGLE ) actively discriminate against email that doesn't dot all the eyes and cross all the Ts, throwing email into spam that shouldn't be, for example.

Thanks for helping me clarify what I'm looking to do!

2 Likes

Seems like you're combining multiple problems/questions and it's confusing more than it is helping.
I've run email servers for more than 20 years and I don't even understand what you mean with:

Emails come from senders (using email addresses) and pass through email service providers (who use servers they operate with FQDNs from that service domain).
No one opens an email and checks the headers to see if all the servers used in the path match the senders domain.

Are you talking about DKIM or SPF ?

As for the cert names used: If you used certbot, you can just use certbot certificates to list all the cert info and then grep the lines with the info you want.

2 Likes

I will very soon, time permitting, be going there, yes, but I haven't yet.

I REALLY don't see why this is confusing:

How do I use a CLI based tool to see what's inside a given certificate - what it supports, domain / subdomain wise? If you can answer that, DO SO PLEASE!

1 Like

Sure, the simplest way is using the ACME client used to obtain them.
But I don't know which one you used.
So...
Which ACME client do you use?

2 Likes

Too many acronyms; what's ACME?

"To obtain them" I used certbot, as described above...

1 Like

There are 500 words above - sorry if I missed that.

Then let's start with:
certbot certificates
Which should show us plenty of information on all the certs on that system.

2 Likes
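As an added example (not from this thread, and not certbot's or OpenSSL's own tooling), here is a small POSIX shell script that does the three things the original post asks for: list the DNS names a certificate covers, check whether a hostname such as mail.<domain> is among them (the check behind the "bad certificate" alert the IMAP clients report), and build a certbot command that re-issues the same lineage with any missing names added. It assumes `openssl x509 -ext subjectAltName` is available (OpenSSL 1.1.1 or later; older versions need `-text` plus a grep for "Subject Alternative Name"), that the lineage directories under /etc/letsencrypt/live/ are named after the bare domain, and that `certonly` is acceptable for the re-issue (the -a/-i choice from the sketch later in the thread still applies if certbot should also install the cert). The `sample_san_text` output is constructed for the example. Run the file as `sh script.sh audit` (as root, since /etc/letsencrypt/live is not world-readable) to check every lineage.

```shell
#!/bin/sh
# Added example, not code from the thread: audit which DNS names a certbot
# certificate covers and rebuild the re-issue command from that list.
set -eu

# parse_san: turn openssl's "X509v3 Subject Alternative Name:\n  DNS:a, DNS:b"
# text (read from stdin) into one name per line. Kept separate from the
# openssl call so it can be exercised on captured text.
parse_san() {
  tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# san_names FILE: print the DNS SANs of a PEM certificate. fullchain.pem is
# fine: openssl x509 reads only the first (leaf) certificate in the file,
# which is the one that carries the names. The private key holds no names.
san_names() {
  openssl x509 -in "$1" -noout -ext subjectAltName | parse_san
}

# covers_name HOST LIST: succeed if HOST is in LIST (newline-separated),
# either exactly or through a one-label wildcard (*.example.com covers
# mail.example.com but not example.com or a.b.example.com).
covers_name() {
  cn_host=$1
  cn_list=$2
  cn_parent=${cn_host#*.}
  printf '%s\n' "$cn_list" | grep -q -x -F -e "$cn_host" -e "*.$cn_parent"
}

# certbot_command CERTNAME LIST [EXTRA]: print a certbot certonly command
# re-issuing lineage CERTNAME for every name in LIST plus the space-separated
# EXTRA names, duplicates removed. --cert-name keeps the existing lineage
# (an in-place replacement under /etc/letsencrypt/live/CERTNAME); --expand
# lets the name set grow without an interactive prompt.
certbot_command() {
  cc_name=$1
  cc_list=$2
  cc_extra=${3:-}
  cc_domains=$({ printf '%s\n' "$cc_list"; printf '%s\n' "$cc_extra" | tr ' ' '\n'; } \
    | awk 'NF && !seen[$0]++ { printf "%s%s", (n++ ? "," : ""), $0 }')
  printf 'certbot certonly --cert-name %s --expand -d %s\n' "$cc_name" "$cc_domains"
}

# sample_san_text: constructed stand-in for "openssl x509 -ext subjectAltName"
# output, used for offline testing of parse_san.
sample_san_text() {
  printf 'X509v3 Subject Alternative Name: \n'
  printf '    DNS:example.com, DNS:www.example.com, DNS:*.mail.example.net\n'
}

# audit_live: for every lineage, report whether mail.<lineage name> is covered
# and, if not, the command that would add it. Assumes lineage == bare domain.
audit_live() {
  for dir in /etc/letsencrypt/live/*/; do
    name=$(basename "$dir")
    list=$(san_names "$dir/fullchain.pem")
    if covers_name "mail.$name" "$list"; then
      printf '%s: ok\n' "$name"
    else
      printf '%s: missing mail.%s -> %s\n' "$name" "$name" \
        "$(certbot_command "$name" "$list" "mail.$name")"
    fi
  done
}

if [ "${1:-}" = audit ]; then
  audit_live
fi
```

The hostname check deliberately accepts only a one-label wildcard, matching how TLS clients evaluate `*.example.com`; a certificate for `*.example.com` does not cover `example.com` itself, which is a common reason a "wildcard" cert still trips a mail client.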

Thank you, rg305, that's VERY helpful. :grinning:

I'm 100% certain I can process that data in a shell script and formulate the necessary commands.

I did get this error though - not to side-track the conversation, but if you know how to address this... To wit:

Attempting to parse the version 1.6.0 renewal configuration file found at /etc/letsencrypt/renewal/somedomain.conf with version 1.0.0 of Certbot. This might not work.

Ideas on that?

And, as for the rest, I presume I can figure out from certbot's documentation the command to get it to renew / replace the certs...

2 Likes

That sounds like you might have multiple versions of certbot installed.

Please show:
which certbot
certbot --version
find / -name certbot

1 Like
  1. /bin/certbot .. This is the same (via a link, I presume) as /usr/bin/certbot

  2. 1.0.0

  3. To my surprise:

/etc/sysconfig/certbot
/usr/bin/certbot
/usr/lib/python3.7/site-packages/certbot
/usr/share/licenses/certbot
/usr/share/doc/certbot

Interestingly, I did a

$ dnf update certbot

and got version 1.3.0, not version 1.6.0!

1 Like

Please show:
ls -l /bin/certbot
crontab -l | grep certb
find / -name certbot-auto

1 Like

ls -l /bin/certbot
lrwxrwxrwx. 1 root root 18 Mar 5 2020 /bin/certbot -> /usr/bin/certbot-3

  2. no crontab for root

The entry you're worried about is in cron.daily and it runs:

certwatch - a bash script that in turn runs:
/usr/bin/certwatch

  3. ... No response from the third command, it found nothing.

1 Like

I'm not looking for jobs - I'm looking for clues to which certbot is being run and why you have multiple versions...
Please show:
ls -l /usr/bin/certb*

1 Like

Keep in mind, I just updated it:

lrwxrwxrwx. 1 root root 18 Mar 5 2020 /usr/bin/certbot -> /usr/bin/certbot-3
-rwxr-xr-x. 1 root root 382 Mar 5 2020 /usr/bin/certbot-3

I'm 100% sure you're chasing a cloud of smoke; NEVER was there another version of certbot on this box.

Instead, remember that WAY UP TOP I said that one domain didn't update correctly, and I fixed it - by running "certbot update" on another occasion; what's to look for is why that one file was different, and that's going to be in some other code, I suspect.

1 Like

hmm...
Ok then I suppose that explains it.
So all point to /usr/bin/certbot-3
And that shows version 1.3.0 (not 1.6.0)
So that doesn't explain how/where the 1.6.0 entry came from.
We can ignore that if you like.

Is there anything else that needs to be addressed at this time?

1 Like

I'm about to try and figure out the certbot command format to most easily update / replace the old certs with new ones; if you happen to know that right off the top of your head, that would be useful!

1 Like

If you want to use the same certname, that can help with keeping things tidy.
[presuming you have multiple certs]
certbot \
--certname FIRSTCERTNAME \
-d FIRST,SET,OF,DOMAINS \
-a AUTHENTICATIONMETHOD \
-i INSTALLATIONMETHOD \
--keep-until-expiring

Of course that is my best guess at what I know almost nothing about (your actual situation).
So take that as version 0.01 of what you might actually end up doing.

1 Like

Thanks, rg305, yes, that looks like exactly the form I'll be following. You've been a great help! :smiley:

2 Likes

Best of luck to you and
Cheers from Miami :beers:

2 Likes