LetsEncrypt and Yandex.Mail for domain

I currently have a website running on DigitalOcean for bergenmakers.no. Setting up certificates worked well.
There's a subdomain, mail.bergenmakers.no, that is served by yandex.com through their Yandex.Mail for Domain.
After adding certificates I can't reach mail.bergenmakers.no anymore. Chrome, Safari and Firefox say that my connection is not private.
All of them point out that the domain uses HSTS, but that didn't help me find an answer to my problem.

Did anyone have this problem? Maybe with GSuite/Google Apps for domain?

mail.domain on Yandex is not actually supposed to be accessed via HTTPS directly. It just bounces you to https://mail.yandex.tld/parameters, which has appropriate Yandex certs. So trying to access https://mail.domain will give you an error (the certificate served will contain Yandex names but not your domain). I don't think it would be any different elsewhere, unless some other service actually allows you to upload your own cert to the server that provides such a hosted mail service. If you are serving an HSTS header including subdomains, this might cause an issue, I believe. In that case you could remove subdomains from it to resolve this.

1 Like
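To make the includeSubDomains point concrete, here is an added example (not code from either poster) that parses a Strict-Transport-Security value the way RFC 6797 describes and reports whether a browser that learned that policy from one host would force HTTPS on another. The hostnames are the ones from this thread; the header values are constructed to mirror the commented-out nginx lines.

```python
"""
Check which hosts an HSTS policy pins to HTTPS.

Added example for this thread, not the original poster's or Yandex's code.
Hostnames are the thread's (bergenmakers.no); header values are constructed.
"""


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security header value into a small policy dict.

    Directive names are case-insensitive (RFC 6797 section 6.1), so both
    'includeSubDomains' and nginx's common 'includeSubdomains' spelling count.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def hsts_applies(policy_host: str, policy: dict, target_host: str) -> bool:
    """Return True if a browser that cached `policy` from `policy_host`
    will refuse plain HTTP (and hard-fail on a certificate error) for `target_host`.

    Only the exact host is covered unless includeSubDomains was set; a
    max-age of 0 (or a missing max-age) means no policy is stored at all.
    """
    if not policy["max_age"]:
        return False
    policy_host = policy_host.lower().rstrip(".")
    target_host = target_host.lower().rstrip(".")
    if target_host == policy_host:
        return True
    # Subdomain match requires a dot boundary, so "notbergenmakers.no" never matches.
    return policy["include_subdomains"] and target_host.endswith("." + policy_host)


def affected_hosts(policy_host: str, header: str, hosts: list) -> list:
    """List which of `hosts` a given header, served by `policy_host`, would pin."""
    policy = parse_hsts(header)
    return [h for h in hosts if hsts_applies(policy_host, policy, h)]


if __name__ == "__main__":
    candidates = ["bergenmakers.no", "mail.bergenmakers.no", "notbergenmakers.no"]
    # The header the original config had commented out: pins the mail subdomain too.
    print(affected_hosts("bergenmakers.no",
                         "max-age=63072000; includeSubdomains", candidates))
    # The same header without includeSubDomains: only the apex is pinned.
    print(affected_hosts("bergenmakers.no", "max-age=63072000", candidates))
```

The practical consequence of the first call is the error the original poster saw: once includeSubDomains is cached, the browser treats the Yandex certificate on mail.bergenmakers.no as a hard failure with no click-through. Note also that a policy learned from www.bergenmakers.no would not cover mail.bergenmakers.no, since the mail host is not a subdomain of www; which host actually served the header matters.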

Thank you for the answer. This is my current setup:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/certs/dhparam.pem;

Keep in mind that just commenting it out, rather than changing it to NOT include subdomains and hitting your server again, may additionally require doing something like http://classically.me/blogs/how-clear-hsts-settings-major-browsers

Thank you for the clarification. I will try changing it and see how it goes.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.