Multiple certificates: need help cleaning up and with secure SMTP

ccheath · October 22, 2023, 4:37am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: eyethrees.net

I ran this command: n/a

It produced this output: n/a

My web server is (include version): Apache/2.4.52

The operating system my web server runs on is (include version): Ubuntu 22.04

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Webmin

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.7.2

My server is running a few domains (virtualhosts).
My LE certificate is working fine for web traffic but for email it shows as 'not trusted' on my iPhone and the mail client (and other clients like thunderbird on my PC) will not send emails but they are receiving emails fine.
In my /etc/letsencrypt/live folder i have three domains listed which I guess means that certbot is renewing three certificates automatically. Only one of them is being used as far as I can tell.

Can someone help me clean that up so that there is only one certificate in my server?
What can I do to figure out what's going on with SMTP?

If I am logged into the server and run:
openssl s_client -starttls smtp -connect mail.eyethrees.net:587 (or 465)
it connects, but if I run externally I get this error:

40D7C9B7C67F0000:error:8000006F:system library:BIO_connect:Connection refused:../crypto/bio/bio_sock2.c:125:calling connect()
40D7C9B7C67F0000:error:10000067:BIO routines:BIO_connect:connect error:../crypto/bio/bio_sock2.c:127:
connect:errno=111

I'm assuming that this is the issue, but can't figure out how to fix it.

TYIA,
Chris

rg305 · October 22, 2023, 4:41am

Show:
sudo certbot certificates

Sounds like a firewall issue.

rg305 · October 22, 2023, 4:43am

Weird...
Both of these connect for me just fine:

openssl s_client -starttls smtp -connect mail.eyethrees.net:587
openssl s_client -connect mail.eyethrees.net:465

ccheath · October 22, 2023, 4:45am

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: cch.fyi
    Serial Number: 41d7843865d236fbaa1a2699db66a360c72
    Key Type: RSA
    Domains: cch.fyi blog.chrisheath.us chrisheath.us eyethrees.net mail.eyethrees.net server.eyethrees.net www.blog.chrisheath.us www.cch.fyi www.chrisheath.us www.eyethrees.net www.mail.eyethrees.net
    Expiry Date: 2024-01-11 04:43:42+00:00 (VALID: 81 days)
    Certificate Path: /etc/letsencrypt/live/cch.fyi/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/cch.fyi/privkey.pem
  Certificate Name: chrisheath.us
    Serial Number: 44b0b3b8062898388c30e59e77e297473a2
    Key Type: ECDSA
    Domains: cch.fyi blog.chrisheath.us chrisheath.us eyethrees.net mail.eyethrees.net server.eyethrees.net www.blog.chrisheath.us www.cch.fyi www.chrisheath.us www.eyethrees.net www.mail.eyethrees.net
    Expiry Date: 2024-01-10 04:37:08+00:00 (VALID: 79 days)
    Certificate Path: /etc/letsencrypt/live/chrisheath.us/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/chrisheath.us/privkey.pem
  Certificate Name: server.eyethrees.net
    Serial Number: 4e27ac1ad6660cc95f5427dd5f4685f93eb
    Key Type: RSA
    Domains: server.eyethrees.net
    Expiry Date: 2024-01-11 04:43:44+00:00 (VALID: 81 days)
    Certificate Path: /etc/letsencrypt/live/server.eyethrees.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/server.eyethrees.net/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

RE: firewall - yeah i thought it was firewall too... nmap shows that the port as 'filtered' which is correct (I think)

ccheath · October 22, 2023, 4:45am

only the chrisheath.us certificate should be used

rg305 · October 22, 2023, 4:46am

I think you need may to review your email certificate use.
I see a cert with a bunch of names:

DNS Name=blog.chrisheath.us
DNS Name=cch.fyi
DNS Name=chrisheath.us
DNS Name=eyethrees.net
DNS Name=mail.eyethrees.net
DNS Name=server.eyethrees.net
DNS Name=www.blog.chrisheath.us
DNS Name=www.cch.fyi
DNS Name=www.chrisheath.us
DNS Name=www.eyethrees.net
DNS Name=www.mail.eyethrees.net

SMTP doesn't really care to match server domain names with recipient domain names.
If that was a requirement, Google would likely not be in the email business.

rg305 · October 22, 2023, 4:46am

We are almost agreed on that!
Only one name needs to be used.

rg305 · October 22, 2023, 4:48am

Let's begin at the beginning.

Does this server host any web sites [or webmail access via HTTPS]?
OR
Only SMTP email only?

ccheath · October 22, 2023, 4:51am

all the sites in the chrisheath.us cert are web (HTTPS) only mail.eyethrees.net is used for email

as for removing the unused certs, sudo certbot delete --cert-name cch.fyi and sudo certbot delete --cert-name server.eyethrees.net, right?

ccheath · October 22, 2023, 4:53am

mail.eyethrees.net is webmail and IMAP/SMTP (and webmail works, but that's because you're on the server already at that point)

rg305 · October 22, 2023, 4:57am

Slow down a bit.
The first two certs are not entirely identical.
The names my be the same, but the types are not.
ECDSA/RSA

The third cert doesn't seem to be needed, so that one could go.
Then you can create a new [separate] cert for the name "mail.eyethrees.net" and use that for SMTP.

ccheath · October 22, 2023, 5:00am

slowing down... that's why i'm here...

rg305 · October 22, 2023, 5:00am

For which name:port does that happen?
When it happens, check which names the cert being used covers.

ccheath · October 22, 2023, 5:02am

when i try to configure my outgoing SMTP server
mail.eyethrees.net:587
(also for 465)
it is also saying that the name is cch.fyi

ccheath · October 22, 2023, 5:04am

same as when i inspect the cert in a browser, although under inspection the certificate's serial number matches the chrisheath.us cert in certbot

rg305 · October 22, 2023, 5:04am

That is just the issued to/subject name.
You need to check the SAN field.
Which should include the name: mail.eyethrees.net
[as shown by the certbot certificates output above]

So, I'm a bit confused about why that error is happening at all.

rg305 · October 22, 2023, 5:05am

Are you up for some testing?

ccheath · October 22, 2023, 5:06am

definitely

rg305 · October 22, 2023, 5:07am

As a test: Configure it to use the subject name ~~[provided that resolves to the same IP - I haven't checked]~~:
cch.fyi:587

I checked, the IPs are the same

ccheath · October 22, 2023, 5:10am

the iPhone app takes forever "verifying" but then fails...
in thunderbird I can change the setting and try to send an email and immediately get the error.

Sending of the message failed.
The message could not be sent because connecting to Outgoing server (SMTP) cch.fyi failed. The server may be unavailable or is refusing SMTP connections. Please verify that your Outgoing server (SMTP) settings are correct and try again.

iPhone is still 'verifying' but it will fail

Topic		Replies	Views
Multiple SSL with a single mail server? Help	8	852	July 27, 2023
Root certificate not trusted by trust provider Help	27	3057	September 4, 2022
Multiple SSLs on same domain Help	2	362	February 7, 2023
Difficulties with seperate certificates for multiple domains Help	17	1633	April 24, 2020
HTTPS fine, SMTP not Help	10	1535	December 5, 2019

Multiple certificates: need help cleaning up and with secure SMTP

Related topics