Multiple certificates: need help cleaning up and with secure SMTP

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: eyethrees.net

I ran this command: n/a

It produced this output: n/a

My web server is (include version): Apache/2.4.52

The operating system my web server runs on is (include version): Ubuntu 22.04

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Webmin

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.7.2


My server is running a few domains (virtualhosts).
My LE certificate is working fine for web traffic, but for email it shows as 'not trusted' on my iPhone, and the mail client (and other clients, like Thunderbird on my PC) will not send emails, but they receive emails fine.
In my /etc/letsencrypt/live folder I have three domains listed, which I guess means that certbot is renewing three certificates automatically. Only one of them is being used as far as I can tell.

  1. Can someone help me clean that up so that there is only one certificate in my server?

  2. What can I do to figure out what's going on with SMTP?

If I am logged into the server and run:
openssl s_client -starttls smtp -connect mail.eyethrees.net:587 (or 465)
it connects, but if I run it externally I get this error:

40D7C9B7C67F0000:error:8000006F:system library:BIO_connect:Connection refused:../crypto/bio/bio_sock2.c:125:calling connect()
40D7C9B7C67F0000:error:10000067:BIO routines:BIO_connect:connect error:../crypto/bio/bio_sock2.c:127:
connect:errno=111

I'm assuming that this is the issue, but can't figure out how to fix it.

TYIA,
Chris

1 Like

Show:
sudo certbot certificates

Sounds like a firewall issue.

2 Likes
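Added example, not part of the thread: a script to act on the two replies above (check the certbot inventory, then suspect the firewall) for the specific symptom the poster describes, a submission port that connects from the server itself but is refused from outside. It assumes a Linux host with ss(8), openssl(1) and iptables/ufw; the function names are mine, and the `ss -Hltn` sample at the bottom is constructed for the demo, not captured from the poster's machine. The port numbers 587 and 465 are the ones from the thread.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): narrow down why a submission port
# connects locally but is refused remotely. Assumes Linux with ss(8),
# openssl(1) and iptables/ufw; nothing else about the poster's host is known.

# Classify the listener for TCP port $1 from `ss -Hltn` output read on stdin.
# Prints one of:
#   all      bound to a wildcard or public address: reachable in principle,
#            so look at the host firewall or the provider's filtering next
#   loopback bound to 127.0.0.1 / ::1 only: exactly the "works on the box,
#            refused from outside" symptom; widen the daemon's listen address
#            (e.g. Postfix inet_interfaces, if that is the MTA; the thread
#            does not say which one is in use)
#   none     nothing listening on that port at all
listener_scope() {
    local port="$1" scope="none" addr lport
    while read -r _state _recvq _sendq laddr _peer _rest; do
        addr="${laddr%:*}"; lport="${laddr##*:}"
        [ "$lport" = "$port" ] || continue
        case "$addr" in
            127.*|'[::1]') [ "$scope" = all ] || scope=loopback ;;
            *)             scope=all ;;
        esac
    done
    printf '%s\n' "$scope"
}

# Live: classify a port from the kernel's real listener table.
listener_scope_live() { ss -Hltn | listener_scope "$1"; }

# Live: can a TLS handshake with $1:$2 complete from *this* vantage point?
# Pass "starttls" as $3 for port 587. Run it on the server and from a remote
# host and compare; returns 0 on a completed handshake, 1 otherwise.
tls_handshake() {
    local host="$1" port="$2" st=""
    [ "${3:-}" = starttls ] && st="-starttls smtp"
    openssl s_client -connect "$host:$port" -servername "$host" $st </dev/null 2>&1 \
        | grep -q '^Verify return code'
}

# Live: host-firewall rules mentioning the port. "Connection refused"
# (errno 111) means something answered with a TCP RST: no listener, or a
# REJECT rule. nmap's "filtered" means packets were dropped silently: a DROP
# rule, or filtering upstream of the host (provider/network edge).
firewall_rules_for() {
    local port="$1"
    iptables -S INPUT 2>/dev/null | grep -E -- "--dport $port( |$)" || true
    ip6tables -S INPUT 2>/dev/null | grep -E -- "--dport $port( |$)" || true
    if command -v ufw >/dev/null 2>&1; then
        ufw status 2>/dev/null | grep -E "^$port(/tcp)?[[:space:]]" || true
    fi
}

diagnose() {
    local port="$1"
    echo "port $port listener: $(listener_scope_live "$port")"
    echo "port $port host firewall rules:"; firewall_rules_for "$port"
}

# Constructed sample of `ss -Hltn` output (not from the poster's host): the
# submission port is loopback-only, so local tests pass and remote ones get RST.
SAMPLE_SS='LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 100 127.0.0.1:587 0.0.0.0:*
LISTEN 0 100 [::1]:587 [::]:*
LISTEN 0 100 [::]:465 [::]:*'

if [ "${1:-}" = live ]; then
    diagnose 587; diagnose 465           # run as: ./check.sh live  (on the server)
else
    for p in 25 587 465 993; do
        printf 'sample: port %s -> %s\n' "$p" \
            "$(printf '%s\n' "$SAMPLE_SS" | listener_scope "$p")"
    done
fi
```

Run it with no arguments to see the classification on the constructed sample; run it with `live` on the server to classify the real listeners and list firewall rules, then call `tls_handshake mail.example.net 587 starttls` from the server and from an outside host. If the server-side scope is `all` and the handshake still fails only from outside, the block is not on the host at all and the next question is for the hosting provider.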

Weird...
Both of these connect for me just fine:

openssl s_client -starttls smtp -connect mail.eyethrees.net:587
openssl s_client -connect mail.eyethrees.net:465
2 Likes
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: cch.fyi
    Serial Number: 41d7843865d236fbaa1a2699db66a360c72
    Key Type: RSA
    Domains: cch.fyi blog.chrisheath.us chrisheath.us eyethrees.net mail.eyethrees.net server.eyethrees.net www.blog.chrisheath.us www.cch.fyi www.chrisheath.us www.eyethrees.net www.mail.eyethrees.net
    Expiry Date: 2024-01-11 04:43:42+00:00 (VALID: 81 days)
    Certificate Path: /etc/letsencrypt/live/cch.fyi/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/cch.fyi/privkey.pem
  Certificate Name: chrisheath.us
    Serial Number: 44b0b3b8062898388c30e59e77e297473a2
    Key Type: ECDSA
    Domains: cch.fyi blog.chrisheath.us chrisheath.us eyethrees.net mail.eyethrees.net server.eyethrees.net www.blog.chrisheath.us www.cch.fyi www.chrisheath.us www.eyethrees.net www.mail.eyethrees.net
    Expiry Date: 2024-01-10 04:37:08+00:00 (VALID: 79 days)
    Certificate Path: /etc/letsencrypt/live/chrisheath.us/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/chrisheath.us/privkey.pem
  Certificate Name: server.eyethrees.net
    Serial Number: 4e27ac1ad6660cc95f5427dd5f4685f93eb
    Key Type: RSA
    Domains: server.eyethrees.net
    Expiry Date: 2024-01-11 04:43:44+00:00 (VALID: 81 days)
    Certificate Path: /etc/letsencrypt/live/server.eyethrees.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/server.eyethrees.net/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

RE: firewall - yeah, I thought it was a firewall too... nmap shows the port as 'filtered', which is correct (I think)

Only the chrisheath.us certificate should be used.

I think you may need to review your email certificate use.
I see a cert with a bunch of names:

DNS Name=blog.chrisheath.us
DNS Name=cch.fyi
DNS Name=chrisheath.us
DNS Name=eyethrees.net
DNS Name=mail.eyethrees.net
DNS Name=server.eyethrees.net
DNS Name=www.blog.chrisheath.us
DNS Name=www.cch.fyi
DNS Name=www.chrisheath.us
DNS Name=www.eyethrees.net
DNS Name=www.mail.eyethrees.net

SMTP doesn't really care to match server domain names with recipient domain names.
If that was a requirement, Google would likely not be in the email business.

2 Likes

We are almost agreed on that!
Only one name needs to be used.

2 Likes

Let's begin at the beginning.

Does this server host any web sites [or webmail access via HTTPS]?
OR
Only SMTP email?

2 Likes

All the sites in the chrisheath.us cert are web (HTTPS); only mail.eyethrees.net is used for email.

as for removing the unused certs, sudo certbot delete --cert-name cch.fyi and sudo certbot delete --cert-name server.eyethrees.net, right?

mail.eyethrees.net is webmail and IMAP/SMTP (and webmail works, but that's because you're on the server already at that point)

Slow down a bit.
The first two certs are not entirely identical.
The names may be the same, but the types are not.
ECDSA/RSA

The third cert doesn't seem to be needed, so that one could go.
Then you can create a new [separate] cert for the name "mail.eyethrees.net" and use that for SMTP.

2 Likes

slowing down... that's why i'm here...

1 Like

For which name:port does that happen?
When it happens, check which names the cert being used covers.

2 Likes

when i try to configure my outgoing SMTP server
mail.eyethrees.net:587
(also for 465)
it is also saying that the name is cch.fyi

Same as when I inspect the cert in a browser, although under inspection the certificate's serial number matches the chrisheath.us cert in certbot.

That is just the issued to/subject name.
You need to check the SAN field.
Which should include the name: mail.eyethrees.net
[as shown by the certbot certificates output above]

So, I'm a bit confused about why that error is happening at all.

2 Likes
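Added example, not part of the thread, to make the point of the reply above concrete: a mail client matches the host name it connected to against the certificate's subjectAltName (SAN) list, and the subject CN it labels the certificate with (here cch.fyi) is just one field. The script builds a throwaway self-signed certificate constructed to mirror the thread's certbot output (CN=cch.fyi, SAN including mail.eyethrees.net), plus one wildcard entry `*.chrisheath.us` that the real certificate does not have, added only to exercise the wildcard rule; `imap.eyethrees.net` is a made-up name used as a negative case. The function names are mine. It needs openssl 1.1.1 or newer for `-addext`; the `server_cert_report` function is a live check against a real server and is not exercised by the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): CN vs SAN. The demo certificate is a
# constructed self-signed one, not the poster's real certificate.

# DNS names from a PEM certificate's SAN extension, one per line.
san_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# The subject CN only: the "issued to" name a mail client's dialog displays.
subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Does the cert cover host name $2? Either an exact SAN entry, or a wildcard
# entry matching exactly one leading label (*.eyethrees.net would cover
# mail.eyethrees.net, but not eyethrees.net and not a.b.eyethrees.net).
san_covers() {
    local cert="$1" name="$2" names parent
    names=$(san_names "$cert")
    parent=${name#*.}
    printf '%s\n' "$names" | grep -qxF -- "$name" && return 0
    [ "$parent" != "$name" ] && printf '%s\n' "$names" | grep -qxF -- "*.$parent"
}

# Live: the leaf certificate a mail server actually presents, its CN and SAN
# names, and OpenSSL's chain verdict. A non-zero "Verify return code" is what
# a phone shows as "not trusted": typically a missing intermediate (cert.pem
# served instead of fullchain.pem) or the daemon picking an unrelated cert.
# $3 = "starttls" for port 587; omit it for implicit TLS on 465.
server_cert_report() {
    local host="$1" port="$2" st="" tmp
    [ "${3:-}" = starttls ] && st="-starttls smtp"
    tmp=$(mktemp)
    openssl s_client -connect "$host:$port" -servername "$host" $st \
        </dev/null 2>/dev/null >"$tmp" || true
    echo "subject CN : $(subject_cn "$tmp")"          # x509 reads the first PEM block
    echo "SAN names  : $(san_names "$tmp" | tr '\n' ' ')"
    grep 'Verify return code' "$tmp" || echo "no TLS handshake completed"
    rm -f "$tmp"
}

# Constructed demo cert: CN=cch.fyi, SAN listing the mail host too, plus a
# wildcard entry (not in the thread's real cert) to exercise the wildcard rule.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
DEMO_CERT="$DEMO_DIR/demo.pem"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$DEMO_DIR/demo.key" -out "$DEMO_CERT" -subj '/CN=cch.fyi' \
    -addext 'subjectAltName=DNS:cch.fyi,DNS:www.cch.fyi,DNS:eyethrees.net,DNS:mail.eyethrees.net,DNS:*.chrisheath.us' \
    >/dev/null 2>&1

echo "subject CN: $(subject_cn "$DEMO_CERT")"
echo "SAN       : $(san_names "$DEMO_CERT" | tr '\n' ' ')"
# imap.eyethrees.net is a made-up name used only as a negative case.
for n in mail.eyethrees.net cch.fyi blog.chrisheath.us imap.eyethrees.net; do
    if san_covers "$DEMO_CERT" "$n"; then echo "$n: covered"; else echo "$n: NOT covered"; fi
done
```

The demo prints `subject CN: cch.fyi` while reporting `mail.eyethrees.net: covered`, which is the situation in the thread: a client showing "cch.fyi" as the certificate name is not itself a mismatch. Against a real server, `server_cert_report mail.example.net 587 starttls` tells you which certificate the daemon is actually serving and whether the chain verifies; if the SAN list there does not match the certbot output, the MTA is pointed at the wrong lineage.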

Are you up for some testing?

2 Likes

definitely

As a test: Configure it to use the subject name [provided that resolves to the same IP - I haven't checked]:
cch.fyi:587

I checked, the IPs are the same

2 Likes

the iPhone app takes forever "verifying" but then fails...
in thunderbird I can change the setting and try to send an email and immediately get the error.

Sending of the message failed.
The message could not be sent because connecting to Outgoing server (SMTP) cch.fyi failed. The server may be unavailable or is refusing SMTP connections. Please verify that your Outgoing server (SMTP) settings are correct and try again.

iPhone is still 'verifying' but it will fail