Multiple SSL with a single mail server?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://mail.longervision.com

I ran this command: N/A

It produced this output: N/A

My web server is (include version): https://mail.longervision.com

The operating system my web server runs on is (include version): Ubuntu 22.04

My hosting provider, if applicable, is: Digital Ocean Droplet

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): I'm NOT using any control panel.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.6.0

Actually, my problem is:
I'm running a single mail server instance at https://mail.longervision.com
I actually have multiple domains running on the same Digital Ocean droplet. I also generate multiple certificates for https://mail.longervision.ca and https://mail.longervision.us .

However, when I tried to log in to my Thunderbird with postfix other than longervision.com , I met the following ERROR message: Add Security Exception. Even if I can click on that Confirm Security Exception, when I tried to send out a message, I still got another ERROR message:

I believe my issue is just this one: Multiple domain and SSL · Issue #2087 · mailcow/mailcow-dockerized · GitHub .

Can anybody please help to take a look?

Thank you very much..

1 Like

Hello @jiapei100, welcome to the Let's Encrypt community. :slightly_smiling_face:

For Port 465

All three have the same Common Name and SANs information:

Common Name:    mail.longervision.com
SANs:           DNS:mail.longervision.com
                Total number of SANs: 1

For Port 443 each has a matching Common Name and/or SANs

3 Likes
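As an added example (not part of this thread), a small stdlib-only Python checker that reproduces the comparison above: it connects with SNI set to each name, reads the DNS SANs of the certificate actually presented, and applies the same name-matching rule a client such as Thunderbird uses. A certificate whose only SAN is mail.longervision.com cannot cover mail.longervision.ca, which is exactly what the security-exception prompt reports. The hostnames and ports below are taken from the thread; `check_names` accepts an injectable fetch function so the logic can be exercised offline.

```python
import socket
import ssl


def san_dns_names(cert):
    """Extract the DNS entries from the subjectAltName of an ssl.getpeercert() dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(hostname, san_names):
    """True if hostname is covered by one of the SAN DNS names.

    Mirrors the usual client rule: case-insensitive exact match, or a wildcard
    covering exactly one left-most label (*.example.com covers
    mail.example.com, but neither example.com nor a.b.example.com).
    """
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]                      # ".example.com"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif name == host:
            return True
    return False


def fetch_san_names(hostname, port, timeout=10):
    """Connect with SNI=hostname and return the DNS SANs of the served certificate.

    Hostname checking is disabled so the handshake completes even when the
    server presents a certificate for another name; the chain is still
    verified against the system trust store (CERT_REQUIRED).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return san_dns_names(tls.getpeercert())


def check_names(hostnames, ports, fetch=fetch_san_names):
    """Map (host, port) -> (covered?, sans) for every combination."""
    results = {}
    for host in hostnames:
        for port in ports:
            sans = fetch(host, port)
            results[(host, port)] = (hostname_matches(host, sans), sans)
    return results


if __name__ == "__main__":
    hosts = ["mail.longervision.com", "mail.longervision.ca", "mail.longervision.us"]
    for (host, port), (ok, sans) in check_names(hosts, [443, 465]).items():
        print(f"{host}:{port} {'OK' if ok else 'MISMATCH'} SANs={sans}")
```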

Here are lists of issued certificates:

3 Likes

@Bruce5051
Thank you so much Bruce... Can you please take a further look at this picture:


from Multiple domain and SSL · Issue #2087 · mailcow/mailcow-dockerized · GitHub .

That is what I configured in my mailcow.conf . I should have multiple SANs, rather than just Total number of SANs: 1 ... Sad...

Inside my /etc/nginx/sites-available/, I can tell there is ONLY 1 single mail.longervision.com, but there is NEITHER mail.longervision.ca NOR mail.longervision.us .

⋊> /e/n/sites-available ls mail.*    16:28:57
mail.longervision.com*
⋊> /e/n/sites-available ll ../sites-enabled/mail.*    16:29:03
lrwxrwxrwx 1 root root 48 Jun 19  2020 ../sites-enabled/mail.longervision.com -> /etc/nginx/sites-available/mail.longervision.com*

That is to say, I used this command sudo certbot --nginx -d mail.longervision.ca and sudo certbot --nginx -d mail.longervision.us, which generated certificates into a single file /etc/nginx/sites-available/mail.longervision.com . Is that the correct way of such configuration?

And if the answer is Yes, the ONLY problem is going to be from within that particular file /etc/nginx/sites-available/mail.longervision.com .

Thank you Bruce..

2 Likes

Hi @jiapei100, sorry I know nothing of mailcow nor of Digital Ocean droplet.
Kindly wait to see if there are more knowledgeable Let's Encrypt community volunteers willing to assist.

1 Like

Looking at the configuration file, it looks like ADDITIONAL_SERVER_NAMES only refers to certificates for the web UI.

Maybe try configuring ADDITIONAL_SAN to use a static list of domains, rather than the wildcard you have now. That will remove one confounding factor and might make troubleshooting a bit easier.

I suggest this only because your docker-compose logs don't show any attempts whatsoever to issue certificates for your other domains. Making this change and restarting the docker-compose unit might trigger the certificate requests you are looking for.

3 Likes

Tried... Still the same.. Not the solution to my issue... Anyway, thank you

1 Like

To which port are you connecting?

And why do you need to connect to your mail service via more than one name?

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.