Postfix/Dovecot by email client: certificate unknown


#1

Hi friends,
I’ve set up an email server Debian Jessie based,
all works fine, but from the client, when I try to fetch email from pergraziaricevuta.it (Apache hosted on the same VPS) the client (seamonkey/thunderbird) say me:

pop.pergraziaricevuta.it:995
the site has tried to identify themselves by providing invalid information
The certificate belongs to a different site, there may be an attempt to replace the original site

I’ve obtained the certificates for pergraziaricevuta.it:

ls -l /etc/letsencrypt/live/www.pergraziaricevuta.it/
totale 0
lrwxrwxrwx 1 root root 48 ott 15 09:54 cert.pem -> …/…/archive/www.pergraziaricevuta.it/cert1.pem
lrwxrwxrwx 1 root root 49 ott 15 09:54 chain.pem -> …/…/archive/www.pergraziaricevuta.it/chain1.pem
lrwxrwxrwx 1 root root 53 ott 15 09:54 fullchain.pem -> …/…/archive/www.pergraziaricevuta.it/fullchain1.pem
lrwxrwxrwx 1 root root 51 ott 15 09:54 privkey.pem -> …/…/archive/www.pergraziaricevuta.it/privkey1.pem

and for server.sio4.org:

ls -l /etc/letsencrypt/live/server.sio4.org/
totale 0
lrwxrwxrwx 1 root root 39 ott 15 18:55 cert.pem -> …/…/archive/server.sio4.org/cert1.pem
lrwxrwxrwx 1 root root 40 ott 15 18:55 chain.pem -> …/…/archive/server.sio4.org/chain1.pem
lrwxrwxrwx 1 root root 44 ott 15 18:55 fullchain.pem -> …/…/archive/server.sio4.org/fullchain1.pem
lrwxrwxrwx 1 root root 42 ott 15 18:55 privkey.pem -> …/…/archive/server.sio4.org/privkey1.pem

and set the certificates for Dovecot/Postfix:

/etc/dovecot/conf.d/10-ssl.conf:ssl_cert = </etc/letsencrypt/live/server.sio4.org/fullchain.pem
/etc/dovecot/conf.d/10-ssl.conf:ssl_key = </etc/letsencrypt/live/server.sio4.org/privkey.pem

/etc/postfix/main.cf:smtpd_tls_cert_file = /etc/letsencrypt/live/server.sio4.org/fullchain.pem
/etc/postfix/main.cf:smtpd_tls_key_file = /etc/letsencrypt/live/server.sio4.org/privkey.pem

Where I’m wrong? :slight_smile:

Many thanks!


#2

You say that for dovecot you have

so it’s using the server.sio4.org certificate.

You also say

When you are trying to access pop.pergraziaricevuta.it:995 - the certificate you have told it to use is server.sio4.org … hence you get an alert that the certificate names do not match.

If you host more than one domain, then you have several options;

  1. set seamonkey/thinderbird to use the server name for access ( then it matches the cert)
  2. place all the possible domain names in a single cert
  3. set up dovecot / postfix to have multiple certs, and use the correct one ( the latest versions can do this)

#3

This solution, on a VPS with no more than 100 domain could be fine for you?

And running

certbot --expand -d example.com -d www.example.com -d foo.bar -d www.foo.bar -d mail.example.com -d webmail.foo.bar

should extend correctly all certificates, but so, on witch certificate the new domains will be incorporated?

And then (or before), should I change or delete the domains renew configurations?

many many thanks again! :slight_smile:


#4

Yes ( although I don’t speak on behalf of Let’s Encrypt. I’m just a user here )

The first one on the list I believe.

That depends really if you are having separate certificates on your https domains, or if you are going to use a combined one there as well.


#5

Thanks again @serverco!
My situatIon is this: all domains have now a not combined certificates.
The following steps are the correct procedure for make the FQDN domain inclusive of all domains?

  1. remove all the renew configurations and then invoke the “expand” option for the FQDN domain.
  2. change the certificate Apache configurations for not FQDN domains.

Could it be?

Many thanks again!


#6

Correct, if you want them all combined in a single cert, that should be fine.


#7

Perfect!
I’ve deleted all “renewal configs” “live directory content” and “archive directory content” and then run:

certbot certonly --webroot -w /var/www/letsencrypt --expand -d server.sio4.org -d sio4.org -d www.sio4.org -d site1.org -d www.site1.org -d site2.it -d www.site2.it -d site3.com -d www.site4.com

and then:

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at […]

Now, I’ve changed all config paths (except for Apache FQDN site and dovecot/postfix, that stay the same), reload Apache, postfix and dovecot and test the email client but again the email client show me the same window message where say:

!pop.pergraziaricevuta.it:995
the site has tried to identify themselves by providing invalid information
The certificate belongs to a different site, there may be an attempt to replace the original site

But if I run:

openssl x509 -in /etc/letsencrypt/live/server.sio4.org/fullchain.pem -text

the new domains seem to be into:

X509v3 Subject Alternative Name:
DNS:cosmogonia.org, DNS:pergraziaricevuta.it, DNS:server.sio4.org, DNS:sio4.org, DNS:vini-bulgarini.com, DNS:www.cosmogonia.org, DNS:www.pergraziaricevuta.it, DNS:www.sio4.org, DNS:www.vini-bulgarini.com

I’ve make wrong something? :grin:

Many many thanks for your (more appreciate!) help @serverco ! :wink:


#8

did you include “pop.pergraziaricevuta.it” in the list of SANS ?

if I check “pergraziaricevuta.it” I get a valid cert

$ checkssl pergraziaricevuta.it:995

Domain                port  cert issued for             valid until               cert issued by                possible issues?
pergraziaricevuta.it  995   pergraziaricevuta.it (alt)  Feb 15 08:01:00 2017 GMT  Let's Encrypt Authority X3

if I check “pop.pergraziaricevuta.it” then I don’t …


Domain                    port  cert issued for  valid until               cert issued by                possible issues?
pop.pergraziaricevuta.it  995   server.sio4.org  Feb 15 08:01:00 2017 GMT  Let's Encrypt Authority X3  - possible name mismatch

#9

No, I didn’t! :innocent:

You’re absolutely right!

Adding “pop.pergraziaricevuta.it” to “expand” (and, of course, including its dns records on the domain dns table) has been resolved the issue!

Many many thanks!! I don’t know what I’d do without your help!!

PS
Nice your “checkssl”, where I could give it? :slight_smile:


#10

Glad you managed to get it all sorted.

you can get checkssl at https://github.com/srvrco/checkssl (it’s a simple bash script )


#11

WAW!!

checkssl pop.pergraziaricevuta.it:995

Domain                    port  cert issued for                 valid until               cert issued by                possible issues?
pop.pergraziaricevuta.it  995   pop.pergraziaricevuta.it (alt)  Feb 15 08:44:00 2017 GMT  Let's Encrypt Authority X3

Many many thanks again @serverco !! :wink:


#12

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.