Hi friends,
I've set up an email server based on Debian Jessie;
everything works fine, but when I try to fetch email from pergraziaricevuta.it (Apache hosted on the same VPS), the client (SeaMonkey/Thunderbird) tells me:
pop.pergraziaricevuta.it:995
the site has tried to identify themselves by providing invalid information
The certificate belongs to a different site, there may be an attempt to replace the original site
I've obtained the certificates for pergraziaricevuta.it:
ls -l /etc/letsencrypt/live/www.pergraziaricevuta.it/
totale 0
lrwxrwxrwx 1 root root 48 ott 15 09:54 cert.pem -> ../../archive/www.pergraziaricevuta.it/cert1.pem
lrwxrwxrwx 1 root root 49 ott 15 09:54 chain.pem -> ../../archive/www.pergraziaricevuta.it/chain1.pem
lrwxrwxrwx 1 root root 53 ott 15 09:54 fullchain.pem -> ../../archive/www.pergraziaricevuta.it/fullchain1.pem
lrwxrwxrwx 1 root root 51 ott 15 09:54 privkey.pem -> ../../archive/www.pergraziaricevuta.it/privkey1.pem
When you are trying to access pop.pergraziaricevuta.it:995 - the certificate you have told it to use is server.sio4.org ... hence you get an alert that the certificate names do not match.
If you host more than one domain, then you have several options:
set seamonkey/thunderbird to use the server name for access (then it matches the cert)
place all the possible domain names in a single cert
set up dovecot / postfix to have multiple certs, and use the correct one (the latest versions can do this)
Thanks again @serverco!
My situation is this: all domains now have non-combined certificates.
Are the following steps the correct procedure to make the FQDN domain inclusive of all domains?
remove all the renew configurations and then invoke the "expand" option for the FQDN domain.
change the Apache certificate configurations for the non-FQDN domains.
Congratulations! Your certificate and chain have been saved at [...]
Now I've changed all config paths (except for the Apache FQDN site and dovecot/postfix, which stay the same), reloaded Apache, postfix and dovecot, and tested the email client, but the email client again shows me the same message window, which says:
pop.pergraziaricevuta.it:995
the site has tried to identify themselves by providing invalid information
The certificate belongs to a different site, there may be an attempt to replace the original site
$ checkssl pergraziaricevuta.it:995
Domain port cert issued for valid until cert issued by possible issues?
pergraziaricevuta.it 995 pergraziaricevuta.it (alt) Feb 15 08:01:00 2017 GMT Let's Encrypt Authority X3
Domain port cert issued for valid until cert issued by possible issues?
pop.pergraziaricevuta.it 995 server.sio4.org Feb 15 08:01:00 2017 GMT Let's Encrypt Authority X3 - possible name mismatch
checkssl pop.pergraziaricevuta.it:995
Domain port cert issued for valid until cert issued by possible issues?
pop.pergraziaricevuta.it 995 pop.pergraziaricevuta.it (alt) Feb 15 08:44:00 2017 GMT Let's Encrypt Authority X3
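The name check behind the checkssl results above, as an added example that is not part of the original thread or of any tool mentioned in it: it lists which client-configured hostnames a certificate's subjectAltName entries fail to cover, which is the question to answer before and after expanding a certificate. The function names, the sample certificate's SAN list and the smtp. hostname are assumptions made for illustration.

```python
import socket
import ssl


def fetch_cert(host, port, timeout=10):
    """Return the certificate a TLS service presents when asked for `host` via SNI."""
    # Hostname checking is off so a mismatching cert can still be inspected.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def san_names(cert):
    """DNS names from the subjectAltName field of a getpeercert() dict."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def name_matches(pattern, host):
    """Exact match, or a wildcard covering exactly the left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == host


def uncovered(cert, hosts):
    """Hostnames from `hosts` that no SAN entry in `cert` covers."""
    names = san_names(cert)
    return [h for h in hosts if not any(name_matches(n, h) for n in names)]


# Constructed sample in getpeercert() shape; the SAN list is an assumption
# modelled on the checkssl result that reported server.sio4.org.
SAMPLE_CERT = {
    "subject": ((("commonName", "server.sio4.org"),),),
    "subjectAltName": (("DNS", "server.sio4.org"),),
}
# Names a mail client might be configured with (the smtp. name is hypothetical).
CLIENT_HOSTS = ["server.sio4.org", "pop.pergraziaricevuta.it",
                "smtp.pergraziaricevuta.it"]

if __name__ == "__main__":
    print("not covered:", uncovered(SAMPLE_CERT, CLIENT_HOSTS))
```

Against a live service, pass the result of `fetch_cert("pop.pergraziaricevuta.it", 995)` to `uncovered()` in place of the constructed sample.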