Postfix/Dovecot by email client: certificate unknown

Hi friends,
I've set up an email server Debian Jessie based,
all works fine, but from the client, when I try to fetch email from pergraziaricevuta.it (Apache hosted on the same VPS), the client (seamonkey/thunderbird) tells me:

pop.pergraziaricevuta.it:995
the site has tried to identify themselves by providing invalid information
The certificate belongs to a different site, there may be an attempt to replace the original site

I've obtained the certificates for pergraziaricevuta.it:

ls -l /etc/letsencrypt/live/www.pergraziaricevuta.it/
totale 0
lrwxrwxrwx 1 root root 48 ott 15 09:54 cert.pem -> ../../archive/www.pergraziaricevuta.it/cert1.pem
lrwxrwxrwx 1 root root 49 ott 15 09:54 chain.pem -> ../../archive/www.pergraziaricevuta.it/chain1.pem
lrwxrwxrwx 1 root root 53 ott 15 09:54 fullchain.pem -> ../../archive/www.pergraziaricevuta.it/fullchain1.pem
lrwxrwxrwx 1 root root 51 ott 15 09:54 privkey.pem -> ../../archive/www.pergraziaricevuta.it/privkey1.pem

and for server.sio4.org:

ls -l /etc/letsencrypt/live/server.sio4.org/
totale 0
lrwxrwxrwx 1 root root 39 ott 15 18:55 cert.pem -> ../../archive/server.sio4.org/cert1.pem
lrwxrwxrwx 1 root root 40 ott 15 18:55 chain.pem -> ../../archive/server.sio4.org/chain1.pem
lrwxrwxrwx 1 root root 44 ott 15 18:55 fullchain.pem -> ../../archive/server.sio4.org/fullchain1.pem
lrwxrwxrwx 1 root root 42 ott 15 18:55 privkey.pem -> ../../archive/server.sio4.org/privkey1.pem

and set the certificates for Dovecot/Postfix:

/etc/dovecot/conf.d/10-ssl.conf:ssl_cert = </etc/letsencrypt/live/server.sio4.org/fullchain.pem
/etc/dovecot/conf.d/10-ssl.conf:ssl_key = </etc/letsencrypt/live/server.sio4.org/privkey.pem

/etc/postfix/main.cf:smtpd_tls_cert_file = /etc/letsencrypt/live/server.sio4.org/fullchain.pem
/etc/postfix/main.cf:smtpd_tls_key_file = /etc/letsencrypt/live/server.sio4.org/privkey.pem

Where am I wrong? :slight_smile:

Many thanks!

You say that for dovecot you have

so it's using the server.sio4.org certificate.

You also say

When you are trying to access pop.pergraziaricevuta.it:995 - the certificate you have told it to use is server.sio4.org ... hence you get an alert that the certificate names do not match.

If you host more than one domain, then you have several options;

  1. set seamonkey/thunderbird to use the server name for access ( then it matches the cert)
  2. place all the possible domain names in a single cert
  3. set up dovecot / postfix to have multiple certs, and use the correct one ( the latest versions can do this)

This solution, on a VPS with no more than 100 domains, could be fine for you?

And running

certbot --expand -d example.com -d www.example.com -d foo.bar -d www.foo.bar -d mail.example.com -d webmail.foo.bar

should correctly extend all certificates, but then, into which certificate will the new domains be incorporated?

And then (or before), should I change or delete the domains' renewal configurations?

many many thanks again! :slight_smile:

Yes ( although I don't speak on behalf of Let's Encrypt. I'm just a user here )

The first one on the list I believe.

That depends really if you are having separate certificates on your https domains, or if you are going to use a combined one there as well.

Thanks again @serverco!
My situation is this: all domains now have separate (not combined) certificates.
Are the following steps the correct procedure to make the FQDN domain's certificate inclusive of all domains?

  1. remove all the renewal configurations and then invoke the "expand" option for the FQDN domain.
  2. change the Apache certificate configurations for the non-FQDN domains.

Could it be?

Many thanks again!

Correct, if you want them all combined in a single cert, that should be fine.

Perfect!
I've deleted all "renewal configs", "live directory content" and "archive directory content" and then run:

certbot certonly --webroot -w /var/www/letsencrypt --expand -d server.sio4.org -d sio4.org -d www.sio4.org -d site1.org -d www.site1.org -d site2.it -d www.site2.it -d site3.com -d www.site4.com

and then:

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at [...]

Now I've changed all config paths (except for the Apache FQDN site and dovecot/postfix, which stay the same), reloaded Apache, postfix and dovecot and tested the email client, but again the email client shows me the same message window, which says:

pop.pergraziaricevuta.it:995
the site has tried to identify themselves by providing invalid information
The certificate belongs to a different site, there may be an attempt to replace the original site

But if I run:

openssl x509 -in /etc/letsencrypt/live/server.sio4.org/fullchain.pem -text

the new domains seem to be in there:

X509v3 Subject Alternative Name:
DNS:cosmogonia.org, DNS:pergraziaricevuta.it, DNS:server.sio4.org, DNS:sio4.org, DNS:vini-bulgarini.com, DNS:www.cosmogonia.org, DNS:www.pergraziaricevuta.it, DNS:www.sio4.org, DNS:www.vini-bulgarini.com

Have I done something wrong? :grin:

Many many thanks for your (much appreciated!) help @serverco ! :wink:

did you include “pop.pergraziaricevuta.it” in the list of SANs ?

if I check “pergraziaricevuta.it” I get a valid cert

$ checkssl pergraziaricevuta.it:995

Domain                port  cert issued for             valid until               cert issued by                possible issues?
pergraziaricevuta.it  995   pergraziaricevuta.it (alt)  Feb 15 08:01:00 2017 GMT  Let's Encrypt Authority X3

if I check “pop.pergraziaricevuta.it” then I don’t …

Domain                    port  cert issued for  valid until               cert issued by                possible issues?
pop.pergraziaricevuta.it  995   server.sio4.org  Feb 15 08:01:00 2017 GMT  Let's Encrypt Authority X3  - possible name mismatch
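The mismatch shown above (and explained in the earlier reply) is a pure Subject Alternative Name problem: the expanded certificate lists pergraziaricevuta.it and www.pergraziaricevuta.it but not pop.pergraziaricevuta.it, and a mail client compares the host it connected to against the SAN list only. The following Python script is an added example, not part of the thread and not the checkssl script; it builds a getpeercert()-style dict from the SAN list the original poster pasted (constructed sample data), implements the hostname-to-SAN matching rule clients apply (including the single-label wildcard case, which the thread does not cover), and has an optional live helper that fetches a server's certificate on an implicit-TLS port such as 995 without hostname checking so the SAN list can be inspected even when it is wrong.

```python
"""Check whether the certificate a mail server presents covers the hostname the
client connected to. Added example, not from the thread and not checkssl."""
import socket
import ssl

# Constructed from the SAN list shown in the thread for the expanded
# server.sio4.org certificate, in the dict shape ssl.SSLSocket.getpeercert()
# returns. Note the missing pop.pergraziaricevuta.it entry.
EXPANDED_CERT = {
    "subject": ((("commonName", "server.sio4.org"),),),
    "subjectAltName": (
        ("DNS", "cosmogonia.org"),
        ("DNS", "pergraziaricevuta.it"),
        ("DNS", "server.sio4.org"),
        ("DNS", "sio4.org"),
        ("DNS", "vini-bulgarini.com"),
        ("DNS", "www.cosmogonia.org"),
        ("DNS", "www.pergraziaricevuta.it"),
        ("DNS", "www.sio4.org"),
        ("DNS", "www.vini-bulgarini.com"),
    ),
}


def san_dns_names(cert):
    """All DNS-type Subject Alternative Names in a getpeercert()-style dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, and a wildcard is allowed
    only as the entire leftmost label, where it matches exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) > 1 and p[1:] == h[1:]
    return p == h


def matching_san(cert, hostname):
    """Return the SAN entry that covers hostname, or None if nothing does.
    Clients ignore the subject CN once a SAN extension is present, so only
    the SAN list is consulted here."""
    for name in san_dns_names(cert):
        if _name_matches(name, hostname):
            return name
    return None


def diagnose(cert, hostname):
    """One-line verdict in the spirit of checkssl's 'possible issues?' column."""
    hit = matching_san(cert, hostname)
    if hit:
        return f"{hostname}: covered by SAN {hit}"
    return (f"{hostname}: NAME MISMATCH, cert only covers "
            f"{', '.join(san_dns_names(cert))}")


def fetch_peer_cert(hostname, port=995, timeout=5.0):
    """Live helper (needs network, not exercised offline): fetch the certificate
    a server presents on an implicit-TLS port (995 POP3S, 993 IMAPS, 465 SMTPS).
    The chain is still verified against the system CA store, but hostname
    checking is disabled so the SAN list is returned even when the name is wrong."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:  # usage: script.py host[:port]
        host, _, port = sys.argv[1].partition(":")
        cert = fetch_peer_cert(host, int(port or 995))
    else:  # offline demonstration on the constructed certificate
        host, cert = "pop.pergraziaricevuta.it", EXPANDED_CERT
    print(diagnose(cert, host))
```

Run without arguments it reproduces the thread's failure on the constructed data; run as `script.py pop.pergraziaricevuta.it:995` it inspects the live server. Keeping `verify_mode` at `CERT_REQUIRED` while turning off `check_hostname` is deliberate: `getpeercert()` returns an empty dict when verification is disabled entirely, and the chain check still catches an untrusted certificate.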

No, I didn’t! :innocent:

You’re absolutely right!

Adding “pop.pergraziaricevuta.it” to “expand” (and, of course, including its DNS records in the domain's DNS table) has resolved the issue!

Many many thanks!! I don’t know what I’d do without your help!!

PS
Nice, your “checkssl”; where could I get it? :slight_smile:


Glad you managed to get it all sorted.

you can get checkssl at https://github.com/srvrco/checkssl (it’s a simple bash script)

WOW!!

checkssl pop.pergraziaricevuta.it:995

Domain                    port  cert issued for                 valid until               cert issued by                possible issues?
pop.pergraziaricevuta.it  995   pop.pergraziaricevuta.it (alt)  Feb 15 08:44:00 2017 GMT  Let's Encrypt Authority X3

Many many thanks again @serverco !! :wink:

