Renewed certificate reported as expired

Wait, what did that command do exactly? I ran it, reloaded postfix, and the problem seems to be gone!

1 Like

From the man page I've just read again (for the third time...):

When the -F option is given, the value must specify one or more filenames separated by comma and/or white‐space; postmap(1) will concatenate the file content (with a newline character inserted between files) and will store the base64-encoded result instead of the value.

So it actually reads the contents of the files. So it really is a cache of some sort.

Seems to me you'll need to put postmap -F hash:/etc/postfix/sni in a deploy hook in certbot.

But good news, it worked! Because I can't even get tls_server_sni_maps working at all. :pensive:

Jul 9 18:09:53 server postfix/smtpd[23582]: warning: key at index 1 in SNI data for example.com does not match next certificate

Luckily I can go back to legacy TLS now you've got things working :grin:

2 Likes
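The post above pins down why the renewed certificate is reported as expired: postmap -F copies the base64-encoded contents of the PEM files into the compiled table, so after certbot replaces the files on disk the table keeps serving the old certificate until postmap runs again. The script below is an added example (not code from this thread, from Postfix or from certbot) of the deploy hook suggested above, together with an offline check that tells you whether the compiled table is older than the files it embeds. The map path /etc/postfix/sni, the compiled table name /etc/postfix/sni.db and the certbot variable RENEWED_LINEAGE (set for --deploy-hook and renewal-hooks/deploy scripts) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild Postfix's tls_server_sni_maps
# table after a certbot renewal, and detect a stale table before that.
# `postmap -F` stores the base64-encoded *contents* of the PEM files, so the
# compiled table keeps the old certificate until it is rebuilt.
# Assumptions: map source /etc/postfix/sni, compiled table /etc/postfix/sni.db,
# and certbot exporting RENEWED_LINEAGE to deploy hooks.

SNI_MAP="${SNI_MAP:-/etc/postfix/sni}"

# Print every file referenced by the map source, one per line. Entries look
# like "example.com /path/key.pem, /path/fullchain.pem"; comments and blank
# lines are skipped, and values may be separated by commas and/or whitespace
# (the separators postmap -F accepts).
sni_map_files() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            sub(/^[ \t]*[^ \t]+/, "")      # drop the lookup key
            gsub(/,/, " ")                 # commas are just another separator
            for (i = 1; i <= NF; i++) print $i
        }' "${1:-$SNI_MAP}"
}

# True (exit 0) if the compiled table is missing or older than any file it
# embeds, i.e. smtpd is serving a snapshot that no longer matches the disk.
# find -L follows the live/ symlinks certbot repoints on renewal; a missing
# file is reported by postmap itself, so it is not treated as stale here.
sni_map_is_stale() {
    map="${1:-$SNI_MAP}"
    db="$map.db"
    [ -f "$db" ] || return 0
    sni_map_files "$map" | while IFS= read -r f; do
        if [ -n "$(find -L "$f" -newer "$db" 2>/dev/null)" ]; then
            echo "$f"
        fi
    done | grep -q .
}

# True if the map references any file under the given certbot lineage
# directory (e.g. /etc/letsencrypt/live/mail.example.com).
sni_map_uses_lineage() {
    sni_map_files "$SNI_MAP" |
        awk -v p="$1/" 'index($0, p) == 1 { found = 1 } END { exit !found }'
}

# Re-encode the PEM files into the table and make Postfix pick it up.
# When certbot tells us which lineage was renewed, skip the rebuild only if
# the map does not use that lineage at all; rebuilding is otherwise cheap.
sni_deploy_hook() {
    if [ -n "${RENEWED_LINEAGE:-}" ] && ! sni_map_uses_lineage "$RENEWED_LINEAGE"; then
        return 0
    fi
    postmap -F "hash:$SNI_MAP" && postfix reload
}

case "${1:-}" in
    check)   # manual or cron audit: non-zero exit means the table is stale
        if sni_map_is_stale; then
            echo "$SNI_MAP.db is stale; run: postmap -F hash:$SNI_MAP && postfix reload" >&2
            exit 1
        fi ;;
    deploy)  sni_deploy_hook ;;
    "")      # no argument: act as a hook only when certbot invoked us
        if [ -n "${RENEWED_LINEAGE:-}" ]; then sni_deploy_hook; fi ;;
esac
```

Dropped into /etc/letsencrypt/renewal-hooks/deploy/ (an assumed location) the script rebuilds the table on every renewal that touches a lineage the map references; `postfix-sni check` from cron or a monitoring probe catches the case where someone renews by hand and forgets the rebuild. After a reload, confirm what clients actually get with `openssl s_client -starttls smtp -connect mail.example.com:25 -servername example.com` and compare the notAfter date of the presented certificate with the file on disk.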

Just tested the solution on my second server, where the same problem showed up. It works! Many many thanks for your patience and your time! That was a big burden for me; you helped me a lot. :slight_smile:

Let me know when I can give you more info about my tls_server_sni_maps config. It worked out of the box, following the above guide.

1 Like

Thanks. Might take you up on that one day, but not now :grimacing: I hate it when software acts strangely, and if Postfix were a physical object, it would probably be flying out the window about now. Besides, it works nicely now. At the moment I have one A/AAAA hostname for my Postfix, and changing everything into different SNIs would be a DNS hassle too. Also, how many SMTP clients are actually using SNI? Could you perhaps see that in your logs? If a lot of SMTP clients don't even get the correct certificate, it's no use.

2 Likes

But what would be the alternative when you host several domains on one server?

1 Like

I just specify the same hostname for all the different MX records in the DNS for all the domains.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.