SAN certificate for multiple domain mail server


#1

Hi :slightly_smiling:
First of all, thank you for giving everyone the opportunity to make the web safer without costs.

I have a server under Virtualmin to host multiple domains on a single machine (with a single IP).

Everything is working except for the email.

Right now I have one certificate working on Postfix and Dovecot, but if I want 2 or more domains with SSL connections I need a SAN certificate.

I’ve read the documentation but it doesn’t seem quite clear (at least not to me) about the result.
Here:
https://letsencrypt.readthedocs.org/en/latest/using.html#webroot

It says I can use the webroot plugin to create a multi-domain certificate. I should be using the command:

./letsencrypt certonly --webroot -w /var/www/domain1/ -d smtp.domain1.com -d imap.domain1.com -d domain1.com -w /var/www/domain2 -d domain2.com -d imap.domain2.com -d smtp.domain2.com

As far as I understand, this will get me 2 certs, one for domain1 and one for domain2 (and all of the included subdomains).

What I really need is one certificate for all of them, but from what I’ve read the webroot plugin will give me an error as it needs to validate the root path of the website, but due to my configuration (I’m using Apache) each domain is on its own path (/home/DOMAIN/public_html/).

I don’t really want to mess up the server as it’s already on production (the http part).

Could you please help me out?


#2

No, that will give you a single cert with all the names as you require.
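Before pointing Postfix and Dovecot at the resulting certificate, it is worth confirming that its Subject Alternative Names really cover every mail hostname from the `-d` list. The script below is an added example, not code from this thread or from the Let's Encrypt client; it assumes the `openssl` command-line tool is installed, and the certificate it checks is a constructed self-signed stand-in for `/etc/letsencrypt/live/<name>/fullchain.pem` carrying the six names from the command above.

```shell
#!/bin/sh
# Added example, not from the thread or the Let's Encrypt client: confirm that
# one certificate's Subject Alternative Names cover every mail hostname you
# plan to serve from Postfix and Dovecot before pointing the daemons at it.
# Assumes the openssl command-line tool is installed. The certificate built
# below is a constructed self-signed stand-in for a Let's Encrypt
# /etc/letsencrypt/live/<name>/fullchain.pem.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a self-signed certificate carrying the six names from the thread's
# command line (constructed data; the real cert comes from the CA).
make_demo_cert() {
    cat > "$WORK/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_san
prompt = no
[dn]
CN = smtp.domain1.com
[v3_san]
subjectAltName = DNS:smtp.domain1.com,DNS:imap.domain1.com,DNS:domain1.com,DNS:domain2.com,DNS:imap.domain2.com,DNS:smtp.domain2.com
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/privkey.pem" -out "$WORK/cert.pem" \
        -config "$WORK/san.cnf" >/dev/null 2>&1
    printf '%s\n' "$WORK/cert.pem"
}

# cert_sans CERT: print each DNS name from the certificate's SAN extension,
# one per line (parsed from the human-readable -text output for portability).
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' \
        | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p'
}

# check_san_coverage CERT NAME...: return 0 only if every NAME is a DNS SAN.
# A missing name means clients connecting to that hostname get a name
# mismatch, which is exactly what the single SAN certificate is meant to avoid.
check_san_coverage() {
    cert=$1
    shift
    sans=$(cert_sans "$cert")
    missing=0
    for name in "$@"; do
        if printf '%s\n' "$sans" | grep -qx "$name"; then
            echo "ok       $name"
        else
            echo "MISSING  $name"
            missing=1
        fi
    done
    return $missing
}

CERT=$(make_demo_cert)
echo "DNS SANs in $CERT:"
cert_sans "$CERT"

# All four mail hostnames are present, so this one cert serves both domains.
check_san_coverage "$CERT" smtp.domain1.com imap.domain1.com smtp.domain2.com imap.domain2.com

# A hostname that was never requested is flagged so the cert is not deployed for it.
check_san_coverage "$CERT" mail.domain3.com \
    || echo "certificate does not cover every hostname; fix the -d list and reissue"
```

On a real server, replace `make_demo_cert` with the path of the issued `fullchain.pem` and list the hostnames configured in Postfix (`smtpd_tls_cert_file`) and Dovecot (`ssl_cert`); the check is exact-match on DNS names, so a wildcard entry would need separate handling.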


#3

wow that was fast :slightly_smiling:

And where will it store the certificates? Under /etc/letsencrypt/live?


#4

Yes, under the domain that becomes the common name (should be the 1st one).


#5

Thank you very much :smiley:


#6

Ok, so last week I reached the 5-certificate limit and had to wait a week for it to renew. Now I’m back at it and when I run the command I get this:

archive directory exists for www.DOMAIN.com

I looked for the certs in /etc/letsencrypt/live and there was nothing there, so I did a search on my server and it turns out they are being stored in /etc/letsencrypt/archive/www.DOMAIN.com/

So I tried to use those certs (weird that it put them there instead of live, but tried it just in case) and when I try to access a website it says the certificate is not valid as it has been issued by happy hacker fake CA.

I’m new to all this server/certificate stuff so I’m pretty sure I messed it up somewhere and I don’t really know where…

This is the command I’m using:

cd /root/letsencrypt/ && ./letsencrypt-auto certonly --email info@DOMAIN.com --agree-tos --webroot --renew-by-default -w /home/DOMAIN/public_html/ -d www.DOMAIN.com -d DOMAIN.com -d autoconfig.DOMAIN.com -w /home/DOMAIN2/public_html -d www.DOMAIN2.com -d DOMAIN2.com -d autoconfig.DOMAIN2.com --authenticator webroot

Before this, last week I tried deleting all folders and certificates of the website under /etc/letsencrypt/live and the conf file under /etc/letsencrypt/renewal/

Maybe that’s where I went wrong… :S

Thanks a lot :slight_smile:

I’m editing myself… So it seems that the certs I refer to a few lines above are the ones I created last week and the new ones are nowhere to be seen… so I basically have no idea where they are… I’m gonna try deleting the directories in the “archive” as well as the conf files and see what happens… hopefully I will not get a “limit reached” error :smiley:


#7

Hi @pqangel, I think we really have to figure out some way to discourage people from always deleting stuff under /etc/letsencrypt, since many people have done so and run into problems. There are, as the database people like to say, referential integrity issues, because the various things within that directory refer to one another. If you delete one but not the other, the software can get confused because it may make incorrect assumptions about files that should exist, or about where it can safely save new certificates.
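The cross-references described above can be checked rather than guessed at. The script below is an added example, not code from this thread or from the Let's Encrypt client; it builds a constructed, simplified stand-in for the `/etc/letsencrypt` layout (numbered files in `archive/`, symlinks in `live/` pointing into `archive/`, a reduced renewal file holding only the path keys) in a temporary directory, audits it, then repeats the deletion from post #6 (removing `live/` and the renewal conf while keeping `archive/`) to show which references break. The lineage name `www.DOMAIN.com` is the thread's placeholder.

```shell
#!/bin/sh
# Added example, not from the thread or the Let's Encrypt client: audit one
# certificate lineage under the /etc/letsencrypt layout (archive/ holds the
# numbered files, live/ holds symlinks into archive/, renewal/ holds the
# config the client needs to renew). The tree built here is a constructed,
# simplified stand-in in a temporary directory, not a real installation, and
# the renewal file is reduced to its path keys.
set -e

ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
NAME=www.DOMAIN.com   # placeholder lineage name, as used in the thread

# make_demo_tree ROOT NAME: lay out one consistent lineage (constructed data).
make_demo_tree() {
    root=$1; name=$2
    mkdir -p "$root/archive/$name" "$root/live/$name" "$root/renewal"
    for f in cert chain fullchain privkey; do
        echo "placeholder-$f" > "$root/archive/$name/${f}1.pem"
        ln -s "../../archive/$name/${f}1.pem" "$root/live/$name/$f.pem"
    done
    cat > "$root/renewal/$name.conf" <<EOF
archive_dir = $root/archive/$name
cert = $root/live/$name/cert.pem
privkey = $root/live/$name/privkey.pem
chain = $root/live/$name/chain.pem
fullchain = $root/live/$name/fullchain.pem
EOF
}

# audit_lineage ROOT NAME: report every cross-reference that no longer holds
# and return the number of problems (0 means the lineage is consistent).
audit_lineage() {
    root=$1; name=$2; problems=0
    if [ ! -d "$root/archive/$name" ]; then
        echo "archive/$name is missing: nothing for live/ to point at"
        problems=$((problems + 1))
    fi
    if [ ! -f "$root/renewal/$name.conf" ]; then
        echo "renewal/$name.conf is missing: the client no longer knows this lineage"
        problems=$((problems + 1))
    fi
    for f in cert chain fullchain privkey; do
        link="$root/live/$name/$f.pem"
        if [ ! -L "$link" ]; then
            echo "live/$name/$f.pem is missing (should be a symlink into archive/)"
            problems=$((problems + 1))
        elif [ ! -e "$link" ]; then
            echo "live/$name/$f.pem is dangling -> $(readlink "$link")"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

make_demo_tree "$ROOT" "$NAME"
echo "fresh lineage:"
audit_lineage "$ROOT" "$NAME" && echo "  consistent"

# Repeat what post #6 describes: delete live/ and the renewal conf, keep archive/.
rm -rf "$ROOT/live/$NAME" "$ROOT/renewal/$NAME.conf"
echo "after deleting live/ and renewal/ only:"
audit_lineage "$ROOT" "$NAME" \
    || echo "  $? problem(s); archive/$NAME still exists, which is the 'archive directory exists' situation from the thread"
```

Run against a real `/etc/letsencrypt` by calling `audit_lineage /etc/letsencrypt <lineage>` from a root shell; a non-zero count is a signal to restore the missing pieces (or let the client recreate the lineage) rather than to delete more.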


#8

You are completely right about it, but when you are a “n00b” like myself sometimes it seems like “the best and fastest” choice…

BTW, doing what I just said I could successfully create the certificates, but it seems I didn’t do something right, as now I’m getting a not completely trusted certificate (although it’s signed by Let’s Encrypt and everything seems right…). When I access my website (under WordPress) it says “connection is not safe, parts of this website are not secure (like images)”. But I’m sure this is a theme or WordPress issue.

I’m also having a hard time with authentication and signing emails… (Gmail says my mails are not signed…) so I’ll dig around and see what I get, although suggestions are welcome :smiley:


#9

The most common reason for your site “not being trusted” when everything else looks right is because you are loading images via http, not https. Try checking your domain at https://www.whynopadlock.com/


#10

It was the site logo :stuck_out_tongue:

Problem solved :smiley:

All I’ve got left is to figure out an authentication error I have on my mail server, but that’s a completely different story that has nothing to do with Let’s Encrypt.

Thank you very much.


#11

It often is the most obvious of things :slight_smile:

If you have a certificate for the server name, then that is usually sufficient (if you use the full chain) for configuring email for Google and others to accept.


#12

The problem I have is logging in from a mail client to my mail server (Postfix). I can log in correctly using webmail and everything is OK, so I guess I have an issue with the configured certificates (it says the certificate is not trusted and then gives me an SMTP authentication error)… I’ll keep digging and post the answer here just in case anyone is interested.

Thanks again :slight_smile:


#13

Just use your server name (not domain name) in your mail client (assuming you are using a cert with your server name on it), and all should be good, if that provides you with a suitable solution.


#14

Then these files should definitely be under /var/lib/ and not in /etc/.


#15

It turns out saslauthd wasn’t working properly (no idea why this happened…) but I restarted the service and everything is working OK now.

Thank you all for your help :smiley: