Two certificates, same subdomain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: certbot certonly --standalone

It produced this output: succeded

My web server is (include version): Nginx

The operating system my web server runs on is (include version): Debian 10

My hosting provider, if applicable, is: OVH recent VPS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): last version

I succeded while getting a web server certificate for both : and .com , with and without www. and postfixadmin.

Then, I got another certificate for

However, this last mail certificate doesn't seem to be recognized, at least on Qualys SS Labs test site, for which the domain appears to be instead of

Wonder if I should revoke the mail certif, then add a mail certificate to the web server certificate.

Thank you very much for your help.


1 Like

Hi @ortolojf

there is the wrong certificate.

But that's expected. certonly doesn't install the certificate and doesn't restart your server. Do both.

1 Like

Please elaborate on WHAT you're trying to do with your mail subdomain:

  • Are you trying to secure a mailserver? I.e., SMTP and/or IMAP?
  • Are you trying to secure a website with the mail subdomain? E.g. for webmail or something like that?
1 Like

Hi Sir

Did configure Postfix /Dovecot on this same server than the web server.

The new mail certif is devoted to secure mail access.

Indeed, all services nginx, postfix, dovecot, were being restarted several times.

Thank you very much.


1 Like

The SSLLabs Server check only works for mailservers, so it cannot be used for checking mailservers.

After you've run the above certbot command, you need to install the certificate for manually into Postfix and Dovecot.

Also: your Postfix and Dovecot aren't running: I only get "connection refused" errors on SMTP and IMAP ports.

Also nr 2: note that you didn't include the .com TLD in the certificate for your mail subdomain.

1 Like

Hi Sir

That's done.

fullchain.pem as general certif,

privkey.pem as private certif,

chain.pem as trusted certificate.

Addendum : I apologize, did stop postfix/dovecot one hour ago.

Both services are running now.

Thank you very much.


1 Like

Your SMTP and IMAP daemons are still offline, so I cannot test if they're properly configured.

1 Like

Hi Sir

They are online now.

Did'nt try at all to get the mail .com certificate.

Thank you.

1 Like

Only Dovecot on standard IMAP port 143 and I'm getting an error when trying to do STARTTLS. Port 993, IMAPS, isn't open.

Postfix isn't answering on port 25 nor 587 and seems to be down.

1 Like

Hi Sir

All these days, did struggle for configuring postfix/dovecot.

I'll try to get it working shortly.

Apart from config., is there a way for checking the certificate ?

Meanwhile, is it mandatory having only one certif for both web and mail servers ?

These are on the same virtual private server.

Thank you very much.

1 Like

Hi Sir

From a 'nmap -R -sV'

The 993, 995 ports are tcpwrapped,

25, 587 are not found.

I will investigate.

Thank you very much for your help;

1 Like

There are plenty of sites on the internet capable of testing mailservers for TLS.


Postfix is still down and Dovecot is erroring out when trying to do TLS:

osiris@erazer ~ $ telnet 143
Trying 2001:41d0:304:200::b328...
Connected to
Escape character is '^]'.
10 OK Begin TLS negotiation now.
* BYE [UNAVAILABLE] TLS initialization failed.
Connection closed by foreign host.
osiris@erazer ~ $ telnet 110
Trying 2001:41d0:304:200::b328...
Connected to
Escape character is '^]'.
+OK Dovecot (Debian) ready.
+OK Begin TLS negotiation now.
-ERR [SYS/TEMP] TLS initialization failed.
Connection closed by foreign host.
osiris@erazer ~ $ 

Please check your Dovecot error logs to see what's going on.

1 Like

Hi Sir

I succeded with removing the mail certificate then adding the mail subdomain to the existing certificate.

I get an A now on Qualys SSL site.

There only remains the postfix/dovecot problem.

From my initial point of view, my problem is solved.

Thank you very much Sir.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.