Two certificates, same subdomain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mail.pronostics-courses.fr

I ran this command: certbot certonly --standalone mail.pronostics-courses.fr

It produced this output: succeeded

My web server is (include version): Nginx

The operating system my web server runs on is (include version): Debian 10

My hosting provider, if applicable, is: OVH recent VPS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): last version

I succeeded in getting a web server certificate for both: pronostics-courses.fr and .com, with and without www. and postfixadmin.

Then, I got another certificate for mail.pronostics-courses.fr.

However, this last mail certificate doesn't seem to be recognized, at least on the Qualys SSL Labs test site, for which the domain appears to be pronostics-courses.fr instead of mail.pronostics-courses.fr.

Wonder if I should revoke the mail certif, then add a mail certificate to the web server certificate.

Thank you very much for your help.

JO

1 Like

Hi @ortolojf

There is the wrong certificate.

But that's expected. certonly doesn't install the certificate and doesn't restart your server. Do both.

1 Like

Please elaborate on WHAT you're trying to do with your mail subdomain:

  • Are you trying to secure a mailserver? I.e., SMTP and/or IMAP?
  • Are you trying to secure a website with the mail subdomain? E.g. for webmail or something like that?
1 Like

Hi Sir

Did configure Postfix/Dovecot on the same server as the web server.

The new mail certif is devoted to secure mail access.

Indeed, all services nginx, postfix, dovecot, were being restarted several times.

Thank you very much.

JO

1 Like

The SSLLabs Server check only works for mailservers, so it cannot be used for checking mailservers.

After you've run the above certbot command, you need to install the certificate for mail.pronostics-courses.fr manually into Postfix and Dovecot.

Also: your Postfix and Dovecot aren't running: I only get "connection refused" errors on SMTP and IMAP ports.

Also nr 2: note that you didn't include the .com TLD in the certificate for your mail subdomain.

1 Like

Hi Sir

That's done.

fullchain.pem as general certif,

privkey.pem as private certif,

chain.pem as trusted certificate.

Addendum: I apologize, I did stop postfix/dovecot one hour ago.

Both services are running now.

Thank you very much.


1 Like

Your SMTP and IMAP daemons are still offline, so I cannot test if they're properly configured.

1 Like

Hi Sir

They are online now.

Didn't try at all to get the mail .com certificate.

Thank you.

1 Like

Only Dovecot on standard IMAP port 143 and I'm getting an error when trying to do STARTTLS. Port 993, IMAPS, isn't open.

Postfix isn't answering on port 25 nor 587 and seems to be down.

1 Like

Hi Sir

All these days, I did struggle with configuring postfix/dovecot.

I'll try to get it working shortly.

Apart from config., is there a way of checking the mail.pronostics-courses.fr certificate?

Meanwhile, is it mandatory to have only one certif for both web and mail servers?

These are on the same virtual private server.

Thank you very much.

1 Like

Hi Sir

From a 'nmap -R -sV pronostics-courses.fr'

The 993, 995 ports are tcpwrapped,

25, 587 are not found.

I will investigate.

Thank you very much for your help.

1 Like

There are plenty of sites on the internet capable of testing mailservers for TLS.

No.

Postfix is still down and Dovecot is erroring out when trying to do TLS:

osiris@erazer ~ $ telnet mail.pronostics-courses.fr 143
Trying 2001:41d0:304:200::b328...
Connected to mail.pronostics-courses.fr.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot (Debian) ready.
10 STARTTLS
10 OK Begin TLS negotiation now.
* BYE [UNAVAILABLE] TLS initialization failed.
Connection closed by foreign host.
osiris@erazer ~ $ telnet mail.pronostics-courses.fr 110
Trying 2001:41d0:304:200::b328...
Connected to mail.pronostics-courses.fr.
Escape character is '^]'.
+OK Dovecot (Debian) ready.
CAPA
+OK
CAPA
TOP
UIDL
RESP-CODES
PIPELINING
AUTH-RESP-CODE
STLS
USER
SASL PLAIN LOGIN
.
STLS
+OK Begin TLS negotiation now.
-ERR [SYS/TEMP] TLS initialization failed.
Connection closed by foreign host.
osiris@erazer ~ $ 

Please check your Dovecot error logs to see what's going on.

1 Like
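The question above ("is there a way of checking the mail.pronostics-courses.fr certificate?") and the telnet session that shows Dovecot answering "Begin TLS negotiation now" and then "TLS initialization failed" can both be checked offline from your own machine, without a third-party test site. The script below is an added example written for this thread; it is not code from the original posts, from Certbot, or from Dovecot/Postfix. It drives the plaintext half of STARTTLS for IMAP, POP3 and SMTP (or uses implicit TLS on 993/995/465), then reports which DNS names the presented certificate carries and whether they cover the mail hostname, which is exactly the symptom described earlier (the web certificate for pronostics-courses.fr being served instead of one for mail.pronostics-courses.fr). The EHLO name `tls-check.invalid` and the hostname used in `main` are assumptions for illustration.

```python
"""Check STARTTLS / implicit TLS on a mail host and whether its certificate covers the name.

Added example for this thread (not project code). Usage:
    python3 mailtls_check.py mail.pronostics-courses.fr
"""
import socket
import ssl
import sys


def san_matches(hostname: str, san_names) -> bool:
    """True if hostname is covered by one of the certificate's DNS SANs.

    A wildcard is honoured only in the leftmost label and matches exactly one
    label (*.example.com covers mail.example.com, not a.b.example.com).
    """
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                      # ".example.com"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False


def _read_line(rfile) -> str:
    line = rfile.readline()
    if not line:
        raise ConnectionError("server closed the connection")
    return line.decode("utf-8", "replace").rstrip("\r\n")


def _read_smtp_reply(rfile) -> str:
    """Read a possibly multi-line SMTP reply and return its final line ("250 ..." rather than "250-...")."""
    while True:
        line = _read_line(rfile)
        if len(line) < 4 or line[3] != "-":
            return line


def negotiate_starttls(rfile, wfile, proto: str) -> str:
    """Run the plaintext STARTTLS dialogue. Returns "" if the server agreed, else the refusing line."""
    if proto == "imap":
        greeting = _read_line(rfile)
        if not greeting.startswith("* OK"):
            return greeting
        wfile.write(b"a1 STARTTLS\r\n")              # "a1" is our client tag
        while True:
            line = _read_line(rfile)
            if line.startswith("a1 "):              # tagged response to our command
                return "" if line.startswith("a1 OK") else line
    if proto == "pop3":
        greeting = _read_line(rfile)
        if not greeting.startswith("+OK"):
            return greeting
        wfile.write(b"STLS\r\n")
        line = _read_line(rfile)
        return "" if line.startswith("+OK") else line
    if proto == "smtp":
        line = _read_smtp_reply(rfile)
        if not line.startswith("220"):
            return line
        wfile.write(b"EHLO tls-check.invalid\r\n")   # assumed client name
        line = _read_smtp_reply(rfile)
        if not line.startswith("250"):
            return line
        wfile.write(b"STARTTLS\r\n")
        line = _read_smtp_reply(rfile)
        return "" if line.startswith("220") else line
    raise ValueError(f"unknown protocol {proto!r}")


def check_mail_tls(host: str, port: int, proto: str, timeout: float = 10.0) -> dict:
    """Connect, upgrade to TLS (proto "tls" = implicit TLS), and describe the certificate offered."""
    ctx = ssl.create_default_context()              # system CA store, chain still verified
    ctx.check_hostname = False                       # we report name mismatches instead of aborting
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if proto != "tls":
                # buffering=0 so nothing beyond the server's OK line is read ahead of the handshake
                refusal = negotiate_starttls(sock.makefile("rb", buffering=0),
                                             sock.makefile("wb", buffering=0), proto)
                if refusal:
                    return {"ok": False, "error": f"STARTTLS refused: {refusal}"}
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                return {"ok": True, "protocol": tls.version(), "cipher": tls.cipher()[0],
                        "san": names, "covers_host": san_matches(host, names),
                        "not_after": cert.get("notAfter")}
    except OSError as exc:                           # refused, timeout, or a failed TLS handshake
        return {"ok": False, "error": f"{type(exc).__name__}: {exc}"}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.invalid"   # assumed default
    for port, proto in ((25, "smtp"), (587, "smtp"), (143, "imap"), (110, "pop3"),
                        (993, "tls"), (995, "tls"), (465, "tls")):
        print(port, proto, check_mail_tls(target, port, proto))
```

A daemon that answers "Begin TLS negotiation now" and then drops the connection, as in the transcript above, shows up here as a failed handshake in the `error` field; a daemon that is up but serving the web certificate shows `covers_host: False` with the web names listed under `san`.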

Hi Sir

I succeeded with removing the mail certificate, then adding the mail subdomain to the existing certificate.

I get an A now on Qualys SSL site.

There only remains the postfix/dovecot problem.

From my initial point of view, my problem is solved.

Thank you very much Sir.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.