Varnish, Pound, RoundCube and Let's Encrypt


Hello, I’ve been using Let’s Encrypt for a few months now for a few clients’ domains and they all work fine. However, I’m trying to migrate my mail servers and have created some new scripts that allow for to be entered against the certificate; the script challenges and is verified against all validated lookups for the domains and subdomains. As far as I can tell this works properly. However, when visiting the domain it doesn’t appear to work for the webmail subdomain.

I’m using Varnish, Pound and Roundcube. Pound terminates the SSL for the requests (Varnish may be an unnecessary extra, however it will remain for the time being), then forwards them to Varnish, which gets them from the back end (Roundcube). There are a number of certificates listed in Pound. I’m terminating the webmail certificate here because we use servers running Plesk and it doesn’t support webmail certificates (currently natively), and the method recommended in the forums seems tedious to me, as the challenge is intercepted by the webmail configuration. On that note, I looked at the Plesk source and couldn’t see how to modify the script calls for nginx or letsencrypt, so moved it out to our proxies.

SSL for and - works.
SSL for - defaults to the first cert in the list of certificates.

Firstly, I’m quite sure is included in the certificate but would like to confirm this. Is that possible without having it configured? I’ve checked SSL checker and it doesn’t validate the webmail subdomain. It simply falls back to the first domain certificate (

Am I correct in thinking the subdomain should be part of the same certificate?

Certbot Script Information
```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
http-01 challenge for
http-01 challenge for
Waiting for verification…
Cleaning up challenges
Generating key (4096 bits): /etc/letsencrypt/keys/0011_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0011_csr-certbot.pem

 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/ Your cert
   will expire on 2017-06-15. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:
   Donating to EFF:
```

Pound Config

```
        HeadRemove "X-Forwarded-Proto"
        AddHeader "X-Forwarded-Proto: https"
        Port    443
        xHTTP           0
        Cert "/etc/pound/certs/"
        Cert "/etc/pound/certs/"
        Cert "/etc/pound/certs/"
        Cert "/etc/pound/certs/" # Includes webmail

                        Port    80
```

Any help or tips would be appreciated.
Thank you,
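
The post above asks whether a hostname's presence in a certificate can be confirmed without serving it. As an added example that is not part of the original thread, this runs the check offline against PEM files with the `openssl` CLI; the `site.example` names, file names and throwaway certificates are constructed for the demo.

```shell
#!/usr/bin/env bash
# Offline check of which hostnames a PEM certificate covers.
# All hostnames and files below are constructed for the demo.

# list_sans PEM -> DNS subjectAltName entries, one per line.
# openssl x509 reads the first certificate in the file (the leaf).
list_sans() {
    openssl x509 -in "$1" -noout -text |
        grep -o 'DNS:[^,[:space:]]*' | cut -d: -f2
}

# cert_covers PEM HOST -> exit 0 if HOST matches the certificate,
# using OpenSSL's own hostname check (wildcards included).
cert_covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# certs_covering HOST PEM... -> print every PEM that covers HOST,
# e.g. run over the files named on a proxy's Cert lines.
certs_covering() {
    local host=$1 pem
    shift
    for pem in "$@"; do
        if cert_covers "$pem" "$host"; then printf '%s\n' "$pem"; fi
    done
}

# make_sample_cert OUT CN SAN-LIST -> throwaway self-signed test cert.
make_sample_cert() {
    local cnf
    cnf=$(mktemp)
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3' \
        'prompt=no' '[dn]' "CN=$2" '[v3]' "subjectAltName=$3" > "$cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cnf" \
        -keyout "$cnf.key" -out "$1" 2>/dev/null
    rm -f "$cnf" "$cnf.key"
}

demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/other.pem" other.example 'DNS:other.example'
make_sample_cert "$demo_dir/site.pem" site.example \
    'DNS:site.example,DNS:www.site.example,DNS:webmail.site.example'
list_sans "$demo_dir/site.pem"
certs_covering webmail.site.example "$demo_dir"/*.pem
```

Pointing `list_sans` at the file certbot wrote under `/etc/letsencrypt/live/` and at the copy the proxy loads shows whether both hold the same names.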


Still not sure why, but I checked the Let’s Encrypt logs and all domains/subdomains were validating correctly. However, the generated certificate in Pound, which would work for the parent domain and www. variation, would not work for webmail. I then created a certificate by itself (almost identical method, just two fewer domains in the Let’s Encrypt call), and this, once added to Pound, validates correctly.

It’s only a little more work to validate the domains, but I’m wondering: should this be expected, or should I be able to compound the domains and subdomains into a single file?


Hi @nate1

A) What is the client you are using and what are the commands?
B) Can you draw a network diagram of how the components interact?
C) Can you paste screenshots of what’s actually not working?

This should all help in suggesting areas for attention.



A) what is the client you are using and what are the commands - Certbot?

The command is in a bash script called with parameters:

```bash
sudo /etc/letsencrypt/certbot-auto certonly --standalone --agree-tos --domains ${domains} --email ${email_address} --preferred-challenges http-01 --http-01-port 8000 --renew-by-default --rsa-key-size 4096
```

Domains =,,

I’ve checked the logs and all challenges are working.

B) can you draw a network diagram of how the components interact

https -> pound (SSL Termination) [This is where the issue is] -> Varnish -> Web Server Backend

Pound simply listens on 443, assigns a certificate and then does what it’s told. This works in most circumstances; it would be nice and tidy if I only needed one certificate per domain name.

C) Can you paste screenshots of whats actually not working
The SSL Certificate isn’t including against the SSL certificate that was requested. I’ve done this for just as its own certificate and it works fine; however, included with the other & it won’t work but they both do.


The issue may be with Webroot

But the files aren’t hosted on the server…

