Hello, I've been using Let's Encrypt for a few months now for a few clients' domains and they all work fine. However, I'm trying to migrate my mail servers and have created some new scripts that allow for web-mail.domain.com to be entered against the certificate; the script challenges and is verified against all validated lookups for the domains and subdomains. As far as I can tell this works properly - however, when visiting the domain it doesn't appear to work for the webmail subdomain.
I'm using Varnish, Pound and Roundcube. Pound terminates the SSL for the requests (Varnish may be an unnecessary extra, however it will remain for the time being), then forwards them to Varnish, which gets them from the back end (Roundcube). There are a number of certificates listed in Pound. I'm terminating the webmail certificate here because we use servers running Plesk and it doesn't support webmail certificates (currently natively), and the method recommended in the forums seems tedious to me, as the challenge is intercepted by the webmail configuration - on that note, I looked at the Plesk source and couldn't see how to modify the script calls for nginx or letsencrypt, so I moved it out to our proxies.
- **SSL for domain.com and www.domain.com** - works.
- **SSL for webmail.domain.com** - defaults to the first cert in the list of certificates.
Firstly, I'm quite sure webmail.domain.com is included in the certificate but would like to confirm this. Is that possible without having it configured? I've checked SSL Checker and it doesn't validate the webmail subdomain. It simply falls back to the first domain certificate (ourcompany.com).
Am I correct in thinking the subdomain should be part of the same certificate?
**Certbot Script Information**

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.domain.com
http-01 challenge for domain.com
http-01 challenge for webmail.domain.com
Waiting for verification…
Cleaning up challenges
Generating key (4096 bits): /etc/letsencrypt/keys/0011_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0011_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/www.domain.com-0001/fullchain.pem. Your cert
   will expire on 2017-06-15. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
```
**Pound Config**

```
ListenHTTPS
    HeadRemove "X-Forwarded-Proto"
    AddHeader "X-Forwarded-Proto: https"
    Address 0.0.0.0
    Port 443
    xHTTP 0
    Cert "/etc/pound/certs/companydomain.com.pem"
    Cert "/etc/pound/certs/domain1.com.pem"
    Cert "/etc/pound/certs/domain2.com.pem"
    Cert "/etc/pound/certs/domain3.com.pem" # Includes webmail
    Service
        BackEnd
            Address 127.0.0.1
            Port 80
        End
    End
End
```
Any help or tips would be appreciated.
Thank you,
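The question above asks how to confirm, without configuring anything, whether webmail.domain.com is actually a subjectAltName in the issued certificate. The following is an added example (not code from the original post or from certbot or Pound): a small shell check that lists the DNS names in a PEM certificate with the openssl CLI and tests a hostname against that list. To run offline it builds a constructed self-signed certificate with three SANs; in practice you would point `cert_sans` at the `fullchain.pem` path printed by certbot. The `served_sans` helper, the `SAMPLE` path and the hostnames are assumptions for illustration.

```shell
#!/bin/sh
# Added example: inspect the subjectAltName (SAN) entries of a PEM certificate
# and test whether a hostname is covered. Relies only on the openssl CLI.

# Print the DNS names in a certificate's SAN extension, one per line.
# "$1" is a PEM file; for certbot that is live/<name>/fullchain.pem, whose
# first certificate is the leaf (openssl x509 reads only the first one).
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep 'DNS:' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*DNS://; s/[[:space:]]*$//'
}

# Exit status 0 if the exact hostname "$2" is listed in the SANs of "$1".
cert_has_san() {
    cert_sans "$1" | grep -qx "$2"
}

# Constructed sample: a throwaway self-signed certificate with three SANs so
# the check can run without a real Let's Encrypt certificate.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1" \
        -subj "/CN=domain.com" \
        -addext "subjectAltName=DNS:domain.com,DNS:www.domain.com,DNS:webmail.domain.com" \
        >/dev/null 2>&1
}

# Show the SANs of the certificate a TLS endpoint actually serves for a given
# SNI name (hypothetical helper, needs network; not exercised here).
served_sans() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -text | grep 'DNS:'
}

SAMPLE="${TMPDIR:-/tmp}/san-example.$$.pem"   # constructed path
make_sample_cert "$SAMPLE"
cert_sans "$SAMPLE"
```

If `cert_has_san fullchain.pem webmail.domain.com` succeeds, the name is in the certificate and the problem lies in which certificate the proxy selects for that SNI name; comparing the output of `cert_sans` on the file with `served_sans webmail.domain.com` shows whether the two differ.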