Email SSL Certificate

meckanix · 2 August 2020 15:19

Problem Description

Email clients are getting invalid SSL certs. I’ve configured the A record of mail.$DOMAIN, but upon an SSL check I get:
unknown: x509: certificate is valid for houndmkiii.vs.mythic-beasts.com, www.houndmkiii.vs.mythic-beasts.com, not mail.$DOMAIN

But for $DOMAIN itself, it’s fine:
The certificate currently available on $DOMAIN is OK. It is not one of the certificates affected by the Let’s Encrypt CAA rechecking problem. Its serial number is 04ccd2295f55703fba0b7476f5beda20a6e9

Do I need to do something with the config so that it uses the right SSL cert?

Any Error Messages

See above

Environment

Sympl Version [9.0/10.0]: 10.0.200127.0
Sympl Testing Version? [Yes/No]: No
Debian Version [Buster/Stretch]: Buster
Hardware Type? [Dedicated/Virtual/Pi]: VM
Hosted On? [name of hosting co]: mythic-beasts

Kelduum · 2 August 2020 15:54

At the moment, you need to use the bare domain (just example.com rather than mail.example.com) for the mail client.

Sympl only supports getting certificates for the bare domain and the www subdomain, but not the mail subdomain or any others, but that should be fixed in the next major version.

Theres a kludge to get this to work by adding an alias/symlink from mail.example.com to example.com in /srv, then forcing a new cert request with sympl-ssl --force example.com, but it’s not very elegant at present.

pcollinson · 2 August 2020 17:03

This kludge can cause problems with websites - suddenly mail… becomes a synonym for www… - and that opens up loads of problems and increases search engine and hacking access. I stopped doing this when I moved to Mythic - but am still getting bots trying to get into mail…

Might be better to have an email only separate domain for the mail. site. You can then symlink the mail directory over, and get the certificate. Will this work?

Kelduum · 8 August 2020 10:12

Maybe, but you’d probably be best off using a valid hostname for the mail clients for now - it can be any hostname for the server, as long as it has a valid SSL cert - it doesn’t have to match the mail domain.

meckanix · 8 August 2020 10:13

I will start using the server itself as the email server in the client settings rather than mail.$DOMAIN

system · 18 August 2020 10:13

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.