LE SSL certificate being used for unrelated domain in Postfix/Dovecot

#1 Mon, 09/30/2019 - 18:27
agathongroup

Greetings,

We have a virtual server, $DOMAIN, for which LE wants to create an SSL certificate (by default) using the following domains:

$DOMAIN
www.$DOMAIN
mail.$DOMAIN

This is unusual b/c the other virtual servers on this server only default to creating an LE cert for $whatever and www.$whatever (i.e., NOT mail.$whatever). No worries, though - I'll just override this with "Domain names listed here" in the LE creation screen and specify only $DOMAIN and www.$DOMAIN.

Now, I've created mail.$DOMAIN as a separate virtual server because I want to set that up with its own site, and create an LE cert to use in Postfix/Dovecot for everyone else to use on the server. All's well.

However, when the LE cert for $DOMAIN and www.$DOMAIN gets auto-renewed, it gets installed into Postfix/Dovecot for mail.$DOMAIN despite the fact that that's not a valid alternate name on the certificate.

I cannot tell where it's getting set that mail.$DOMAIN should be included under "Domains associated with this server" as mail.$DOMAIN is most certainly not associated with the $DOMAIN virtual server (at least, not intentionally!). And I cannot tell why it would possibly be associated with the mail.$DOMAIN settings in Postfix and Dovecot once it's renewed.

This is bizarre enough that I'm not sure I'm even doing a good job of explaining the problem. That said, does anyone have an idea of what might be happening here and how I can prevent further conflicts?

Please let me know if I can elucidate any further.

Thanks! Peter

Tue, 10/01/2019 - 04:29
Jfro

Peter, take a look; it is not the solution, but it perhaps explains some: https://github.com/webmin/webmin/issues/1118#issuecomment-535577203

Tue, 10/01/2019 - 09:34
agathongroup

Thanks for the comment, jfro - as far as I can tell this isn't related, as no error is thrown by Validate Virtual Servers. Also:

Peters-MacBook-Pro-2:~ pcg$ dig -t mx $DOMAIN +short
0 filter.agathongroup.com.

MX doesn't point to mail.$DOMAIN, but rather a spam filter service we provide.

It also doesn't explain why Vmin is getting confused and using the LE SSL cert for $DOMAIN/www.$DOMAIN in the Postfix and Dovecot config for mail.$DOMAIN, despite the fact that I've told it not to use mail.$DOMAIN for that virtual server.

Peter

Thu, 10/10/2019 - 08:49
agathongroup

Anyone? I'm confused as to why Virtualmin is using the SSL certificate for $DOMAIN on email services for mail.$DOMAIN, and in fact why mail.$DOMAIN shows up in the default LE configuration for $DOMAIN in the first place. And it's causing downtime on every LE renewal, so I'm hoping someone can chime in here with something else I can check on.

Thanks, Peter
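
A post-renewal check for the mismatch described in this thread, as an added example that is not part of the original posts and is not Virtualmin's own code: it tests whether a certificate file actually covers each hostname the mail services answer on. `example.com` stands in for $DOMAIN, the function names are hypothetical, and the certificate is a throwaway self-signed one constructed for the demo (`-addext` assumes OpenSSL 1.1.1 or later).

```bash
#!/usr/bin/env bash
# Added example (not from the thread). example.com stands in for $DOMAIN and
# the certificate is a throwaway self-signed one constructed for the demo.

# Exit 0 if CERT (PEM file) is valid for HOST according to its SAN entries.
# `openssl x509 -checkhost` reports the result as text, so match on that.
cert_covers_host() {
    local cert="$1" host="$2"
    openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
        grep -q "does match certificate"
}

# Print every hostname from the argument list that CERT does not cover.
report_uncovered() {
    local cert="$1" host
    shift
    for host in "$@"; do
        cert_covers_host "$cert" "$host" || echo "$host"
    done
}

# Constructed sample: a cert whose SANs are only example.com and
# www.example.com, mirroring the one requested for $DOMAIN and www.$DOMAIN.
make_sample_cert() {
    local dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/CN=example.com" \
        -addext "subjectAltName=DNS:example.com,DNS:www.example.com" 2>/dev/null
}

demo() {
    local dir missing
    dir="$(mktemp -d)"
    make_sample_cert "$dir"
    # Hostnames that clients would connect to while this cert is being served.
    missing="$(report_uncovered "$dir/cert.pem" www.example.com mail.example.com)"
    rm -rf "$dir"
    if [ -z "$missing" ]; then
        echo "OK"
    else
        echo "NOT COVERED: $missing"
    fi
}
demo
```

On a live host the certificate argument would be the file Postfix reports with `postconf -h smtpd_tls_cert_file` and the file named by Dovecot's `ssl_cert` setting, checked after each renewal against the hostname mail clients use.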
