How to set up SSL for dovecot's virtualmin?

#1 Fri, 09/07/2018 - 09:09
jurassic

I have a domain.com virtual server in Virtualmin. To use IMAP in secure mode, I need an SSL certificate.

Since the MX DNS register needs to be a subdomain, I created mx.domain.com.

Now I need to add mx.domain.com to the SSL certificate, so I tried to create a sub-virtual server (I also tried with an alias virtual server) with "mx.domain.com".

Now I go to Manage SSL Certificates > Let's Encrypt and I see both available to request (domain.com and mx.domain.com).

But when I request it I see:

ssl.CertificateError: hostname 'mx.domain.com' doesn't match either of 'domain.com', 'www.domain.com'
DNS-based validation failed : Failed to request certificate : mx.domain.com challenge did not pass: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.mx.domain.com

Why is that?

Web "mx.domain.com" is working and pointing to the domain.com site (so the sub-virtual server is correctly created), and mx.domain.com points to the same IP as domain.com.

Fri, 09/07/2018 - 18:53
Joe

There's a couple of ways to handle it. The simplest is to just use a primary domain on your Virtualmin server for all mail services, and use the certificate for it in both Dovecot and Postfix. This is what I recommend, for now.

STARTTLS supports name-based virtual hosting of mail servers, and Dovecot has support for that. Our support for it in Virtualmin exists but is relatively new (so new I don't even know off-hand what goes into enabling it). I'll have to poke around and get back to you...

Thu, 09/13/2018 - 10:57
KitchM

Hey there, jurassic. This is easily fixed. Just go to your virtual server and select Server Configuration > Manage SSL Certificates. Go to the Let's Encrypt tab. Select Domain Names Listed here, if the ones already listed are not what you want. You can add everything, if you want to, by putting in

domain.tld
www.domain.tld
mail.domain.tld
ftp.domain.tld
m.domain.tld
localhost.domain.tld
autoconfig.domain.tld
autodiscover.domain.tld

and just substitute your domain for domain.tld. This list is just about everything you'll ever need.

Next, under Check connectivity first, select to just skip the tests. Then when you press the Request Certificate button, just wait for the new cert. You should be good to go.

Good luck!

Thu, 09/13/2018 - 22:45 (Reply to #5)
Freddy63

Hello jurassic,

@KitchM's list is really helpful. But you'll need to create a DNS record for each hostname in your DNS manager if DNS is managed elsewhere.

And you didn't need to create mx.domain.com. Virtualmin creates mail.domain.com which you can use. I have a Virtualmin Mail Server tutorial if you want step-by-step instructions.
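
An added example, not part of the thread or of Virtualmin's own code: a Python check of which mail hostnames a certificate's SAN list leaves uncovered (the mismatch in the first post's error) and which `_acme-challenge` TXT names DNS-based validation will look up for them. The sample SAN text is constructed, in the format printed by `openssl x509 -noout -ext subjectAltName`, and the function names are illustrative.

```python
import re

# Constructed sample, in the format printed by
# `openssl x509 -noout -ext subjectAltName`; names mirror the first post's error.
SAMPLE_SAN_TEXT = """X509v3 Subject Alternative Name:
    DNS:domain.com, DNS:www.domain.com
"""

def parse_san_dns(text):
    """Extract the DNS entries from openssl's subjectAltName text output."""
    return [m.lower() for m in re.findall(r"DNS:([^,\s]+)", text)]

def san_matches(pattern, host):
    """A '*' is honoured only as the whole left-most label and spans one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # '*.domain.com' covers mx.domain.com, never domain.com or a.mx.domain.com
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def uncovered(san_text, wanted_hosts):
    """Hostnames clients will connect to that no SAN entry covers."""
    sans = parse_san_dns(san_text)
    return [h for h in wanted_hosts if not any(san_matches(s, h) for s in sans)]

def acme_dns01_names(hosts):
    """TXT record names that DNS-based validation looks up, one per hostname."""
    return ["_acme-challenge." + h.lower().rstrip(".") for h in hosts]

if __name__ == "__main__":
    # Hostnames an IMAP/SMTP client might be configured with (assumed list).
    wanted = ["domain.com", "www.domain.com", "mx.domain.com", "mail.domain.com"]
    missing = uncovered(SAMPLE_SAN_TEXT, wanted)
    print("not covered by certificate:", missing)
    print("TXT names needed for DNS validation:", acme_dns01_names(missing))
```

Any hostname reported as not covered will trigger a certificate warning in mail clients that connect to it until the certificate is reissued with that name included.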
