Hi,
When you use domain-specific SSL certs for services like dovecot for a domain, and this one uses a domain override for letsencrypt (not using all the domains of the vhost but only some), the configuration in dovecot/webmin etc... is the main domain and not the domains of the letsencrypt overrides.
For example, I have a dummy domain 000-site-par-defaut.fr for the default domain with an alias that is the fqdn.
The letsencrypt domain list is overridden to the fqdn and not 000-site-par-defaut.fr+fqdn by default. But when I ask for the domain certificate in dovecot and others the configuration is
local_name 000-site-par-defaut.fr {
  ssl_cert = </home/zero00-site-par-defaut/ssl.combined
  ssl_key = </home/zero00-site-par-defaut/ssl.key
}
and not
local_name fqdn {
  ssl_cert = </home/zero00-site-par-defaut/ssl.combined
  ssl_key = </home/zero00-site-par-defaut/ssl.key
}
in webmin it is
ipkey_000-site-par-defaut.fr,*.000-site-par-defaut.fr=/home/zero00-site-par-defaut/ssl.key
ipcert_000-site-par-defaut.fr,*.000-site-par-defaut.fr=/home/zero00-site-par-defaut/ssl.cert
ipextracas_000-site-par-defaut.fr,*.000-site-par-defaut.fr=/home/zero00-site-par-defaut/ssl.ca
and not
ipkey_fqdn=/home/zero00-site-par-defaut/ssl.key
ipcert_fqdn=/home/zero00-site-par-defaut/ssl.cert
ipextracas_fqdn=/home/zero00-site-par-defaut/ssl.ca
Therefore the domain will never have the good certificate.
The issue here is that virtualmin ignores the domain override AND the aliases when configuring the domain certificate in webmin/dovecot etc...
I think it should use the domain override list for the configuration and not only the servername.
Best regards, Ghislain AQUEOS.
Comments
Submitted by gadnet@aqueos.com on Wed, 12/30/2020 - 04:19 Comment #1
Submitted by gadnet@aqueos.com on Wed, 12/30/2020 - 04:21 Comment #2
Submitted by gadnet@aqueos.com on Wed, 12/30/2020 - 04:24 Comment #3
Submitted by JamieCameron on Wed, 12/30/2020 - 23:44 Comment #4
Do you have an actual alias domain set up in Virtualmin for fqdn, or was it just the hostname the Let's Encrypt cert was issued for?
Submitted by gadnet@aqueos.com on Thu, 12/31/2020 - 02:06 Comment #5
I have a dummy domain set up as a normal virtual server; to that I add a simple alias that is the real fqdn (of course not the "fqdn" string ;p ). letsencrypt is set up to be limited to the fqdn only, but the daemon configuration is only put for the main domain, not any alias and certainly not the one in the letsencrypt domain list :)
Therefore it will never be matched.
Regards, Ghislain
Submitted by gadnet@aqueos.com on Thu, 12/31/2020 - 02:10 Comment #6
Main dummy one: 000-site-par-defaut.fr
Virtual server details
Domain name: 000-site-par-defaut.fr
Created on: 06/11/2017 by root
Unix administrator name: zero00-site-par-defaut    Unix group: 000-site-par-defaut
Total quota for this server: 19.99 GiB    Quota for the Unix user: 20 GiB
IP address: 127.0.0.1 (Shared by all servers)
Account plan: Plan de base    Contact email address: zero00-site-par-defaut@000-site-par-defaut.fr
Home directory: /home/zero00-site-par-defaut
Description: site par defaut ne pas toucher
Domain ID: 150998780827309
and the real one for the fqdn:
Virtual server details
Domain name: ****fqdn****
Created on: 13/06/2018 by root
Unix administrator name: zero00-site-par-defaut    Account plan: Plan de base
Alias of server: 000-site-par-defaut.fr
Description: **fqdn***
Domain ID: 152891059721869
In letsencrypt I have:
use only for this domain : fqdn
in service certificate: "yes" for 3 services.
Regards, ghislain.
PS: sorry for the little difference in the text, the virtualmin is in French...
Submitted by JamieCameron on Fri, 01/01/2021 - 22:42 Comment #7
Ok I see what you mean now - I'll look into what's causing this, and update this ticket once it's fixed.
Submitted by JamieCameron on Sat, 01/02/2021 - 15:46 Comment #8
Ok, this will be fixed in the next Virtualmin release, by including all alias domains in the Dovecot config as well.
Submitted by gadnet@aqueos.com on Mon, 01/04/2021 - 02:23 Comment #9
Thanks a lot for looking at it so quickly. Have a great day!
Ghislain.
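
A check for the mismatch reported at the top of this thread, as an added example that is not part of the original posts or of Virtualmin's code: it compares the names in Dovecot local_name blocks with the names each certificate was actually issued for. The host mail.example.net is a placeholder for the poster's real FQDN, and the SAN list is constructed sample data.

```python
import re

# Constructed sample: the Dovecot block from the report. "mail.example.net" is
# a placeholder for the real FQDN, which the thread does not give.
DOVECOT_CONF = """
local_name 000-site-par-defaut.fr {
  ssl_cert = </home/zero00-site-par-defaut/ssl.combined
  ssl_key = </home/zero00-site-par-defaut/ssl.key
}
"""
# Assumption: cert path -> names in the certificate. In practice, read them with
#   openssl x509 -in <cert> -noout -ext subjectAltName
CERT_SANS = {"/home/zero00-site-par-defaut/ssl.combined": ["mail.example.net"]}

BLOCK_RE = re.compile(r'local_name\s+("[^"]*"|\S+)\s*\{([^}]*)\}')
CERT_RE = re.compile(r'^\s*ssl_cert\s*=\s*<\s*(\S+)', re.M)

def parse_local_names(conf):
    """Yield (names, cert_path) for every local_name block that sets ssl_cert."""
    for names, body in BLOCK_RE.findall(conf):
        cert = CERT_RE.search(body)
        if cert:
            # A quoted local_name may list several space-separated names.
            yield names.strip('"').lower().split(), cert.group(1)

def covers(pattern, host):
    """True if pattern (optionally '*.domain') covers host; '*' is one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def audit(conf, cert_sans):
    """Return (local_names the cert does not cover, cert names never served)."""
    names_by_cert = {}
    for names, cert in parse_local_names(conf):
        names_by_cert.setdefault(cert, []).extend(names)
    uncovered, unserved = [], []
    for cert, names in names_by_cert.items():
        sans = cert_sans.get(cert, [])
        uncovered += [n for n in names if not any(covers(s, n) for s in sans)]
        unserved += [s for s in sans
                     if not any(covers(n, s) or covers(s, n) for n in names)]
    return uncovered, unserved

if __name__ == "__main__":
    print(audit(DOVECOT_CONF, CERT_SANS))
```

Both lists are non-empty for the reported configuration: the block is keyed on a name the certificate does not contain, and the name the certificate does contain has no block.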