Wrong lets encrypt ...
 
Notifications
Clear all

Wrong lets encrypt certificate exposed for a virtualhost

3 Posts
3 Users
1 Reactions
471 Views
(@manu67a)
Joined: 10 months ago
Posts: 2
Topic starter  

Hi All,

I'm coming from Zimbra OSE V8.8.15 and want to migrate to Carbonio CE.

So I deployed a V24.1.0, installed a first domain, got the certificate for it from lets encrypt using the GUI. All looks fine so far.

Now adding a second email domain, I created a virtualhost and get a new let's encrypt domain for that new domain.

Restarting the proxy, all looks good on the web UI presenting the proper certificate. The original domain and as alternate name the second domain.

Now If I configure (IMAPS) the 2nd domain to my Iphone, I get an alert that the certificate does not match.

Looking at the certificate itself, it indeed shows only the original domain and not the alternate 2nd domain.

Would really appreciate your feedback on that.

Many thanks.

Manny

 


   
Quote
(@anahuac)
Joined: 2 years ago
Posts: 328
 

You got it right. Carbonio doesn't do SNI for IMAP/POP/SMTP protocols, meaning only the main domain can be used without getting certificates alerts on the e-mail clients trying to connect.

The only possible solution is to issue a single "root certificate" for both domains.

I explain more about this issue here: https://www.anahuac.eu/lets-encrypt-on-carbonio-system-root-with-acme-sh/

Telegram: @CarbonioMail


   
manu67a reacted
ReplyQuote
(@qubaq)
Joined: 2 years ago
Posts: 4
 

But the problem is, that IMAP and POP use virtual domain cerificate and only SMTP use root certificate.

For example if my main server is mx.example.com and virtual domain in mail.example.com and I want to configure Outlook or Thunerbird using mx.example.com as both IMAP and SMTP server I got the certificate error for IMAP. It says that cerificate is for mail.example.com and not for mx.example.com. And adding more virtual domains makes more mess - the last added certificate for virtual domain appears as IMAP certificate in Outlook. So you never know which cerificate for IMAP (or POP3) is the right one...

I had to remove all my virtual domains to get root certificate working for all my mail domains, but it prevents me from using different webmail addresses for different domains. 🙁 

 

Please help


   
ReplyQuote