Greetings,
We have a virtual server, $DOMAIN, for which LE wants to create an SSL certificate (by default) using the following domains:
$DOMAIN
www.$DOMAIN
mail.$DOMAIN
This is unusual b/c the other virtual servers on this server only default to creating an LE cert for $whatever and www.$whatever (i.e., NOT mail.$whatever). No worries, though - I'll just override this with "Domain names listed here" in the LE creation screen and specify only $DOMAIN and www.$DOMAIN.
Now, I've created mail.$DOMAIN as a separate virtual server because I want to set that up with its own site, and create an LE cert to use in Postfix/Dovecot for everyone else to use on the server. All's well.
However, when the LE cert for $DOMAIN and www.$DOMAIN gets auto-renewed, it gets installed into Postfix/Dovecot for mail.$DOMAIN despite the fact that that's not a valid alternate name on the certificate.
I cannot tell where it's getting set that mail.$DOMAIN should be included under "Domains associated with this server" as mail.$DOMAIN is most certainly not associated with the $DOMAIN virtual server (at least, not intentionally!). And I cannot tell why it would possibly be associated with the mail.$DOMAIN settings in Postfix and Dovecot once it's renewed.
This is bizarre enough that I'm not sure I'm even doing a good job of explaining the problem. That said, does anyone have an idea of what might be happening here and how I can prevent further conflicts?
Please let me know if I can elucidate any further.
Thanks! Peter
Peter, take a look; this is not the solution, but it perhaps explains some of it. https://github.com/webmin/webmin/issues/1118#issuecomment-535577203
Thanks for the comment, jfro - as far as I can tell this isn't related, as no error is thrown by Validate Virtual Servers. Also:
Peters-MacBook-Pro-2:~ pcg$ dig -t mx $DOMAIN +short
0 filter.agathongroup.com.
MX doesn't point to mail.$DOMAIN, but rather a spam filter service we provide.
It also doesn't explain why Vmin is getting confused and using the LE SSL cert for $DOMAIN/www.$DOMAIN in the Postfix and Dovecot config for mail.$DOMAIN, despite the fact that I've told it not to use mail.$DOMAIN for that virtual server.
Peter
Anyone? I'm confused as to why Virtualmin is using the SSL certificate for $DOMAIN on email services for mail.$DOMAIN, and in fact why mail.$DOMAIN shows up in the default LE configuration for $DOMAIN in the first place. And it's causing downtime on every LE renewal, so I'm hoping someone can chime in here with something else I can check on.
Thanks, Peter
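Added example, not part of any post in this thread and not Virtualmin code: a check that could run after each renewal to flag a certificate whose subject alternative names do not cover the hostname a mail service presents, which is the mismatch described above. It takes the text printed by `openssl x509 -noout -ext subjectAltName`; `example.com` stands in for $DOMAIN, and the function names and sample text are constructed for illustration.

```python
import re

def parse_san_dns(openssl_san_text):
    """Pull the DNS entries out of openssl's subjectAltName text output."""
    names = re.findall(r"DNS:([^,\s]+)", openssl_san_text)
    return [n.lower().rstrip(".") for n in names]

def name_matches(pattern, host):
    """Match one SAN entry against a hostname.

    A wildcard is honoured only as the entire leftmost label and stands
    for exactly one label, so *.example.com covers mail.example.com but
    neither example.com nor a.mail.example.com.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse wildcards directly under a top-level label such as *.com.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def uncovered_hosts(openssl_san_text, service_hosts):
    """Return the service hostnames that no SAN entry covers."""
    sans = parse_san_dns(openssl_san_text)
    return [h for h in service_hosts
            if not any(name_matches(s, h) for s in sans)]

# Constructed sample: SAN text for a certificate issued only for the
# bare domain and its www name, as in the renewal described above.
SAMPLE_SAN = """X509v3 Subject Alternative Name:
    DNS:example.com, DNS:www.example.com
"""

if __name__ == "__main__":
    # Hostname that the mail services are expected to present.
    missing = uncovered_hosts(SAMPLE_SAN, ["mail.example.com"])
    if missing:
        print("certificate does not cover:", ", ".join(missing))
    else:
        print("certificate covers all mail hostnames")
```

A non-empty result means the renewed certificate should not be installed for that service name.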