IMAP SSL Domain Cert Missing

Discussion in 'General' started by robin99, Jan 19, 2021.

  1. robin99

    robin99 New Member

    Hi,

    ISPConfig Version: 3.2.2
    OS: Debian 9.0
    Using Postfix and Dovecot

    When connecting to IMAP/POP3 using Outlook it comes up as certificate invalid.

    Looking in the SSL certificate issued there is a lot of the domains in there but a lot are also missing from the "Subject Alternative Name".

    Any ideas what to check as SSL and LetsEncrypt are turned on for all the domains, have gone through the Debug process for ISPConfig and cleared any errors as there were some CAA records for one of the domains that were causing errors, not sure where the CAA records came from but they were to do with letsencrypt, deleted them as none of the other domains have them and the errors went away.

    So I am a bit lost now where to look or what to check for, the SSL certificate says it was issued on the 14th Jan 2021, so maybe it needs a refresh but which script to run to get it refreshed?

    Thanks
    Robin
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    When checking the cert in your web browser, is it valid for that domain?
     
  3. robin99

    robin99 New Member

    Yes it is working fine in a web browser for that domain.
    It says certificate valid and is issued to the correct domain.
     
  4. robin99

    robin99 New Member

    So for the master domain it seems to add them to that in /etc/letsencrypt/renewal/domain.com.conf
    The linked domains are also listed on the master domain under "Dependent sub- / aliasdomains"

    But the domain that is not working with SSL is missing from here and the others as well.
    Wonder where it picks this information up from or how it can be refreshed.
     
  5. robin99

    robin99 New Member

    It has also added back in the DNS records that I deleted previously under the CAA field of:

    domain.com 0 issue "letsencrypt.org"
    none.domain.com 0 issue "letsencrypt.org"

    But only to this one domain and not to any others.
     
  6. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I believe that is the normal behavior, when you enable letsencrypt for a site it will add a CAA record for it if the domain is an active dns zone. (I don't know what happens when the dns zone and website are under different clients offhand.)
     
  7. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    No, the CAA records should not be added afaik.
     
  8. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    CAA is mainly used for dns challenge.
     
  9. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Not too long ago I was going through hosted domains, intending to add CAA records, and most of them already had them set - those domains had letsencrypt certificates issued. I just now checked my dns template, and there is no CAA record there, so I believe it was added when enabling Lets Encrypt. I'm looking for a live domain now I can test that with.

    [Edit]: confirmed, I found a site with no SSL, verified there was no CAA record, I enabled Let's Encrypt and it added a CAA record to DNS.
     
  10. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Alright, didn't know that :)
     
  11. robin99

    robin99 New Member

    Still not been able to resolve this if anyone has any ideas?
     
  12. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    So you created a website (domain.com) and add other hostnames you want included in your mail certificate as alias domains?

    If there is a domain not showing in the ui, you simply need to add it like the others?

    Once you have the alias domain added, you can use the letsencrypt error faq to troubleshoot why it wouldn't be added in the certificate, if that is the case.
     
  13. TonyG

    TonyG Active Member

    To recap, all the certs seem OK but Outlook still says the cert is invalid? I just dealt with that.
    All of this depends on the version of Windows and the version of Outlook. If any of this doesn't seem to work on your system, please research for your system specifics using this as a general guide. I just did a walk through on Windows 8 with Office 2010.

    Open the Windows>Run and execute certmgr.msc. This opens Certificates for the current user.
    Look in folders: Other People\Certificates, Trusted People\Certificates
    You may find an old cert for your host. Right click and Delete it.
    Not there?
    Right click on the top tree node: Certificates - Current User, then Find Certificates.
    The Find In should be "All certificate stores".
    In the Contains box, enter minimal unique text for the host, like just the foo.com part.
    The Look In Field should be Issued To.
    Click Find Now.
    If you get a hit, right click and Delete.
    Restart the system then check Outlook again.
     
  14. robin99

    robin99 New Member

    Thanks for the pointers TonyG

    Looks like I forgot to say thanks to Jesse for the pointers that got it working as it is all fine now that I added the mail.domain.com as a subdomain of the main server domain so that it is added to the SSL certificate that is used for the mail server.
     
  15. TonyG

    TonyG Active Member

    Glad you got it sorted out. As you go through this process, please post back here if you have any cert issues with Postfix or Dovecot. The detail for this isn't in the Perfect server because it's a non-standard config to use mail.domain.tld on a server where ISPConfig is hosted as something like main.domain.tld. I had to set Postfix and Dovecot to point to the .cert/.key for mail.domain.tld where they were originally pointing at the default. HTH
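
Added example, not part of the thread or of ISPConfig: a Python check for the fault diagnosed above, listing which hostnames mail clients connect to are absent from the certificate's "Subject Alternative Name". The sample certificate and the `alias.example` names are constructed; `domain.com` and `mail.domain.com` are the placeholders used in the thread, and all function names are hypothetical.

```python
import socket
import ssl

def san_dns_names(cert):
    """DNS entries from a dict shaped like ssl.SSLSocket.getpeercert()."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(pattern, host):
    """Exact match, or one left-most wildcard label (*.example.com)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        # The wildcard covers exactly one label, never the bare domain.
        head, _, tail = host.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == host

def missing_from_cert(cert, client_hosts):
    """Hostnames clients use that no SAN entry covers (Outlook flags these)."""
    sans = san_dns_names(cert)
    return [h for h in client_hosts if not any(name_matches(p, h) for p in sans)]

def fetch_imaps_cert(host, port=993, timeout=10):
    """Fetch the cert an IMAPS listener presents (needs network; not run below)."""
    ctx = ssl.create_default_context()
    # Chain is still verified; only the name check is skipped so a mismatch can be inspected.
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample: the mail hostname was never added as an alias/subdomain.
SAMPLE_CERT = {
    "subject": ((("commonName", "domain.com"),),),
    "subjectAltName": (("DNS", "domain.com"), ("DNS", "www.domain.com"),
                       ("DNS", "*.alias.example")),
}
# Hostnames configured in mail clients (constructed).
CLIENT_HOSTS = ["domain.com", "mail.domain.com", "imap.alias.example", "alias.example"]

if __name__ == "__main__":
    print(missing_from_cert(SAMPLE_CERT, CLIENT_HOSTS))
```

On a live server, pass the result of `fetch_imaps_cert("mail.domain.com")` in place of `SAMPLE_CERT`; any name returned needs to be added to the site whose certificate Dovecot and Postfix serve.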
     
