Mutiple Sites Using SSL

Discussion in 'Installation/Configuration' started by Dave Jury, Jul 24, 2017.

  1. Dave Jury

    Dave Jury New Member

    I couldn't respond to a thread (posts <2) or create this post (you have links), so you linux heads out there will have to substitute _ for _ (something for the Howto admins to consider)... anyway
     
  2. Dave Jury

    Dave Jury New Member

    I am running an ispconfig mail server with 2 different domains. I have got certificates for each domain from letsencrypt (certbot) and domain1 is running nicely. No issues with web pages or email on domain1, and the thunderbird client doesn't ask for an "exception".

    domain2 has a problem - the website is all nicely ssl enabled, but the users have problems with thunderbird (email) saying "wrong certificate". When I run in a terminal
    openssl s_client -showcerts -connect domain2_xxx:993
    I get the cert for domain1.

    I have added, in etc_dovecot_conf.d_10-ssl.conf
    local_name domain1_xxx {
    ssl_cert = <etc_letsencrypt_live_domain1_xxx_fullchain.pem
    ssl_key = <_etc_letsencrypt_live_domain1_xxx_privkey.pem
    }
    local_name domain2_xxx {
    ssl_cert = <etc_letsencrypt_live_domain2_xxx_fullchain.pem
    ssl_key = <etc_letsencrypt_live_domain2_xxx_privkey.pem
    }

    If I swap the certificates in etc_dovecot_dovecot.conf the domain2 works and domain1 doesn't. So the cert is xxxing from etc_dovecot_dovecot.conf and not from etc_dovecot_conf.d_10-ssl.conf. So, local_name is not working! I have tried local_name in dovecot.conf and the dovecot won't even restart.

    Any help would be GREATLY appreciated. There is very little on the internet about this, and, after a day of searching_testing, none of it works.

    Regards and Cheers to you all.
     
  3. Dave Jury

    Dave Jury New Member

    And this issue with "links" when you're trying to post... where is the "link"? I had none in my post... what constitutes a link, and where has the post broken the rules? It's just wrong to have to put _ instead of / or whatever. What are the rules?
     
  4. sjau

    sjau Local Meanie Moderator

    Dave Jury likes this.
  5. Dave Jury

    Dave Jury New Member

    @sjau,
    Thanks for your quick response. I am using ispconfig3, and the purpose of this is to be a web provider, like cpanel. Ergo, you start with one client and evolve to 16. You can't keep getting new certificates. cpanel has it's limitations as the clients are always asked to do a "security exception", but we are hearing that this is resolved in dovecot2. It's just that no one knows how to implement it.
     
  6. Dave Jury

    Dave Jury New Member

    @sjau,
    Thanks for your quick response. I am using ispconfig3, and the purpose of this is to be a web provider, like cpanel. Ergo, you start with one client and evolve to 16. You can't keep getting new certificates. cpanel has it's limitations as the clients are always asked to do a "security exception", but we are hearing that this is resolved in dovecot2. It's just that no one knows how to implement it.
     
  7. Dave Jury

    Dave Jury New Member

    By the way, your very good point on acme is well taken, but it's not relevant on an ispconfig install to keep getting a new top level cert every time you get a new client. For my application, The best ever how-to is Howto on howto, and it's the "Perfect Server". Unfortunately, the advice here doesn't work
     
  8. sjau

    sjau Local Meanie Moderator

    why would a client cause new certs to be generated for the ISPConfig interface?
     
  9. Jesse Norell

    Jesse Norell Well-Known Member

    Dovecot supports SNI, implementation appears quite simple and is described at https://wiki.dovecot.org/SSL/DovecotConfiguration - you may want to automate the config with a script though, if you add/remove clients very often.

    But that's just dovecot (receiving); once you have that working you'll likely find clients still get a warning about the certificate, as postfix (sending) does not support SNI.

    Solutions (which would also work with dovecot, if you wanted to implement those), both of which are not built-in to ispconfig, you'd have to set these up yourself, are: 1) obtain a single certificate with multiple hostnames (including client domain names like mail.client1.tld) to use for postfix (and dovecot), or 2) use a different ip address for each client and have postfix (and dovecot) serve a different certificate depending on the ip address.

    Limitations on "1" are the number of names in a certificate (100 I believe), and obviously a limitation on "2" is the number of available ip addresses. You could combine those as well, so eg. each ip address serves up a certificate with < 100 names in it. Of course working out the setup is up to you, not built into ispconfig.
     

Share This Page