Why don't FTP and email use the domain's certificate?

Discussion in 'General' started by lonerunner, Apr 8, 2021.

  1. lonerunner

    lonerunner Member

    So I don't know if this is a normal condition or a mistake somewhere, but it's bugging me a lot.

    These two guides have been followed:

    All FTP connections and mail are using the same certificate, which has been set to the server hostname, which is basically the main domain. And when using software like Thunderbird and FileZilla, it shows me a warning that the certificate doesn't match the domain when I try to connect with other domain names, even though they have their own SSL.

    Why don't they always use the certificate from the domain name used on the connection?
    Is that not possible, or did I make a mistake somewhere along the setup?
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    This is intended behaviour.
    Use the main domain for e-mail and FTP.
    Let's Encrypt does not allow more than 100 domains in the same certificate. Creating alias domains and including them in the main certificate would work up to that number.
  3. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Apache specifies the SSL cert to use for HTTPS connections - port 443. This has nothing to do with other software on other ports. I frequently see this misconception and I will probably write a longer explanation on this soon.

    Users should use the main domain, like @Taleman mentioned.
  4. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    Well, Postfix (and Dovecot) and pure-ftpd all now support SNI.
    Although pure-ftpd appears to rely on the use of pure-certd for SNI, which should be included in pure-ftpd-common_1.0.49-4_all on Ubuntu 20.04, and so far I can't find any trace of pure-certd on a newly installed server....
    But technically, yes, you could use separate certs for each domain for email and FTP. It requires support for it to be coded into ISPConfig though, and certs would have to be saved in the database, since they may be needed on different servers. It also gets complicated when considering you may want to use a LE cert for a domain in FTP/email but not on your website (dunno why, but some mad client is bound to insist on it).
    You could currently configure each one manually... but given the amount of work, it's much easier to stick with just using one cert on the main domain for every connection.
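The warning the original poster sees comes from the client comparing the hostname it connected to against the names listed in the certificate the server presented. The following script is an added example, not code from the thread or from ISPConfig: it connects the way a mail or FTP client would (the hostname you give is also sent as the SNI name), pulls the certificate's subjectAltName entries and applies the same exact/wildcard matching rule, so you can see which names the server's certificate actually covers and, after setting up per-domain certs with SNI, confirm that each hostname now gets its own. Hostnames and ports in the usage line are placeholders.

```python
"""Show which DNS names a mail/FTP server's TLS certificate covers for a given hostname."""
import smtplib
import socket
import ssl
import sys


def hostname_matches(hostname, san_names):
    """Client-style check: exact match, or a '*.' wildcard covering exactly one left-most label."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            head, sep, rest = host.partition(".")
            if sep and head and rest == name[2:]:
                return True
        elif name == host:
            return True
    return False


def san_dns_names(cert):
    """Extract DNS entries from the dict returned by SSLSocket.getpeercert()."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def fetch_cert(hostname, port, starttls_smtp=False):
    """Connect as a client would (hostname doubles as the SNI name) and return the peer cert.

    check_hostname is disabled so a mismatching certificate is still returned for
    inspection; the chain is still verified against the system CA store."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    if starttls_smtp:  # submission port 587: plain connection upgraded with STARTTLS
        with smtplib.SMTP(hostname, port, timeout=10) as smtp:
            smtp.starttls(context=ctx)
            return smtp.sock.getpeercert()
    with socket.create_connection((hostname, port), timeout=10) as raw:  # e.g. IMAPS 993
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


def report(hostname, cert):
    """Return (matches, names) for the hostname against the certificate's SAN list."""
    names = san_dns_names(cert)
    return hostname_matches(hostname, names), names


if __name__ == "__main__":  # usage: check_cert.py mail.otherdomain.example 993 [--starttls]
    host, port = sys.argv[1], int(sys.argv[2])
    ok, names = report(host, fetch_cert(host, port, "--starttls" in sys.argv))
    print("certificate covers:", ", ".join(names) or "(no SAN entries)")
    print("matches", host + ":", "yes" if ok else "NO - clients will warn")
```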
