Wrong Let's Encrypt certificate showing in Thunderbird email client

Sat, 06/29/2019 - 15:52

I installed Virtualmin using the install script on a virtual server with Ubuntu 18.04. I originally installed with LEMP (-b LEMP), but I reinstalled with Apache (LAMP, no arguments added to the install command). I’ll explain why later. The FQDN I used was rpaserver1.com.

After installing, I created 2 virtual servers: rpaserver1.com and second_domain.com (not the actual name). For both of them, in enabled features, I UNCHECKED Setup DNS zone and checked Setup SSL website too. The other boxes I didn’t change.

For DNS I use Cloudflare. I’m attaching a screenshot of the DNS records for rpaserver1.com. The other domain’s DNS is essentially the same. Sorry, I can't see how to attach files.

After creating the domains, I then set up Let’s Encrypt certificates for each. For each, the “Domains associated with this server” are the domain, www and mail. At this point I should explain that I switched from nginx (LEMP) to Apache (LAMP) because when I used nginx, only the domain and the www domain appeared here, NO mail domain.

I indicated 2 months between renewals and requested the certificates. This was successful.

I then created an e-mail account on each domain: myname@domain.tld. I use Thunderbird and set both of these accounts up in Thunderbird. In this setup, the incoming mail settings are mail.domain.tld on port 995. The outgoing settings are mail.domain.tld on port 465.

The e-mail works, but not the certification process. When I check e-mail or send e-mail, I get an “Add security exception” window that allows me to add an exception. Adding the exception allows the e-mail to finish (send or receive) properly.

The “Add security exception” window has an option to see the certificate received. I’m attaching a screenshot for both. Note that the “Issued To” and “Issued By” fields are ALMOST identical in both: “rpaserver1.com”. But the rpaserver1.com certificate has “.” before the domain. The certificate for the other domain doesn’t have the “,”, but it uses the same domain, rpaserver1.com, not the domain of the e-mail. And neither indicates mail.domain.tld.

What do I need to do to get the certification process working properly for my e-mail?

Sat, 06/29/2019 - 20:05

I’m pretty sure I discovered the solution.

At the bottom of the SSL certificates page there’s a section that says, “The buttons below will copy this domain's SSL certificate as the default for the chosen service. This will be used if no per-domain or per-IP certificate is configured.”

There are buttons for Webmin, Usermin, Dovecot, Postfix and PureFTP. I guess some or all of them may or may not be there. When I clicked on each button, it processed the request and the button disappeared, except for Dovecot. The Dovecot one processed successfully, but the button was still there.

So it may be that if one or more of those buttons is missing, the certificate was probably already copied to that service.

In Thunderbird, I no longer get the “Add security exception” window, so I guess the verification of the certificates is working properly.
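The check I would run after copying the certificate to Dovecot and Postfix, as an added example that is not part of this thread or of Virtualmin: a small POSIX shell script that pulls the certificate each mail service actually presents and tests whether the hostname the mail client connects to (mail.rpaserver1.com in the post) is listed in its Subject Alternative Names. A certificate whose subject and issuer are the same name is self-signed, which is the kind of certificate Thunderbird refuses until an exception is added. It assumes the openssl command-line tool is installed; the ports are the post's 995 and 465, with the STARTTLS ports 143/110/587 added as a generalization; the SAN lines fed to san_matches_host in the comments are constructed in the format of `openssl x509 -text` output.

```shell
#!/bin/sh
# Added example (not from the forum thread or Virtualmin): verify which
# certificate a mail service presents and whether it covers the hostname the
# mail client connects to. Assumes the openssl CLI is installed; hostnames and
# ports below come from the post (mail.rpaserver1.com, 995 and 465).

# san_matches_host SAN_LINE HOSTNAME
# SAN_LINE is the "DNS:a, DNS:b, ..." line from `openssl x509 -text`, e.g.
#   "    DNS:rpaserver1.com, DNS:www.rpaserver1.com, DNS:mail.rpaserver1.com"
# Returns 0 if HOSTNAME is listed exactly or covered by a single-label wildcard.
san_matches_host() {
    host=$2
    # one name per line, strip the "DNS:" prefix and surrounding whitespace
    names=$(printf '%s\n' "$1" | tr ',' '\n' \
            | sed -e 's/^[[:space:]]*DNS://' -e 's/[[:space:]]*$//')
    found=1
    set -f   # names may contain '*'; do not let the shell glob them
    for name in $names; do
        if [ "$name" = "$host" ]; then
            found=0
            break
        fi
        case $name in
        '*.'*)
            suffix=${name#\*.}
            case $host in
            *.$suffix)
                # RFC 6125: a wildcard matches exactly one label
                label=${host%.$suffix}
                case $label in
                *.*) ;;
                *) found=0; break ;;
                esac
                ;;
            esac
            ;;
        esac
    done
    set +f
    return $found
}

# fetch_cert HOST PORT [STARTTLS_PROTO]
# Prints the PEM certificate the service on HOST:PORT presents. For implicit
# TLS ports (993, 995, 465) omit the third argument; for 143/110/587 pass
# imap, pop3 or smtp so openssl negotiates STARTTLS first.
fetch_cert() {
    if [ -n "${3:-}" ]; then
        openssl s_client -connect "$1:$2" -servername "$1" -starttls "$3" \
            </dev/null 2>/dev/null | openssl x509 2>/dev/null
    else
        openssl s_client -connect "$1:$2" -servername "$1" \
            </dev/null 2>/dev/null | openssl x509 2>/dev/null
    fi
}

# check_mail_cert HOST PORT [STARTTLS_PROTO]
# Reports subject, issuer and SANs, and returns non-zero on a hostname
# mismatch, i.e. the situation in which Thunderbird shows "Add security
# exception". Identical subject and issuer means the cert is self-signed.
check_mail_cert() {
    cert=$(fetch_cert "$1" "$2" "${3:-}")
    if [ -z "$cert" ]; then
        echo "$1:$2: no certificate received"
        return 2
    fi
    subject=$(printf '%s\n' "$cert" | openssl x509 -noout -subject)
    issuer=$(printf '%s\n' "$cert" | openssl x509 -noout -issuer)
    san=$(printf '%s\n' "$cert" | openssl x509 -noout -text \
          | sed -n '/Subject Alternative Name/{n;p;}')
    echo "$1:$2: $subject / $issuer"
    echo "$1:$2: SANs:${san:- (none)}"
    if san_matches_host "$san" "$1"; then
        echo "$1:$2: OK, certificate covers $1"
    else
        echo "$1:$2: MISMATCH, a mail client will warn"
        return 1
    fi
}

# Usage: sh check_mail_cert.sh check mail.rpaserver1.com 995
#        sh check_mail_cert.sh check mail.rpaserver1.com 465
#        sh check_mail_cert.sh check mail.rpaserver1.com 587 smtp
case "${1:-}" in
check) check_mail_cert "$2" "$3" "${4:-}" ;;
esac
```

Run it once per domain and per port the client uses; a "MISMATCH" with the other domain's name in the subject is exactly the symptom described in the first post, and an "OK" line on both 995 and 465 confirms the copied certificate is the one Dovecot and Postfix now serve. Re-run it after the renewal interval, since a renewed Let's Encrypt certificate has to reach the mail services again.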