Convert from DNS/Web/Mail to DNS/Mail lets certs expire in dovecot.conf

Using Centos, but I doubt that matters.

"full" customer, using all the stuff in virtualmin, moves his website to another host, but leaves DNS and Mail here. So, turn off the "Apache" stuff and its all good. Time passes, and the SSL certs that were happily used in Dovecot timeout, since Apache SSL isn't there any more to update them. Dovecot of course doesn't complain, and things are fine, but SSL connections start failing to the dovecot server on that domain. Not all the connections, just some (thats a different problem).

So, if you remove the Apache SSL settings from a virtual domain, should either find a different way of keeping the SSL up to date, or remove it from dovecot.conf. Would be great if Virtualmin would just keep updating the domains SSL cert though.

Status: 
Active

Comments

This is a difficult situation to handle correctly, as without a website there is no way to add an SSL cert for a domain, and no way to request a new one from Let's Encrypt. We could automatically remove it from Dovecot, but the result would still be an invalid certificate served to clients.

DNS is still there, use that instead? So when Apache SSL is removed, still allow access to the Lets Encrypt stuff in the domain but use DNS verification?

That could work - currently Virtualmin ties it's SSL support to a website being enabled for the domain, but this isn't strictly necessary. This is on our roadmap already, and I'll update this ticket when it happens.