We need to distinguish between Web applications (e.g. SOGo, Webtop…) and Other applications (namely Mail, NethVoice Proxy, Ejabberd).
- A certificate for a web application can be uploaded or obtained via Let’s Encrypt and is presented by Traefik itself. It has a single server name, usually configured by the app through an HTTP route. This type of certificate is not listed on the TLS certificates page and must not be requested from there, as the application already handles its request.
- A certificate for Other applications can also be uploaded or obtained via Let’s Encrypt, but it is presented by the application itself (e.g. Postfix, Dovecot, Ejabberd, Kamailio…). Applications on the same node can share a Let’s Encrypt certificate with multiple server names (SANs), which are listed on the TLS certificates page. This node-level LE certificate is also used as Traefik’s default certificate. A common use case is the certification of the node’s FQDN for cluster-admin.

We are aware of some limitations in the current certificate management UI and plan to release an improvement soon: "Avoid multiple TLS certificates for the same server name" (Issue #7383, NethServer/dev, GitHub).