TLS certificate error with mail host aliases

I’m running into a similar issue. I’ve always used aliases on my email system to make it easier to change out the backend.

i.e. mailserver.domain.com is the MX and primary address, but I give users:
imap.domain.com and smtp.domain.com. Those two addresses point to mailserver.domain.com so everyone is happy.

However, on NS8, I am now getting certificate errors, because I can’t find any way to add the aliases (imap and smtp) to the mailserver certificate. I’ve added them as additional TLS certificates, but that doesn’t seem to help.

Of course, I can talk all of my users through changing their settings, but I would prefer to simply add the aliases. :slight_smile:


Just go to Settings, TLS certificates, and request the additional certificates you require.

Or is it because they have been requested separately that you are having an issue?

If that’s the case, then I think the dev team would need to implement a way to request the same cert for multiple domains.


I’ve done this, I think they aren’t being associated with mail.

Correct, it is just a certificate for a domain that can be resolved correctly, so these do not point to mail.domain.com but to the FQDN provided.

I hope the final answer is not “this is not a task for NS8 but for a firewall”. @davidep could you shed some quick light here, please?

Maybe via Settings → HTTP Routes?

The certificate obtained by Traefik and passed to Mail does not contain alternative names (imap and smtp in your case), just the Mail server name.

Alternatives could be

  • uploading a certificate with the alternative names
  • talk with the users and configure mailserver.domain.com everywhere

Thanks, @davidep Not the answer I was hoping for, but I appreciate the clarity.


This is so counterintuitive don’t you think?


According to Traefik docs it seems possible to obtain a certificate with alternative host names: Traefik Let's Encrypt Documentation - Traefik

If somebody wants to play with it, load a custom .yml file of Traefik configuration under the configs/ directory, e.g.

runagent -m traefik1
cd configs
vi myconf.yml

IIRC the configuration is reloaded automatically.


Not that I am the one to have the knowledge, but does this address the root question?


Hi @davidep

It’s easy to find the certificate-mail.domain.com.yml. Per the docs, I believe the correct syntax would be this:

http:
  routers:
    certificate-mail.domain.com:
      entrypoints: https
      service: ping@internal
      rule: Host(`mail.domain.com`) && Path(`/cd98a9c8-24c2-441b-a6d5-159afe0b1822`)
      priority: '1'
      tls:
        domains:
        - main: mail.domain.com
          sans:
            - "smtp.domain.com"
            - "imap.domain.com"
        certresolver: acmeServer

However, I don’t see any way to check my work. :slight_smile: I don’t get any indication the certificate refreshes and so far at least my mail client continues to complain of a bad cert. Is there a way to view the generated cert? Or to “refresh” traefik?


Same meaning as restart? If so, I think it could be done similarly to what Steph showed us.

runagent -m traefik1
systemctl restart --user traefik.service

Excellent! Yes. That restarted Traefik. Sadly, my config file does not appear to have worked.

Try with curl -v https://imap.domain.com/cd98a9c8-24c2-441b-a6d5-159afe0b1822


I’m not sure how to read this. My initial look was that all is well with the cert, but it still doesn’t work, so that’s clearly a bad read.

*   Trying xx.xx.xx.xx:443...
* Connected to imap.domain.com (xx.xx.xx.xx) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=imap.domain.com
*  start date: Mar 13 17:26:34 2024 GMT
*  expire date: Jun 11 17:26:33 2024 GMT
*  subjectAltName: host "imap.domain.com" matched cert's "imap.domain.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* using HTTP/2
* h2 [:method: GET]
* h2 [:scheme: https]
* h2 [:authority: imap.domain.com]
* h2 [:path: /cd98a9c8-24c2-441b-a6d5-159afe0b1822]
* h2 [user-agent: curl/8.1.2]
* h2 [accept: */*]
* Using Stream ID: 1 (easy handle 0x127013400)
> GET /cd98a9c8-24c2-441b-a6d5-159afe0b1822 HTTP/2
> Host: imap.domain.com
> User-Agent: curl/8.1.2
> Accept: */*
> 
< HTTP/2 404 
< content-type: text/plain; charset=utf-8
< x-content-type-options: nosniff
< content-length: 19
< date: Tue, 19 Mar 2024 12:56:52 GMT
< 
404 page not found
* Connection #0 to host imap.domain.com left intact


I did an experiment that seems to work on my side, at least to obtain a certificate with alternative names. Curl’s proof:

* Server certificate:
*  subject: CN=nethservice.nethesis.it
*  start date: Apr 29 09:15:43 2024 GMT
*  expire date: Jul 28 09:15:42 2024 GMT
*  subjectAltName: host "mail.nethesis.it" matched cert's "mail.nethesis.it"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.

What we were missing is a fix to the rule line:

rule: Host(`mail.domain.com`, `smtp.domain.com`, `imap.domain.com`) && Path(`/cd98a9c8-24c2-441b-a6d5-159afe0b1822`)

Alternative names must be listed inside the Host() matcher, as stated in “Multiple Hosts in a Rule” Traefik Routers Documentation - Traefik

When the file is saved, Traefik picks up the new configuration immediately. However, an HTTP request matching the rule is needed to trigger a cert request, as Matteo said:

I’d try for every altName, just to be sure…

This is not needed, and must be used with caution, because restarting Traefik might generate too many ACME requests, which leads to hitting the API rate limit.


:warning: Editing the certificate .yml file manually might break the API responses and the HTTP routes page.

Edit: there’s also another issue on my side: Mail ignores the host name and refuses to reload the certificate. In the Mail log I see:

Apr 29 12:15:45 ns8n5 agent@mail11[2408658]: Event ignored: the certificate does not match our hostname

I went ahead and gave this a quick go. In case someone else is tracking this, I realized I hadn’t specified a location for the certificate file.

For most it will be in /home/traefik1/.config/state/configs/

That said, while my curl results look good:

* Server certificate:
*  subject: CN=smtp.heroesinc.us
*  start date: Mar 13 17:26:50 2024 GMT
*  expire date: Jun 11 17:26:49 2024 GMT
*  subjectAltName: host "smtp.heroesinc.us" matched cert's "smtp.heroesinc.us"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.

and

* Server certificate:
*  subject: CN=imap.heroesinc.us
*  start date: Mar 13 17:26:34 2024 GMT
*  expire date: Jun 11 17:26:33 2024 GMT
*  subjectAltName: host "imap.heroesinc.us" matched cert's "imap.heroesinc.us"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.

My mail software disagrees:

Screenshot 2024-04-29 at 1.44.33 PM

Maybe it needs a bit of time for things to refresh?
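A check worth running at this point, as an added example that is not from this thread, from NS8 or from Traefik: every curl command above connects to port 443, so it only proves what Traefik serves there. A mail client never talks to 443; it connects to IMAP and SMTP (993, 143+STARTTLS, 465, 587+STARTTLS), where the Mail module presents its own certificate, and the “certificate does not match our hostname” log line above says that copy was never reloaded. The script below pulls the leaf certificate from each of those ports with SNI set to the alias name and tests whether the alias is covered by the certificate’s subjectAltName list (exact match or a single-label wildcard). It assumes openssl 1.1.1 or newer is installed and that the mail service listens on the default ports; imap./smtp. and domain.com are the thread’s own placeholder names.

```shell
#!/bin/sh
# Added example, not part of the forum thread or of NS8/Traefik: check the
# certificate that the *mail* ports present for an alias hostname.
# `curl https://imap.domain.com` only tests the cert Traefik serves on 443;
# a mail client connects to 993/465/587, where the Mail module's own
# certificate is served, so that is the one that has to cover imap./smtp.
# Assumptions: openssl(1) >= 1.1.1 is installed; the ports and STARTTLS
# protocols below are the usual defaults, adjust them if the server differs.

# parse_san_text: read the text output of `openssl x509 -ext subjectAltName`
# on stdin and print the DNS names, one per line (IP/email SANs are dropped).
parse_san_text() {
  tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# san_covers NAME SAN_LIST: success if NAME is covered by the list (one DNS
# name per line). Exact match, or a single-label wildcard as RFC 6125 allows:
# *.domain.com covers imap.domain.com but not a.b.domain.com or domain.com.
san_covers() {
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  list=$2
  printf '%s\n' "$list" | grep -qxF "$name" && return 0
  case $name in
    *.*) printf '%s\n' "$list" | grep -qxF "*.${name#*.}" ;;
    *)   return 1 ;;
  esac
}

# fetch_leaf_cert HOST PORT [STARTTLS_PROTO]: print the server's leaf
# certificate as PEM. SNI is sent because both Traefik and the mail daemons
# may select the certificate by server name.
fetch_leaf_cert() {
  host=$1; port=$2; proto=$3
  set -- -connect "$host:$port" -servername "$host"
  [ -n "$proto" ] && set -- "$@" -starttls "$proto"
  openssl s_client "$@" </dev/null 2>/dev/null | openssl x509 -outform PEM
}

# check_mail_host HOST PORT [STARTTLS_PROTO]: report PASS/FAIL for one port.
check_mail_host() {
  host=$1; port=$2; proto=$3
  pem=$(fetch_leaf_cert "$host" "$port" "$proto")
  if [ -z "$pem" ]; then
    echo "FAIL $host:$port: no certificate received"; return 2
  fi
  sans=$(printf '%s\n' "$pem" \
    | openssl x509 -noout -ext subjectAltName 2>/dev/null | parse_san_text)
  if san_covers "$host" "$sans"; then
    echo "PASS $host:$port covered by SANs: $(printf '%s' "$sans" | tr '\n' ' ')"
  else
    echo "FAIL $host:$port not in SANs: $(printf '%s' "$sans" | tr '\n' ' ')"; return 1
  fi
}

# Usage: ./check_mail_sans.sh domain.com
# Probes the alias names on the ports a mail client actually uses.
if [ -n "${1:-}" ]; then
  status=0
  check_mail_host "imap.$1" 993        || status=1
  check_mail_host "imap.$1" 143 imap   || status=1
  check_mail_host "smtp.$1" 465        || status=1
  check_mail_host "smtp.$1" 587 smtp   || status=1
  exit $status
fi
```

A PASS on 443 together with a FAIL on 993 and 587 reproduces exactly the situation in the posts above: Traefik holds a certificate with the alias names, while Dovecot and Postfix are still serving the old one. Re-run the script after the Mail module has picked up the certificate, or after uploading a certificate whose SANs include the aliases, before asking users to retest.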

24-hours later, no change.

I’m not expecting any change, at least until it expires.

This issue requires further work.