Let's encrypt mail A record renewal failure

OS type and version: CentOS 8
Webmin version: 1.981
Virtualmin version: 6.17
Related products version: RECOMMENDED

My DNS is managed by cloudflare

Each domain is set up with an MX record pointing to “mail.domain.com”, which is an A record pointing to the IP of the shared server. (No mail.domain.com sub-virtual server exists.)

I had everything set up with Let’s Encrypt using Virtualmin.

Dovecot handles POP3s access (port 995)

Everything worked fine for 3 months, but the auto-renewal didn’t work for the “mail.domain.com” subdomains. Therefore the cert is missing them from the SAN list. It’s looking for http://mail.domain.com/.well-known/acme-challenge/TOKEN and fails with a timeout. It succeeds with the other SANs.

When Gmail tries to use POP3S to get my email, it complains about the mail.domain.com subdomain: “Hostname ‘mail.domain.com’ doesn’t match any SANs (domain.com, www.domain.com)”.

My workaround was to use certbot to manually expand the cert, authenticating via DNS, then manually copy it over to Dovecot, but of course this isn’t ideal.

I don’t really understand how “/.well-known/acme-challenge/TOKEN” works. I don’t see any “.well-known” folder anywhere. Should there be a rewrite rule to point requests for that folder somewhere else?
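A diagnostic for the two symptoms described above, added here as an example and not part of the original post or of Virtualmin: it reproduces Gmail's SAN check against the certificate Dovecot presents on port 995, and it probes the HTTP-01 path so you can tell a reachable web server answering 404 (the ACME client only has to place the token file there) from a timeout (the request never reaches port 80 on that name). The host names and the probe token are assumptions.

```python
import socket
import ssl
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"


def hostname_matches_sans(hostname, sans):
    """True if one DNS SAN covers hostname. A wildcard '*.domain.com'
    covers exactly one label (mail.domain.com), not domain.com itself."""
    host = hostname.lower().rstrip(".")
    for san in (s.lower().rstrip(".") for s in sans):
        if san.startswith("*."):
            if host.endswith(san[1:]) and host.count(".") == san.count("."):
                return True
        elif san == host:
            return True
    return False


def missing_hostnames(expected, sans):
    """Names a client such as Gmail would reject with 'doesn't match any SANs'."""
    return [h for h in expected if not hostname_matches_sans(h, sans)]


def fetch_sans(host, port=995, timeout=10):
    """Implicit-TLS connect (POP3S) and return the DNS SANs of the leaf cert.
    Chain verification stays on; only the hostname check is disabled so a
    cert issued for the wrong names can still be inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def probe_http01(host, timeout=10):
    """GET a placeholder token on the HTTP-01 path; '404' proves port 80 is
    routed to the web server, 'unreachable' points at DNS/firewall/proxy."""
    url = f"http://{host}{ACME_PATH}probe-placeholder-token"  # constructed
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return f"HTTP {resp.status}"
    except urllib.error.HTTPError as err:
        return f"HTTP {err.code}"
    except (urllib.error.URLError, socket.timeout, OSError) as err:
        return f"unreachable: {err}"


if __name__ == "__main__":
    mail_host = "mail.domain.com"  # assumed name
    sans = fetch_sans(mail_host)
    print("SANs:", sans, "missing:", missing_hostnames([mail_host], sans))
    print("HTTP-01 path:", probe_http01(mail_host))
```

Run it from outside the server so the probe follows the same route as Let's Encrypt's validation servers.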
