| SYSTEM INFORMATION | |
|---|---|
| OS type and version: | CentOS 8 |
| Webmin version: | 1.981 |
| Virtualmin version: | 6.17 |
| Related products version: | RECOMMENDED |
My DNS is managed by Cloudflare.
Each domain is set up with an MX record pointing to “mail.domain.com”, which is an A record pointing to the IP of the shared server. (No mail.domain.com sub-virtual server exists.)
I had everything set up with Let’s Encrypt using Virtualmin.
Dovecot handles POP3s access (port 995)
Everything worked fine for 3 months, but the auto-renewal didn’t work for the “mail.domain.com” subdomains. Therefore the cert is missing them from the SAN list. It’s looking for http://mail.domain.com/.well-known/acme-challenge/TOKEN and fails with a timeout. It succeeds with the other SANs.
When Gmail tries to use POP3S to get my email, it complains about the mail.domain.com subdomain: “Hostname "mail.domain.com" doesn’t match any SANs (domain.com, www.domain.com)”.
My workaround was to use certbot to manually expand the cert, authenticating via DNS, then manually copy it over to Dovecot, but of course this isn’t ideal.
I don’t really understand how “/.well-known/acme-challenge/TOKEN” works. I don’t see any “.well-known” folder anywhere. Should there be a rewrite rule to point requests for that folder somewhere else?
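To make the HTTP-01 mechanism asked about in the last paragraph concrete, here is an added Python example; it is not part of the original post and is not Virtualmin's or certbot's code. It models the challenge end to end: the ACME client writes `TOKEN.<account-key-thumbprint>` into `.well-known/acme-challenge/` under the document root (the directory is created for the duration of the challenge and normally removed afterwards, which is why it is not found between renewals), the CA fetches that path over plain HTTP on port 80 at the hostname being validated, and a POP3S client such as Gmail checks the connected hostname against the certificate's SAN list. The account key, token, hostnames and the hostname-to-docroot map are constructed for illustration, and the "CA fetch" reads the file from a temporary directory instead of going over the network.

```python
import base64
import hashlib
import json
import os
import tempfile

# Constructed stand-in for an ACME account key's public JWK. The values are
# NOT a real RSA key; the thumbprint depends only on the canonical JSON of the
# "e", "kty" and "n" members (RFC 7638), so any strings illustrate the flow.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "example-modulus-not-a-real-key"}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Body the CA expects at http://<name>/.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def publish_challenge(webroot: str, token: str, jwk: dict) -> str:
    """ACME client side: write the key authorization under the document root.
    The .well-known/acme-challenge directory is created on demand here, just
    as a client creates it while a challenge is in flight."""
    path = os.path.join(webroot, ".well-known", "acme-challenge", token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, jwk))
    return path


def simulate_ca_validation(vhosts: dict, hostname: str, token: str, jwk: dict) -> bool:
    """CA side, offline: the real CA resolves `hostname`, GETs the token path over
    plain HTTP (port 80) and compares the body. The web server is modelled as a
    mapping of served hostnames (ServerName/ServerAlias) to document roots; a
    name no vhost serves yields nothing, the analogue of the poster's timeout."""
    webroot = vhosts.get(hostname.lower())
    if webroot is None:
        return False
    path = os.path.join(webroot, ".well-known", "acme-challenge", token)
    try:
        with open(path, encoding="ascii") as fh:
            body = fh.read().strip()
    except FileNotFoundError:
        return False
    return body == key_authorization(token, jwk)


def hostname_in_sans(san_entries, hostname: str) -> bool:
    """Client side of the POP3S error: does the hostname the client connected
    to appear in the certificate's subjectAltName? `san_entries` has the shape
    ssl.SSLSocket.getpeercert()["subjectAltName"] returns: (("DNS", "name"), ...).
    An exact match or a single-label wildcard ("*.domain.com") counts."""
    host = hostname.lower().rstrip(".")
    for kind, value in san_entries:
        if kind != "DNS":
            continue
        value = value.lower()
        if value == host:
            return True
        if (value.startswith("*.") and value.count(".") == host.count(".")
                and host.endswith(value[1:])):
            return True
    return False


def demo() -> dict:
    """Walk through the poster's situation with constructed names and a temp webroot."""
    token = "constructed-token-Xyz123"  # stands in for the CA's random token
    with tempfile.TemporaryDirectory() as webroot:
        publish_challenge(webroot, token, SAMPLE_JWK)
        # The virtual server serves domain.com and www.domain.com only; no vhost
        # knows mail.domain.com, so the CA's request for that name finds no token.
        vhosts = {"domain.com": webroot, "www.domain.com": webroot}
        results = {
            "validation_domain": simulate_ca_validation(vhosts, "domain.com", token, SAMPLE_JWK),
            "validation_mail_without_vhost": simulate_ca_validation(vhosts, "mail.domain.com", token, SAMPLE_JWK),
        }
        # Serving mail.domain.com from the same document root (e.g. as an alias of
        # the same vhost) lets the CA fetch the very same token file.
        vhosts["mail.domain.com"] = webroot
        results["validation_mail_with_alias"] = simulate_ca_validation(vhosts, "mail.domain.com", token, SAMPLE_JWK)
    # The certificate Dovecot currently presents (SANs as quoted in the Gmail error).
    sans = (("DNS", "domain.com"), ("DNS", "www.domain.com"))
    results["san_match_domain"] = hostname_in_sans(sans, "domain.com")
    results["san_match_mail"] = hostname_in_sans(sans, "mail.domain.com")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The model shows why no rewrite rule is needed for the folder itself: the client creates `.well-known/acme-challenge/` in the document root for the challenge and removes it afterwards. What does matter is that an HTTP request on port 80 for the name being validated (here `mail.domain.com`) reaches a vhost whose document root is the one the ACME client writes into; if no vhost serves that name, the CA's fetch cannot find the token no matter what is in the directory.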