SIngle Public IP4 Multiple Domains Multiple SSL Certs Needed - Confused

Ubuntu 14.04

Hi,

I am a little confused regarding SSL certificates and VIrtualmin. I am sure that my setup will be similar to many others. I have a single Public IP4 address for the VirtualmIn server. It is hosting multiple domains and websites, I am now in a situation where I need to add commercial SSL certificates to a number of the domains. Not wildcard SSL but single SSL certificates per domain. Obviously I want to secure all comms for those domains and have the respective SSL certificates used for Web/Imap/SMTP etc.

I am a little confused as to how to configure this in Virtualmin.

Do I simply create a CSR for each virtual server and install the certificate and copy the certificate to webmin/Dovecot/Postfix etc. Also when creating a CSR is the server name the FQDN of the Virtualmin server and the other domain names box contains the domain name that I want to create an SSL for?

I have searched the web, but I may be fundamentally misunderstanding. Most of the info including the Virtualmin Docs are dated back in 2009.

Any help appreciated.

Cheers
Spart

Hi,

Modern SSL certificates support a features called SNI which allows you to use a “single IP” for multiple individual certificates. This feature is supported by all modern browsers so you should be fine.

Postfix unfortunately DOES NOT support SNI however so the only solution to support multiple domains with individual certificates is to have a dedicated IP per domain.

However, many providers if they even allow additional IPs will require proper justification and needing them simply for email may not suffice as it is possible to setup a “main/master/primary” domain for ALL email on the same server which can be setup with a certificate.

Ex. mail.masterdomain.com

When a domain like “peter.com” is added to the server, in order to make use of SSL, it’d have to make use of “mail.masterdomain.com” as the SMTP and IMAP/POP3 hostname to correctly work.

If you have any other questions, feel free to post them here or drop me a line on Skype.

Ask me about my new support plans which include a FREE copy of Virtualmin Pro!!!

Peter,

Thanks for your note. Still a little confused by this on a virtual hosting platform like Virtualmin.

The mail.masterdomain.com would not work for me. Clients need to access mail using mail.theirdomain.com etc.

Essentially we have a virtualmin server named i.e. vpsN.ourcompany.com with a single public IP address. We then a have a number of domains hosted on this server providing web/mail/file or a combination of services per domain.

I am wanting to host a new client that needs a commercial SSL certificate. I contacted my VPS provider and they agreed that this client justifies a new IP4 address being allocated due to the nature of their business etc.

Does this simplify things? If I get a new IP4 address and an SSL for the new client that covers www.newclient.com and mail.newclient.com and deploy it using the form at the virtual server level and copy the SSL to Dovecot/Postifx/Webmin will that protect www/mail/newclient.com. e.g all web connections and mail connections.

The mail server not supporting per domain SSL issue seems crazy given the natire of vistual hosting. The buttons to copy the SSL to Dovecot/Postfix etc. are now even more confusing at the vistual server level. Does that mean that if I copy an SSL to Postfix for say customerdomain.com then all domains served by postfix will use the SSL for customerdomain.com ?

Also confused by subdomains and SSL’s it would seem that www.customerdomain.com and mail.customerdomain.com whilst resolving to the same vpsN.ourcompany.com IP address would need either individual SSL’s or a wildcard SSL to cover all subdomains. But, from what you have said the mailserver (postfix) serving mail.customerdomain.com would not be able to use the certificate anyway.

Sorry if I am seeming a little dim but as I said a little confused.

Cheers
Spart

Hi,

If you’ve been given the thumbs up about the certificate, but want to cover both “mail.” and “www.” you’ll actually need two individual certificates with two IP addresses.

There are two alternatives however…

1. Use a “wildcard certificate” which would cover: www, mail, and any other sub-domain needing covered within the same domain… Basically “anything.newclient.com”.

*** We can sell you a wildcard certificate potentially lower than competitors due to our wholesale agreement, and low margin on certificates. ***

2. Acquire two IP addresses for each sub-domain requiring protection. Certificate issuers will cover the “www” prefix on each domain and sub-domain by default if you create a CSR for say “www.newclient.com” or “www.mail.newclient.com” (though the latter one might not make sense).

Ask me about my new support plans which include a FREE copy of Virtualmin Pro!!!

“If you’ve been given the thumbs up about the certificate, but want to cover both “mail.” and “www.” you’ll actually need two individual certificates with two IP addresses.”

If I have an additional IP4 address that will be dedicated to newclient.com why do I need 2 IP addresses. Surely I can just buy 2 SSL certs (www.newclient.com and mail.newclient.com both would cover newclient.com) and use them with apache and postfix/dovecot respectively ?

After adding the new IP4 address as a new virtual interface (eth0:1) and restarting networking in webmin. The server should be listening on all addresses.

I am unsure where to set the new IP address for newclient.com. Do I use the [Addresses and Networking] [Change IP Address] menu in Virtualmin to change the IP4 address for the newclient.com virtual server? That option seems to change the IP address correctly in the Virtual Server and the DNS addresses.

Apache/Postifx/Dovecot are set to use all available IP4 addresses so should be listening. If I setup the www.newclient.com SSL cert in the Virtual Server that would seem to set the correct SSL cert in the apache virtual server.

However do I then need to hack the postfix/dovecot config files to use the correct per ip ssl cert for the mail.newclient.com SSL certificate? I cannot see any other way to get the mail servers to use the mail.newclient.com SSL certificate for mail connections to the newclient.com IP4 address.

Such as below to bind each certificate to its corresponding IP:

1.1.1.1- unix - n n - - smtp -o smtp_bind_address=1.1.1.1 -o smtp_bind_address6= -o smtp_address_preference=ipv4

2.2.2.2- unix - n n - - smtp -o smtp_bind_address=2.2.2.2 -o smtp_bind_address6= -o smtp_address_preference=ipv4

#smtp inet n - n - - smtpd
#smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes
#submission inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions=

1.1.1.1:smtp inet n - n - - smtpd -o smtpd_tls_cert_file=/etc/postfix/cert1.pem -o smtpd_tls_key_file=/etc/postfix/cert1.pem
1.1.1.1:smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_tls_cert_file=/etc/postfix/cert1.pem -o smtpd_tls_key_file=/etc/postfix/cert1.pem
1.1.1.1:submission inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_tls_cert_file=/etc/postfix/cert1.pem -o smtpd_tls_key_file=/etc/postfix/cert1.pem

2.2.2.2:smtp inet n - n - - smtpd -o smtpd_tls_cert_file=/etc/postfix/cert2.pem -o smtpd_tls_key_file=/etc/postfix/cert2.pem
2.2.2.2:smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_tls_cert_file=/etc/postfix/cert2.pem -o smtpd_tls_key_file=/etc/postfix/cert2.pem
2.2.2.2:submission inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_tls_cert_file=/etc/postfix/cert2.pem -o smtpd_tls_key_file=/etc/postfix/cert2.pem

And for Dovecot:

If you have multiple IPs available, this method is guaranteed to work with all clients.

local 1.1.1.1 { # instead of IP you can also use hostname, which will be resolved
  protocol imap {
    ssl_cert = </etc/ssl/dovecot/imap-01.example.com.cert.pem
    ssl_key  = </etc/ssl/dovecot/imap-01.example.com.key.pem
  }

  protocol pop3 {
    ssl_cert = </etc/ssl/dovecot/pop-01.example.com.cert.pem
    ssl_key  = </etc/ssl/dovecot/pop-01.example.com.key.pem
  }
}

local 2.2.2.2 {
  protocol imap {
    ssl_cert = </etc/ssl/dovecot/imap-02.example.com.cert.pem
    ssl_key  = </etc/ssl/dovecot/imap-02.example.com.key.pem
  }

  protocol pop3 {
    ssl_cert = </etc/ssl/dovecot/pop-02.example.com.cert.pem
    ssl_key  = </etc/ssl/dovecot/pop-02.example.com.key.pem
  }
}

Concerned about having to hack configs, when this has got to be a fairly standard use case for a virtual hosting platform!

Many thanks for bearing with me as I navigate these muddy waters Any further help appreciated.

Cheers
Spart

Howdy – a request for this issue was posted in the Support Tracker. I’m posting my response to that here – let us know if this answers any questions, or if you have additional questions. I’ll review the rest of this thread shortly, as I think some of this may have been discussed already –

Virtualmin supports the Dovecot and Postfix ability to have an SSL certificate for each IP address on the server.

That’s a fairly new feature – Virtualmin used to only support one SSL certificate in those services.

To use that feature, you would give your Virtual Servers with SSL a dedicated IP address (and then setup the SSL certificate if you haven’t already).

Upon doing that, you can configure Postfix and Dovecot to use that same SSL certificate by going into Server Configuration -> Manage SSL Certificates, and copy it into Dovecot and Postfix.

That should be all that’s required – though this is a new enough feature that I haven’t tried that before, so if that doesn’t work as such let me know and we’ll get it sorted out.

Let us know if you have any further questions!

Thank you for your attention to this issue.

Are you saying that all I need to do is configure the dedicated IP address as per my write up above and purchase a SSL for instance for www.newclient.com (this will cover newclient.com) then use the Server Configuration -> Manage SSL Certificates menu option and install the certificate then use the copy to Postfix and Dovecot and that will create the relevant IP based SSL config entries as per my write up above in the Postfix and Dovecot configs?

So I don’t need another SSL certificate for the mail servers for newclient.com as long as mail.newclient.com resolves to the same IP4 address as www.newclient.com i.e. the dedicated virtual server IP for newclient.com.

Cheers
Spart

Howdy,

When copying in an SSL certificate from Apache to Dovecot/Postfix, it copies in the exact one that the Virtual Server was using.

So if you copy in the SSL certificate that protects “www.domain.tld”, then that’s the SSL cert that would be available in Postfix/Dovecot as well.

What you could do, if you want an SSL cert for mail.domain.tld, is setup a “mail.domain.tld” Virtual Server on the same IP address as “domain.tld”, and create SSL certificates for both (this would use SNI in Apache).

Then, just copy the “mail.domain.tld” SSL certificate into Dovecot/Postfix.

-Eric

Eric,

Many thanks, you have given me some confidence that this has a reasonable chance of working. Just to be clear. In the Postfix and Dovecot configs, the process of copying the SSL certs from the newclient.com virtual server which has its own IP address WILL create the IP specific SSL config lines as per my example above right?

Thank you for your support and patience.

Cheers
Spart

I don’t know if it creates it exactly as your example above shows.

What I can offer though is that if you copy an SSL certificate into Postfix and Dovecot, from a Virtual Server using a private/dedicated IP address – it will copy that SSL certificate in and set it up to run on that specific IP.

However, if you have any questions or concerns about how this all works – I might suggest setting up a test server (perhaps even in VirtualBox, which is something I use frequently for testing) – and just make sure it does what you want before making any changes on your live server.

That’s a very safe way to try things out, and then if it doesn’t do what you want, nothing was changed on your live server, there’s no downtime, and we still get to talk about how to get things working well for you

-Eric

OK I think I am just about there with this.

newclient.com is setup as a new Virtual Server within virtualmin using a dedicated (not shared) IP4 address. Hostname is newclient.com SSL is being procured for www.newclient.com (also covers newclient.com) certificate will be configured in the Server Management -> Manage SSL Certificates menu option. SSL certificate will be copied to Postfix and Dovecot and all mail clients will be configured to connect to newclient.com for outbound and inbound mail using SSL. Insecure ports will be closed.

DNS entries for mail.newclient.com etc will be removed.

This should in theory mean that I can get secure web and mail for this client using one new IP4 address and one SSL certificate.

That’s the plan at least.

Cheers
Spart