SSL Strange behavior (or not?)

OS type and version Ubuntu Linux 22.04.1
Webmin version 2.013
Usermin version 1.861
Virtualmin version 7.5
Theme version 20.13
Package updates 1 package update is available

A prompt from Virtualmin that the SSL is about to expire - Thank you

I check and the LE page tells me the SSL expired yesterday (whoops). A further check indicates that it was also set to auto renew! So why didn’t it?

Anyway, I simply requested a new certificate (why not) and got a bunch of errors. So I checked what had been requested. To my alarm, not only was it requesting and as expected, it was also requesting and

I have no idea where those subdomains have come from; I have not added them. And using the “domains listed here” option without them gets the LE cert issued and everything working - great! But where did those extra subdomains come from? And what may have stopped working without them?

I may be totally off the mark here, and maybe an expert will chime in with the correct answer, but I believe those are auto-created with the email setup. DNS records are created for them and I believe that the Let's Encrypt default domains are pulled from the DNS setup.
I don’t use them and I always specify what domains I want listed in my certificates. I leave those out. I have never had an issue with that. If you find certificate issues (due to a missing or mismatched certificate) you might need to look into it further but I have never had any issues related to those.

This happened again (not automatically renewing) a couple of days ago.

As I came to the conclusion that the failed automatic renew was again due to these same and domains being requested, I selected only the ones that I needed and LE gave me a new certificate.

Where are these extra requests coming from? And why?

I believe that when a virtual server is created there are DNS records that are created automatically in order to allow email clients like Outlook, Thunderbird etc. to automatically set up an email account for the client. AFAIK they are not really needed and you could actually remove those DNS records. When a user goes to set up their email client it may then require them to manually add a few items. If they are there, I believe they provide a bunch of default settings to those email clients. My understanding is that when an email client tries to connect and check for setup, these settings redirect to scripts that provide additional information for the clients to auto-populate certain fields.

When you set up your Let's Encrypt renewal form there are two fields where you can request the domains to be in your certificate.
The first are domains that are associated with your server. These are automatically populated and, I believe, are pulled from your DNS settings which were set up automatically. That field displays those default domains and is selected by default.
The other is a list you can specify. I select it as my choice when I save the dialog and only place the domains I want in my certificate. When the certificate renews it will then use my choices rather than the default choices.

I expect that if you set up a virtual server that does not use email accounts those DNS records would not be created and you would not see them in the Let's Encrypt setup. You could test it out by creating some different virtual servers and see what happens. I think that if you remove those items from the DNS records and you manually remove them from the virtual hosts config file they will probably not show up in Let's Encrypt’s setup dialog. It's been a long time since I have played with those things so I can’t remember what happens for sure.
