TLS check failure related to SSL mail server (Let's Encrypt)

Any help on this would be appreciated.

My main domain (domain1.com) is hosted on another server that utilises cPanel & AutoSSL, but the mail (mail.domain1.com) runs through vmin. I previously copied the SSL into vmin & applied it to Postfix. I used this for outgoing mail for all my other domains/subservers.

The SSL recently expired, but the other server using cPanel & AutoSSL will not renew the mail server part of the SSL anymore for mail.domain1.com, as it's hosted on a different server with a different IP address to domain1.com and www.domain1.com.

One solution would be to get an SSL for domain2.com and mail.domain2.com (all hosted on the vmin server) & apply this cert to Postfix, then send mail from this, but I get a failure message when adding mail.otherdomain.com onto the SSL using vmin.

Does anyone know how to get Let's Encrypt to successfully apply the cert to mail.domain.com?

The failure message is as below. It suggests there is an issue with the ACME challenge. I've read some suggestions about installing certbot; if anyone has encountered & solved this, it would be useful to know how.

Traceback (most recent call last):
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 149, in get_crt
    raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for mail.domain2.com: {u'status': u'invalid', u'challenges': [{u'status': u'invalid', u'validationRecord': [{u'url': u'http://mail.domain2.com/.well-known/acme-challenge/cRTPn18uXQmfmy--zVeM7nS86xezHV0eFqtR-bC9esU', u'hostname': u'mail.domain2.com', u'addressUsed': u'88.202.186.191', u'port': u'80', u'addressesResolved': [u'88.202.186.191']}], u'url': u'https://acme-v02.api.letsencrypt.org/acme/chall-v3/74088281060/nMzq2Q', u'token': u'cRTPn18uXQmfmy--zVeM7nS86xezHV0eFqtR-bC9esU', u'error': {u'status': 400, u'type': u'urn:ietf:params:acme:error:dns', u'detail': u'Fetching https://www.mail.domain2.com/.well-known/acme-challenge/cRTPn18uXQmfmy--zVeM7nS86xezHV0eFqtR-bC9esU: DNS problem: NXDOMAIN looking up A for www.mail.domain2.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for www.mail.domain2.com - check that a DNS record exists for this domain'}, u'validated': u'2022-02-01T09:06:02Z', u'type': u'http-01'}], u'identifier': {u'type': u'dns', u'value': u'mail.domain2.com'}, u'expires': u'2022-02-08T09:05:48Z'}

🛈 SYSTEM INFORMATION
OS type and version: CentOS Linux 7.8.2003
Webmin version: 1.984
Virtualmin version: 6.17
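The useful part of that traceback is the authorization object at the end: the validation record shows the CA requested http://mail.domain2.com/.well-known/acme-challenge/..., but the error detail says it ended up fetching https://www.mail.domain2.com/..., a name with no A or AAAA record. That is what the CA reports when the web server answers the challenge request with a redirect to a different hostname, which matches the fix described later in the thread (adding a record for the www. name). The script below is an added example, not code from the original post, Virtualmin or acme_tiny: it turns that pasted "Challenge did not pass" line back into a dict and lists every host the CA actually contacted, so a redirect to an unresolvable name stands out instead of having to be spotted inside a one-line Python repr. Hostnames follow the thread; the IP address and token are constructed placeholders.

```python
"""Summarise why an ACME http-01 authorization failed.

Added example (not from the original post, Virtualmin or acme_tiny).
Hostnames follow the thread; IP address and token are placeholders.
"""
import ast
import re
from urllib.parse import urlparse

# Constructed sample with the same shape as the authorization in the thread.
SAMPLE_AUTHZ = {
    "status": "invalid",
    "identifier": {"type": "dns", "value": "mail.domain2.com"},
    "challenges": [{
        "type": "http-01",
        "status": "invalid",
        "validationRecord": [{
            "url": "http://mail.domain2.com/.well-known/acme-challenge/TOKEN-PLACEHOLDER",
            "hostname": "mail.domain2.com",
            "port": "80",
            "addressUsed": "192.0.2.10",  # placeholder address (TEST-NET-1)
            "addressesResolved": ["192.0.2.10"],
        }],
        "error": {
            "status": 400,
            "type": "urn:ietf:params:acme:error:dns",
            "detail": ("Fetching https://www.mail.domain2.com/.well-known/acme-challenge/"
                       "TOKEN-PLACEHOLDER: DNS problem: NXDOMAIN looking up A for "
                       "www.mail.domain2.com - check that a DNS record exists for this domain"),
        },
    }],
}

# Constructed log line in acme_tiny's Python 2 repr style (u'' prefixes), as pasted above.
SAMPLE_LOG_LINE = (
    "ValueError: Challenge did not pass for mail.domain2.com: "
    "{u'status': u'invalid', u'identifier': {u'type': u'dns', u'value': u'mail.domain2.com'}, "
    "u'challenges': [{u'type': u'http-01', u'status': u'invalid', u'error': {u'status': 400, "
    "u'type': u'urn:ietf:params:acme:error:dns', u'detail': u'Fetching "
    "https://www.mail.domain2.com/.well-known/acme-challenge/TOKEN-PLACEHOLDER: "
    "DNS problem: NXDOMAIN looking up A for www.mail.domain2.com'}}]}"
)

# Plain-language meaning of the RFC 8555 error types most often seen with http-01.
ERROR_HINTS = {
    "dns": "a name the CA tried to resolve has no A/AAAA record",
    "connection": "the CA could not connect to port 80 on the resolved address",
    "unauthorized": "the token file was served but its content did not match",
}


def parse_logged_authorization(line):
    """Recover the authorization dict from the 'Challenge did not pass' message.

    acme_tiny prints the object with repr(); ast.literal_eval accepts the
    Python 2 u'' prefixes, so the text becomes a dict again without eval().
    """
    return ast.literal_eval(line[line.index("{"):])


def hosts_in_detail(detail):
    """Return the hostname of every URL the CA says it fetched in an error detail."""
    hosts = []
    for url in re.findall(r"https?://\S+", detail):
        host = urlparse(url.rstrip(":.,")).hostname  # strip trailing punctuation
        if host:
            hosts.append(host)
    return hosts


def diagnose_authorization(authz):
    """Return one finding per failed challenge in an ACME authorization.

    A finding lists every host the CA contacted (validation record plus error
    detail).  Any host other than the identifier means the web server redirected
    the challenge request; with error type 'dns' that target is the name that
    does not resolve, which is exactly the situation in this thread.
    """
    ident = authz["identifier"]["value"]
    findings = []
    for ch in authz.get("challenges", []):
        if ch.get("status") != "invalid":
            continue
        err = ch.get("error", {})
        err_type = err.get("type", "").rsplit(":", 1)[-1]
        fetched = {urlparse(r["url"]).hostname for r in ch.get("validationRecord", [])}
        fetched.update(hosts_in_detail(err.get("detail", "")))
        other_hosts = sorted(h for h in fetched if h != ident)
        hint = ERROR_HINTS.get(err_type, "see error detail")
        if other_hosts and err_type == "dns":
            hint = "challenge was redirected to %s, which has no DNS record" % ", ".join(other_hosts)
        findings.append({"identifier": ident, "challenge": ch.get("type"),
                         "error_type": err_type, "fetched_hosts": sorted(fetched),
                         "redirected_to": other_hosts, "hint": hint})
    return findings


if __name__ == "__main__":
    for f in diagnose_authorization(parse_logged_authorization(SAMPLE_LOG_LINE)):
        print("%(identifier)s [%(challenge)s] %(error_type)s: %(hint)s" % f)
```

Run it with the real "ValueError: Challenge did not pass ..." line from your own log in place of SAMPLE_LOG_LINE. If "redirected_to" is non-empty, either give that name a DNS record (the fix used here) or stop the virtual host from redirecting the /.well-known/acme-challenge/ path; if it is empty and the error type is "dns", the identifier itself is what does not resolve.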

OK - fixed this eventually. I installed certbot, but not sure this was required, as the SSL wouldn't deploy on mail.domain.com after I did this. I already had an A record for mail.domain.com but needed to add another for www.mail.domain.com, and this allowed me to deploy an SSL onto mail.domain.com. Just needed to set this cert as the one for default services to copy to Postfix, and TLS works!

You have created a virtual host named mail.domain1.tld, and this is not ideal. The mail subdomain is reserved and should not be used as the name of a virtual server.

What you should have done is create a virtual server for domains.tld (yeah, I know that the domain1 and www is hosted somewhere else) and then get a certificate only for mail.domain1.tld. This would be the correct way to go about doing it in Virtualmin and would be compliant with how all the moving parts in Virtualmin expect a domain to be set up.

The way you have done things may or may not produce quirks.

Thanks for the reply. I did try to get a Let's Encrypt cert for mail.domain.com, but it gave the "NXDOMAIN looking up A..." error. Hopefully there won't be too many quirks; mail seems to be sending normally with this setup so far.
