Will LetsEncrypt on the server's hostname work (automatically) for Postfix and Dovecot as well?

Assuming latest fresh (clean) install of GPL version on CentOS 7:

I am planning to create the virtual server’s hostname (i.e. myserver.domain.com) and enable Apache and SSL site on it. I will then acquire a LetsEncrypt SSL certificate for that server and I want to use that certificate also for email services (Dovecot IMAPS+Postfix).

Question: Will the mail services be reloaded (or restarted) when the virtual server automatically renews the LetsEncrypt certificate, or do I need to buy a wildcard SSL?

Virtualmin / Server Configuration / SSL Certificate - Service Certificates Tab

Hit the copy to buttons for Dovecot and Postfix and that certificate will be used for both services.


CentOS 7 does not have a version of Postfix that supports SNI. So, not automatic in the sense that every domain will automatically set up the cert to be used by Postfix. You have to choose which domain will be the TLS domain for Postfix.


Hi,

I know it will work the first time. What about when the automatic renewal happens? Will Dovecot and Postfix automatically be reloaded with the new cert?

I do believe that @Joe already answered that one for you in his post.

I didn’t directly, but I assumed it was obvious.

Of course Virtualmin will automatically renew any certificates it is managing, if you tell it to.


After you do this, let me give you an idea what happens after you set email clients to use the letsencrypt cert…
Email clients will barf all over the place and give people a hard time when it changes. Thunderbird will possibly be left open all night and you will have 100 small windows open asking about the certificate. Androids can handle it by telling it to accept any certificate, iPhones will simply stop working and will have to be fussed with. On and on and on.

Wow - that happens when Virtualmin automatically renews SSL certificates via Let’s Encrypt?

Thanks for letting us know.

I’m pretty sure that shouldn’t happen if your mail client is up to date, and the full chain is being used in Postfix and Dovecot. The signing certificate used by Let’s Encrypt is known by the current version of Thunderbird, as far as I know. If you get a popup when it changes, you have something wrong somewhere…I don’t know where, though.

Would like to hear from those that have it working with email clients…

I am certainly interested in other people’s experience doing this.

Have you checked to be sure you have current software (both Virtualmin/Webmin and Thunderbird)? Are you sure the certificate name(s) match the name you are using to contact the server? This isn’t really a thing that should need discussion (but if it does require further discussion, please start a new topic, as it’s unrelated to the original question). It just works. If it doesn’t work, something is wrong. I just tested, and when I renew our certificate, Thunderbird does not give any errors.
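A check that covers the two points raised above (full chain and matching names, plus whether each service actually reloaded after renewal): it fingerprints the leaf certificate on disk and compares it with what Dovecot (IMAPS, port 993) and Postfix (submission, port 587 with STARTTLS) really present. This is an added example, not code from the thread or from Virtualmin; the hostname, port numbers and the path to the certificate file are assumptions, and the three PEM strings are constructed samples, not real certificates.

```python
import hashlib
import imaplib
import smtplib
import ssl

PEM_BEGIN, PEM_END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

# Constructed sample PEMs (base64 of the words "leaf" and "inter"), only so the
# parsing can be exercised offline. A real fullchain.pem holds leaf first, then
# the Let's Encrypt intermediate(s).
SAMPLE_LEAF = f"{PEM_BEGIN}\nbGVhZg==\n{PEM_END}\n"
SAMPLE_INTERMEDIATE = f"{PEM_BEGIN}\naW50ZXI=\n{PEM_END}\n"
SAMPLE_FULLCHAIN = SAMPLE_LEAF + SAMPLE_INTERMEDIATE


def leaf_fingerprint(pem_text: str) -> str:
    """SHA-256 of the first (leaf) certificate in a PEM file such as fullchain.pem.
    Only the leaf is hashed, so a chain file compares equal to the leaf alone."""
    start = pem_text.index(PEM_BEGIN)
    stop = pem_text.index(PEM_END, start) + len(PEM_END)
    der = ssl.PEM_cert_to_DER_cert(pem_text[start:stop])
    return hashlib.sha256(der).hexdigest()


def served_fingerprints(host: str) -> dict:
    """Fingerprint of the certificate each mail service actually presents.
    A verifying default context is used on purpose: an incomplete chain or a
    name that does not match `host` raises ssl.SSLCertVerificationError, which
    is the same condition that makes a mail client complain."""
    ctx = ssl.create_default_context()
    served = {}
    with imaplib.IMAP4_SSL(host, 993, ssl_context=ctx) as imap:  # Dovecot IMAPS
        served["imaps"] = hashlib.sha256(imap.sock.getpeercert(True)).hexdigest()
    with smtplib.SMTP(host, 587, timeout=10) as smtp:  # Postfix submission
        smtp.starttls(context=ctx)
        served["submission"] = hashlib.sha256(smtp.sock.getpeercert(True)).hexdigest()
    return served


def stale_services(expected: str, served: dict) -> list:
    """Names of services still presenting a certificate other than the one on disk,
    i.e. services that were not reloaded after the renewal."""
    return sorted(name for name, fp in served.items() if fp != expected)


if __name__ == "__main__":
    # Assumed hostname and certificate path; adjust to your server.
    with open("/etc/letsencrypt/live/myserver.domain.com/fullchain.pem") as f:
        on_disk = leaf_fingerprint(f.read())
    print("not reloaded:", stale_services(on_disk, served_fingerprints("myserver.domain.com")))
```

Run it once right after a renewal (for example from a renewal hook); an empty list means both services serve the new certificate, and a verification error names the service whose chain or hostname a client would reject.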

Agreed on the new thread thing. Apologies to the original poster.
On another note, I, too, went looking and testing and found this.
https://clients.websavers.ca/whmcs/knowledgebase/268/Your-mail-app-presents-an-error-like-cannot-verify-server-identity.html
Which prompted me to use the hostname of the server in the cert as well. Then renewed, tested, renewed again and had no troubles. Interesting. We typically use mail.domainname.com, which is also listed in the cert.
At this point, I would invite the original poster to go forward and give it a try…
