Hi Rodrigo,
We are still ahving this problem on a newly yummed 5211, Server offer the > BX.Host certificate instead of the domain when using> outlook with
pops and smtps ,> > Certificate is letsencrypt> > Do I have to install
an specific package to receive the correction, The> domain only has 1 alias.
No, this should already work fine. You could try to restart CCEd to
force an update of the SSL configuration for Postfix and Dovecot, though:
/usr/sausalito/sbin/cced.init restart
You can also test the TLS connection agains Postfix this way:
openssl s_client -starttls smtp -connect <server>:587
Just replace <server> with the fully qualified domain name you want to test.
Example:
openssl s_client -starttls smtp -connect 5210r2.smd.net:587
That is a Vsite on a 5210R with an LE cert. In the output the relevant
lines are this:
mstauber@beast:~$ openssl s_client -starttls smtp -connect
5210r2.smd.net:587
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = 5210r2.smd.net
verify return:1
---
Certificate chain
0 s:CN = 5210r2.smd.net
i:C = US, O = Let's Encrypt, CN = R3
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Sep 10 07:50:50 2023 GMT; NotAfter: Dec 9 07:50:49
2023 GMT
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Sep 4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00
2025 GMT
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03
2024 GMT
---
Above it shows the name of the certificate that answered:
depth=0 CN = 5210r2.smd.net
Also further below in the output below the raw certificate you can see
something like this:
-----END CERTIFICATE-----
subject=CN = 5210r2.smd.net
issuer=C = US, O = Let's Encrypt, CN = R3
That also (again) tells us which domain the cert is valid for and the
issuer.
Try it with the FQDN of the Vsite that is not working and see if the
cert validity that shows up is for the Vsite or for the server.
--
With best regards
Michael Stauber
_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
