I’m having a hard time pinpointing the following issue.
My server has an SSL cert valid until Jan 18th. This is confirmed when running v-list-sys-hestia-ssl
However, my Outlook is telling me the mailserver cert is no longer valid (it was until this morning). If I run echo | openssl s_client -connect mail.mydomain.nl:465 -servername mail.mydomain.nl it shows valid until Nov 30th.
*The hostname of my server IS mail.mydomain.nl
I tried v-add-letsencrypt-host and v-update-letsencrypt-ssl but neither of the certificates renews.
So I have 2 questions: why are there 2 certs for the same domain, and why didn’t one of them auto renew…
Any help greatly appreciated!
EDIT: I should mention I have added the domain mail.mydomain.nl under the (newly created) admin user. I’m not sure if this is correct.
In this case, v-update-letsencrypt-ssl should renew the certs.
To debug this kind of issue, it is really important to know the actual domain name.
First, check whether the current certificate is the one being used by Exim and Dovecot (replace testuser with the actual user name and example.net with the actual domain name):
You should also check the log located here: /var/log/hestia/LE-testuser-mail.example.net.log
And also show the output of this command:
for f in $(grep -rlE "LETSENCRYPT_FAIL_COUNT=" /usr/local/hestia/data/users/*/{web,mail}*); do d=$(grep -oE "DOMAIN='[^']*'" "$f" | head -n1); l=$(grep -oE "LETSENCRYPT_FAIL_COUNT='[^']*'" "$f" | head -n1); echo "$f: ${d} ${l}";done | column -t
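As an added example (not code from this thread or from Hestia), the script below applies the check above to the text those openssl commands print: it parses the certificate on disk and the one the mail port actually serves (pipe `openssl s_client` into the same `openssl x509` command) and reports the mismatches seen in this thread. The sample inputs are constructed.

```python
# Added example for this thread, not Hestia's code: parses the text printed by
# `openssl x509 -noout -dates -subject -ext subjectAltName` for the on-disk cert and
# for the served one (pipe `openssl s_client -connect host:465` into that command).
from datetime import datetime, timezone
import re

def parse_x509_text(text):
    """Return subject, issuer, notBefore/notAfter (UTC datetimes) and SAN DNS names."""
    info = {"sans": []}
    for line in (l.strip() for l in text.splitlines()):
        key, _, val = line.partition("=")
        if key in ("notBefore", "notAfter"):   # e.g. "Nov 30 00:00:00 2024 GMT"
            val = " ".join(val.split()).replace(" GMT", "")
            info[key] = datetime.strptime(val, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
        elif key in ("subject", "issuer"):
            info[key] = val.strip()
        elif "DNS:" in line:                   # SAN line: "DNS:a.example.net, DNS:b.example.net"
            info["sans"] += re.findall(r"DNS:([^,\s]+)", line)
    return info

def covers(info, hostname):
    """True if the cert is valid for hostname: SAN entries, or the CN when there is no SAN."""
    names = info["sans"] or re.findall(r"CN\s*=\s*([^,]+)", info.get("subject", ""))
    host = hostname.lower().rstrip(".")
    for name in (n.lower().strip() for n in names):
        if name == host or (name.startswith("*.") and host.count(".") == name.count(".")
                            and host.endswith(name[1:])):
            return True
    return False

def diagnose(disk_text, served_text, hostname, now):
    """Compare the cert on disk with the served one; return findings (empty list means OK)."""
    disk, served = parse_x509_text(disk_text), parse_x509_text(served_text)
    findings = []
    if (served["subject"], served["notAfter"]) != (disk["subject"], disk["notAfter"]):
        findings.append("served cert is not the one on disk (daemon not reloaded or wrong ssl path)")
    if served["notAfter"] < now:
        findings.append("served cert expired on %s" % served["notAfter"].date())
    if not covers(served, hostname):
        findings.append("served cert does not cover %s (SANs: %s)" % (hostname, ", ".join(served["sans"])))
    return findings

# Constructed sample output mirroring the thread: fresh cert on disk, stale one still served.
DISK = """notAfter=Jan 18 10:00:00 2025 GMT
subject=CN = mail.example.net
    DNS:mail.example.net, DNS:webmail.example.net"""
SERVED = """notAfter=Nov 30 10:00:00 2024 GMT
subject=CN = hestia.example.net
    DNS:hestia.example.net"""
NOW = datetime(2024, 12, 2, tzinfo=timezone.utc)
```

Run `diagnose(DISK, SERVED, "mail.example.net", NOW)` to see all three findings; an empty list means the served certificate is the current one and covers the hostname Outlook connects to.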
I have added the domain mail.mydomain.nl under the (newly created) admin user.
This was not an admin user. Since the official documentation suggested only creating domains under a user that is not the admin user, that’s what I did a few months ago when I installed the server. So I have a couple of sites and services running on subdomains of mydomain.nl, under a regular user. This included mail.mysubdomain.nl, which is also the server's hostname. No site or service is running under that subdomain.
I suspect this is where the problem was coming from.
Should there be a domain registered under a user that matches the server's hostname?
If yes, should that be under the admin account, or under a non-admin user?
Secondly, I managed to get things working again by moving the domains from the non-admin user to the admin user. Also, I had to change the content of
After that I ran v-add-letsencrypt-host which updated the SSL certificate. Then a restart of dovecot and exim4 and everything was working again.
To answer your questions…
openssl x509 -in /usr/local/hestia/ssl/mail/example.net.crt -noout -issuer -dates -subject -ext subjectAltName
The cert of mail.mydomain.nl is not (or no longer) in that directory.
When running this command for the non-admin user the mail.mydomain.nl was previously registered under, I receive an error (which makes sense because the domain was moved). When running it for the admin, I get the output below:
Interestingly, there is no log file for mail.mydomain.nl. There is however a log file for hestia.mydomain.nl, the hostname I used previously. The last log entry is over a month old.
Yes to the first question. Regarding the second question, it doesn’t matter.
The conf you changed manually will be rewritten when you rebuild the mail domain.
First, I would change your server’s hostname from mail.example.net to whatever.example.net, otherwise you may experience issues with the mail domain because it requires two subdomains (mail and webmail). Once the change is done, update the PTR record of your public IP to point to whatever.example.net.
Next, add the mail domain correctly to your admin user (remember that you must have two A records pointing to your server’s IP: mail and webmail, as well as an MX record pointing to mail.example.net). If you already have added the mail domain, rebuild it.
If you issued a certificate for your mail domain correctly, it should appear in those certificate files. So, right now you don’t have a correct setup.
And that’s a great reason to not use mail.example.net as your hostname.
Thanks for your advice. I was under the impression that having a hostname and PTR record that match the url to connect to the mailserver (mail.mydomain.nl) improves email deliverability, but that does not seem to be true.
I have changed the hostname per your suggestion and updated the PTR record.
There were already mail. and webmail. A records pointing to the server, so that part should be OK.
I am not entirely sure what to do with the mail domain now. I do have the maildomain for mydomain.nl under the admin user now (was previously located under the non-admin user).
Should I move that back to the non-admin user? Basically it is like any other customer mail domain, right?
To improve deliverability, your public IP should point to the domain your mail server identifies itself with. Exim uses the server’s hostname to identify itself; you can check it using telnet:
telnet mail.example.net 25
And you should see something like this (the part after 220 is the name Exim uses to identify itself).
❯ telnet mail.example.net 25
Trying 203.0.113.67...
Connected to mail.example.net.
Escape character is '^]'.
220 whatever.example.net
So, whatever.example.net must point to your public IP, and the public IP must resolve back to whatever.example.net.
Great.
I would move it to the same user that is managing the base domain example.net.
Okay, so I now have mail.mydomain.nl and hestia.mydomain.nl under the admin user. The base domain mydomain.nl is now under a different user.
Outlook then started throwing errors because the cert it received was for hestia.mydomain.nl instead of mail.mydomain.nl. So I then rebuilt the domains as you suggested and then ran v-update-letsencrypt-ssl which now finished without errors.
Looks like things are now working with the new hostname and PTR record.
Thank you kindly for helping me out, your effort is greatly appreciated sahsanu!