How to Generate SSL Certificates for WEBMAIL and MAIL Subdomains in HestiaCP

Introduction

I’m creating this post for two reasons:

  1. To save other users from spending hours trying to solve this surprisingly simple issue (once you know how).
  2. To request that the project maintainers incorporate this information into the documentation, which to my knowledge, doesn’t currently exist. Or maybe a tooltip or tiny message on the UI.

Scenario

I created a third user account (user3) in my HestiaCP and a domain for it (domain3.com). When adding the domain, I specified in the form that I wanted to use Let’s Encrypt.

Everything worked fine up to this point. However, no certificate was created for webmail.domain3.com or mail.domain3.com, preventing secure access to webmail and the use of SSL certificates for SMTP mail sending, which is problematic.

Diagnosis

I’m not entirely sure what the issue was. One would think that HestiaCP would have created the certificate not only for domain3.com and www.domain3.com (which I defined as an alias) but also for webmail.domain3.com and mail.domain3.com. However, this didn’t seem to be the case.

I spent about 3-4 hours searching this forum and GitHub, trying to understand what was happening.

Solution

As often happens, persistence pays off. I found the solution in a comment by @sahsanu here: (What is the difference between v-add-letsencrypt-domain and v-add-letsencrypt-host? - #2 by eris). Running this command in the server terminal did the trick:

v-add-letsencrypt-domain user3 domain3.com www.domain3.com yes

It worked on the first try!

Note: If you look at the code on GitHub, this command accepts 4 arguments:

v-add-letsencrypt-domain USERNAME ROOTDOMAIN ALIASDOMAINCOMMALIST MAIL

Where “MAIL” is a boolean that can be “yes” or “no” to generate (or not) the certificate for the MAIL and WEBMAIL subdomains.

Questions for the team

  • Aren’t certificates for mail and webmail supposed to be generated BY DEFAULT when we add a certificate for an existing domain in a user’s account?
  • Or is there a requirement for this to happen? The existence of some DNS zone in that domain? In my case, I always had MAIL and WEBMAIL as A-type DNS records pointing to the server’s IP. Is an IMAP or SMTP record necessary? (I don’t think so)
  • Could it be that if this domain name has NOTHING to do with the hostname defined on the server, it might prevent HestiaCP from automatically generating that certificate for MAIL and WEBMAIL?

Acknowledgments

Whatever the case, thank you all for being here, for this excellent software, and for the great support you provide when those of us with less knowledge are always asking questions that might seem obvious to you.

Syntax:

For main domains:

v-add-letsencrypt-domain user domain.com "" yes

However, we don’t support “domain.com” for webmail aliases.

See: CLI Reference | Hestia Control Panel

Hello @eris, what do you mean by this? I now have the following working perfectly:

Both on the same server (same HestiaCP), same IP, but under two different users (user1 and user2), neither of which is an “admin” type user.
I didn’t quite understand what you meant by your comment. Isn’t your command the same as the one I mentioned? Perhaps I’m missing something that I’m not seeing.

Best regards!

You can’t add domain.com as alias for mail.domain.com and webmail.domain.com

I think I still don’t understand what you’re trying to tell me. I apologize. Are you suggesting that the automatic generation of the certificate for mail.domain3.com and webmail.domain3.com didn’t work because I defined them at some point as aliases of domain3.com?

Because that never happened. At least, as far as I’m aware. The only thing I did was create separate DNS A records for the “subdomains” MAIL and WEBMAIL pointing to the server’s IP. I suppose that’s not the same thing, right?

I’m asking without much certainty because I’m not one of those who knows A LOT about these things, so I’m trying to understand if I did something wrong or if HestiaCP by default doesn’t generate the certificate for MAIL and WEBMAIL.

I’d like to have an answer to this.
Cheers.

I’ll edit my post in the other topic because it is not correct.

No, a web domain and a mail domain are two different types. Maybe you didn’t add support for mail domain when creating a web domain and vice versa.

Yes, the requirement is that you explicitly tell Hestia that the mail domain must use SSL.

No.

When you use the command:

v-add-letsencrypt-domain YourUser example.com www.example.com yes

As MAIL is yes, Hestia will issue a certificate for the sub domains mail.example.com and webmail.example.com so it will ignore the aliases, in this case www.example.com

To issue a certificate for the web domain and its aliases the command should be:

v-add-letsencrypt-domain YourUser example.com www.example.com 

or

v-add-letsencrypt-domain YourUser example.com www.example.com no
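As an added example (not code from this thread, and not HestiaCP’s own code), the following POSIX shell script encodes the argument semantics explained in the answer above and in the earlier syntax note: with MAIL set to yes the certificate covers only mail.DOMAIN and webmail.DOMAIN and the alias list is ignored, otherwise it covers the domain plus its aliases. It prints the two commands needed to cover both the web domain and the mail subdomains, and it checks a PEM certificate’s subjectAltName list against the expected names so you can confirm what was actually issued. It assumes `openssl` is on the PATH; the sample certificate it builds is constructed locally, and the Hestia certificate path mentioned in a comment is an assumption, not taken from the thread.

```shell
#!/bin/sh
# Added example: plan the v-add-letsencrypt-domain calls and verify SAN coverage.
# Assumes the MAIL-flag semantics described in the thread; openssl must be installed.

# Names a certificate is expected to cover for one call of
#   v-add-letsencrypt-domain USER DOMAIN ALIASES MAIL
# MAIL=yes  -> mail.DOMAIN and webmail.DOMAIN only (aliases are ignored)
# otherwise -> DOMAIN plus each comma-separated alias
expected_names() {
    domain=$1; aliases=$2; mail=$3
    if [ "$mail" = "yes" ]; then
        printf '%s\n' "mail.$domain" "webmail.$domain"
    else
        printf '%s\n' "$domain"
        if [ -n "$aliases" ]; then
            printf '%s\n' "$aliases" | tr ',' '\n'
        fi
    fi
}

# Because one call covers either the web names or the mail names, two calls are
# needed to secure both; print them (dry run, nothing is executed here).
plan_commands() {
    user=$1; domain=$2; aliases=$3
    printf 'v-add-letsencrypt-domain %s %s "%s" no\n' "$user" "$domain" "$aliases"
    printf 'v-add-letsencrypt-domain %s %s "" yes\n' "$user" "$domain"
}

# DNS names from the certificate's subjectAltName extension, one per line.
cert_san_names() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# Exit 0 if the certificate lists every name given; otherwise print the
# missing names and exit 1. Exact matches only (no wildcard handling).
cert_covers() {
    cert=$1; shift
    have=$(cert_san_names "$cert")
    missing=0
    for name in "$@"; do
        if ! printf '%s\n' "$have" | grep -qx "$name"; then
            echo "missing: $name"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample: a throwaway self-signed certificate with the SANs a
# MAIL=yes request would produce (needs OpenSSL 1.1.1+ for -addext).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1" -subj "/CN=mail.example.com" \
        -addext "subjectAltName=DNS:mail.example.com,DNS:webmail.example.com" \
        >/dev/null 2>&1
}

demo() {
    echo "Commands to cover web and mail names for user3/domain3.com:"
    plan_commands user3 domain3.com www.domain3.com
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found; skipping certificate check"
        return 0
    fi
    # On a real Hestia host you would point cert_covers at the issued file,
    # assumed here (not confirmed by the thread) to live under
    # /home/USER/conf/mail/DOMAIN/ssl/; the sample below stands in for it.
    tmp=$(mktemp -d)
    make_sample_cert "$tmp/mail.pem"
    # shellcheck disable=SC2046
    if cert_covers "$tmp/mail.pem" $(expected_names example.com www.example.com yes); then
        echo "mail certificate covers mail. and webmail. names"
    fi
    # The same certificate does not cover the web domain: that is the point
    # of the answer above, and it is why a second call is needed.
    cert_covers "$tmp/mail.pem" example.com || echo "web name needs its own certificate"
    rm -rf "$tmp"
}

demo
```

Run it as `sh check-le.sh` on any machine with openssl to see the plan and the SAN check; on the Hestia server, replace the sample path with the issued certificate file and the expected names with the output of `expected_names` for your domain.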

Ok, man, I now fully understand you (I think so :sweat_smile:).
Thanks!!

