Mail and webmail SSL cert invalid

Truz · October 31, 2023, 4:00pm

I have generated the cert by navigating to Mail > Domain > Checked SSL and letsencrypt

Despite that when I try to use nodemailer it outputs this error:
Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate’s altnames: Host: webmail.example.com. is not in the cert’s altnames: DNS:example.com, DNS:www.example.com

And to confirm if I have read on other posts, yes I have and no solution would do it in my case.

sahsanu · October 31, 2023, 5:34pm

You should use mail.example.com instead of webmail.example.com

Anyway, show the output of (replace example.com by your domain):

echo | openssl s_client -connect webmail.example.com:465 -servername webmail.example.com 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName | tr -d ' '

echo | openssl s_client -connect mail.example.com:465 -servername mail.example.com 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName | tr -d ' '

eris · October 31, 2023, 5:42pm

Try using hostname.domain.com instead …

Truz · October 31, 2023, 6:08pm

subject=CN=example.com
X509v3SubjectAlternativeName:
DNS:example.com,DNS:www.example.com

subject=CN=mail.example.com
X509v3SubjectAlternativeName:
DNS:mail.example.com,DNS:webmail.example.com

sahsanu · October 31, 2023, 6:10pm

Ok, then, as I said, use mail.example.com

Truz · October 31, 2023, 6:17pm

Still the same error despite changing from webmail to mail. Here is another part of the error i get a bit further down.

reason: “Host: mail.example.com. is not in the cert’s altnames: DNS:example.com, DNS:www.example.com”,
host: ‘mail.example.com’,

sahsanu · October 31, 2023, 6:19pm

Then nodemailer is not using SNI, use example.com or www.example.com or as @eris said, use the hostname of your server.

Truz · October 31, 2023, 6:22pm

You are indeed onto something here, but now I am facing that the auth is incorrect:

code: ‘EAUTH’,
response: ‘535 Incorrect authentication data’,
responseCode: 535,
command: ‘AUTH PLAIN’

Despite I know I am using a valid email which would be [email protected] and I am trying to use the same password that I would use for logging in to Roundcube.

sahsanu · October 31, 2023, 6:26pm

Which port are you using?

Truz · October 31, 2023, 6:27pm

That would be port 587.

sahsanu · October 31, 2023, 6:28pm

And nodemailer is using starttls? If you want to use a direct TLS connection, use port 465

Truz · October 31, 2023, 6:38pm

That got it further, but now it is complaining about not receiving a greeting.

Error: Greeting never received
code: ‘ETIMEDOUT’,
command: ‘CONN’

sahsanu · October 31, 2023, 6:42pm

Maybe you should ask in nodemailer community.