Re: multi-site SSL certificates

[Alex JOST]

Am 02.04.2018 um 14:25 schrieb Jeff Abrahamson:
I'm handling mail for several domains, let's call them a.com, b.com,
and c.com.  I have certificates for each of these domains individually
via certbot (letsencrypt) and nginx is happy with all of that.
Since I initially configured the site to handle mail only for a.com,
my /etc/postfix/main.cf file currently has these two lines:

     smtpd_tls_cert_file = /etc/letsencrypt/live/mail.a.com/fullchain.pem
     smtpd_tls_key_file = /etc/letsencrypt/live/mail.a.com/privkey.pem

But I see that mail test tools are reporting that MX for b.com and
c.com are misconfigured due to an SSL name mismatch.  Indeed, this is
true!

So I believe I should generate a multi-site SSL cert.  I try this:

     sudo certbot  certonly  --cert-name postfix  --webroot \
       --webroot-path /var/www/a-com -d www.a.com -d a.com -d mail.a.com \
       --webroot-path /var/www/b-com -d www.b.com -d b.com \
       --webroot-path /var/www/c-com -d www.c.com -d c.com

And that fails with a bunch of errors like this:

     Domain: www.a.com
     Type:   unauthorized
     Detail: Invalid response from
     
http://www.a.com/.well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg:
     "<html>
     <head><title>404 Not Found</title></head>
     <body bgcolor="white">
     <center><h1>404 Not Found</h1></center>
     <hr><center>"

I see that the file

     .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg

is being created (and one other file, too) but that nginx reports that
the _directory_

     .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg

doesn't exist.

Multi-site + letsencrypt + postfix is a subject that has recently
changed quite a bit, so I'm suspecting my web reading is merely
leading me astray.  It is also entirely possible I've misunderstood
things about SSL certificates.  Any pointers how to generate (or point
to) the certificates that I need to make those who contact my postfix
instance happy with their SSL conversation?

Thanks!


You can use 1 directory to create certificates for multiple virtual 
hosts. Copy the config below to all the virtual host config you want to 
use in your certificate (or use 'includes').

user@server:~$ cat /etc/nginx/sites-enabled/a-com
  server {
    [...]

    location ~ /.well-known {
      location ~ /.well-known/acme-challenge/(.*) {
        root        /usr/share/nginx/html;
        add_header  Content-Type application/jose+json;
      }
      allow             all;
      try_files $uri $uri/ =404;
    }
  }


After reloading nginx you can create a new certificate by providing only 
1 webroot directory.

user@server:~$ sudo certbot  certonly  --cert-name postfix \
  --webroot -w /usr/share/nginx/html \
  -d www.a.com -d a.com -d mail.a.com \
  -d www.b.com -d b.com \
  -d www.c.com -d c.com

--
Alex JOST