Host cert not done by letsencrypt (if not resolved to external IP)


My setup is a server behind NAT (because I want openvpn, ipset for country acls, own firewall rules, rspamd, nginx reverse proxy in front of MIAB server). I do DNAT to MIAB for mail and http reverse proxiing to MIAB for http(s).

My previous setup (iRedMail) worked perfectly without greylisting with rspamd - but got unsupportable after upgrade to bullseye.

These are all reasons why I do not need letsencrypt (I do this with dehydrated - much easier on the frontend server). Anyway, I also tried to forward the .well-known location to MIAB server.

The forward works for my mail domains, but I wonder why I had the same issue than self-signed-not-replaced #8495.

Manually replacing the cert links with my own letsencrypt certs resulted in
#3867 (no reply) and #3565 (sorry, cannot post more links on my first post:-).

Still the reason why I not just using letsencrypt builtin is issue #8495.

Why my self-signed cert of the host itself is not done by builtin letsencrpyt?
The maildomains do work - but the cert for the hostname itself is still self-signed.


Is this due to

            if domain not in actual_web_domains:
                    domains_cant_provision[domain] = "The domain has a custom DNS A/AAAA record that points the domain elsewhere, so there is no point to installing a TLS certificate here and we could not automatically provision one anyway because provisioning requires access to the website (which isn't here)."

in management/

My hostname resolves internally to the private IP, not the public one: Certificate Status:

Self-signed. Get a signed certificate to stop warnings. The domain name does not resolve to this machine: (A).

If he would try it would resolve externally to him :slight_smile:

Well, I removed the forwarder in /etc/bind/named.conf.options, and thus resolving myself via external DNS servers.

Now that warning “The domain name does not resolve to this machine” is gone and mail3.mydomain.tld (hostname) is resolving to the external IP and is listed on the “Provision” button.

I have to think through, if my host needs to resolv internal IP addresses.

Might there be a config option somewhere to accept that “not resolve to this machine” with an override?

Now it is not working because it wanted to do www.maildomain.tld, too.
Why it added www.maildomain.tld? www is a completely different host!
Where is it coming from and how to get rid of it in the TLS page?

Add an A record on the custom DNS page pointing it to … somewhere that isn’t your MiaB.

thanks @alento!

“Provision” of certs is now valid and is out of the box behaviour without modification (all standard settings via GUI and supported).

This is a perfect scenario for me now:

  • Miab server resolves via public DNS hierarchy and sends out directly to Inet
  • Inbound mail via postfix relay w/ rspamd in front of it (this also solves the greylisting somehow, together with the whitelist_clients.local workaround)
  • Certs for it’s hostname, so internal communication is valid, too
  • nginx reverse proxy in front of MiaB Server do some filtering and IP sharing for other purposes
  • admin page only reachable from inside. with correct cert.

BTW: For others fall into the HSTS trap after generated self signed too often: clear browser cache!

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.