After renewing a TLS certificate I get these two errors in the mailinabox admin:
The DANE TLSA record for incoming mail (_25._tcp.box.dobom.website) is not correct. It is ‘3 1 1 dcdaa5cd22340a393c867c0db9015105ecc46b040470f0fb7565f22cea46bbac’ but it should be ‘3 1 1 586264c988f1d5031d31ed14aa5c8e297b7274f0d5ae4eec9767d5fa7366d6be’. It may take several hours for public DNS to update after a change.
The TLS (SSL) certificate has a problem: The certificate is for the wrong domain name. It is for Gandi Standard SSL CA 2.
I just regenerated for the second time and also tried installing from within the admin, but get the same error.
In the gandi admin area it clearly shows that the protected address is the correct subdomain.
Does anyone have an idea how I can fix this?
By the way, digicert and other ssl checking sites say everything’s all right, so I don’t really understand.
I am not certain of the reason, but Gandi has issued a certificate for your domain and has applied it to your site. That certificate is valid.
The first question is why is that certificate there and how to get rid of it. Did you do something on your VPS to have Gandi issue and install a certificate?
Sure, I renewed the certificate.
Generated the needed new csr, and placed the csr and key on the server.
I’ve done this a couple of times with no problem, so I don’t get what’s happening now.
Ok, so you have chosen to use a certificate issued by an authority other than the internally supported Let’s Encrypt, by requesting it from Gandi with a CSR and installing it, presumably in the TLS (SSL) Certificates area of the admin pages.
So why are you trying to issue a Let’s Encrypt certificate with the Gandi one in place? That is where I am confused.
As far as I can tell from what you have said and what I am seeing, you are good until next December (2019).
Well, MiaB needs one TLS certificate that’s not the Let’s Encrypt one, which is the same as the domain the admin runs from. I’m only renewing that one TLS certificate. Am I wrong about a separate TLS certificate for the “main” domain being needed for MiaB?
What do you mean that I’m trying to issue a Let’s Encrypt certificate with the Gandi one in place?
MiaB needs a certificate issued for the domain that the mail server is on, which in your case is box.dobom.website. (Assuming no websites are being hosted from within MiaB.)
Go to box.dobom.website - Mail-in-a-Box Control Panel in your browser. The padlock showing the site is secured by SSL will be there. Click on the padlock, then the right arrow, and then the “more information” tab at the bottom. I am using Firefox, so a different browser may behave differently. Once you are there, you will be able to review all of the certificate information.
Yes, other TLS checkers like digicert also showed that all is well. The thing I don’t understand is, why MiaB admin has these lines of error, when the earlier cert gave no errors, even though the process was exactly the same.
Having never used an externally generated SSL certificate for MiaB personally, I am not the one who can answer that …
But let me make a broad assumption … when using External DNS, the MiaB admin area gives several error messages - all of which can be safely ignored. Perhaps the same is true with the SSL certificate? I do not know.
I would think, though, that if you installed the certificate from the admin area SSL Certificate page, MiaB would know this and account for it. Is this how you ‘installed’ it? So far, I have been assuming so.
At this point I can only suggest changing the title of this thread to something like “Installed SSL Certificate causing errors in admin area” to catch the attention of someone with more knowledge of the back end development such as one of the developers.
Though I don’t understand how you do not use an external SSL, don’t you need one for MiaB to work?
I appreciate your effort!
I modified the title according to your suggestion.
We will see if anyone catches on.
Let me clarify my bad usage of the term “external SSL” … by that I am referring to an SSL certificate issued by a different certificate authority and installed to MiaB
INSTEAD OF
using the Let’s Encrypt SSL certificate that is generated by Let’s Encrypt with the certbot client that is integrated within MiaB.
As mentioned earlier in this thread, an SSL certificate is absolutely required for proper, hassle-free functioning. It is, however, not required that the certificate be issued using the certbot client within MiaB.
OK, thanks for the clarification.
I regenerated the certificate once more, but get the same error in the admin.
I’ll just leave it for now, and hope everything will work properly.
I thought the question was whether I use external DNS at all, for any of the handled domains, and to that the answer is yes. But for box.dobom.website I use ns1/ns2.box.dobom.website.
I just realised that maybe I am facing this issue because I created the csr from the command line with this command (because this is what Gandi.net requires to generate the cert):
So I tried the installation via the MIAB admin, but I wasn’t able to generate the cert with the csr provided by MIAB. Gandi didn’t accept the csr.
Could anyone suggest a solution, so I can generate a csr with MIAB that Gandi accepts?
Then maybe the intermediate cert will be evaluated by MIAB correctly, and the error will disappear…
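The two admin messages at the top of the thread fit one picture: a checker that reads the first PEM block of the installed file would report the CA’s name (“Gandi Standard SSL CA 2”) and publish a TLSA value for the CA’s key if the intermediate sits before the end-entity certificate. The script below is an added example, not code from this thread or from the Mail-in-a-Box project: it parses DER with the standard library only, picks the leaf by issuer/subject linkage rather than file order, and computes the DANE TLSA `3 1 1` value (SHA-256 over the DER SubjectPublicKeyInfo, RFC 6698). The certificates it runs on are constructed, unsigned skeletons built inline, so the output hashes are illustrative; on a real server you would feed it the DER of each block in your installed bundle.

```python
import hashlib

def der(tag, payload):
    """Encode one DER TLV element (long-form length for payloads of 128+ bytes)."""
    n = len(payload)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + payload
def elements(data):
    """Split DER bytes into (tag, value, raw_tlv) triples, one per top-level element."""
    out, pos = [], 0
    while pos < len(data):
        start, tag, ln, pos = pos, data[pos], data[pos + 1], pos + 2
        if ln & 0x80:                                   # long form: k length bytes follow
            k, pos = ln & 0x7F, pos + (ln & 0x7F)
            ln = int.from_bytes(data[pos - k:pos], "big")
        out.append((tag, data[pos:pos + ln], data[start:pos + ln]))
        pos += ln
    return out

def tbs_fields(cert_der):
    """Return (issuer, subject, subjectPublicKeyInfo) as raw DER from one certificate."""
    tbs = elements(elements(elements(cert_der)[0][1])[0][1])   # children of tbsCertificate
    if tbs[0][0] == 0xA0:                               # skip the optional [0] version
        tbs = tbs[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return tbs[2][2], tbs[4][2], tbs[5][2]

def tlsa_3_1_1(cert_der):
    """DANE-EE usage 3, selector 1 (SPKI), matching type 1 (SHA-256), per RFC 6698."""
    return hashlib.sha256(tbs_fields(cert_der)[2]).hexdigest()
def leaf_certificate(bundle):
    """End-entity cert = the one whose subject issued no other cert; file order is ignored."""
    names = [tbs_fields(c)[:2] for c in bundle]
    issuers = {iss for iss, _ in names}
    leaves = [c for c, (_, subj) in zip(bundle, names) if subj not in issuers]
    return leaves[0] if leaves else bundle[0]

# Constructed input: unsigned skeletons with real X.509 DER layout, not real Gandi certs.
OID_CN, OID_RSA = bytes.fromhex("550403"), bytes.fromhex("2a864886f70d010101")
def fake_cert(subject_cn, issuer_cn, pubkey):
    def name(cn):                                       # SEQUENCE{SET{SEQUENCE{OID,UTF8}}}
        return der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, cn.encode()))))
    alg = der(0x30, der(0x06, OID_RSA) + der(0x05, b""))   # AlgorithmIdentifier
    spki = der(0x30, alg + der(0x03, b"\x00" + pubkey))    # SubjectPublicKeyInfo
    validity = der(0x30, der(0x17, b"190101000000Z") + der(0x17, b"191231235959Z"))
    tbs = der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name(issuer_cn)
    return der(0x30, der(0x30, tbs + validity + name(subject_cn) + spki) + alg + der(0x03, b"\x00"))
LEAF = fake_cert("box.dobom.website", "Gandi Standard SSL CA 2", b"\x01" * 32)
INTERMEDIATE = fake_cert("Gandi Standard SSL CA 2", "Constructed Root CA", b"\x02" * 32)
WRONG_ORDER = [INTERMEDIATE, LEAF]      # a mis-assembled bundle: CA cert first, leaf second
```

Comparing `tlsa_3_1_1(WRONG_ORDER[0])` with `tlsa_3_1_1(leaf_certificate(WRONG_ORDER))` shows the two different values a first-block checker and a chain-aware checker would publish for the same bundle; the one the admin should match is the leaf’s, and the file is fixed by putting the end-entity block first.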