certificate domain

leeone7200

I want to cert all domain added in mailcow but additional san wildcard only support subdomains.

DocFraggle

leeone7200 but additional san wildcard only support subdomains

That’s not true, please read the docs!

A wildcard name like smtp.* will try to obtain a smtp.DOMAIN_NAME SAN for each domain added to mailcow.

https://docs.mailcow.email/post_installation/firststeps-ssl/?h=#additional-domain-names

leeone7200

DocFraggle I wanted to cert example.com not smtp.exmaple.com or mail.example.com.

DocFraggle

leeone7200 OK, afaik you can add example.com to ADDITIONAL_SAN as well. The problem is that you can’t use wildcards obviously, you have to add every domain manually.

Why do you need that in the first place?

maddler

well, if the apex of the domain points or can be pointed to the same IP used by Mailcow you can still add them to the ADDITIONAL_SAN. And that is the only case I can think of having the root domain in the SAN.
Not sure what you’re trying to achieve.

DocFraggle

You need to add them to ADDITIONAL_SERVER_NAMES as well then

maddler

DocFraggle yes, clearly.

Or, if you want to use an external certificate you can follow steps here:
https://docs.mailcow.email/post_installation/firststeps-ssl/

Then, you can use an external tool (certbot, LeGo, etc.) to process the cert request using a DNS validation method (depending on your DNS provider) to issue the certificates and/or a wildcard.

In general I’d suggest to only have the hostnames used on the email server and not to use a wildcard unless necessary (although easier to use, sometimes).