HTTPS Policy Certificate is Invalid

trondandre

When we use our own ssl chained certificate and test MTA-STS lookup we get an error message that HTTPS Policy Certificate is Invalid.
If we switch to using Lets encrypt ssl certificate everything is ok and it says that HTTPS Policy Certificate is valid.
We follow the Mailcow documentation and add both the chained certificate in the cert.pem file and the private key in key.pem in document : data/asset/ssl.
Everything else in the testing on MTA-STS lookup looks good except that it says that HTTPS Policy Certificate is Invalid…
Has anyone had the same problem or does anyone know a solution to this?
Should we also add the certificate somewhere else since Mailcow added support for MTA-STS in version 09 as well?

ETNyx

If you open https://mta-sts.yourdomain.tld/.well-known/mta-sts.txt any certificate errors and do you see mta-sts config?

trondandre

ETNyx
When i open it is comes up: this is not an secure site
But if we change to use Let´s Encrypt it is ok

ETNyx

Ok, you need to fix this,… Did you extend your own certificate to cover mta-sts.yourdomain.tld? In browser there should be more information about this error check it too,…

trondandre

ETNyx
Yes but i can not figure out how to fix this….
If i create an record from the qualified domain all is ok, but not with the another hosted domain.
It is so when i adding an hosted domain (ex: test.no) and when use Let´s Encrypt , then Let´s Encrypt make an ssl cert. for this domain and all another hosted domain we are added to the mailcow mailserver?

ETNyx

Sorry man, your response is confusing to me,…

Is there specific reason why you need own certificate instead of LE. It’s battle proven and safe solution.

Anyway from what I think you wrote,.. You are missing SAN(s) Subject Alternative Names in your cert. Basically when you are generating your cert list all domains you need. Assume, you are using acme.sh than something like this:

acme.sh --issue --standalone -d mc.ui.ltd -d autoconfig.domain1.ltd -d autodiscover.domain1.ltd -d mta-sts.domain1.ltd -d autoconfig.domainX.ltd -d autodiscover.domainX.ltd -d mta-sts.domainX.ltd

First is fdqn of your MC (for access to MC UI and SoGo), than next make set of three domains for every domain (domains you are managing mails).

See your provider docs how to generate certificate,…
Just be sure you are not hitting some limit just like in LE 100 domains per certs,…

trondandre

ETNyx
The reason to use owned cert. is becuse it have this limit on 100 domain..
Sorry if i have Confusing you.

ETNyx

Yes, this is just partially problem. Change your ENABLE_SSL_SNI to y in mailcow.conf and up and down stack than monitor logs of acme container.

This will cause that every domain of second order will have own certificate . Like autoconfig.domain1.ltd + autodiscover.domain1.ltd + mta-sts.domain1.ltd is in separate cert *.domain2.ltd in own cert.

I use this configuration too, no problem,.. (Unless you are using 30 years old software) Please see the docs

trondandre

ETNyx
Ah Ok,
In the Mailcom documentation for this config you describe we see they write some e-mailclient will not be available to conect etc. but this is not any problem you have meet then?

ETNyx

Zero reports from our users.

From my research problems are on “ancient” systems like Win XP (20 years old), Android 3 (15 years old), those should not be used anyway,…

Only problem that I anticipated was printers, printers are worst pieces of HW and SW in this world, luckily I do not believe anyone from our users are using SMTP in their printers.

trondandre

ETNyx
Ok,
Then we go for the same config you use!
Thank you for all your replay 🙂