Exim and Dovecot do support multi-IP SSL certificates, but that setup can be tricky to maintain.
With LetsEncrypt, we can set up multi-domain certificates for the hostname and mail domains, all in one value, to make managing SSL for mail a little simpler.
To do this, we use the letsencrypt.sh script normally, but we manually create the ca.san_config file, loaded with the values we want to use.
With LetsEncrypt 1.0.4+, we can specify all values on the command line, like this:
./letsencrypt.sh request `hostname`,mail.domain.com,smtp.domain.com,www.domain.com,domain.com 4096
- First, install a certificate for your hostname normally, so you get everything else set up correctly:
- Next, we'll edit the file:
/usr/local/directadmin/conf/ca.san_config
and edit the line that contains:
subjectAltName=DNS:server.hostname.com
and we'll change it by loading it up with all domains we want for exim and dovecot, eg:
subjectAltName=DNS:server.hostname.com, DNS:mail.domain1.com, DNS:mail.domain2.com
where you have a comma-separated list, with a ", DNS:" prefixing each additional value. If domain.com is already being used by LetsEncrypt but was created by the User in their SSL Certificates page, LetsEncrypt may throw an error, since we don't want to be managing the domain value in 2 different certs. Hence I've just listed the mail.* domains for the extras. You can use domain.com and www.domain.com here if you want, but then it shouldn't be done at the User Level.
IMPORTANT: all values you add must resolve to your server.
- Request the certificate again, but now with the loaded ca.san_config file, eg:
./letsencrypt.sh request server.hostname.com 4096 /usr/local/directadmin/conf/ca.san_config
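An added example, not part of the original article or DirectAdmin's own tooling: shell helpers that build the subjectAltName line in the format described above, rewrite it in ca.san_config, and list names that do not resolve to the server. The function names are hypothetical, names are assumed to be plain hostnames, and the resolution check assumes glibc's getent.

```sh
#!/bin/sh
# Added example (not DirectAdmin's code). Names must be plain hostnames.

# Print the SAN line: first name bare, each extra one prefixed with ", DNS:".
build_san_line() {
    line="subjectAltName=DNS:$1"
    shift
    for d in "$@"; do
        line="$line, DNS:$d"
    done
    printf '%s\n' "$line"
}

# update_san_config FILE HOSTNAME [DOMAIN...]
# Replace the existing subjectAltName= line in FILE, leaving other lines alone.
update_san_config() {
    file=$1
    shift
    [ "$#" -ge 1 ] || { echo "need at least the hostname" >&2; return 1; }
    for name in "$@"; do
        case $name in
            # Reject anything that could add extra SAN entries or sed syntax.
            ''|*[!A-Za-z0-9.-]*) echo "invalid name: $name" >&2; return 1 ;;
        esac
    done
    grep -q '^subjectAltName=' "$file" || { echo "no subjectAltName line in $file" >&2; return 1; }
    new=$(build_san_line "$@")
    tmp=$(mktemp) || return 1
    # cat back into place so the file keeps its owner and permissions.
    sed "s|^subjectAltName=.*|$new|" "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# unresolved_names SERVER_IP NAME...
# Print every NAME that does not resolve to SERVER_IP (uses glibc's getent).
unresolved_names() {
    ip=$1
    shift
    for name in "$@"; do
        getent ahosts "$name" | awk '{print $1}' | grep -qxF "$ip" \
            || printf '%s\n' "$name"
    done
}
```

Run unresolved_names with the server's IP and the same names before requesting the certificate; any name it prints does not yet meet the requirement above.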