SSL uses self signed instead of Lets encrypt

Posted: 05 Nov 2019 09:00
by Justin
Hi there,

I'm using "hardenize" and "STARTTLS Everywhere" to check all my domain records, and both are giving errors on my MX server.
I have an EFA 3.2.6 server and an EFA 4 RC3 server, which both give the same error/result.

For some reason the tools pick up a self-signed certificate, which I've never seen before.
mx99.domain.nl
Issuer: unknown (self signed)
Not Before: 08 Feb 2019 10:20:28 UTC
Not After: 05 Feb 2029 10:20:28 UTC (expires in 9 years 3 months)
Key: RSA 2048 bits
Signature: SHA256withRSA

The certificate I'm using (and the one shown when I browse to the domain) is a Comodo certificate (once this one expires, I will use Let's Encrypt):
*.domain.nl (wildcard)
Issuer: COMODO RSA Domain Validation Secure Server CA
Not Before: 04 Dec 2018 00:00:00 UTC
Not After: 16 Dec 2020 00:00:00 UTC
Key: RSA 2048 bits
Signature: SHA256withRSA

Any idea how I can fix this? Once this is done I can move on to MTA-STS and an error-free "STARTTLS Everywhere" result.

NOTE: domain.nl hides my real domain, just for security reasons.

Re: SSL uses self signed instead of Lets encrypt

Posted: 05 Nov 2019 10:09
by Justin
After using Let's Encrypt, the certificate is correct.
How can I do this with my own certificates? It seems like the certificates used on HTTPS are not the same ones used on Postfix/EFA.

Re: SSL uses self signed instead of Lets encrypt

Posted: 06 Nov 2019 07:56
by kommunen
That mx99.domain.nl certificate was automatically created when you installed EFA.

Its location is defined in /etc/postfix/main.cf. Look for smtpd_tls.
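A way to confirm this on the server and from the outside, as an added example that is not part of the thread or of EFA; the certificate paths in the sample main.cf are constructed placeholders:

```shell
#!/bin/sh
# Added example (not from the thread or the EFA project): locate the certificate
# files Postfix presents on port 25 and confirm, from the outside, which one a
# STARTTLS scanner actually sees. Paths in the sample main.cf are placeholders.

# Print the effective value of one main.cf parameter: comments are skipped and,
# as in postconf, the last assignment wins. Continuation lines are not handled.
postfix_param() {
    param="$1"; main_cf="$2"
    sed -n "s/^[[:space:]]*${param}[[:space:]]*=[[:space:]]*//p" "$main_cf" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Write a constructed main.cf excerpt showing the situation from the thread:
# Postfix still points at the certificate generated at install time, so the
# web server's Comodo certificate is never presented on port 25.
write_sample_main_cf() {
    cat > "$1" <<'EOF'
# TLS settings written by the installer (constructed sample)
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/pki/tls/certs/mx99.domain.nl.crt
smtpd_tls_key_file  = /etc/pki/tls/private/mx99.domain.nl.key
# smtpd_tls_cert_file = /etc/pki/tls/certs/old-unused.crt
EOF
}

# The outside view: what a scanner such as hardenize or STARTTLS Everywhere
# negotiates on port 25. Issuer equal to subject means self-signed.
# Needs network access, so it is defined here but not run.
starttls_cert_summary() {
    host="$1"; port="${2:-25}"
    openssl s_client -starttls smtp -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# Demonstration on the constructed file: this is the path to change (or to
# replace with a PEM holding the wildcard leaf certificate followed by its
# intermediate CA certificates, plus the matching key in smtpd_tls_key_file).
sample="$(mktemp)"
write_sample_main_cf "$sample"
echo "smtpd_tls_cert_file = $(postfix_param smtpd_tls_cert_file "$sample")"
echo "smtpd_tls_key_file  = $(postfix_param smtpd_tls_key_file "$sample")"
rm -f "$sample"
```

After changing the paths, reload Postfix and run starttls_cert_summary against the MX host to confirm the issuer is no longer the self-signed one.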

Re: SSL uses self signed instead of Lets encrypt

Posted: 11 Nov 2019 14:04
by Justin
kommunen wrote (06 Nov 2019 07:56):
That mx99.domain.nl certificate was automatically created when you installed EFA.

Its location is defined in /etc/postfix/main.cf. Look for smtpd_tls.
Will this be overwritten by an update of eFa?

Re: SSL uses self signed instead of Lets encrypt

Posted: 11 Nov 2019 15:56
by kommunen
Not unless you re-run the setup script.