[SOLVED] LetsEncrypt Certificate / Multidomain

Hello all
I have added a second domain and created users for it. They can send and receive mails with Android, Outlook and co.
Unfortunately, I have the problem with Outlook that the certificate still shows an error, because the second domain name is different, and when logging in to the web interface on the second domain no certificate is detected either.

  • Can I simply extend the LetsEncrypt certificate on the server via the terminal?
  • Will this be stored automatically in the future, so that when a new domain is added a matching certificate is also created?

Thanks for your help

    Hello Uwe,

    Extending the LetsEncrypt certificate is possible by using the -d flag, once per domain, to extend the set of domains the LE certificate covers:

    certbot certonly -n --standalone --agree-tos \
        --preferred-challenges http \
        --cert-name="<ssl-domain1>" \
        -d "<ssl-domain1>" \
        -d "<ssl-domain2>" \
        -d "<ssl-domain3>" \
        -m "<ssl-mailforLE>"

    The certbot renew timer takes care of the renewals automatically every week, no matter what you generate for that system; you can check that it is running with:

    systemctl status grommunio-certbot-renew.timer


      noplan
      You may have to update your nginx config files and modify the server_name entry, or, if you are using different keys, create separate config files for each domain that are basically copies of /usr/share/grommunio-common/nginx.conf but specific to each domain.

      In each config file, you could then specify a different ssl_certificate and ssl_certificate_key. This way, you can use the domain-specific certificate files for each domain. Otherwise, if you use the key for, say, *.domain1.tld and the user goes to https://mail.domain2.tld, they will get a certificate error stating that the certificate is not valid: it is issued for 'domain1.tld' but you are connecting to 'domain2.tld'.

        obsidiangroup

        oh yeah i was aware of this,
        thought they implemented a stnt like this as default when u set up multi domain

        br NP

          Hi noplan,

          per default, the entire configuration of the webservice is multi-tenant and multi-domain capable. The only thing you need to "deal with" is choosing/generating the appropriate certificate for it. For multiple domains in combination with wildcards you can specify -d with *.domain1.tld and another -d with *.domain2.tld.

          This is a so-called SAN wildcard certificate. There are many vendors supporting this. However, when it comes to really large setups, like 1.000.000 mailboxes with thousands of domains, the setup doesn't really rely on such configurations but instead on load balancers and separate SSL termination in the front-end.

          Smaller setups can also be done with SNI and multiple certificates; however, if you're around 5 wildcard SANs, you should be perfectly fine with LE.

            mwilliams

            yeah we are on the same page with SAN / wildcard certs

            i thought i missed something like
            login with the webIF was enabled for each domain on the setup per default ..

            the more i think about it the more i start to like the idea 😉
            but then i indeed need a change of color on the login page for each domain 😉
            for starters

            • orange
            • pink
            • blue
            • blonde
            • brown
            • white

            LE ACME and HAProxy in front of grommunio will do the trick for the mini setups 😉

            let's go to work

              mwilliams
              Thanks for your answer :-)
              I was able to adjust the certificate the way you pointed out, but unfortunately this had no effect (a reboot was performed).

                noplan
                That's right. I would like the users to be able to use the WebIF according to their domain.

                2 months later

                noplan Can you share your HAProxy configs? Seems like you are doing something we are looking at.

                This should be the gist ... Just wrote it, not tested.

                haproxy-snippet

                frontend https
                ...
                # the frontend must run in http mode and terminate TLS (with the LE certificate)
                # on its bind line, otherwise the Host header cannot be inspected
                # hostname begins with (case-insensitive)
                acl acl_backend1 hdr_beg(host) -i domain1.
                acl acl_backend2 hdr_beg(host) -i domain2.
                # use_backend takes the ACL name directly
                use_backend grommunio_domain1 if acl_backend1
                use_backend grommunio_domain2 if acl_backend2
                ...

                backend grommunio_domain1
                ...
                # re-encrypt towards the internal host; "verify none" skips checking its certificate
                server grommunio1 internalhostname1:443 ssl verify none

                backend grommunio_domain2
                ...
                server grommunio2 internalhostname2:443 ssl verify none

                Uwe

                More detailed:

                certbot certonly -n --standalone --agree-tos \
                --preferred-challenges http \
                --cert-name="<domain1>" \
                -d "<domain1>" \
                -d "<domain2>" \
                -d "<domain3>" \
                -d "<domain4>" \
                -d "<domain5>" \
                -m "me@domain1.com" \
                --pre-hook "service nginx stop" \
                --deploy-hook /usr/share/grommunio-setup/grommunio-certbot-renew-hook \
                --post-hook "service nginx start"

                This way you get the nifty 'put-the-certificate-in-place' logic included. Has been used numerous times in production.
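A check I would run after expanding the certificate as described above, added here as an example that is not part of the thread and not grommunio's code: it parses the SAN list that openssl prints for the live certificate, reports which client hostnames would still raise the "issued for domain1.tld but you are connecting to domain2.tld" error from the earlier reply (wildcard entries are matched the way TLS clients match them, which also illustrates the SAN wildcard discussion above), and builds the certbot invocation with the hooks from the command above. The openssl command in the docstring, the /etc/letsencrypt/live path, the hostnames and the SAN text are assumptions or constructed samples; the command is only built, never executed. One caveat the builder enforces: the http-01 challenge used in this thread cannot issue wildcard names, which Let's Encrypt only grants via dns-01.

```python
"""Check which mail hostnames a certificate covers and build the certbot command
that adds the missing ones.

Added example, not grommunio's code. The SAN text is what
`openssl x509 -noout -ext subjectAltName -in /etc/letsencrypt/live/<cert-name>/cert.pem`
prints (certbot's default live/ layout is assumed); the hostnames are the ones
clients actually connect to (mail.domain2.tld, autodiscover.domain2.tld, ...).
"""
import re

# Constructed sample output for a certificate that was issued for domain1 only.
SAMPLE_SAN_OUTPUT = """\
X509v3 Subject Alternative Name:
    DNS:domain1.tld, DNS:mail.domain1.tld, DNS:autodiscover.domain1.tld
"""

# Constructed sample: hostnames users type into Outlook / the browser after the
# second domain was added.
CONFIGURED_HOSTNAMES = ["mail.domain1.tld", "mail.domain2.tld", "autodiscover.domain2.tld"]

# Hook path taken from the thread above; it puts the new certificate files in place.
DEPLOY_HOOK = "/usr/share/grommunio-setup/grommunio-certbot-renew-hook"


def parse_san_dns_names(openssl_output: str) -> list[str]:
    """Return the DNS: entries of the subjectAltName extension, lower-cased."""
    return [name.lower() for name in re.findall(r"DNS:([^,\s]+)", openssl_output)]


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN entry against a hostname the way TLS clients do (RFC 6125):
    comparison is case-insensitive and a wildcard covers exactly one leftmost
    label, so *.domain1.tld covers mail.domain1.tld but neither domain1.tld
    nor a.b.domain1.tld."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".domain1.tld"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]       # the part the wildcard must cover
    return bool(leftmost) and "." not in leftmost


def uncovered_hostnames(san_names: list[str], hostnames: list[str]) -> list[str]:
    """Hostnames no SAN entry covers: exactly the ones that trigger the
    'issued for domain1.tld but you are connecting to domain2.tld' error."""
    return [h for h in hostnames if not any(name_matches(p, h) for p in san_names)]


def certbot_expand_command(cert_name: str, san_names: list[str],
                           hostnames: list[str], email: str) -> list[str]:
    """Build the argv that re-issues the certificate with the old names plus the
    new ones. `certbot renew` only renews the names already on the certificate,
    so every added domain needs a run like this. http-01 cannot issue wildcard
    names (Let's Encrypt requires dns-01 for those), so they are rejected."""
    wanted = list(dict.fromkeys([*san_names, *hostnames]))   # ordered, de-duplicated
    if any(name.startswith("*") for name in wanted):
        raise ValueError("wildcard names need the dns-01 challenge, not http-01")
    argv = ["certbot", "certonly", "-n", "--standalone", "--agree-tos",
            "--preferred-challenges", "http", f"--cert-name={cert_name}"]
    for name in wanted:
        argv += ["-d", name]
    argv += ["-m", email,
             "--pre-hook", "service nginx stop",
             "--deploy-hook", DEPLOY_HOOK,
             "--post-hook", "service nginx start"]
    return argv


def report(openssl_output: str = SAMPLE_SAN_OUTPUT,
           hostnames: list[str] = CONFIGURED_HOSTNAMES) -> list[str]:
    """Print what is missing and the command that fixes it; return the missing names."""
    sans = parse_san_dns_names(openssl_output)
    missing = uncovered_hostnames(sans, hostnames)
    if missing:
        print("not covered by the current certificate:", ", ".join(missing))
        cmd = certbot_expand_command("domain1.tld", sans, hostnames, "me@domain1.com")
        print("re-issue with:\n  " + " ".join(cmd))
    else:
        print("every hostname is covered")
    return missing


if __name__ == "__main__":
    report()
```

Feed it the real openssl output and your real hostname list (including autodiscover names, which Outlook checks before the mail host) and it tells you whether the error in the first post will still appear; the produced command mirrors the one above, with all existing names kept so nothing already issued is dropped.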


                © 2020-2024 grommunio GmbH. All rights reserved. | https://grommunio.com | Data Protection | Legal notice