
tls negotiation failed the certificate doesn't match the host


I'm trying to set up Gmail send-as to send email via my SMTP server over TLS, and I get "tls negotiation failed the certificate doesn't match the host" ever since I renewed my Let's Encrypt cert.

Background: I have a server with a dedicated IP sharing a few domain names. I'm using Virtualmin/Webmin. I had issues on renewal, so I ran certbot manually, verifying via TXT records. I created certs with CN=domain.com and SANs=domain.com,www.domain.com,mail.domain.com. mail.domain.com is an A record set up with Cloudflare pointing directly to the IP (without being proxied). Note, everything worked fine before. The server shares multiple domains. The primary domain has no issues with email. It previously stopped working for Dovecot and Postfix because my cert did not renew with mail.domain.com in the SANs list. It worked after fixing that. I have a second domain that has stopped working with sending. POP3/IMAP are not used, as emails are just forwarded.

Let's Encrypt generated its files. I set up a Postfix SNI map to point to the cert files.

When I run openssl x509 -text on the files, I can see the CN and SANs. When I run openssl s_client -connect mail.domain.com:25 -starttls smtp, it only shows the CN, not the SANs.

Sending emails with the primary domain works fine. Sending emails with the second domain gives the error. openssl gives the same result. Reading the file shows CN=domain.com and SANs=domain.com,www.domain.com,mail.domain.com. Connecting to the SMTP server only shows the CN for the respective domain.

I'm not sure what Gmail is comparing to when it says "certificate doesn't match the host". I thought it just compared the CN and SANs to the server name, but maybe it's something else?
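What a TLS client checks is the host name it was told to connect to against the certificate's SAN dNSName entries (the subject CN counts only as a legacy fallback when the certificate carries no SAN at all), and a Postfix SNI map picks the certificate according to the SNI name the client sends, so the two things worth verifying are which certificate the server hands out for a given SNI name and whether that certificate carries the expected name. The script below is an added example and is not part of the original question or of any reply: it performs a minimal STARTTLS handshake on port 25 with an explicitly chosen SNI name, then runs the name comparison locally. The connect address and SNI name are taken as separate arguments on purpose, so you can probe with the second domain's mail name and compare what comes back with the file you put in the SNI map. The host names, the EHLO name `probe.invalid` and the `SAMPLE_CERT` dictionary are constructed for illustration; chain verification against the system CA store stays on, so a broken chain raises instead of returning a certificate.

```python
import socket
import ssl
import sys

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns, mirroring the
# question: CN=domain.com, SANs domain.com, www.domain.com, mail.domain.com (assumed names).
SAMPLE_CERT = {
    "subject": ((("commonName", "domain.com"),),),
    "subjectAltName": (
        ("DNS", "domain.com"),
        ("DNS", "www.domain.com"),
        ("DNS", "mail.domain.com"),
    ),
}


def cert_names(cert):
    """Names a verifier will accept: the SAN dNSName entries, or the subject CN
    only as a legacy fallback when the certificate has no SAN extension."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_matches(pattern, host):
    """Match one certificate name against one host name; a leading '*' covers
    exactly one label, so *.domain.com matches mail.domain.com but not domain.com."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[2:]
        labels = host.split(".")
        return len(labels) == suffix.count(".") + 2 and ".".join(labels[1:]) == suffix
    return pattern == host


def cert_matches_host(cert, host):
    """True when any acceptable name in the certificate covers `host`."""
    return any(name_matches(name, host) for name in cert_names(cert))


def _read_reply(reader):
    """Read one SMTP reply, including multi-line 250- continuations; return (code, lines)."""
    lines = []
    while True:
        line = reader.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line)
        if len(line) < 4 or line[3:4] != b"-":
            return line[:3], lines


def fetch_starttls_cert(connect_host, sni_name, port=25, timeout=10):
    """Open an SMTP session to connect_host, upgrade with STARTTLS while sending
    sni_name as the TLS SNI, and return the parsed leaf certificate the server chose.
    Host-name checking is disabled here (we want to see a wrong certificate, not
    fail on it), but chain verification stays on because getpeercert() returns {}
    for an unverified peer."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((connect_host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        code, _ = _read_reply(reader)
        if code != b"220":
            raise RuntimeError(f"unexpected greeting {code!r}")
        sock.sendall(b"EHLO probe.invalid\r\n")  # constructed client name
        code, ehlo = _read_reply(reader)
        if code != b"250" or not any(b"STARTTLS" in line.upper() for line in ehlo):
            raise RuntimeError("server did not offer STARTTLS")
        sock.sendall(b"STARTTLS\r\n")
        code, _ = _read_reply(reader)
        if code != b"220":
            raise RuntimeError(f"STARTTLS refused with {code!r}")
        reader.close()  # drop the buffered reader; the socket itself stays open
        with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # usage: probe.py <connect host> <SNI name> <name the mail client expects>
    # e.g.   probe.py mail.domain.com mail.domain2.com mail.domain2.com   (assumed names)
    connect_host, sni_name, expected = sys.argv[1:4]
    presented = fetch_starttls_cert(connect_host, sni_name)
    print("names in the presented certificate:", cert_names(presented))
    print(f"covers {expected}: {cert_matches_host(presented, expected)}")
```

Run it once with the SNI name set to each mail host name the server is supposed to serve; if the names printed for the second domain are the primary domain's, the SNI map is not selecting that file and Postfix is falling back to its default certificate. The same probe with the openssl tool is `openssl s_client -connect mail.domain.com:25 -starttls smtp -servername mail.domain2.com`, where passing `-servername` explicitly removes any doubt about which SNI name was sent.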

anx
If it worked before, then compare the certificates to see the difference? https://crt.sh is your friend to find any certificates you no longer have saved.
anx
I suspect you configured *two* non-identical names, when in fact your *one* mail server uses *one* name (its host name), regardless of other domain names added to the same certificate.
Compare to what? I don't know what Google is comparing to. I know what I'm getting from the SMTP server; I don't know what Google is comparing it to. The hostname of the mail server is of course one name (i.e. domain.com). That is different from the mail server names (mail.domain.com, mail.domain2.com). mail.domain.com works, the other does not.
anx
Share your configuration (specifically, any SNI map and relevant commands you used to verify which file contains which certificate), and/or mention the actual domain names so someone willing to answer this can check using his own tools. I don't know what Google is doing either, but at least I could check for some common mistakes.
anx
Many problems of the *"has stopped working"* sort can be solved by comparing before/after status. It sounds like either some mail server configuration, or the subject the certificate is issued for, has changed. Find out which certificate you used before, and which you are using now, maybe you introduced unintended changes during the renewal you mention.