multi-site SSL certificates

Alex JOST jost+lists at
Mon Apr 2 18:38:31 EEST 2018

Am 02.04.2018 um 14:25 schrieb Jeff Abrahamson:
> I'm handling mail for several domains, let's call them,,
> and  I have certificates for each of these domains individually
> via certbot (letsencrypt) and nginx is happy with all of that.
> Since I initially configured the site to handle mail only for,
> my /etc/postfix/ file currently has these two lines:
>      smtpd_tls_cert_file = /etc/letsencrypt/live/
>      smtpd_tls_key_file = /etc/letsencrypt/live/
> But I see that mail test tools are reporting that MX for and
> are misconfigured due to an SSL name mismatch.  Indeed, this is
> true!
> So I believe I should generate a multi-site SSL cert.  I try this:
>      sudo certbot  certonly  --cert-name postfix  --webroot \
>        --webroot-path /var/www/a-com -d -d -d \
>        --webroot-path /var/www/b-com -d -d \
>        --webroot-path /var/www/c-com -d -d
> And that fails with a bunch of errors like this:
>      Domain:
>      Type:   unauthorized
>      Detail: Invalid response from
>      "<html>
>      <head><title>404 Not Found</title></head>
>      <body bgcolor="white">
>      <center><h1>404 Not Found</h1></center>
>      <hr><center>"
> I see that the file
>      .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
> is being created (and one other file, too) but that nginx reports that
> the _directory_
>      .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
> doesn't exist.
> Multi-site + letsencrypt + postfix is a subject that has recently
> changed quite a bit, so I'm suspecting my web reading is merely
> leading me astray.  It is also entirely possible I've misunderstood
> things about SSL certificates.  Any pointers how to generate (or point
> to) the certificates that I need to make those who contact my postfix
> instance happy with their SSL conversation?
> Thanks!

You can use 1 directory to create certificates for multiple virtual 
hosts. Copy the config below to all the virtual host config you want to 
use in your certificate (or use 'includes').

user at server:~$ cat /etc/nginx/sites-enabled/a-com
   server {

     location ~ /.well-known {
       location ~ /.well-known/acme-challenge/(.*) {
         root        /usr/share/nginx/html;
         add_header  Content-Type application/jose+json;
       allow		all;
       try_files	$uri $uri/ =404;

After reloading nginx you can create a new certificate by providing only 
1 webroot directory.

user at server:~$ sudo certbot  certonly  --cert-name postfix \
   --webroot -w /usr/share/nginx/html \
   -d -d -d \
   -d -d \
   -d -d


More information about the dovecot mailing list