I'm handling mail for several domains, let's call them a.com, b.com, and c.com. I have certificates for each of these domains individually via certbot (letsencrypt) and nginx is happy with all of that.
Since I initially configured the site to handle mail only for a.com, my /etc/postfix/main.cf file currently has these two lines:
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.a.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.a.com/privkey.pem
But I see that mail test tools are reporting that MX for b.com and c.com are misconfigured due to an SSL name mismatch. Indeed, this is true!
So I believe I should generate a multi-site SSL cert. I try this:
sudo certbot certonly --cert-name postfix --webroot \
--webroot-path /var/www/a-com -d www.a.com -d a.com -d mail.a.com \
--webroot-path /var/www/b-com -d www.b.com -d b.com \
--webroot-path /var/www/c-com -d www.c.com -d c.com
And that fails with a bunch of errors like this:
Domain: www.a.com
Type: unauthorized
Detail: Invalid response from
http://www.a.com/.well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg:
"<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"
I see that the file
.well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
is being created (and one other file, too) but that nginx reports that the _directory_
.well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
doesn't exist.
Multi-site + letsencrypt + postfix is a subject that has recently changed quite a bit, so I'm suspecting my web reading is merely leading me astray. It is also entirely possible I've misunderstood things about SSL certificates. Any pointers on how to generate (or point to) the certificates that I need to make those who contact my postfix instance happy with their SSL conversation?
Thanks!
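As an added example, not part of the question or of any answer: a POSIX sh pre-flight check for the setup described above. It builds the grouped --webroot-path/-d argument list certbot expects, and for each hostname drops a probe file into that webroot's .well-known/acme-challenge/ directory and fetches it over plain HTTP, the same request that returned 404 in the question. The hostname-to-webroot pairs are taken from the question's command; the token name, the curl timeout and the use of curl itself are assumptions.

```shell
# Added pre-flight check (not the question's code): confirm nginx serves each
# webroot's /.well-known/acme-challenge/ first. Pairs below are from the question.
SITES='www.a.com /var/www/a-com
a.com /var/www/a-com
mail.a.com /var/www/a-com
www.b.com /var/www/b-com
b.com /var/www/b-com
www.c.com /var/www/c-com
c.com /var/www/c-com'
# certbot applies the latest --webroot-path to every -d after it, so emit one
# --webroot-path per webroot, then its -d flags, one flag per line.
certbot_args() {
    last=""
    while read -r host root; do
        if [ "$root" != "$last" ]; then
            echo "--webroot-path $root"
            last=$root
        fi
        echo "-d $host"
    done <<EOF
$SITES
EOF
}
# Write a probe token into a webroot's challenge directory (creating it if
# missing) and print the path written. Arguments: webroot, token name.
stage_token() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir" && printf '%s' "$2" > "$dir/$2" && echo "$dir/$2"
}
# Fetch the staged token over plain HTTP, as the ACME server would, and require
# the body to match. Token name and timeout are assumptions, not certbot's.
probe_host() {
    token="preflight-$$"
    path=$(stage_token "$2" "$token") || return 1
    body=$(curl -fsS --max-time 10 "http://$1/.well-known/acme-challenge/$token")
    rc=$?
    rm -f "$path"
    [ "$rc" -eq 0 ] && [ "$body" = "$token" ]
}
# Probe every host; returns non-zero if any host failed the fetch.
preflight() {
    failed=0
    while read -r host root; do
        probe_host "$host" "$root" && echo "ok   $host" || { echo "FAIL $host ($root)"; failed=1; }
    done <<EOF
$SITES
EOF
    return "$failed"
}
# Usage: preflight && certbot certonly --cert-name postfix --webroot $(certbot_args)
```

A FAIL line for a host means the nginx server block answering that hostname is not serving the challenge directory from the webroot passed to certbot, which is what the 404 in the question indicates; the nginx side has to be fixed before the certbot run can succeed.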