Wildcard SSL is not working

gnoppix
New user
Posts: 25
Joined: 2015-10-26 07:27

Wildcard SSL is not working

Post by gnoppix » 2019-12-17 03:41

Premise:
My previous setup was a Comodo SSL Cert for the hMailServer and it was working well. And since we are securing all communications we opted to apply for an SSL Wildcard Cert which is *.domain.com.xx. This will include our mail.domain.xx and ticket.domain.xx etc. (please correct me if I'm wrong).

Here's the problem:
1. After doing the same thing I did on the first cert it didn't work.
a. already did the chain cert (same order as the first one) - fail
2. I used the same private key coming from the server where we created the CSR for the wildcard cert - fail
3. I used the same private key that I previously used before in hMailServer - fail

Should I create a new private key for the wildcard cert?

Thanks for the usual help.

gnoppix.

palinka
Senior user
Posts: 1915
Joined: 2017-09-12 17:57

Re: Wildcard SSL is not working

Post by palinka » 2019-12-17 03:59

gnoppix wrote:
2019-12-17 03:41
Should I create a new private key for the wildcard cert?
New cert, new key.

Every new certificate requires a new key. My automated renewals create new certs and keys all having the same path\name as the old ones so no action in hmailserver is required other than restarting.

gnoppix
New user
Posts: 25
Joined: 2015-10-26 07:27

Re: Wildcard SSL is not working

Post by gnoppix » 2019-12-17 05:53

Is it okay to create a new Private Key in hMailServer and then use it together with the wildcard cert?

As mentioned, the CSR was created on another server and not in hMailServer; would there be issues with this?

Thanks for the prompt response.

Gnoppix

mattg
Moderator
Posts: 20788
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Wildcard SSL is not working

Post by mattg » 2019-12-17 06:06

You need the key to match the certificate

It's like a physical padlock and key - they are made to match
Some arbitrary text can't just be used as a key, or they would easily be hacked.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

gnoppix
New user
Posts: 25
Joined: 2015-10-26 07:27

Re: Wildcard SSL is not working

Post by gnoppix » 2019-12-17 10:17

Is there a way to get the private key? As I checked, the one who submitted the CSR to Comodo is not sure if a Private Key was created or not.

Any suggestion?

Thanks again. Gnoppix

palinka
Senior user
Posts: 1915
Joined: 2017-09-12 17:57

Re: Wildcard SSL is not working

Post by palinka » 2019-12-17 14:11

gnoppix wrote:
2019-12-17 10:17

Any suggestion?
Fire the guy responsible for messing up your security. :lol:

There is 0% chance a key was not issued with the cert. If you don't have the key you need to do it over again.

Or you could get a free letsencrypt cert and forget Comodo. Plenty of tutorials here in the tutorial section.

gnoppix
New user
Posts: 25
Joined: 2015-10-26 07:27

Re: Wildcard SSL is not working

Post by gnoppix » 2019-12-18 11:13

3. I used the same private key that I previously used before in hMailServer - fail
Please confirm if I can still use the same private key that I used before, since you never have to create one if you already have an existing and working one.

Thanks.

palinka
Senior user
Posts: 1915
Joined: 2017-09-12 17:57

Re: Wildcard SSL is not working

Post by palinka » 2019-12-18 13:34

gnoppix wrote:
2019-12-18 11:13
3. I used the same private key that I previously used before in hMailServer - fail
Please confirm if I can still use the same private key that I used before, since you never have to create one if you already have an existing and working one.

Thanks.
As long as you're using the certificate that was generated with that key, then yes.

Every certificate has a key for that certificate only. If you change or renew the certificate, a new key will be generated and the old one will not work.

Virinum
Normal user
Posts: 69
Joined: 2018-11-23 14:42
Location: Germany

Re: Wildcard SSL is not working

Post by Virinum » 2019-12-18 17:02

You don't need a new key every time you create a new certificate. You can reuse the old key. That's what I'm doing because of my TLSA record for DANE.

For letsencrypt I'm using win-acme (https://github.com/PKISharp/win-acme). And win-acme has the flag "--reuse-privatekey". See here: https://github.com/PKISharp/win-acme/wi ... ine#common

palinka
Senior user
Posts: 1915
Joined: 2017-09-12 17:57

Re: Wildcard SSL is not working

Post by palinka » 2019-12-18 17:14

Virinum wrote:
2019-12-18 17:02
You don't need a new key every time you create a new certificate. You can reuse the old key. That's what I'm doing because of my TLSA record for DANE.

For letsencrypt I'm using win-acme (https://github.com/PKISharp/win-acme). And win-acme has the flag "--reuse-privatekey". See here: https://github.com/PKISharp/win-acme/wi ... ine#common
I did not know that. I also use win-acme. It's good to know, although I don't think it has a lot of bearing on hmailserver since win-acme automated renewals create new certs and keys with the same file names as the old ones in the same location. So when hmailserver restarts (reloads the cert/key) it doesn't even know or care that the cert/key are different - only that they work together.

However, the OP actually changed certificates from whatever his old one was to a wildcard cert (not a renewal). It's a completely new certificate that requires a completely new key.

Virinum
Normal user
Posts: 69
Joined: 2018-11-23 14:42
Location: Germany

Re: Wildcard SSL is not working

Post by Virinum » 2019-12-18 17:23

palinka wrote:
2019-12-18 17:14
It's good to know, although I don't think it has a lot of bearing on hmailserver since win-acme automated renewals create new certs and keys with the same file names as the old ones in the same location. So when hmailserver restarts (reloads the cert/key) it doesn't even know or care that the cert/key are different - only that they work together.
Yes, you're right. I just don't want to change my TLSA record every time my cert renews. So that's the reason why I reuse the private key.
palinka wrote:
2019-12-18 17:14
However, the OP actually changed certificates from whatever his old one was to a wildcard cert (not a renewal). It's a completely new certificate that requires a completely new key.
If the OP still has his old private key he could reuse it. You can use a private key for as many certificates as you want. It's just important that the CSR is generated with this key. win-acme generates this CSR for you.

The "normal" way is: Generate private key -> Generate a CSR with this private key -> let a certification authority sign this CSR
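
The "normal way" above, worked through end to end as an added example (this is not code from hMailServer, win-acme or any poster in this thread). It also runs the padlock-and-key check mattg describes, and it shows why Virinum's TLSA record does not change when the private key is reused: the TLSA "3 1 1" data is a hash over the certificate's public key, which is the same in every certificate whose CSR was made from that key. It assumes only the openssl command-line tool on PATH; example.com is a constructed placeholder domain, and self-signing with the same key stands in for the real CA (which only ever receives the CSR, never the private key).

```shell
#!/bin/sh
# Added example for this thread (not code from hMailServer, win-acme or any poster).
# Walks private key -> CSR -> signed certificate, then runs the padlock-and-key check:
# the certificate's public key must equal the public half of the private key that
# hMailServer is given. Assumes only the openssl CLI on PATH. example.com is a
# constructed placeholder domain; all files land in a throw-away temp dir.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Public half of a private key, of a CSR and of a certificate, each as SubjectPublicKeyInfo PEM.
pub_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
pub_of_csr()  { openssl req  -in "$1" -noout -pubkey 2>/dev/null; }
pub_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# The check to run before loading a key/cert pair into hMailServer: exit 0 on match, 1 otherwise.
key_matches_cert() { [ "$(pub_of_key "$1")" = "$(pub_of_cert "$2")" ]; }

# DANE TLSA "3 1 1" data: SHA-256 over the DER SubjectPublicKeyInfo of the certificate.
tlsa_311() {
    pub_of_cert "$1" | openssl pkey -pubin -outform DER 2>/dev/null \
                     | openssl dgst -sha256 2>/dev/null | awk '{print $NF}'
}

# Step 1: generate the private key. It is created wherever the CSR is made and never
# travels to the CA, so a "missing" key has to be looked for on that machine.
gen_key() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }

# Step 2: build a CSR from that key; the CN carries the requested (wildcard) name.
gen_csr() { openssl req -new -key "$1" -subj "/CN=$2" -out "$3" 2>/dev/null; }

# Step 3: the CA signs the CSR. Self-signing with the same key stands in for Comodo or
# Let's Encrypt here; a real CA receives only the CSR, which carries the public key.
sign_csr() { openssl x509 -req -in "$1" -signkey "$2" -days 30 -out "$3" 2>/dev/null; }

KEY="$WORK/server.key"
gen_key "$KEY"

# The single-name certificate the OP started with.
gen_csr "$KEY" "mail.example.com" "$WORK/mail.csr"
sign_csr "$WORK/mail.csr" "$KEY" "$WORK/mail.crt"

# The wildcard certificate, with its CSR built from the SAME key (Virinum's key-reuse case).
gen_csr "$KEY" "*.example.com" "$WORK/wildcard.csr"
sign_csr "$WORK/wildcard.csr" "$KEY" "$WORK/wildcard.crt"

# A key generated somewhere else, e.g. on the other server: it opens neither padlock.
OTHER_KEY="$WORK/other.key"
gen_key "$OTHER_KEY"

for name in mail wildcard; do
    crt="$WORK/$name.crt"
    if key_matches_cert "$KEY" "$crt"; then echo "$name.crt: matches server.key"; fi
    if key_matches_cert "$OTHER_KEY" "$crt"; then echo "$name.crt: matches other.key"
    else echo "$name.crt: does NOT match other.key"; fi
    echo "$name.crt: TLSA 3 1 1 $(tlsa_311 "$crt")"
done
```

Running it prints that both certificates match server.key and neither matches other.key, and the two TLSA lines carry the same hash. The same three `pub_of_*` commands, compared by eye or with `diff`, are the quickest way to find out which of several candidate key files belongs to a certificate a CA has sent back.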

palinka
Senior user
Posts: 1915
Joined: 2017-09-12 17:57

Re: Wildcard SSL is not working

Post by palinka » 2019-12-18 17:25

Virinum wrote:
2019-12-18 17:23
palinka wrote:
2019-12-18 17:14
However, the OP actually changed certificates from whatever his old one was to a wildcard cert (not a renewal). It's a completely new certificate that requires a completely new key.
If the OP still has his old private key he could reuse it. You can use a private key for as many certificates as you want. It's just important that the CSR is generated with this key. win-acme generates this CSR for you.

The "normal" way is: Generate private key -> Generate a CSR with this private key -> let a certification authority sign this CSR
Good to know. Thanks for the info!
