Exim presents wrong certificate after updating SSL host
I use Cloudflare CDN to manage security on my domain. I've run into the same problem described in multiple threads where the LetsEncrypt certificate validation service fails due to Cloudflare - the workaround is a cumbersome 'pause Cloudflare on the domain every 3 months' and run AutoSSL. This becomes unmanageable as the number of accounts increases.
In an effort to find a solution, I disabled AutoSSL, removed the LetsEncrypt certificates and installed Cloudflare's Origin certificate instead.
This works perfectly for https but when I try to connect my mail client (Exim/Dovecot) they are presented with the root certificate for my domain, throwing a warning.
Understand that this has something to do with
We use AutoSSL with Let's Encrypt, and have many clients running Cloudflare. Our clients are not "pausing Cloudflare every 3 months". Validation will fail for DNS validation, of course, since Cloudflare is doing your DNS. But then AutoSSL & Let's Encrypt will fall back to File Based validation, and that will work just fine. i.e. it will come to the customer's domain and try to pull up something like Edge Certificates, and look at "Minimum TLS Version". The default is TLS 1.0, but if you want to remove support for them, then change this setting to TLS 1.2. - Scott
@sneader's behavior is also what I am used to seeing. We definitely don't want a system in place where users have to disable Cloudflare every few months in order to stay secure. If you see this problem with another domain on your machine we'd be happy to check directly if you submit a ticket to our team.
Thanks for the replies. Doing a search on these forums for "cloudflare DCV" produces a lot of results but the errors are wide and varied and in some cases clearly DNS misconfiguration. In my case, DCV was failing due to IPv6 resolution - the only solution I've found is to pause Cloudflare, but next time it fails, I'll post the error and see if I can get to the bottom of it.