[BlueOnyx:26482] Re: Strange SSL error

Michael Stauber mstauber at blueonyx.it
Mon Sep 18 13:47:55 -05 2023


Hi Colin,

> We have a strange SSL error with email that has just raised its head. 
> Been fine for years but may have been an update?
> 
> We have a 5210R running postfix.
> 
> A Vsite on the server has a couple of web aliases (historical combining 
> of servers).
> 
> The LE cert has all aliases and if using a web browser to access 
> roundcube then it all works fine. Site is secure.
> 
> Many of our customers are still using one of the aliases in their email 
> client server address and have done for years.
> 
> This weekend we started getting complaints of SSL errors when using 
> email clients – the email client apparently returning the cert for the 
> host server rather than the vsite when using one of the aliases.


This might be related to a YUM update that was published on Friday. 
While working on a client server I noticed that he had non-working SNI 
for several Vsites. The Vsites where it didn't work all had a single 
FQDN which they responded to. And the Handler/Constructor that parse the 
SSL certs to generate the SNI config files for Postfix and Dovecot so 
far only parse the "DNS:" line in the certificates, but not the 
"Subject:" line. So single FQDN certs resulted in a somewhat borked 
email SNI configuration. The update from Friday fixes that.

To address your issue do the following:

Run "yum clean all" and "yum update" to make sure you have all updates 
installed. Then restart CCEd for good measure:

/usr/sausalito/sbin/cced.init restart

If that doesn't fix it, try to renew the SSL certificate for the Vsite 
in question.

-- 
With best regards

Michael Stauber
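
The difference described above between reading only the "DNS:" entries and also reading the "Subject:" line can be seen with a small shell sketch. This is an added example, not part of the original message and not BlueOnyx code; the function names and the sample certificate text are constructed for illustration.

```shell
#!/bin/sh
# Reads the text form of a certificate (openssl x509 -noout -text) on stdin.

# Names from the subjectAltName extension only (the "DNS:" entries).
san_names() {
    grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Common Name from the "Subject:" line; accepts "CN=host" and "CN = host".
subject_cn() {
    sed -n 's/^[[:space:]]*Subject:.*CN[[:space:]]*=[[:space:]]*\([^,/[:space:]]*\).*/\1/p'
}

# Union of both sources, lower-cased and de-duplicated.
cert_names() {
    text=$(cat)
    { printf '%s\n' "$text" | san_names
      printf '%s\n' "$text" | subject_cn
    } | tr 'A-Z' 'a-z' | sort -u
}

# Constructed sample: certificate with several SAN entries (placeholder names).
multi_cert='        Subject: CN = www.example.com
            X509v3 Subject Alternative Name:
                DNS:www.example.com, DNS:mail.example.com, DNS:old.example.net'

# Constructed sample: single-FQDN certificate without a SAN extension.
single_cert='        Issuer: CN = shop.example.org
        Subject: CN = shop.example.org
        Subject Public Key Info:'

echo "single-FQDN cert, DNS: entries only:"
printf '%s\n' "$single_cert" | san_names     # prints nothing
echo "single-FQDN cert, DNS: plus Subject:"
printf '%s\n' "$single_cert" | cert_names
echo "multi-name cert, DNS: plus Subject:"
printf '%s\n' "$multi_cert" | cert_names

# To check what a mail service actually presents for one alias (HOST and NAME
# are placeholders), feed the live certificate through the same function:
#   openssl s_client -connect HOST:993 -servername NAME </dev/null 2>/dev/null \
#     | openssl x509 -noout -text | cert_names
```

If the names printed for an alias belong to the host server rather than the Vsite, the mail service is not selecting the Vsite certificate for that name.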


