Archive > 21.7 Legacy Series

Wildcard certificate not applied to all services


tz-mbc:
Thanks again, Vilhonator. I am not sure if my issue is specific to email; I am setting up an email relay, which technically is a simple network connection protected by TLS. I don't see how any of the higher-level email checks would be relevant here. But nevertheless, yes, DMARC, SPF and DKIM are all set for this domain.
I actually use both of these FQDNs for relaying email from/to Office365, and that works. Maybe because Microsoft doesn't check the cert.

I attached a screenshot which shows the Gmail dialogs side by side.
Both mail.mydomain.com and out.mydomain.com point to the same server; the only difference (that I am aware of) is the IP addresses/interfaces where OpnSense picks up the traffic.
And my question comes down to this: if the cert gets picked up for mydomain.com, what could prevent OpnSense from providing the same cert to out.mydomain.com?

You raised a valid point that out.mydomain.com may not be listed in the cert, but given that the cert contains *.mydomain.com, all subdomains should be served, and it does seem to work for mail.mydomain.com.

Let me rephrase the question slightly: is adding a certificate to the OpnSense trust store sufficient for it to be used for all FQDNs listed in the certificate, or do I need to specifically assign the certificate to a WAN interface/NAT rule/anything? If the answer is that this certificate will be used for all services, I may be hitting the wrong bush. E.g., OpnSense provides the correct cert but Gmail for some reason is not happy with it, which would mean I can tick off OpnSense and need to continue troubleshooting at that end.

Vilhonator:
Sorry, can't help with that. I would contact the certificate issuer and ask for help from Google as well.

Opnsense isn't able to force any certificates on you (it doesn't even check whether you are using a valid certificate or not; when you send a certificate validation request to Google, Opnsense will send it even if it's invalid, and the response you get is how Google sees it).

Proxy certificates, VPN certificates etc. are all authenticated by servers, not the firewall (unless you are using the IPS function). Just on its own, a firewall only blocks, rejects, passes and forwards traffic based on the rules it has.

tz-mbc:
Just to close this off, I think I got to the bottom of my issue. Indeed not related to OpnSense, but rather to the cert settings of a server behind NAT.
Once I knew where to look, I found this command, which allowed me to identify the server that responded with the wrong certificate:

openssl s_client -starttls smtp -showcerts -connect out.mydomain.com:25 -servername out.mydomain.com

Thanks for helping me along!
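As an added illustration (not part of the thread or of OPNsense), the wildcard question raised earlier can be checked offline: take the SAN list that `openssl x509 -noout -ext subjectAltName` prints for the certificate returned by the `s_client` command above, and run each connection name through the single-label wildcard rule that mail clients apply. The SAN text below is a constructed sample, not a real certificate.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of the text `openssl x509 -noout -ext subjectAltName`
# prints for a wildcard certificate like the one discussed in the thread.
SAMPLE_SAN_TEXT = """X509v3 Subject Alternative Name:
    DNS:*.mydomain.com, DNS:mydomain.com
"""


def parse_san_dns_names(text: str) -> List[str]:
    """Extract the DNS: entries from openssl's subjectAltName dump."""
    return re.findall(r"DNS:([^,\s]+)", text)


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: '*' is allowed only as the whole leftmost label
    and covers exactly one label. So *.mydomain.com covers out.mydomain.com
    and mail.mydomain.com, but not mydomain.com or a.b.mydomain.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject '*' anywhere but the leftmost label, and overly broad '*.tld'.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return (len(p_labels) == len(h_labels)
            and p_labels[1:] == h_labels[1:]
            and h_labels[0] != "")


def explain_coverage(san_text: str, hostnames: List[str]) -> Dict[str, Optional[str]]:
    """For each name you connect to, report which SAN entry (if any) covers it."""
    names = parse_san_dns_names(san_text)
    return {host: next((n for n in names if hostname_matches(n, host)), None)
            for host in hostnames}


if __name__ == "__main__":
    checks = ["mail.mydomain.com", "out.mydomain.com",
              "mydomain.com", "a.b.mydomain.com"]
    for host, hit in explain_coverage(SAMPLE_SAN_TEXT, checks).items():
        print(f"{host:20} -> {'covered by ' + hit if hit else 'NOT covered'}")
```

If a name reports as covered here but the client still rejects the connection, the certificate actually presented on that IP/interface is the next thing to compare, which is exactly what the `s_client` command exposes.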
