# Changed domains/cert problems



## fullauto2012 (Mar 1, 2019)

```
FreeBSD kif 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017    root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
```

I decided to change my domain name (domain1.com to domain2.com). I revoked the certbot certs and deleted them, then changed my /usr/local/etc/apache24/extra/httpd-vhosts.conf to reflect the name change. I turned off the "redirect" line that sends people from port 80 to port 443, and used certbot to obtain a new certificate for domain2.com, www.domain2.com, and mail.domain2.com. Worked like a charm. I then turned the redirect line back on to ensure that the certificate was working, and all was fine.

The problem came about when I tried to change over my sendmail. I made all the certificate changes in the ServerName.MC file, changed over the local-host-names file, the access file, etc. Issued a "make all install restart", and it all came up just fine. However, when I telnet to the machine on port 25, STARTTLS is not listed in the EHLO response. I went back and checked my configuration but cannot find anything wrong with it. Perhaps a fresh set of eyes will help!

I know the certs are good, but I cannot find anything else wrong. Admittedly, I am a novice at this.


```
root@kif:/etc/mail # service saslauthd status
saslauthd is running as pid 47455.
root@kif:/etc/mail #
```


```
root@kif:/etc/mail # cat kif.mc
divert(-1)
dnl Sendmail m4 master config for host kif (domain2.com): local delivery via LMTP,
dnl STARTTLS with Let's Encrypt certificates, and SASL AUTH via saslauthd.
dnl NOTE(review): as pasted, most quoted m4 arguments show only the closing quote
dnl (compare the complete quoting on the confPRIVACY_FLAGS line below); presumably
dnl the opening quote character was stripped by the forum renderer - confirm the
dnl file on disk quotes every macro argument properly, otherwise m4 mis-parses it.
divert(0)
VERSIONID($FreeBSD: releng/11.1/etc/sendmail/freebsd.mc 285230 2015-07-07 03:00:57Z gshapiro $')
OSTYPE(freebsd6)
DOMAIN(generic)

dnl Map-backed policy tables; access_db also drives relay/reject decisions.
FEATURE(access_db, hash -o -T<TMPF> /etc/mail/access')
FEATURE(blacklist_recipients)
FEATURE(local_lmtp)
FEATURE(mailertable, hash -o /etc/mail/mailertable')
FEATURE(virtusertable, hash -o /etc/mail/virtusertable')

dnl Rewrite sender addresses (header and envelope) to the new domain.
MASQUERADE_AS(domain2.com)dnl
MASQUERADE_DOMAIN(domain2.com)dnl
FEATURE(masquerade_envelope)dnl
FEATURE(masquerade_entire_domain)dnl

dnl Enable STARTTLS for receiving email.

dnl NOTE(review): live/ contains symlinks into archive/ (see the ls output in the
dnl post), so the modes that matter for sendmail's safe-file checks are those of
dnl the archive/ targets, not the links.
define(CERT_DIR', /usr/local/etc/letsencrypt/live/domain2.com')dnl
dnl NOTE(review): cert.pem is the leaf certificate only; confCACERT below points at
dnl fullchain.pem, but many setups use fullchain.pem here as well so the intermediate
dnl is always sent to clients. Verify the served chain with
dnl "openssl s_client -starttls smtp -connect localhost:25" once STARTTLS appears.
define(confSERVER_CERT', CERT_DIR/cert.pem')dnl
dnl NOTE(review): sendmail refuses a key file that is group- or world-readable
dnl (it logs "STARTTLS=server: file ... unsafe" in /var/log/maillog and simply
dnl stops advertising STARTTLS) unless DontBlameSendmail includes
dnl GroupReadableKeyFile. The ls output shows archive/.../privkey1.pem as
dnl -rw-r----- root:wheel, i.e. group readable. Prefer chmod 0600 on the key
dnl over relaxing DontBlameSendmail; check maillog first to confirm the cause.
define(confSERVER_KEY', CERT_DIR/privkey.pem')dnl
dnl Same cert/key reused for outbound (client-side) TLS.
define(confCLIENT_CERT', CERT_DIR/cert.pem')dnl
define(confCLIENT_KEY', CERT_DIR/privkey.pem')dnl
define(confCACERT', CERT_DIR/fullchain.pem')dnl
dnl NOTE(review): confCACERT_PATH is handed to OpenSSL as a CApath, which expects
dnl hash-named links (c_rehash); a plain letsencrypt live/ directory has none,
dnl so peer-certificate verification presumably relies on confCACERT alone.
define(confCACERT_PATH', CERT_DIR')dnl

dnl define(confDH_PARAMETERS', CERT_DIR/dh.param')dnl

dnl set SASL options
dnl Mechanisms listed in TRUST_AUTH_MECH grant relaying once authenticated.
TRUST_AUTH_MECH(GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(confAUTH_MECHANISMS', GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
dnl p: do not offer mechanisms vulnerable to passive sniffing (PLAIN/LOGIN) unless a
dnl security layer such as TLS is active - this is why the EHLO transcript shows only
dnl DIGEST-MD5 and CRAM-MD5. y: do not permit anonymous login.
define(confAUTH_OPTIONS',p,y')

define(confCW_FILE', -o /etc/mail/local-host-names')

dnl Enable for both IPv4 and IPv6 (optional)
dnl NOTE(review): Modifiers=a makes this port-25 listener require authentication for
dnl every session, which would also apply to remote MTAs delivering inbound mail -
dnl confirm this is intended and that inbound mail from other servers still arrives.
DAEMON_OPTIONS(Name=IPv4, Family=inet', Name=MTA-v4, Port=25, Modifiers=a)
dnl DAEMON_OPTIONS(Name=IPv6, Family=inet6, Modifiers=O')

define(confBIND_OPTS', WorkAroundBrokenAAAA')
define(confNO_RCPT_ACTION', add-to-undisclosed')
dnl Hide VRFY/EXPN and add authentication warnings to headers.
define(confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')
MAILER(local)
MAILER(smtp)
root@kif:/etc/mail #
```


```
root@kif:/etc/mail # ls -la /usr/local/etc/letsencrypt/live/domain2.com/
total 12
drwxr-xr-x  2 root  wheel  512 Feb 28 22:17 .
drwx------  4 root  wheel  512 Feb 28 23:42 ..
-rw-r--r--  1 root  wheel  543 Feb 28 22:17 README
lrwxr-xr-x  1 root  wheel   38 Feb 28 22:17 cert.pem -> ../../archive/domain2.com/cert1.pem
lrwxr-xr-x  1 root  wheel   39 Feb 28 22:17 chain.pem -> ../../archive/domain2.com/chain1.pem
lrwxr-xr-x  1 root  wheel   43 Feb 28 22:17 fullchain.pem -> ../../archive/domain2.com/fullchain1.pem
lrwxr-xr-x  1 root  wheel   41 Feb 28 22:17 privkey.pem -> ../../archive/domain2.com/privkey1.pem
root@kif:/etc/mail #
```


```
root@kif:/usr/local/etc/letsencrypt/archive/domain2.com # ls -la
total 24
drwxr-xr-x  2 root  wheel   512 Feb 28 22:17 .
drwx------  7 root  wheel   512 Feb 28 23:42 ..
-rw-r--r--  1 root  wheel  1964 Feb 28 22:17 cert1.pem
-rw-r--r--  1 root  wheel  1647 Feb 28 22:17 chain1.pem
-rw-r--r--  1 root  wheel  3611 Feb 28 22:17 fullchain1.pem
-rw-r-----  1 root  wheel  1704 Feb 28 22:17 privkey1.pem
root@kif:/usr/local/etc/letsencrypt/archive/domain2.com #
```


```
root@kif:/etc/mail # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 kif ESMTP Sendmail 8.15.2/8.15.2; Fri, 1 Mar 2019 01:12:51 -0500 (EST)
ehlo localhost
250-kif Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP
quit
221 2.0.0 kif closing connection
Connection closed by foreign host.
root@kif:/etc/mail #
```

I used the following guides to help set this up:
https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/SMTP-Auth.html
https://evermeet.cx/wiki/Let's_Encrypt_with_Apache,_dovecot,_and_sendmail#sendmail_.28sendmail.mc.29


----------



## SirDice (Mar 1, 2019)

Note that FreeBSD 11.1 is no longer supported; its support ended 3 months after the release of 11.2. Please upgrade to 11.2 as soon as possible. The support schedule from 11.0 onward differs from all previous versions: now only the _last_ minor version of a major branch is supported.












----------

