Email error – The certificate does not match the expected identity of the site that it was retrieved from.

The certificate does not match the expected identity of the site that it was retrieved from.
The server's identity does not match the identity in the certificate
Hostname in certificate didn't match

The reason for the above errors are due to the fact that the email client is trying to use mail.mydomain.com and the email server is mail.emailserver.com.

So the email client pulls the certificate for mail.emailserver.com and reads that this certificate is for mail.emailserver.com, NOT for mail.mydomain.com. Hence the conflict and it throws an error.

If you can, accepting the certificate should let everything work. It appears that on recent versions of iOS their may be some problems trusting it. The other work around is to use the actual mail server host. So mail.emailserver.com

Create Certificate on Mikrotik – Command Line

https://wiki.mikrotik.com/wiki/Manual:Create_Certificates
https://www.medo64.com/2016/12/simple-openvpn-server-on-mikrotik/

Create Certificate Authority and Server Certificate

/certificate add name=ca-template common-name=myCa days-valid=3650 key-size=2048 key-usage=key-cert-sign,crl-sign

/certificate add name=server-template common-name=server days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server

Sign certificates

/certificate sign ca-template name=myCa

/certificate sign server-template ca=myCa name=server

Trust certificates

/certificate set myCa trusted=yes

/certificate set server trusted=yes

Create Certificate on Mikrotik – WinBox

Create Certificates

Open up the Certificates window by going to /System -> Certificates. Hit the + to add a new certificate

Create Certificate Authority Certificate

First we are going to create a Certificate Authority template

Setup Certificate Authority template

Specify the key usage to “crl sign” and “key cert. sign” and apply

Set Certificate Authority Key Usage

Setup Server Certificate

Now we are going to create a server template

Setup Server Template

We need to specify “Digital signature, key encipherment, and tls server” You may need to enable/disable more depending on your use case scenario. In this case we are setting it up for OpenVPN.

Configure Server Key Usage

Sign Templates

First we need to sign the ca-template by opening up the the Certificate and hitting Sign on the right hand side. Should get the little Sign window pop up.

Sign Certificate Authority

Progress will show done when it is finished signing.

Next we need to sign the server-template. When Signing the server template, specify the ca-template in the CA: field. See below

Sign Server Certificate

Errors Renewing Lets Encrypt Certificate for UniFi-Video

Had an issue with the Lets Encrypt cert for a UniFi-Video server.  When renewing the cert and reimporting it into the UniFi-Video keystore, the certification was showing out of date.

Issue ended up being something with certbot.

When certbot runs it generates a new cert.pem, chain.pem, fullchain.pem and privkey.pem and puts them in the “/etc/letsencrypt/live/unifi.domain.com/” directory.

The privkey.pem and cert.pem are used to create the keys.p12 file which gets imported into the UniFi-Video keystore.

Apparently the .pem files in “/etc/letsencrypt/live/unifi.domain.com/” are symbolic links to files in “/etc/letsencrypt/archive/unifi.domain.com/”

Upon inspection of the archive directory, multiple cert.pem and privkey.pem files were found with the names cert1.pem, cert2.pem, cert3.pem etc.  Looking at the creation date of the file revealed the symbolic link was referring to an old “cert1.pem” file.

Work around was to stop the unifi-video service and reimport the cert using the latest .pem files in the archive directory.

echo ubiquiti | openssl pkcs12 -export -inkey /etc/letsencrypt/archive/unifi.yourdomain.com/privkey2.pem -in /etc/letsencrypt/archive/unifi.yourdomain.com/cert2.pem -name airvision -out /usr/lib/unifi-video/data/keys.p12 -password stdin
echo y | keytool -importkeystore -srckeystore /etc/letsencrypt/archive/unifi.yourdomain.com/keys.p12 -srcstoretype pkcs12 -destkeystore /usr/lib/unifi-video/data/keystore -storepass ubiquiti -srcstorepass ubiquiti

Remove the old ufv-truststore and start the service.

mv /usr/lib/unifi-video/data/ufv-truststore{,.old}
systemctl start unifi-video

Worked like a charm.