CyberPanel Community

TLS Library problem alert 42 - domain name does not match the server certificate - cyberpanel (closed)

EcomNextGen #1

Hello,

I don't understand why it's not working:

Jan 14 19:38:56 localhost postfix/submission/smtpd[397261]: connect from unknown[173.44.55.155]
Jan 14 19:38:57 localhost postfix/submission/smtpd[397261]: SSL_accept error from unknown[173.44.55.155]: -1
Jan 14 19:38:57 localhost postfix/submission/smtpd[397261]: warning: TLS library problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:…/ssl/record/rec_layer_s3.c:1543:SSL alert number 42:
Jan 14 19:38:57 localhost postfix/submission/smtpd[397261]: lost connection after STARTTLS from unknown[173.44.55.155]
Jan 14 19:38:57 localhost postfix/submission/smtpd[397261]: disconnect from unknown[173.44.55.155] ehlo=1 starttls=0/1 commands=1/2
Jan 14 19:41:17 localhost dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>,

I set a DNS A record for mail.domain.com pointing to the server IP.
I also set an MX record for mail.domain.com pointing to the server IP.

When I try to send a mail I get this pop-up (domain name does not match the server's certificate):
https:// prnt.sc/4OWj9c5gZsO9

EcomNextGen #2

Updated to make it clearer. Today the DNS is fully propagated and I still have this error. Waiting for a fix; this email is business-critical for customer service... CyberPanel's mail function should work 100% without any problem, otherwise it's dangerous to use CyberPanel for critical apps. Hope I can understand what is happening here :wink:

I didn't try first with a non-critical email because I thought this would work 100% the first time without any error; next time I will use a test site for this purpose.

shoaibkk #3

What are the results of checktls?

EcomNextGen #4

checktls: command not found

EcomNextGen #6

OK, thanks for clarifying :wink:

Result:

Checking XXX@XXX.com from www12-do.checktls.com(V03.69.04) at 2023-01-16T15:17:49Z:

seconds lookup result
[000.000] DNS LOOKUPS
[000.008] SEARCHLIST 104.131.108.216,134.209.169.224,1.1.1.1,8.8.8.8,67.207.67.3
[000.052] MX (30) mail.XXX.com
[000.075] MX:A–>mail.XXX.com server-ip-removed
seconds test stage and result
[000.000] Trying TLS on mail.xxxx.com[server-ip-removed:25] (30)
[000.076] Server answered
[000.319] <‑‑ 220 xxxx.com ESMTP Postfix
[000.319] We are allowed to connect
[000.319] ‑‑> EHLO www12-do.checktls.com
[000.394] <‑‑ 250-xxxx.com
250-PIPELINING
250-SIZE 30720000
250-ETRN
250-STARTTLS
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
[000.394] We can use this server
[000.394] TLS is an option on this server
[000.394] ‑‑> STARTTLS
[000.469] <‑‑ 220 2.0.0 Ready to start TLS
[000.469] STARTTLS command works on this server
[000.561] Connection converted to SSL
SSLVersion in use: TLSv1_3
Cipher in use: TLS_AES_256_GCM_SHA384
Perfect Forward Secrecy: yes
Session Algorithm in use: Curve X25519 DHE(253 bits)
Certificate #1 of 1 (sent by MX):
Cert VALIDATION ERROR(S): self signed certificate
So email is encrypted but the recipient domain is not verified
Cert Hostname VERIFIED (mail.xxx.com = mail.xxx.com)
Not Valid Before: Jan 14 18:31:00 2023 GMT
Not Valid After: Jan 11 18:31:00 2033 GMT
subject: /C=US/ST=Denial/L=Springfield/O=Dis/CN=mail.xxx.com
issuer: /C=US/ST=Denial/L=Springfield/O=Dis/CN=mail.xxx.com
[000.565] ~~> EHLO www12-do.checktls.com
[000.710] <~~ 250-xxx.com
250-PIPELINING
250-SIZE 30720000
250-ETRN
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
[000.711] TLS successfully started on this server
[000.711] ~~> MAIL FROM:test@checktls.com
[000.791] <~~ 250 2.1.0 Ok
[000.792] Sender is OK
[000.792] ~~> QUIT
[000.868] <~~ 221 2.0.0 Bye
EcomNextGen #8

I already did, but this doesn't work; still the same problem. I tried it for mail.xxx.com and xxx.com (primary domain) like in the YouTube video of the CyberPanel team.

josephgodwinke #9

Check the rDNS PTR record; it should be mail.xxx.com. This should be done where your dedicated server was purchased from. Add it for both the IPv4 and IPv6 addresses.

EcomNextGen #10

On OVH we have a tab where we can add what they call "Secondary DNS".

Screenshot (by Lightshot) translation:

Add a domain

Add a secondary DNS to your dedicated server :

IP

Domain

Is that the rDNS PTR?

EcomNextGen #12

Thanks,

So we edited the reverse DNS and put mail.xxx.com.

We can only edit the IPv4 reverse DNS and not the IPv6; there is no option to edit it.

Will this reverse DNS cause any problem in the future for our other WordPress sites that run on the same server?

We will install more mailboxes later for other domains, so mail.xxx.com is the first install, but there will be mail.xxx2.com, mail.xxx3.com and mail.xxx4.com.

We actually think that setting the reverse DNS to mail.xxx.com will maybe make it impossible to install the future mailboxes correctly for the other WordPress sites.

Testing:

So we did a test after editing the reverse DNS to mail.xxx.com.
The A record was already fully propagated, and as explained we understand that the reverse DNS is propagated instantly after the setting is in place.

We still have the same error:
Jan 17 09:28:07 localhost postfix/submission/smtpd[727258]: warning: TLS library problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:…/ssl/record/rec_layer_s3.c:1543:SSL alert number 42:

Thunderbird pop-up says:
This site tries to identify itself with invalid information.

Wrong site

The certificate belongs to a different site, which could indicate that someone is trying to impersonate this site.

Unknown identity

The certificate is not secure because it is impossible to verify that it was issued by a trusted authority using a secure signature.

(still same problem)

After this pop-up I can only quit; then a secondary pop-up appears, and this one says:

Sending the message failed.
The certificate is not secure because it is self-signed.
The configuration linked to mail.hecten.com must be corrected.
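
The two findings above (checktls' "self signed certificate" in #6 and Thunderbird's "Wrong site" here) can be reproduced from the certificate alone. The script below is an added example, not code from the thread or from CyberPanel; it assumes the openssl CLI is installed, and mail.xxx.com, port 587 and the file paths are placeholders. It also runs the same check against whatever certificate smtpd_tls_cert_file in main.cf names.

```shell
# Added example, not code from the thread or from CyberPanel: reproduce the
# "self signed certificate" and "Wrong site" (name mismatch) findings from a
# certificate. Assumes the openssl CLI; names, ports and paths are placeholders.

# Fetch the certificate a Postfix submission listener presents after STARTTLS,
# sending the expected name as SNI (Postfix consults tls_server_sni_maps only
# when the client sends SNI). Prints the PEM certificate on stdout.
fetch_submission_cert() {
    host="$1"; port="${2:-587}"
    printf 'QUIT\r\n' | openssl s_client -connect "$host:$port" -starttls smtp \
        -servername "$host" 2>/dev/null | openssl x509
}

# Check a PEM certificate file against the name the mail client connects to.
# Prints OK or "REJECT: findings" and returns 1 when a client would reject it.
diagnose_cert() {
    pem="$1"; expect="$2"; findings=""
    subj=$(openssl x509 -in "$pem" -noout -subject)
    issuer=$(openssl x509 -in "$pem" -noout -issuer)
    # Issuer equal to subject: no CA vouches for the key (checktls: self signed).
    [ "${subj#subject=}" = "${issuer#issuer=}" ] && findings="$findings SELF_SIGNED"
    # -checkhost applies the SAN-first, CN-fallback matching that clients use;
    # a miss here is Thunderbird's "certificate belongs to a different site".
    if ! openssl x509 -in "$pem" -noout -checkhost "$expect" | grep -q 'does match'; then
        findings="$findings HOSTNAME_MISMATCH"
    fi
    # -checkend 0 exits non-zero once notAfter has passed.
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null || findings="$findings EXPIRED"
    if [ -z "$findings" ]; then echo "OK"; return 0; fi
    echo "REJECT:$findings"; return 1
}

# Run the same check on whatever main.cf tells Postfix to present; in the
# thread smtpd_tls_cert_file still pointed at Dovecot's self-signed pem.
diagnose_postfix_cert() {
    maincf="$1"; expect="$2"
    pem=$(sed -n 's/^smtpd_tls_cert_file[[:space:]]*=[[:space:]]*//p' "$maincf" | tail -n 1)
    [ -n "$pem" ] || { echo "NO_CERT_CONFIGURED"; return 1; }
    echo "smtpd_tls_cert_file = $pem"
    diagnose_cert "$pem" "$expect"
}

# Throwaway self-signed cert with the subject the thread's checktls output
# showed (constructed test data). Writes "$1" and "$1.key".
make_demo_cert() {
    openssl req -x509 -nodes -newkey rsa:2048 -days 1 -keyout "$1.key" -out "$1" \
        -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=mail.xxx.com" >/dev/null 2>&1
}
```

Try it with `make_demo_cert /tmp/demo.pem; diagnose_cert /tmp/demo.pem mail.xxx.com` (reports SELF_SIGNED), or against a live server with `fetch_submission_cert mail.xxx.com > live.pem; diagnose_postfix_cert /etc/postfix/main.cf mail.xxx.com`.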

josephgodwinke #13

No, the rDNS is for the mail server, not to serve your websites.

Apply this fix: Cannot Send Emails As via Gmail - SSL Certificate Mismatch - #4 by josephgodwinke. Then copy your mail server domain and test it here: SSL Checker. If you get any errors there, report back here.

EcomNextGen #14

1/ We tested with the domain name xxx.com instead of mail.xxx.com and it works, no problem at all.

2/ We still want to use mail.xxx.com because this is the best option if we want to change our mail server later.

So we did your fix again; we issued the mail server SSL for mail.xxx.com again.
We tested: we connect to our email, and when trying to send an email we are blocked by the pop-ups. Still the same problem.

The SSL Checker result:

We checked again with CheckTLS afterwards because we find it weird that SSL Checker says everything is fine while on our side we still have the problem:

EcomNextGen #16

We deleted the file in mail.xxx.com and issued the mail server SSL again for mail.xxx.com, and we still have the same problem.

Could it come from the DNS settings?

We know that
default._domainkey.
_domainkey.
_dmarc.

are all set on xxx.com and not for mail.xxx.com.

Maybe it comes from that? We didn't think about it because the error seems to be more at the certificate level than at the DNS record level.

Thanks

EcomNextGen #18

Yes, we set the A record for mail.xxx.com; it is fully propagated now and points to the server IP, of course.

josephgodwinke #19

You are right. Exclude the DNS. Of course, disabling TLS on Postfix is out of the question.

Let's take matters into our own hands now. Create a CSR:

cd /etc/postfix/ssl
# generate a new 2048-bit RSA key (unencrypted) and a CSR for the mail hostname
openssl req -nodes -newkey rsa:2048 -keyout mail.xxx.com.key -out mail.xxx.com.csr

Confirm /etc/postfix/main.cf has our new certificate and key chain, and run service postfix reload.

EcomNextGen #20

Done.
Edit: the /etc/postfix/ssl folder didn't exist, so we created it with mkdir ssl.

After all that was done, we still have the problem.

josephgodwinke #21

nano /etc/postfix/main.cf || vi /etc/postfix/main.cf

Do you see this:

smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
EcomNextGen #22

Yes, we have exactly these settings.

josephgodwinke #23

Post your entire /etc/postfix/main.cf here.

EcomNextGen #24

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix
mail_owner = postfix
inet_protocols = all
mydestination = localhost, localhost.localdomain
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.10.1/samples
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES

hostname = mail.xxx.com
mynetworks = 127.0.0.0/8
message_size_limit = 30720000
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
virtual_create_maildirsize = yes
virtual_maildir_extended = yes
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_cano>
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
inet_interfaces = all
smtp_tls_security_level = may
disable_vrfy_command = yes
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map

josephgodwinke #25

Looks OK. Let me see another way to fix this.

josephgodwinke #26
$ /root/.acme.sh/acme.sh --renew --force --ecc --domain mail.xxx.com
$ cp /root/.acme.sh/mail.xxx.com/mail.xxx.com.key /etc/letsencrypt/live/mail.xxx.com/privkey.pem
$ cp /root/.acme.sh/mail.xxx.com/fullchain.cer /etc/letsencrypt/live/mail.xxx.com/fullchain.pem
$ cp /root/.acme.sh/mail.xxx.com/mail.xxx.com.cer /etc/letsencrypt/live/mail.xxx.com/cert.pem

EcomNextGen #27

/etc/postfix# /root/.acme.sh/acme.sh --renew --force --domain mail.xxx.com
[Tue 17 Jan 2023 11:32:10 AM UTC] The domain ‘mail.xxx.com’ seems to have a ECC cert already, please add ‘–ecc’ parameter if you want to use that cert.
[Tue 17 Jan 2023 11:32:10 AM UTC] Renew: ‘mail.xxx.com
[Tue 17 Jan 2023 11:32:10 AM UTC] ‘mail.xxx.com’ is not an issued domain, skip.

/etc/postfix# cp /root/.acme.sh/mail.xxx.com/mail.xxx.com.key /etc/letsencrypt/live/mail.xxx.com/privkey.pem
cp: cannot stat ‘/root/.acme.sh/mail.xxx.com/mail.xxx.com.key’: No such file or directory

/.acme.sh# ls
I can see mail.xxx.com_ecc with the key inside.

josephgodwinke #28

I forgot it's an ECDSA certificate.

Yes, because nothing was generated; the first command failed.

josephgodwinke #30

Setting up your mail client to use a mail server such as domain.com is not recommended, and from what I know about CyberPanel it won't let you do this. The mail server is mail.domain.com when you first create a website or domain.

Read up on this and try it.

Which service provider are you using for the server?

EcomNextGen #31

OK, will do. Just before that, I'll add this information:

Maybe there is a misconfiguration problem, because mail.xxx.com seems to be identified as a domain exactly like xxx.com.

On the Create Email Account page in CyberPanel
I can either create mail for @xxx.com
or create mail for @mail.xxx.com.

After that,

On the List Email Accounts page in CyberPanel
we can select either xxx.com or mail.xxx.com; they are both identified as domains.

I find it a bit weird, that's all.

For the previous change we made, wouldn't it be better to edit back to the default config, since it doesn't work anyway?

Maybe there is something we don't see, and only @shoaibkk or @usmannasir can see it, I don't know.

We use an OVH dedicated server.

EcomNextGen #32

For the OVH part: How to use OVH domain api · acmesh-official/acme.sh Wiki · GitHub
I just created API credentials, but this part, How to use OVH domain api · acmesh-official/acme.sh Wiki · GitHub, from point 2 onwards confuses me: where should I put these credentials, in which file?

Thanks

Edit: maybe we are pushing things a little too much; why not put back the settings changed in the previous post and try to delete mail.xxx.com and recreate it from the start? I don't know what is best.

josephgodwinke #33

The simplest method, if you can, is to start all over again and if possible reinstall CyberPanel afresh. Make sure to install only what you need.

EcomNextGen #34

The problem is that I actually run critical WordPress sites and I'm not confident about reinstalling CyberPanel. I run 4 e-commerce sites and prefer not to lose data or break something.

josephgodwinke #35

If these are mission-critical apps, then I would assume you have some sort of backup?

josephgodwinke #37

Then back up your website files and DBs as of now and restore a snapshot of your server from when you first purchased it. Install CyberPanel with only what you need, and set up the default nameservers and DNS. Create the website with the primary domain; this should include the mail domain, which will be our mail server.

EcomNextGen #38

Can we not just put the settings back to the previous settings?

I'm really not ready to restore a snapshot of the server and work from backups of all the WordPress sites. I prefer to wait for the fix from @usmannasir or @shoaibkk.

EcomNextGen #40

Still urgent about this problem; need help from CyberPanel :confused:
Solution edit: no answer, no solution.
