Mailserver issuing SSL gives invalid self signed mail certificate

Issuing a mail SSL certificate from the panel keeps failing and I've tried a bunch of solutions.

Logs:

[09.01.2022_15-32-52] /root/.acme.sh/acme.sh --issue -d mail.domain.es --cert-file /etc/letsencrypt/live/mail.domain.es/cert.pem --key-file /etc/letsencrypt/live/mail.domain.es/privkey.pem --fullchain-file /etc/letsencrypt/live/mail.domain.es/fullchain.pem -w /usr/local/lsws/Example/html -k ec-256 --force --server letsencrypt
[09.01.2022_15-32-52] Failed to obtain SSL, issuing self-signed SSL for: mail.domain.es
[09.01.2022_15-32-53] {'[email protected]': (554, b'5.7.1 <[email protected]>: Relay access denied')}
[09.01.2022_15-32-53] Websites matching query does not exist. [installSSLForDomain:72]
[09.01.2022_15-32-53] Self signed SSL issued for mail.domain.es.
[09.01.2022_15-35-22] Status Code: Unkown for: http://www.mail.domain.es/.well-known/acme-challenge/mail.domain.es. Error: HTTPConnectionPool(host='www.mail.domain.es', port=80): Max retries exceeded with url: /.well-known/acme-challenge/mail.domain.es (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fd547bad9b0>: Failed to establish a new connection: [Errno -2] Name or service not known',))
[09.01.2022_15-35-22] Status Code: Unkown for: http://mail.domain.es/.well-known/acme-challenge/mail.domain.es. Error: HTTPConnectionPool(host='mail.domain.es', port=80): Max retries exceeded with url: /.well-known/acme-challenge/mail.domain.es (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fd547bad208>: Failed to establish a new connection: [Errno -2] Name or service not known',))
[09.01.2022_15-35-51] /root/.acme.sh/acme.sh --issue -d mail.domain.es -d www.mail.domain.es --cert-file /etc/letsencrypt/live/mail.domain.es/cert.pem --key-file /etc/letsencrypt/live/mail.domain.es/privkey.pem --fullchain-file /etc/letsencrypt/live/mail.domain.es/fullchain.pem -w /usr/local/lsws/Example/html -k ec-256 --force --server letsencrypt

Tried solutions found on other topics, none of them worked:
Update CyberPanel to the latest version:
sh <(curl https://raw.githubusercontent.com/usmannasir/cyberpanel/stable/preUpgrade.sh 36 || wget -O - https://raw.githubusercontent.com/usmannasir/cyberpanel/stable/preUpgrade.sh 36)

Postmap and restart:

postmap -F hash:/etc/postfix/vmail_ssl.map
systemctl restart dovecot && systemctl restart postfix

Issue using acme from SSH, gives error (challenge failed for domain mail.domain.es, type: unauthorized):

/root/.acme.sh/acme.sh --issue --dns dns_cf -d mail.domain.com
certbot certonly -d mail.domain.com

Nothing worked and issuing from the panel still gives me a self-signed SSL certificate.

From checktls:

Perfect Forward Secrecy: yes
Session Algorithm in use: Curve X25519 DHE(253 bits)
Certificate #1 of 1 (sent by MX):
Cert VALIDATION ERROR(S): self signed certificate
So email is encrypted but the recipient domain is not verified

Gmail pop3: SSL error: Leaf certificate is self-signed

domain.es has correct SSL and works, though the mail server doesn't.

Hey, I discovered it was a DNS problem: my SPF record had a typing mistake. I found it out by testing my server on https://mail-tester.com and it gave me an error, so I hope it helps someone else!
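
The fix reported above was a typing mistake in the SPF record. As an added example (not part of the original posts), here is a small offline lint for an SPF TXT string that flags common typing mistakes. `spf_lint` and `note` are hypothetical names and the sample records are constructed, since the thread does not show the actual record.

```shell
#!/bin/sh
# Added example: lint an SPF TXT string offline. Fetch the live value with
#   dig +short TXT domain.es        (domain.es is the thread's placeholder)

note() { echo "$1"; findings=$((findings + 1)); }

# spf_lint RECORD: print one finding per line; return 0 only when there are none.
spf_lint() {
    findings=0 seen_end=0 first=1
    set -f                              # no globbing while splitting the record
    for term in $1; do
        if [ "$first" -eq 1 ]; then     # first term must be the version tag
            first=0
            [ "$term" = "v=spf1" ] || note "must start with v=spf1, got '$term'"
            continue
        fi
        name=${term#[-+~?]}             # drop the qualifier
        name=${name%%[:/=]*}            # drop :value, /cidr or =value
        name=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        case $name in
            all|redirect) seen_end=1 ;;
            ip4) case ${term#*:} in     # expect dotted quad, optional /cidr
                     *[!0-9./]*) note "bad ip4 value in '$term'" ;;
                     *.*.*.*) ;;
                     *) note "bad ip4 value in '$term'" ;;
                 esac ;;
            a|mx|ip6|include|exists|ptr|exp) ;;
            # Receivers ignore unknown modifiers, but in a hand-typed record
            # an unrecognised name is almost always a typo, so flag it.
            *) note "unknown term '$term'" ;;
        esac
    done
    set +f
    [ "$first" -eq 0 ] || note "empty record"
    [ "$seen_end" -eq 1 ] || note "no 'all' or redirect= term, unmatched senders get neutral"
    [ "$findings" -eq 0 ]
}

# Constructed sample records (203.0.113.10 and example.net are documentation values).
for rec in "v=spf1 mx ip4:203.0.113.10 ~all" \
           "v=spf1 mx inlcude:_spf.example.net ~all" \
           "v=spf 1 mx ip4:203.0.113 -al"; do
    echo "== $rec"
    if spf_lint "$rec"; then echo "   ok"; fi
done
```

This only checks the text of the record; it does not follow `include` or `redirect` targets or count DNS lookups.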
