Mailserver SSL Not Working - Self Signed Certificate Issued

arifahizzati · August 16, 2021, 8:50am

Hi,

I’m trying to issue mailserver SSL for mail.domain.com at CyberPanel. After clicking the Issue SSL button, it says “SSL Issued, your mail server now uses Lets Encrypt!”.

After that, I try to link the email through Gmail and enter the below details:

SMTP Server: mail.domain.com
Username:
Password:
Port: 465
Secure connection using SSL

and I got this error:
Authentication failed. Please check your username/password.
Server returned error: “TLS Negotiation failed, the certificate doesn’t match the host., code: 0”

However, I can proceed to the next step if I choose port 25 unsecured connection.

I have checked at the server log and it says self signed SSL issued for mail.domain.com

[08.16.2021_08-17-29] Trying to obtain SSL for: mail.domain.com and: www.mail.domain.com
[08.16.2021_08-17-29] /root/.acme.sh/acme.sh --issue -d mail.domain.com -d www.mail.domain.com --cert-file /etc/letsencrypt/live/mail.domain.com/cert.pem --key-file /etc/letsencrypt/live/mail.domain.com/privkey.pem --fullchain-file /etc/letsencrypt/live/mail.domain.com/fullchain.pem -w /home/mail.domain.com/public_html --server letsencrypt --force
[08.16.2021_08-17-32] Failed to obtain SSL for: mail.domain.com and: www.mail.domain.com
[08.16.2021_08-17-32] Trying to obtain SSL for: mail.domain
[08.16.2021_08-17-36] Failed to obtain SSL, issuing self-signed SSL for: mail.domain.com
[08.16.2021_08-17-37] Connection unexpectedly closed
[08.16.2021_08-17-37] Websites matching query does not exist. [installSSLForDomain:72]
[08.16.2021_08-17-37] Self signed SSL issued for mail.domain.com.

I have also applied the same workaround from MailServer SSL does not issue the correct SSL cert · Issue #434 · usmannasir/cyberpanel · GitHub but the issue still persists.

postmap -F hash:/etc/postfix/vmail_ssl.map
systemctl restart postfix
systemctl restart dovecot

I’m using CyberPanel version 2.1 build 1. Please help with this.

Thank you.

bktechcolor · August 21, 2021, 5:38am

i’ve got the same errors, have you get the method ?

dipakcg · October 8, 2021, 12:49pm

Running into a similar issue. Did you/anyone ever found a solution to this?

SolidSnake · March 15, 2022, 9:11am

I was also facing a similar problem:

I tried the MailServer SSL issue command on the main domain (the one cyberpanel is hosted on) and it worked fine.
Then I tried to use the same command for another domain hosted on the server and it worked, however this caused the main domain certificate to stop working afterwards.
Then I noticed that everytime I tried to use the issue MailServer SSL command for another domain hosted on the server it somehow overrides the MailServer SSL Certificates, and it becomes the only one covered by it, while cancelling all the rest.
So in my case as a workaround, I re-issued an SSL certificate for the main domain (the one CyberPanel is hosted on) and then used it as the host when setting up the SMTP/POP3 connectors in Gmail for the other domains also hosted on the server and it successfully connected through SSL.

Of course this is not a permanent solution, as it requires that all clients on the server should be notifed to use this host instead of their own. But at least the mail server works until we find a proper solution. I hope this helps someone.

Here’s an example to make things a bit simpler:
Let’s say Cyberpanel is hosted on main-domain.com and I also host the another-domain.com on the same server and both have an “info” email account this is how I would set them up using SSL in Gmail:

Email address: [email protected]
Username: [email protected]
Password: ******
POP Server: main-domain.com
POP Port: 995
SMTP Server: main-domain.com
SMTP Port: 587

asma · March 15, 2022, 11:09am

Can you go to :8090/email/listEmails

And do you see this ?

If so, click ‘Fix Now’ and then you can use that specific domain as hostname in your mail client, don’t issue mailserver ssl again and again, do it only once for rdns domain.

SolidSnake · March 28, 2022, 10:51am

Sorry for my late reply…
No that error dialog is not showing up in the specific domain name I’m facing the issue with.

I still get the “SSL error: Leaf certificate is self-signed” when trying to add that email account to my gmail, using the email’s domain as a host.

I don’t face the same issue with other hosted domains though. There must be something I’ve done wrong with this one’s configuration.

EDIT1: I’ve just noticed that I have not created mail.domain.ext subdomain for this domain name while I have created that for the rest. Could this be the reason the SSL fails?

EDIT2: I’ve added a new domain to my server, created along with it its mail subdomain too.
Issued certificates to both the main domain and its mail subdomain.
Then successfully added the email account to gmail using POP3, however when trying to set up SMTP for outgoing email I get “TLS Negotiation failed, the certificate doesn’t match the host., code: 0” using either 587-TLS or 465-SSL options.

EDIT3: The new domain issue was actually solved by executing these commands through SSH:

postmap -F hash:/etc/postfix/vmail_ssl.map
systemctl restart postfix
systemctl restart dovecot

This solution was found here:

github.com/usmannasir/cyberpanel

MailServer SSL does not issue the correct SSL cert

opened 01:23PM - 11 Sep 20 UTC

franciscopaniskaseker

With last cyberpanel version and centos 7 updated, I installed one domain and tr…ied issue the MailServer SSL through "SSL > MailServer SSL", but it always issue a self signed SSL cert. I had to go to "WEBSITES > List Child Domains" menu, issue the SSL of "mail. child domain" and then go to "SSL > MailServer SSL" to issue the Let's encrypt one. I do not like this steps. They are logical, however mail servers with self cert signed will not be accepted for a lot of mail servers. But ok, let's move on to the main problem. After I issued the mail server ssl, I received this message: ```bash SSL Issued, your mail server now uses Lets Encrypt! ``` But when I try to lookup the SSL ```bash openssl s_client -connect mail.mydomain.com:587 -starttls smtp openssl s_client -connect mail.mydomain.com:25 -starttls smtp openssl s_client -connect mail.mydomain.com:465 -starttls smtp ``` All of them return a SSL selfsigned using "www.example.com" as CN. As I do not have any log about what cyberpanel is doing internally (plase see #416 that was closed with any relevant comment). I have no good way to troubleshoot the problem without have to understand a tons of code to understand why cyberpanel is not issuing the SSL mail right.

I’m still trying to find a solution to the problematic domain of my initial post though.

vjranga · June 25, 2022, 8:34pm

I had the same problem. However, I was able to fix it.
I do not know if it is the right step, but it works fine

I use Cyberpanel(ubuntu 20.04) and Cloudflare DNS
I issue SSL using DNS API

connect DNS using an API key

export CF_Key="API Key"
export CF_Email="Email"

more details:- github.com/acmesh-official/acme.sh/wiki/dnsapi#1-cloudflare-option

issue SSL main domain and mail domain(replace domain.com with your domain)

/root/.acme.sh/acme.sh --issue --dns dns_cf -d domain.com -d www.domain.com
/root/.acme.sh/acme.sh --issue --dns dns_cf -d mail.domain.com

copy the file letsencrypt/live folder(replace domain.com with your domain)

cp /root/.acme.sh/domain.com/domain.com.key /etc/letsencrypt/live/domain.com/privkey.pem 
cp /root/.acme.sh/domain.com/fullchain.cer /etc/letsencrypt/live/domain.com/fullchain.pem
cp /root/.acme.sh/domain.com/domain.com.cer /etc/letsencrypt/live/domain.com/cert.pem

cp /root/.acme.sh/mail.domain.com/mail.domain.com.key /etc/letsencrypt/live/mail.domain.com/privkey.pem
cp /root/.acme.sh/mail.domain.com/fullchain.cer /etc/letsencrypt/live/mail.domain.com/fullchain.pem
cp /root/.acme.sh/mail.domain.com/mail.domain.com.cer /etc/letsencrypt/live/mail.domain.com/cert.pem

Then I created a cronJob to renew SSL.

create a bash script file

nano sslnew.sh

Add all commands to the file (replace domain.com with your domain)

#!/bin/sh

/root/.acme.sh/acme.sh --renew --force --dns dns_cf -d domain.com -d www.domain.com
/root/.acme.sh/acme.sh --renew --force --dns dns_cf -d mail.domain.com
 
cp /root/.acme.sh/domain.com/domain.com.key /etc/letsencrypt/live/domain.com/privkey.pem 
cp /root/.acme.sh/domain.com/fullchain.cer /etc/letsencrypt/live/domain.com/fullchain.pem
cp /root/.acme.sh/domain.com/domain.com.cer /etc/letsencrypt/live/domain.com/cert.pem

cp /root/.acme.sh/mail.domain.com/mail.domain.com.key /etc/letsencrypt/live/mail.domain.com/privkey.pem
cp /root/.acme.sh/mail.domain.com/fullchain.cer /etc/letsencrypt/live/mail.domain.com/fullchain.pem
cp /root/.acme.sh/mail.domain.com/mail.domain.com.cer /etc/letsencrypt/live/mail.domain.com/cert.pem

convert file to executable
chmod +x sslnew.sh
Add cronJob.
5.If you are running for the first time, you will need to select a text editor(use a familiar one)*

crontab -e
0 0 * * 7 /root/sslnew.sh
more details:- crontab.guru

I test it on my personal site and it is worked

abdullahakim.com · August 7, 2023, 4:05pm

how to fix it, if I did it again and again?

xmedia · August 25, 2023, 8:01am

Same issue here… It worked for months and then POOF suddenly a selfsigned certificate.
The certificate is valid, and /etc/postfix/main.cf points to the correct cert:

smtpd_tls_key_file = /etc/letsencrypt/live/[emaildomain[/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/[emaildomain[/fullchain.pem

I have a cron that runs the vmail_ssl.map every week:
0 6 * * sun postmap -F hash:/etc/postfix/vmail_ssl.map

I cannot even find the self signed certificate anywhere on the server. Where is this coming from?

iamkashifnadeem · February 16, 2024, 11:38am

Got fix with this command