Mailserver SSL Not Working - Self Signed Certificate Issued

Hi,

I’m trying to issue mailserver SSL for mail.domain.com at CyberPanel. After clicking the Issue SSL button, it says “SSL Issued, your mail server now uses Lets Encrypt!”.

After that, I try to link the email through Gmail and enter the below details:

SMTP Server: mail.domain.com
Username:
Password:
Port: 465
Secure connection using SSL

and I got this error:
Authentication failed. Please check your username/password.
Server returned error: “TLS Negotiation failed, the certificate doesn’t match the host., code: 0”

However, I can proceed to the next step if I choose port 25 unsecured connection.

I have checked the server log and it says a self-signed SSL was issued for mail.domain.com:

[08.16.2021_08-17-29] Trying to obtain SSL for: mail.domain.com and: www.mail.domain.com
[08.16.2021_08-17-29] /root/.acme.sh/acme.sh --issue -d mail.domain.com -d www.mail.domain.com --cert-file /etc/letsencrypt/live/mail.domain.com/cert.pem --key-file /etc/letsencrypt/live/mail.domain.com/privkey.pem --fullchain-file /etc/letsencrypt/live/mail.domain.com/fullchain.pem -w /home/mail.domain.com/public_html --server letsencrypt --force
[08.16.2021_08-17-32] Failed to obtain SSL for: mail.domain.com and: www.mail.domain.com
[08.16.2021_08-17-32] Trying to obtain SSL for: mail.domain
[08.16.2021_08-17-36] Failed to obtain SSL, issuing self-signed SSL for: mail.domain.com
[08.16.2021_08-17-37] Connection unexpectedly closed
[08.16.2021_08-17-37] Websites matching query does not exist. [installSSLForDomain:72]
[08.16.2021_08-17-37] Self signed SSL issued for mail.domain.com.

I have also applied the same workaround from MailServer SSL does not issue the correct SSL cert · Issue #434 · usmannasir/cyberpanel · GitHub but the issue still persists.

postmap -F hash:/etc/postfix/vmail_ssl.map
systemctl restart postfix
systemctl restart dovecot

I’m using CyberPanel version 2.1 build 1. Please help with this.

Thank you.

I’ve got the same errors. Have you found a method?

Running into a similar issue. Did you/anyone ever find a solution to this?

I was also facing a similar problem:

  • I tried the MailServer SSL issue command on the main domain (the one cyberpanel is hosted on) and it worked fine.

  • Then I tried to use the same command for another domain hosted on the server and it worked, however this caused the main domain certificate to stop working afterwards.

  • Then I noticed that every time I tried to use the issue MailServer SSL command for another domain hosted on the server, it somehow overrides the MailServer SSL certificates, and it becomes the only one covered by it, while cancelling all the rest.

  • So in my case as a workaround, I re-issued an SSL certificate for the main domain (the one CyberPanel is hosted on) and then used it as the host when setting up the SMTP/POP3 connectors in Gmail for the other domains also hosted on the server and it successfully connected through SSL.

Of course this is not a permanent solution, as it requires that all clients on the server be notified to use this host instead of their own. But at least the mail server works until we find a proper solution. I hope this helps someone. 🙂

Here’s an example to make things a bit simpler:
Let’s say CyberPanel is hosted on main-domain.com and I also host another-domain.com on the same server, and both have an “info” email account. This is how I would set them up using SSL in Gmail:

Email address: info@main-domain.com
Username: info@main-domain.com
Password: ******
POP Server: main-domain.com
POP Port: 995
SMTP Server: main-domain.com
SMTP Port: 587

Email address: info@another-domain.com
Username: info@another-domain.com
Password: ******
POP Server: main-domain.com
POP Port: 995
SMTP Server: main-domain.com
SMTP Port: 587

Can you go to :8090/email/listEmails

And do you see this ?

If so, click ‘Fix Now’ and then you can use that specific domain as hostname in your mail client, don’t issue mailserver ssl again and again, do it only once for rdns domain.

Sorry for my late reply…
No that error dialog is not showing up in the specific domain name I’m facing the issue with.

I still get the “SSL error: Leaf certificate is self-signed” when trying to add that email account to my gmail, using the email’s domain as a host.

I don’t face the same issue with other hosted domains though. There must be something I’ve done wrong with this one’s configuration. 😕

EDIT1: I’ve just noticed that I have not created mail.domain.ext subdomain for this domain name while I have created that for the rest. Could this be the reason the SSL fails?

EDIT2: I’ve added a new domain to my server, created along with it its mail subdomain too.
Issued certificates to both the main domain and its mail subdomain.
Then successfully added the email account to gmail using POP3, however when trying to set up SMTP for outgoing email I get “TLS Negotiation failed, the certificate doesn’t match the host., code: 0” using either 587-TLS or 465-SSL options.

EDIT3: The new domain issue was actually solved by executing these commands through SSH:

postmap -F hash:/etc/postfix/vmail_ssl.map
systemctl restart postfix
systemctl restart dovecot

This solution was found here:

I’m still trying to find a solution to the problematic domain of my initial post though.

I had the same problem. However, I was able to fix it.
I do not know if it is the right step, but it works fine.

I use Cyberpanel(ubuntu 20.04) and Cloudflare DNS
I issue SSL using DNS API

  1. Connect DNS using an API key:
export CF_Key="API Key"
export CF_Email="Email"

More details: github.com/acmesh-official/acme.sh/wiki/dnsapi#1-cloudflare-option

  2. Issue SSL for the main domain and the mail domain (replace domain.com with your domain):
/root/.acme.sh/acme.sh --issue --dns dns_cf -d domain.com -d www.domain.com
/root/.acme.sh/acme.sh --issue --dns dns_cf -d mail.domain.com
  3. Copy the files to the letsencrypt/live folder (replace domain.com with your domain):
cp /root/.acme.sh/domain.com/domain.com.key /etc/letsencrypt/live/domain.com/privkey.pem
cp /root/.acme.sh/domain.com/fullchain.cer /etc/letsencrypt/live/domain.com/fullchain.pem
cp /root/.acme.sh/domain.com/domain.com.cer /etc/letsencrypt/live/domain.com/cert.pem

cp /root/.acme.sh/mail.domain.com/mail.domain.com.key /etc/letsencrypt/live/mail.domain.com/privkey.pem
cp /root/.acme.sh/mail.domain.com/fullchain.cer /etc/letsencrypt/live/mail.domain.com/fullchain.pem
cp /root/.acme.sh/mail.domain.com/mail.domain.com.cer /etc/letsencrypt/live/mail.domain.com/cert.pem

Then I created a cronJob to renew SSL.

  1. Create a bash script file:

nano sslnew.sh

  2. Add all commands to the file (replace domain.com with your domain):
#!/bin/sh

# Force-renew both certificates through the Cloudflare DNS API
/root/.acme.sh/acme.sh --renew --force --dns dns_cf -d domain.com -d www.domain.com
/root/.acme.sh/acme.sh --renew --force --dns dns_cf -d mail.domain.com

# Copy the renewed key, chain and certificate for the main domain
cp /root/.acme.sh/domain.com/domain.com.key /etc/letsencrypt/live/domain.com/privkey.pem
cp /root/.acme.sh/domain.com/fullchain.cer /etc/letsencrypt/live/domain.com/fullchain.pem
cp /root/.acme.sh/domain.com/domain.com.cer /etc/letsencrypt/live/domain.com/cert.pem

# Copy the renewed key, chain and certificate for the mail subdomain
cp /root/.acme.sh/mail.domain.com/mail.domain.com.key /etc/letsencrypt/live/mail.domain.com/privkey.pem
cp /root/.acme.sh/mail.domain.com/fullchain.cer /etc/letsencrypt/live/mail.domain.com/fullchain.pem
cp /root/.acme.sh/mail.domain.com/mail.domain.com.cer /etc/letsencrypt/live/mail.domain.com/cert.pem
  3. Make the file executable:
chmod +x sslnew.sh
  4. Add the cron job. If you are running crontab for the first time, you will need to select a text editor (use a familiar one):

crontab -e
0 0 * * 7 /root/sslnew.sh
More details: crontab.guru

I tested it on my personal site and it worked.

How do I fix it if I did it again and again?

Same issue here… It worked for months and then POOF, suddenly a self-signed certificate.
The certificate is valid, and /etc/postfix/main.cf points to the correct cert:

smtpd_tls_key_file = /etc/letsencrypt/live/[emaildomain]/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/[emaildomain]/fullchain.pem

I have a cron that runs the vmail_ssl.map every week:
0 6 * * sun postmap -F hash:/etc/postfix/vmail_ssl.map

I cannot even find the self signed certificate anywhere on the server. Where is this coming from?
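One way to narrow down where a self-signed or mismatched certificate is coming from is to audit every certificate file listed in the Postfix SNI map mentioned in this thread. This is an added example, not code from any poster or from CyberPanel. It assumes the `openssl` CLI and a map source file with lines of the form `hostname keyfile certfile`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the certificate files named in a Postfix SNI map.
# Assumed line format of the map source file:
#   hostname /path/to/privkey.pem /path/to/fullchain.pem

# cert_status FILE HOST
# prints one of: unreadable, self-signed, mismatch, expiring, ok
cert_status() {
    pem=$1
    host=$2
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 || { echo unreadable; return; }
    subject=$(openssl x509 -in "$pem" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$pem" -noout -issuer | sed 's/^issuer= *//')
    # Identical subject and issuer is the signature of the fallback certificate
    if [ "$subject" = "$issuer" ]; then echo self-signed; return; fi
    # -checkhost prints "does match" or "does NOT match" for the given name
    if ! openssl x509 -in "$pem" -noout -checkhost "$host" | grep -q 'does match'; then
        echo mismatch; return
    fi
    # -checkend N exits non-zero if the certificate expires within N seconds (14 days)
    openssl x509 -in "$pem" -noout -checkend 1209600 >/dev/null || { echo expiring; return; }
    echo ok
}

# audit_sni_map MAPFILE
# prints one "host file status" line per certificate file in the map
audit_sni_map() {
    grep -v '^[[:space:]]*#' "$1" | while read -r host files; do
        [ -n "$host" ] || continue
        for f in $files; do
            [ -r "$f" ] || { echo "$host $f missing"; continue; }
            # Skip files that hold only a private key
            grep -q 'BEGIN CERTIFICATE' "$f" || continue
            echo "$host $f $(cert_status "$f" "$host")"
        done
    done
}

# Stand-alone use: sh audit.sh /etc/postfix/vmail_ssl.map
if [ "$#" -eq 1 ]; then audit_sni_map "$1"; fi
```

Because `postmap -F` stores the contents of the listed files in the compiled table, files that audit as `ok` while clients still see a bad certificate point to a stale table; rebuilding it with the `postmap -F` command from this thread and restarting postfix refreshes it.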

Got it fixed with this command 🙏🏻