My mail SSL is still self-signed

Hello, my mail SSL is permanently self-signed. I tried this, but it was already set up. I requested SSL for both mail.tenerhack.men and tenerhack.men. The SSL on the classic site works fine. I can even send e-mails, but I cannot log in to Thunderbird.
I tried looking at this https://community.cyberpanel.net/t/achieve-10-10-email-score-with-cyberpanel/30653, but again, no luck.
My DNS are all setup.
The domain is tenerhack.men and the mail subdomain is mail (mail.)

Thank you,
Filip

edit: it seems the issuing fails

[12.13.2021_10-33-22] Trying to obtain SSL for: mail.tenerhack.men and: www.mail.tenerhack.men
[12.13.2021_10-33-22] /root/.acme.sh/acme.sh --issue -d mail.tenerhack.men -d www.mail.tenerhack.men --cert-file /etc/letsencrypt/live/mail.tenerhack.men/cert.pem --key-file /etc/letsencrypt/live/mail.tenerhack.men/privkey.pem --fullchain-file /etc/letsencrypt/live/mail.tenerhack.men/fullchain.pem -w /home/mail.tenerhack.men/public_html -k ec-256 --force --server letsencrypt
[12.13.2021_10-33-31] Failed to obtain SSL for: mail.tenerhack.men and: www.mail.tenerhack.men
[12.13.2021_10-33-31] Trying to obtain SSL for: mail.tenerhack.men
[12.13.2021_10-33-33] Failed to obtain SSL, issuing self-signed SSL for: mail.tenerhack.men
[12.13.2021_10-33-33] {'[email protected]': (554, b'5.7.1 <[email protected]>: Relay access denied')}
[12.13.2021_10-33-34] Websites matching query does not exist. [installSSLForDomain:72]
[12.13.2021_10-33-34] Self signed SSL issued for mail.tenerhack.men.

this seems to be the error when debugging

Could not get nonce, let's try again.

_authorizations_map=',<html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center>nginx</center></body></html>
mail.tenerhack.men,{"identifier":{"type":"dns","value":"mail.tenerhack.men"},"status":"pending","expires":"2022-01-12T12:05:00Z","challenges":[{"type":"http-01","url":"https://acme.zerossl.com/v2/DV90/chall/3WIEW4hc9SYCGdbLDEtv-g","status":"pending","token":"wDldvV91UsvlEhsDwd2t6_p2ww-3qzbiy31FlgFLW5o"},{"type":"dns-01","url":"https://acme.zerossl.com/v2/DV90/chall/Uh9la-1WhG7vEFuJdNPPXw","status":"pending","token":"596KhN073ffD6zrSdAwm-js-1E5rXG24uR0ExrVRHOM"}]}

You need to update your cyberpanel as your installation is trying for zeroSSL which was removed from cyberpanel and reverted to Letsencrypt as SSL issuer. Please upgrade your cyberpanel using this : 02 - Upgrading CyberPanel

After upgrading, try to issue SSL again.

OK, thank you! It solved the issue and I was able to issue an SSL for mail.tenerhack.men. Now I have problems with www.mail.tenerhack.men (not sure if I need SSL on this one), but the error is “404, redirect loop detected”. I have a CNAME on that domain, aliasing to mail.tenerhack.men as shown on DNS Propagation Checker - Global DNS Testing Tool

[Tue 14 Dec 2021 06:04:10 AM UTC] www.mail.tenerhack.men:Verify error:Fetching 404.html: Redirect loop detected
[Tue 14 Dec 2021 06:04:10 AM UTC] Debug: get token url.
[Tue 14 Dec 2021 06:04:10 AM UTC] Retrying GET
[Tue 14 Dec 2021 06:04:10 AM UTC] GET
[Tue 14 Dec 2021 06:04:10 AM UTC] url='http://www.mail.tenerhack.men/.well-known/acme-challenge/IjZkT-......
....
....
[Tue 14 Dec 2021 06:04:27 AM UTC] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 47
[Tue 14 Dec 2021 06:04:27 AM UTC] ret='47'
[Tue 14 Dec 2021 06:04:27 AM UTC] _hcode='47'
[Tue 14 Dec 2021 06:04:29 AM UTC] Debugging, skip removing: /home/mail.tenerhack.men/public_html/.well-known/acme-challenge/IjZk

www.mail.domain.tld is not even required as www will be subdomain of subdomain. mail.domain is already a subdomain. You can ignore this.

Are you having troubles with mail?

Yes. I still cannot log in to Thunderbird and get the self-signed cert error on port 143, which is correctly set in my rainloop admin panel; the user is the long version and the password is 100% good.

I just noticed, that even after successfully having it issued, the SSL came back to being self-signed. I will wait for a few days and try to renew it.

Your mail domain doesn't have proper SSL. You can click on “Websites” on the left menu options of cyberpanel and then select the “list domains” option under it. Then you will see your mail.tenerhack.men domain there.
You will see an option “issue SSL” there. Just click on it and see if it issues SSL properly.

If not, check the logs and let me know here. I will have a look

Having the same issue, help me please. SSL not working for the mail server; Outlook and Thunderbird not working, and I get the errors “sent item not saved” and “SSL not secure”.

Same issue here

My log when i use Issue SSL for Mail.domain.com

[7527] [SSL_CTX: 0x266b130] OCSP Stapling can’t be enabled: [OCSP] /etc/letsencrypt/live/mail.domain.com.br/fullchain.pem: X509_STORE_CTX_get1_issuer failed!.

can you post here your domain name ?

Same issue. Same error #47. Can’t seem to issue a proper security certificate on a subdomain. Redirect loop detected. I’ve tried all kinds of things. Updated CP. Turned off ModSecurity. Restarted everything. Nothing helps. I hate when I’m just “trying stuff” with only partial understanding of the underlying principles.

Could the redirect loop have something to do with the fact that mail.whatever.com is an alias (A record) for whatever.com and the mx record for whatever.com is mail.whatever.com? Does seem like that would just be going round and round?

This is actually part of a wider issue I’m having with expired end-user certs that aren’t being updated:

I got it working.

This might not help anybody but I wanted to post this for other poor schnooks like myself taking a crash course (hopefully not literally) in issuing security certificates in the hope it does some good.

I’d been issuing this command:
/root/.acme.sh/acme.sh --issue -d <YOUR_DOMAIN> -d www.<YOUR_DOMAIN> --cert-file /etc/letsencrypt/live/<YOUR_DOMAIN>/cert.pem --key-file /etc/letsencrypt/live/<YOUR_DOMAIN>/privkey.pem --fullchain-file /etc/letsencrypt/live/<YOUR_DOMAIN>/fullchain.pem -w /home/<YOUR_DOMAIN>/public_html --force --debug

And it wasn’t working. The debug info was telling me two things. One, it was looking for the folder “[DOMAIN].mail/public_html”. Of course, it doesn’t exist. So, I made one and clicked “fix permissions” just to make sure. That didn’t help. I noticed it said there was a config file in /etc/letsencrypt/live/[domain].mail. Sure enough, I checked it and it was saying to place files in “public_html”. I don’t know how it got set to that. I changed it back to the root directory, erased “public_html” and tried again. No joy. Debug is back to telling me about a “redirect loop”. It’s looking for a .well-known directory and a 404 file and they’re not there. Gave up for the night.

Next day, tried manually creating the directories and files (not the cert files of course). No luck here either. I removed the files and directories I created and started over.

I was reading this: MailServer SSL does not issue the correct SSL cert · Issue #434 · usmannasir/cyberpanel · GitHub page, where at the very end mencargo posted where he’d found the same error regarding “public_html” and ran this code instead: (eliminating the www subdomain)

/root/.acme.sh/acme.sh --issue -d mail.domain.com --cert-file /etc/letsencrypt/live/mail.domain.com/cert.pem --key-file /etc/letsencrypt/live/mail.domain.com/privkey.pem --fullchain-file /etc/letsencrypt/live/mail.domain.com/fullchain.pem -w /home/domain.com/mail.domain.com -k ec-256 --force --server letsencrypt

This seemed to work for me. Thunderbird still wasn’t working but cyberpanel ui is now telling me I have a let’s encrypt cert. However, no .well-known directory or acme files were created. usmannasir is saying here: How to fix SSL issues in CyberPanel that cp is using file-based authentication for Let’s Encrypt Authority. So, I’m confused about that. Shouldn’t it be creating these files?

At any rate, mostly out of frustration I tried one more time creating the SSL via the cyberpanel ui for the mail domain and thunderbird started working again right away. There are still no ACME files in root directory.

So, after days of screwing around (I did learn some things), I’m glad it’s working. However, I don’t see why it should! I’d greatly appreciate anyone who has a better understanding of these issues shining a light on all this. Again, I’m glad it’s working but the real value here would be a better understanding of the situation. Thanks.
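A pre-flight check for the situation described in this post, added here as an example (not code from the thread, acme.sh or CyberPanel): it drops a throwaway token into the webroot you intend to pass to acme.sh's `-w`, fetches it over plain HTTP while walking redirects by hand, and reports a redirect loop or a 404 directly instead of surfacing it as curl error 47 (too many redirects). The domain and webroot are arguments you supply; run it on the server as a user that can write to that webroot.

```python
import os
import secrets
import urllib.error
import urllib.request
from urllib.parse import urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib hand the 3xx back instead of following it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_fetch(url, timeout=10):
    """One plain GET, no redirects followed: (status, Location header, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, None, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location"), err.read().decode(errors="replace")

def follow(url, fetch=http_fetch, max_hops=10):
    """Walk redirects by hand so a loop is named rather than hidden behind curl error 47."""
    seen = []
    while True:
        if url in seen:
            return "redirect_loop", seen + [url], None
        if len(seen) >= max_hops:
            return "too_many_redirects", seen, None
        seen.append(url)
        status, location, body = fetch(url)
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)
            continue
        return status, seen, body

def preflight_http01(domain, webroot, fetch=http_fetch):
    """Place a token in <webroot>/.well-known/acme-challenge and confirm http://<domain>/ serves it."""
    chal_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(chal_dir, exist_ok=True)
    token = secrets.token_urlsafe(16)  # constructed throwaway value, not a real ACME token
    path = os.path.join(chal_dir, token)
    with open(path, "w") as fh:
        fh.write(token)
    try:
        status, hops, body = follow(f"http://{domain}/.well-known/acme-challenge/{token}", fetch)
    finally:
        os.remove(path)  # never leave the probe file behind
    if status == 200 and body is not None and body.strip() == token:
        return True, f"OK: {webroot} is the live webroot ({len(hops)} request(s))"
    return False, f"FAIL ({status}) via {' -> '.join(hops)}; check the -w webroot and vhost redirects"
```

A False result with `redirect_loop` in the message means the vhost serving port 80 for that name bounces the challenge URL back on itself; a 404 means port 80 is served from a different directory than the one you passed as the webroot.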

I somehow managed to fix that issue. I do not know how, but… I now have this error when issuing SSL to my mail subdomain or any other subdomain I have.

[08.02.2022_12-46-16] Trying to obtain SSL for: store.tenerhack.men and: www.store.tenerhack.men
[08.02.2022_12-46-16] /root/.acme.sh/acme.sh --issue -d store.tenerhack.men -d www.store.tenerhack.men --cert-file /etc/letsencrypt/live/store.tenerhack.men/cert.pem --key-file /etc/letsencrypt/live/store.tenerhack.men/privkey.pem --fullchain-file /etc/letsencrypt/live/store.tenerhack.men/fullchain.pem -w /usr/local/lsws/Example/html -k ec-256 --force --server letsencrypt
[08.02.2022_12-46-24] Failed to obtain SSL for: store.tenerhack.men and: www.store.tenerhack.men
[08.02.2022_12-46-24] Trying to obtain SSL for: store.tenerhack.men
[08.02.2022_12-46-26] Failed to obtain SSL, issuing self-signed SSL for: store.tenerhack.men
[08.02.2022_12-46-26] {'[email protected]': (554, b'5.7.1 <[email protected]>: Relay access denied')}
[08.02.2022_12-46-26] Websites matching query does not exist. [installSSLForDomain:72]
[08.02.2022_12-46-26] Self signed SSL issued for store.tenerhack.men.
[08.02.2022_12-47-24] Trying to obtain SSL for: mail.store.tenerhack.men and: www.mail.store.tenerhack.men
[08.02.2022_12-47-24] /root/.acme.sh/acme.sh --issue -d mail.store.tenerhack.men -d www.mail.store.tenerhack.men --cert-file /etc/letsencrypt/live/mail.store.tenerhack.men/cert.pem --key-file /etc/letsencrypt/live/mail.store.tenerhack.men/privkey.pem --fullchain-file /etc/letsencrypt/live/mail.store.tenerhack.men/fullchain.pem -w /usr/local/lsws/Example/html -k ec-256 --force --server letsencrypt
[08.02.2022_12-47-33] Failed to obtain SSL for: mail.store.tenerhack.men and: www.mail.store.tenerhack.men
[08.02.2022_12-47-33] Trying to obtain SSL for: mail.store.tenerhack.men
[08.02.2022_12-47-40] Failed to obtain SSL, issuing self-signed SSL for: mail.store.tenerhack.men
[08.02.2022_12-47-40] Websites matching query does not exist. [installSSLForDomain:72]
[08.02.2022_12-47-40] Self signed SSL issued for mail.store.tenerhack.men.

My DNS records are set up like this:
[screenshot: Nameservers in Namecheap, forwarded to Hetzner DNS]
[screenshot: DNS records in Hetzner DNS]

Am I missing something?

Thank you!