TLS Library problem alert 42 - domain name does not match the server certificate - cyberpanel

Check rDNS ptr record it should be this should be done where your dedicated server was purchased from. Add for both ipv4 and ipv6 ip addresses.

1 Like

On OVH we have a tab where we can add what they call “Secondary DNS”

Screenshot by Lightshot translation :

Add a domain

Add a secondary DNS to your dedicated server :



Is that rDNS ptr ?

This is service provider specific kindly check their tutorial

1 Like


So we edit the reverse DNS and we put

We can only edit the IPv4 Reverse DNS and not the IPv6, there is no option to edit.

Will this reverse DNS not cause any problem in the future for our other WordPress sites that run on the same server?

We will install more mailbox after for other domain so is the first install , but there will be and

We actually think that putting the reverse DNS to will maybe make it impossible for us to correctly install the future mailboxes for the other WordPress sites.

Testing :

So we did a test after editing the reverse DNS to,
The A Dns was fully propagated already, and like it’s explained we understand that the reverse DNS is instantly propagated after the setting in place.

We still have the same error :
Jan 17 09:28:07 localhost postfix/submission/smtpd[727258]: warning: TLS library problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:…/ssl/record/rec_layer_s3.c:1543:SSL alert number 42:

The Thunderbird pop-up says:
This site tries to identify itself with invalid information.

Wrong site

The certificate belongs to a different site, which could indicate that someone is trying to impersonate this site.

Unknown identity

The certificate is not secure because it is impossible to verify that it was issued by a trusted authority using a secure signature.

(still same problem)

After this pop-up I can only quit, then a second pop-up appears. This one says:

Sending the message failed.
The certificate is not secure because it is self-signed.
The configuration linked to must be corrected.

No, the rDNS is for the mail server, not to serve your websites.

Apply this fix Cannot Send Emails As via Gmail - SSL Certificate Mismatch - #4 by josephgodwinke then copy your mailserver domain and test it here SSL Checker if you get any errors there report back here

1 Like

1/ We test with the domain name instead of and it works, no any problem.

2/ We still want to use because this is the best option if we want to change later our mail server.

So we did your fix again, we issued again the mail server ssl for
We test, we connect to our email, and when trying to send an email we are blocked by the pop-ups. Still the same problem.

The checking of ssl checker :

We checked afterwards with Check tls because we find it weird that SSL Checker says everything is fine while on our side we still have the problem:

Follow this guide Self Signed SSL Issue · josephgodwinkimani/cyberpanel Wiki · GitHub

instead of use e.g.

rm -f /etc/letsencrypt/live/ && rm -f /etc/letsencrypt/live/

Skip this part Self Signed SSL Issue · josephgodwinkimani/cyberpanel Wiki · GitHub and do Cannot Send Emails As via Gmail - SSL Certificate Mismatch - #4 by josephgodwinke

1 Like

we delete the file in and issue mail server ssl again for and we still have the same problem,

Could it come from the DNS settings?

we know that the

are all set on and not for

Maybe it comes from that? We didn’t think about it because the error seems to be more at the certificate level than at the DNS record level.


Do you have an A record for

1 Like

Yes, we set the A record for , it is fully propagated now, and it points to the server IP of course.

You are right. Exclude the DNS. Of course disabling TLS on Postfix is out of the question.

Let’s take matters into our own hands now. Create a CSR:

cd /etc/postfix/ssl
openssl req -nodes -newkey rsa:2048 -keyout -out

Confirm /etc/postfix/ has our new certificate and keychain and run service postfix reload

1 Like

Edit: the /etc/postfix/ssl folder didn’t exist, so we created it with mkdir ssl

after all done, we still have the problem

nano /etc/postfix/ || vi /etc/postfix/

do you see this:

smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
1 Like

Yes, we have exactly these settings.

Post your entire /etc/postfix/ here

1 Like

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix
mail_owner = postfix
inet_protocols = all
mydestination = localhost, localhost.localdomain
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
    ddd $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.10.1/samples
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES

hostname =
mynetworks =
message_size_limit = 30720000
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/, mysql:/etc/postfix/
virtual_mailbox_domains = proxy:mysql:/etc/postfix/
virtual_mailbox_maps = proxy:mysql:/etc/postfix/
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
virtual_create_maildirsize = yes
virtual_maildir_extended = yes
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_cano>
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
inet_interfaces = all
smtp_tls_security_level = may
disable_vrfy_command = yes
smtpd_milters = inet:
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

tls_server_sni_maps = hash:/etc/postfix/
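
Added example (not from the thread or from CyberPanel): a Python model of how Postfix picks the key and certificate chain it presents when both smtpd_tls_cert_file and tls_server_sni_maps are set, as in the main.cf posted above. The map path sni_map, the map entry, its file paths and the example.test names are constructed; the lookup order follows the Postfix documentation for tls_server_sni_maps.

```python
# Added example: models Postfix server-side certificate selection. The dovecot.pem
# lines come from the posted main.cf; map path, entries and example.test are constructed.
SAMPLE_MAIN_CF = """\
debugger_command =
    ddd $daemon_directory/$process_name $process_id & sleep 5
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
tls_server_sni_maps = hash:/etc/postfix/sni_map
"""
SAMPLE_SNI_MAP = """\
# key = SNI name, value = private key followed by certificate chain
example.test /etc/ssl/example.test/privkey.pem /etc/ssl/example.test/fullchain.pem
"""

def parse_main_cf(text):
    """Parse main.cf: '#' comments, 'name = value', indented continuation lines."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current:      # continuation of the previous parameter
            params[current] = (params[current] + " " + line.strip()).strip()
            continue
        name, sep, value = line.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()    # a later definition wins
    return params

def parse_sni_map(text):
    """Parse the text source of the SNI table into {key: [files...]}."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#"):
            table[fields[0].lower()] = fields[1:]
    return table

def select_chain(params, sni_table, sni_name):
    """Return (source, files) for the chain presented to a client sending sni_name."""
    if sni_name and params.get("tls_server_sni_maps"):
        labels = sni_name.lower().rstrip(".").split(".")
        # Lookup order: verbatim name, then each ancestor domain with a leading dot.
        keys = [".".join(labels)] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
        for key in keys:
            if key in sni_table:
                return ("sni:" + key, sni_table[key])
    # No SNI sent, or no table entry: the default key/certificate pair is used.
    return ("default", [params.get("smtpd_tls_key_file"), params.get("smtpd_tls_cert_file")])
```

A hostname with no entry in the map falls through to the default pair, here the dovecot.pem files, so that is the certificate the mail client is shown for that name.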

Looks ok. Let me see another way to fix this

1 Like
$ /root/ --renew --force --ecc --domain
$ cp /root/ /etc/letsencrypt/live/
$ cp /root/ /etc/letsencrypt/live/
$ cp /root/ /etc/letsencrypt/live/

1 Like

/etc/postfix# /root/ --renew --force --domain
[Tue 17 Jan 2023 11:32:10 AM UTC] The domain ‘’ seems to have a ECC cert already, please add ‘--ecc’ parameter if you want to use that cert.
[Tue 17 Jan 2023 11:32:10 AM UTC] Renew: ‘
[Tue 17 Jan 2023 11:32:10 AM UTC] ‘’ is not an issued domain, skip.

/etc/postfix# cp /root/ /etc/letsencrypt/live/
cp: cannot stat ‘/root/’: No such file or directory

/ ls
I can see with key inside

I forgot its ECDSA certificate

Yes coz nothing was generated the first command failed

1 Like