TLS Library problem alert 42 - domain name does not match the server certificate - cyberpanel

nano /etc/postfix/main.cf || vi /etc/postfix/main.cf

Do you see this:

smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem

Yes, we have exactly these settings.

Post your entire /etc/postfix/main.cf here


queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix
mail_owner = postfix
inet_protocols = all
mydestination = localhost, localhost.localdomain
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.10.1/samples
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES

hostname = mail.xxx.com
mynetworks = 127.0.0.0/8
message_size_limit = 30720000
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
virtual_create_maildirsize = yes
virtual_maildir_extended = yes
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_cano>
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
inet_interfaces = all
smtp_tls_security_level = may
disable_vrfy_command = yes
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map

Looks ok. Let me see another way to fix this

$ /root/.acme.sh/acme.sh --renew --force --ecc --domain mail.xxx.com
$ cp /root/.acme.sh/mail.xxx.com/mail.xxx.com.key /etc/letsencrypt/live/mail.xxx.com/privkey.pem
$ cp /root/.acme.sh/mail.xxx.com/fullchain.cer /etc/letsencrypt/live/mail.xxx.com/fullchain.pem
$ cp /root/.acme.sh/mail.xxx.com/mail.xxx.com.cer /etc/letsencrypt/live/mail.xxx.com/cert.pem


/etc/postfix# /root/.acme.sh/acme.sh --renew --force --domain mail.xxx.com
[Tue 17 Jan 2023 11:32:10 AM UTC] The domain 'mail.xxx.com' seems to have a ECC cert already, please add '--ecc' parameter if you want to use that cert.
[Tue 17 Jan 2023 11:32:10 AM UTC] Renew: 'mail.xxx.com'
[Tue 17 Jan 2023 11:32:10 AM UTC] 'mail.xxx.com' is not an issued domain, skip.

/etc/postfix# cp /root/.acme.sh/mail.xxx.com/mail.xxx.com.key /etc/letsencrypt/live/mail.xxx.com/privkey.pem
cp: cannot stat ‘/root/.acme.sh/mail.xxx.com/mail.xxx.com.key’: No such file or directory

/.acme.sh# ls
I can see mail.xxx.com_ecc with key inside

I forgot it's an ECDSA certificate.

Yes, because nothing was generated; the first command failed.

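An added example, not part of the thread and not CyberPanel's or acme.sh's own code: a checked version of the `cp` steps above that looks in the `_ecc` directory first and copies only if the certificate covers the mail host name and the key belongs to it. The function names are hypothetical, and the sample certificate is a constructed, self-signed one for `mail.example.test`.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumes acme.sh keeps ECDSA certs in "<home>/<domain>_ecc" (seen in the ls
# above) and RSA certs in "<home>/<domain>".

# Print the acme.sh directory that holds key, leaf and chain for domain $2.
acme_cert_dir() {
    for d in "$1/${2}_ecc" "$1/$2"; do
        if [ -f "$d/$2.key" ] && [ -f "$d/$2.cer" ] && [ -f "$d/fullchain.cer" ]; then
            printf '%s\n' "$d"; return 0
        fi
    done
    return 1
}

# Succeed only if certificate $1 is valid for host name $2.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Succeed only if private key $2 belongs to certificate $1.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Copy the files for domain $2 from acme.sh home $1 into $3 under the names
# used in the thread, but only after both checks pass.
stage_cert() {
    src=$(acme_cert_dir "$1" "$2") || { echo "no issued cert for $2" >&2; return 1; }
    cert_covers_host "$src/$2.cer" "$2" || { echo "cert does not cover $2" >&2; return 2; }
    key_matches_cert "$src/$2.cer" "$src/$2.key" || { echo "key/cert mismatch" >&2; return 3; }
    mkdir -p "$3" &&
    cp "$src/$2.key" "$3/privkey.pem" && chmod 600 "$3/privkey.pem" &&
    cp "$src/fullchain.cer" "$3/fullchain.pem" &&
    cp "$src/$2.cer" "$3/cert.pem"
}

# Constructed sample: a throwaway self-signed ECDSA cert laid out like acme.sh's.
make_constructed_cert() {
    d="$1/${2}_ecc"; mkdir -p "$d" &&
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -days 1 -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$d/$2.key" -out "$d/$2.cer" 2>/dev/null &&
    cp "$d/$2.cer" "$d/fullchain.cer"
}
```

Running `cert_covers_host` against the file named in `smtpd_tls_cert_file` shows whether the certificate Postfix serves by default covers the name the mail client connects to. For unattended renewals, acme.sh's own `--install-cert` with `--key-file`, `--fullchain-file` and `--reloadcmd` performs the copy each time.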

Just to add this remark,

From this post TLS Library problem alert 42 - domain name does not match the server certificate - cyberpanel - #14 by EcomNextGen

I tested again with the IMAP settings on xxx.com instead of mail.xxx.com,
and the same for SMTP.

This is not working on xxx.com either now. Before it was working, now not anymore; maybe some changes made before are responsible for this.

Just to inform you in case it can help

Setting up your mail client to use a mailserver such as domain.com is not recommended, and from what I know about CyberPanel it won't let you do this. The mailserver is mail.domain.com when you first create a website or domain.

Read this up and try this.

Which service provider are you using for the server?


OK, will do. Just before that, I'll add this information:

Maybe there is a misconfiguration problem, because mail.xxx.com seems to be identified like a domain exactly like xxx.com

On the Create Email Account - Cyberpanel
I can both create mail for @xxx.com
or create mail for @mail.xxx.com

After that,

On the List Email Accounts - Cyberpanel
We can select both xxx.com and mail.xxx.com; they are both identified as domains.

I find it a bit weird, that’s it,

For the previous change we made, is it not better to edit back to the default config, since it doesn’t work actually?

Maybe there is something we don’t see, and only @shoaibkk or @usmannasir can see idk

We use an OVH dedicated server.

For the OVH part: How to use OVH domain api · acmesh-official/acme.sh Wiki · GitHub
I just created API credentials, but in How to use OVH domain api · acmesh-official/acme.sh Wiki · GitHub, the part from point 2 onwards confuses me. Where should I put these credentials, in which file?

Thanks

Edit: maybe we are pushing things a little too much. Why not put back the settings changed in the previous post and try to delete mail.xxx.com and recreate it from the start? I don't know what is best.

The simplest method, if you can, is to start all over again and if possible reinstall CyberPanel afresh. Make sure to install only what you need.

The problem is I actually run critical WordPress sites and am not confident about reinstalling CyberPanel. I run 4 e-commerce sites and prefer not to lose data or break something.

If these are mission-critical apps then I would assume you have some sort of backup?

Yes, I have, of course.

Then back up your website files and DBs as of now and restore a snapshot of your server from when you first purchased it. Install CyberPanel with only what you need, and set up default nameservers and DNS. Create a website with the primary domain; this should include the mail domain, which will be our mailserver.

Can we not just put the settings back to the previous settings?

I’m really not ready to restore a snapshot of the server and work on backups of all the WordPress sites. I prefer to wait for the fix from @usmannasir or @shoaibkk.

Hello, I need CyberPanel support help here, @usmannasir @shoaibkk, please.

Still in urgency about this problem, need help from CyberPanel.
Solution edit: no answer, no solution.