CyberHosting

Secondary Domain Mail Server SSL not Trusted

The Primary Domain SSL for the hostname, website and mail server has no issue. Outlook trusts the SSL for the Primary mail server domain.
I was able to install Let's Encrypt SSL for the secondary domain website and mail server, which can be verified when you open the child domain because it shows "MAIL.ALLCOVEREDBYAC.COM HAS SSL FROM LET'S ENCRYPT.
Your SSL will expire in 89 days".
However, when you connect the secondary domain to Outlook it shows that the SSL was not trusted with the following error:
This CA root certificate is not trusted.
Issued to: www.example.com
Issued by: www.example.com
Valid from: 3/3/2020 to 3/1/2030
Please help me to fix it. Thanks.

Comments

  • All my websites have CNAME and A records and are encrypted with Let's Encrypt SSL. All websites have no issue. The Primary domain mail server is trusted and has no SSL issue.
    The problem is the secondary domain, which you can see above was encrypted by Let's Encrypt. But when you connect it to MS Outlook it shows as not trusted and issued to www.example.com instead of allcoveredbyac.com.
  • You need to confirm that the DNS is all in place and working for each domain that you wish to use mail SSL for.

    Let's Encrypt uses DNS authentication to issue the SSL certificate. If that fails then the self-signed SSL certificate is issued.

    Double check your DNS.

    You can also retry by listing the child domains, selecting the mail.domain in question and issuing SSL.
    Cyberpanel Managed & Unmanaged Shared & VPS Hosting by Cyberpanel Experts.

    https://www.cyberhosting.org
  • I am using version 1.9.4, which automatically creates a child mail server. The DNS is all okay and, as you can see, Let's Encrypt SSL was properly issued on the secondary domain mail server.
    "MAIL.ALLCOVEREDBYAC.COM HAS SSL FROM LET'S ENCRYPT.
    Your SSL will expire in 89 days".
    But when connected to Outlook it shows that the SSL was not trusted with the following error:
    This CA root certificate is not trusted.
    Issued to: www.example.com
    Issued by: www.example.com
    Valid from: 3/3/2020 to 3/1/2030
    I compared the Dovecot config of cPanel and CyberPanel. cPanel uses SNI and CyberPanel has none. cPanel has no SSL problem in the mail server of all domains. Is this due to no SNI in CyberPanel?
    Below is the SSL part of the dovecot.conf file in my CyberPanel account, which also shows SSL was installed.

    local_name mail.rizalpalawan.gov.ph {
      ssl_cert = </etc/letsencrypt/live/mail.rizalpalawan.gov.ph/fullchain.pem
      ssl_key = </etc/letsencrypt/live/mail.rizalpalawan.gov.ph/privkey.pem
    }
    local_name mail.panel.rizalpalawan.gov.ph {
      ssl_cert = </etc/letsencrypt/live/mail.panel.rizalpalawan.gov.ph/fullchain.pem
      ssl_key = </etc/letsencrypt/live/mail.panel.rizalpalawan.gov.ph/privkey.pem
    }
    local_name mail.allcoveredbyac.com {
      ssl_cert = </etc/letsencrypt/live/mail.allcoveredbyac.com/fullchain.pem
      ssl_key = </etc/letsencrypt/live/mail.allcoveredbyac.com/privkey.pem
    }

    I also noticed in Postfix main.cf that it uses the last domain on which I installed the SSL and not the Primary Domain, which is my hostname. My hostname with SSL is panel.rizalpalawan.gov.ph so that I can encrypt the control panel https://panel.rizalpalawan.gov.ph:8090/ with no issue, and my primary domain is rizalpalawan.gov.ph.
    Below is the content in Postfix main.cf:
    myhostname = mail.allcoveredbyac.com
    mynetworks = 127.0.0.0/8
    Is this another problem?
  • SNI is part of the SSL certificate and the certificates issued by Let's Encrypt have SNI.

    For Postfix, a vmail_ssl.map file is created. Can you check it?
  • I mean in cPanel Dovecot there is an SNI file which CyberPanel doesn't have.
    There is a vmail.ssl.map in Postfix and here is the content.
    mail.rizalpalawan.gov.ph /etc/letsencrypt/live/mail.rizalpalawan.gov.ph/privkey.pem /etc/letsencrypt/live/mail.rizalpalawan.gov.ph/fullchain.pem
    mail.panel.rizalpalawan.gov.ph /etc/letsencrypt/live/mail.panel.rizalpalawan.gov.ph/privkey.pem /etc/letsencrypt/live/mail.panel.rizalpalawan.gov.ph/fullchain.pem
    mail.allcoveredbyac.com /etc/letsencrypt/live/mail.allcoveredbyac.com/privkey.pem /etc/letsencrypt/live/mail.allcoveredbyac.com/fullchain.pem
  • Just because cPanel has a file does not make it missing in Cyberpanel. That is just their way of processing the information

    Dovecot states the following:

    With client TLS SNI (Server Name Indication) support
    It is important to note that having multiple SSL certificates per IP will not be compatible with all clients, especially mobile ones. It is a TLS SNI limitation. See SSL/SNIClientSupport for list of clients known to (not) support SNI.


    local_name imap.example.org {
      ssl_cert = </etc/ssl/certs/imap.example.org.crt
      ssl_key = </etc/ssl/private/imap.example.org.key
    }
    local_name imap.example2.org {
      ssl_cert = </etc/ssl/certs/imap.example2.org.crt
      ssl_key = </etc/ssl/private/imap.example2.org.key
    }

    Which is exactly how it is written to the dovecot.conf file
  • I can see valid SSL certificates for

    mail.allcoveredbyac.com
    mail.rizalpalawan.gov.ph

    So I can only conclude that the issue is with Outlook not obtaining the SSL certificate.

    Perhaps you need to add it to the trust section in Outlook if it is not obtaining the SSL certificate?
  • Actually, only my primary domain, mail.rizalpalawan.gov.ph, is valid and trusted. The secondary domain, mail.allcoveredbyac.com, is not valid and trusted.
    The SSL cannot be installed by Outlook because it is using www.example.com, as below:
    This CA root certificate is not trusted.
    Issued to: www.example.com
    Issued by: www.example.com
    Valid from: 3/3/2020 to 3/1/2030
  • I tried to add 2 more domains and only the primary domain has a valid and trusted SSL for the mail server. The other 3 domains have successfully installed SSL for the mail server according to CyberPanel, but actually the SSL is not valid and is using www.example.com instead of their domains.
  • Impossible. Using cPanel, which also uses Let's Encrypt certificates, all domains are trusted and valid in Outlook and other mail software.
    I suspect the CyberPanel program is not capable of handling multiple SSLs for the mail servers of multiple domains.
  • Well, it is, and is doing so on my own CyberPanel server.

    You have not mentioned that the DNS, and therefore the SSL certificate, is Cloudflare.

    Did you grey cloud your mail DNS?

    https://www.ssllabs.com/ssltest/analyze.html?d=mail.allcoveredbyac.com&hideResults=on

    verifies the SSL certificate.

    However, tools such as https://ssl-tools.net/mailservers/allcoveredbyac.com

    cannot get any result as they cannot connect to your mail server.
  • I already moved all domains back to cPanel due to this issue. When I use both CyberPanel and cPanel, all are Grey Cloud except the A and CNAME for the website only. Mail server, control panel, etc. are grey cloud so they use Let's Encrypt SSL.
    I know how to set up DNS in Cloudflare; that is why the Primary Domain has no issue on the mail server of CyberPanel and all domains in cPanel.
    I also tried installing the Origin certificate of Cloudflare for the mail server. Cloudflare SSL was installed according to CyberPanel but it still shows www.example.com instead of my domain in Outlook.
    The test shows A+ and Let's Encrypt now because I am using cPanel.
    https://www.ssllabs.com/ssltest/analyze.html?d=mail.allcoveredbyac.com&hideResults=on
    I will try again using CyberPanel after the update because I like this control panel, and there is no issue for now if used on 1 domain and its subdomains.
  • Cannot replicate the issue; it is working as intended in accordance with how you set up multi-domains with Postfix etc.

    The only thing that I can see as the issue here is Outlook, as all my tests on my server installations, verified with SSL testing tools, state the SSL is correct.
  • I don't believe it is Outlook since the Primary Domain using CyberPanel and all domains on cPanel are okay. I've been using Cloudflare, Outlook and cPanel on many domains for 5 years and never encountered an SSL problem on the mail servers.
  • Tested CyberPanel with Mailbird - Primary and Secondary SSL fine.
    Tested CyberPanel with Thunderbird - Primary and Secondary SSL fine.

    So who knows. Perhaps it is Outlook, perhaps you missed some config somewhere.
  • Finally, I got it.
    I noticed that the last domain you add will have an SSL validation error in the mail server and will use www.example.com. I was able to validate the SSL for the mail server on 4 domains by installing SSL one by one; then, to validate the last website, I made a dummy.com website (with SSL activated) to validate all my website mail servers.
    Note: Issuing SSL on websites and subdomains has no issue and I am using Cloudflare.
    Thanks, guys, for your help.
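
The manual comparison made in this thread, between the `local_name` blocks in dovecot.conf and the Postfix map lines (name, key file, chain file), can be scripted. The following is an added example, not part of the original thread or of CyberPanel; the `.example` hostnames and file contents are constructed sample input.

```python
import re

# Constructed sample input in the two formats quoted in the thread.
# mail.secondary.example is deliberately absent from the Postfix map.
DOVECOT_CONF = """
local_name mail.primary.example {
  ssl_cert = </etc/letsencrypt/live/mail.primary.example/fullchain.pem
  ssl_key = </etc/letsencrypt/live/mail.primary.example/privkey.pem
}
local_name mail.secondary.example {
  ssl_cert = </etc/letsencrypt/live/mail.secondary.example/fullchain.pem
  ssl_key = </etc/letsencrypt/live/mail.secondary.example/privkey.pem
}
"""
POSTFIX_MAP = """
mail.primary.example /etc/letsencrypt/live/mail.primary.example/privkey.pem /etc/letsencrypt/live/mail.primary.example/fullchain.pem
"""

def parse_dovecot(text):
    """Return {hostname: (key_path, cert_path)} from local_name blocks."""
    out = {}
    for name, body in re.findall(r"local_name\s+(\S+)\s*\{(.*?)\}", text, re.S):
        opts = dict(re.findall(r"(ssl_cert|ssl_key)\s*=\s*<(\S+)", body))
        out[name] = (opts.get("ssl_key"), opts.get("ssl_cert"))
    return out

def parse_postfix_map(text):
    """Return {hostname: (key_path, cert_path)}; map lines are 'name key chain'."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and not parts[0].startswith("#"):
            out[parts[0]] = (parts[1], parts[2])
    return out

def audit(dovecot_text, postfix_text):
    """List SNI names whose IMAP and SMTP certificate settings disagree."""
    dove, post = parse_dovecot(dovecot_text), parse_postfix_map(postfix_text)
    findings = []
    for name in sorted(set(dove) | set(post)):
        if name not in dove:
            findings.append((name, "missing from dovecot.conf"))
        elif name not in post:
            findings.append((name, "missing from Postfix SNI map"))
        elif dove[name] != post[name]:
            findings.append((name, "key/cert paths differ between services"))
    return findings

if __name__ == "__main__":
    for name, problem in audit(DOVECOT_CONF, POSTFIX_MAP):
        print(f"{name}: {problem}")
```

An empty result only means the two files agree with each other; which certificate a client is actually served still has to be checked against the running services.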