Let's Encrypt SSL certificate, issues with mail clients.

  • #1

    Hi All,
    Just wondering if the LE SSL certificate for the server name is/was a good decision, as I have imported cPanel accounts and nearly everyone gets the message that the SSL certificate is not trusted. It doesn't matter if they are Apple devices or Windows-based clients. Does anyone have experience with this or advice?

    Nico

  • #2
    Originally posted by Nico
    You need to make sure of every account/domain you issued a Let's Encrypt certificate for; it might be possible you transferred SSL files from cPanel. I have no issues with that since I issued an LE SSL per account and it's GREEN, so no warning etc.

    Cheers.



    • #3
      Hi

      @albahost

      Nico was referring to the mail SSL

      The simplest way to overcome this, as the mail server does not use SNI, is to set all MX records for domains to use your server FQDN SSL

      This then does not cause issues when setting up email on devices

      Existing email accounts already set up would need the mail servers used changing manually to the correct SSL used for the server FQDN, and all should then work lovely

      You can change the DNS template to reflect the MX to use - this is for new SiteWorx accounts created and not existing SiteWorx accounts already created

      Please make sure though that a correct A record exists for the mail server FQDN SSL and that a correct PTR (rDNS) exists and matches the mail server FQDN used

      Lastly, please remember that resellers have their own DNS template, so you may want to ensure all reseller account DNS templates have the correct MX record set

      Many thanks

      John



      • #4
        Oh, sorry, then I misunderstood it; I didn't read the title...



        • #5
          Hi albahost

          No need to apologize. Your posts are more than welcome and very helpful to everyone

          Many thanks

          John



          • #6
            Originally posted by d2d4j
            Thanks, I'm still unsure what Nico means with "certificate not trusted": a webmail login, or? Since I've created a valid FQDN on the A record and have now imported an account from WHM cPanel to InterWorx and tested it, I don't see any warning nor SSL issue...



            • #7
              Hi albahost

              Sorry, as an example

              The mail server FQDN, say, is sslmydomain.url and has an SSL set up

              A SiteWorx account has an MX record of mail.siteworx.url and has an LE SSL set up on the domain covering mail.siteworx.url

              The email client is trying to use the MX record of mail.siteworx.url and checking the SSL against mail.siteworx.co.uk, but the mail server is serving sslmydomain.url as its SSL

              The client setup warns of insecure SSL due to no match of SSL

              I am not sure if Dovecot overcomes this by serving the correct SSL for the SiteWorx account MX record, but I guess not

              I thought cPanel overcame this by a single SSL containing all domain SSLs, but I could be wrong, sorry

              I hope that explains better

              Many thanks

              John



              • #8
                Originally posted by d2d4j
                Hi John,

                For some reason InterWorx is missing some modification in their DNS while creating a domain; I managed to install the SSL with a SAN manually by installing certbot and then:

                sudo certbot --apache -d domain.com -d mail.domain.com

                The -d is to include the subdomain/domain, and it will ask if you want to force the use of HTTPS; you have the choice to force it or not.
                Even though the DNS "www" was created, I get an error from certbot that it doesn't have a valid DNS for www, so I was forced to remove www.domain.com from -d and include only mail.domain.com and domain.com.
                I will investigate in this matter and let you know if i come with another solution.

                Cheers.
                Last edited by AlbaHost; 09-25-2019, 03:45 PM.



                • #9
                  Hi albahost

                  Many thanks

                  Sorry, just on my way back but called in for a coffee

                  You can create all subdomains from LE by selecting the records to add. I'll take a screenshot tomorrow, but sorry if I'm not understanding you fully.

                  So LE would cover www., mail., subdomain., etc.

                  The issue is the mail server SSL record it serves, but a SAN SSL should overcome this, and as it's only the mail server, you do not need any other subdomain.

                  I would email support(at)interworx.com and let them know you can create a SAN SSL to cover all mail.siteworx.url, as you may have resolved that

                  However, it sticks in my mind somewhere that there is a limit to how far the SAN SSL is searched, but I could be wrong

                  Either way kudos to you

                  Many thanks

                  John



                  • #10
                    Hi

                    Nico @albahost

                    Apologies, there is SNI for Dovecot

                    I have the config files but so far have not been able to make it work

                    I did see the SNI tmp file but cannot remember how I activated it

                    If you look at /etc/dovecot/conf.d

                    Many thanks

                    John



                    • #11
                      Originally posted by d2d4j
                      Yes, it contains the file called 95-iworx-sni-hosts.conf, but normally when you create a host InterWorx should add the host details with the SSL cert directory in there automatically; unfortunately it contains only the main server file. Mine is:

                      local_name server1.albahost.net {
                      ssl_cert = </home/server1/var/server1.albahost.net/ssl/server1.albahost.net.chain.pem
                      ssl_key = </home/server1/var/server1.albahost.net/ssl/server1.albahost.net.priv.key
                      }

                      So you have to add them manually for other domains, which would look like this:


                      # Entry generated by InterWorx for the server FQDN; the leading "<" tells Dovecot to read the value from that file
                      local_name server1.albahost.net {
                      ssl_cert = </home/server1/var/server1.albahost.net/ssl/server1.albahost.net.chain.pem
                      ssl_key = </home/server1/var/server1.albahost.net/ssl/server1.albahost.net.priv.key
                      }
                      # Added by hand: one block per hosted domain, listing every name clients may connect with (quoted, space-separated)
                      local_name "domain.com mail.domain.com" {
                      ssl_cert = </home/server1/var/domain.com/ssl/domain.com.chain.pem
                      ssl_key = </home/server1/var/domain.com/ssl/domain.com.priv.key
                      }


                      Restart your Dovecot and check it out.
                      Last edited by AlbaHost; 09-26-2019, 10:09 AM.
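As an added example, not code from the thread, from InterWorx or from Dovecot, tying John's mismatch explanation in #7 to the SNI file AlbaHost shows in #11: the script below parses a constructed 95-iworx-sni-hosts.conf-style text, works out which certificate Dovecot would present to a client that connected with a given server name (falling back to the global ssl_cert when no local_name block matches), and then checks that certificate's assumed SAN list against the name the client used, the way the client does. The config text, the certificate paths, the SAN lists assumed to be inside those files and the default-certificate path are all constructed; name matching is approximated as an exact match or a single leftmost-label wildcard.

```python
"""Model of Dovecot SNI certificate selection and the client's hostname check.

Added example; everything here is constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed config in the shape of the file quoted in the thread.
SNI_CONF = """
local_name server1.example.net {
  ssl_cert = </home/server1/var/server1.example.net/ssl/server1.example.net.chain.pem
  ssl_key = </home/server1/var/server1.example.net/ssl/server1.example.net.priv.key
}
local_name "domain.com mail.domain.com" {
  ssl_cert = </home/server1/var/domain.com/ssl/domain.com.chain.pem
  ssl_key = </home/server1/var/domain.com/ssl/domain.com.priv.key
}
"""

# Constructed (assumption): the DNS SANs inside each certificate file.
CERT_SANS: Dict[str, List[str]] = {
    "/home/server1/var/server1.example.net/ssl/server1.example.net.chain.pem": ["server1.example.net"],
    "/home/server1/var/domain.com/ssl/domain.com.chain.pem": ["domain.com", "mail.domain.com"],
}

# Assumption: the global ssl_cert Dovecot uses when no local_name matches
# is the server FQDN certificate, as in the thread.
DEFAULT_CERT = "/home/server1/var/server1.example.net/ssl/server1.example.net.chain.pem"

# local_name may be bare (one name) or quoted (several space-separated names).
BLOCK_RE = re.compile(r'local_name\s+(?:"([^"]*)"|([^\s{]+))\s*\{([^}]*)\}')
# The "<" prefix means "read from this file"; we keep only the path.
CERT_RE = re.compile(r'ssl_cert\s*=\s*<\s*(\S+)')


def parse_sni_conf(text: str) -> Dict[str, str]:
    """Map every name listed in a local_name block to that block's ssl_cert path."""
    mapping: Dict[str, str] = {}
    for block in BLOCK_RE.finditer(text):
        names = (block.group(1) or block.group(2)).split()
        cert = CERT_RE.search(block.group(3))
        if cert is None:
            continue  # block without an ssl_cert serves nothing
        for name in names:
            mapping[name.lower()] = cert.group(1)
    return mapping


def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a '*.domain' pattern covering exactly one extra label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".domain.com"
        head = host[: -len(suffix)] if host.endswith(suffix) else ""
        return head != "" and "." not in head
    return False


def cert_for_servername(mapping: Dict[str, str], servername: str, default_cert: str) -> str:
    """Certificate Dovecot presents for the SNI name the client sent."""
    for pattern, cert in mapping.items():
        if name_matches(pattern, servername):
            return cert
    return default_cert  # no local_name matched: global ssl_cert is served


def client_view(host_used: str, mapping: Dict[str, str]) -> Tuple[str, bool]:
    """What a POP/IMAP client sees when it connects to host_used:
    the certificate it receives and whether its SANs cover host_used."""
    cert = cert_for_servername(mapping, host_used, DEFAULT_CERT)
    trusted = any(name_matches(san, host_used) for san in CERT_SANS.get(cert, []))
    return cert, trusted


if __name__ == "__main__":
    mapping = parse_sni_conf(SNI_CONF)
    for host in ("server1.example.net", "mail.domain.com", "mail.otherdomain.com"):
        cert, trusted = client_view(host, mapping)
        state = "OK" if trusted else "NAME MISMATCH (client warns)"
        print(f"{host:22} -> {cert.split('/')[-1]:40} {state}")
```

The third host in the demo is the case from the thread: a domain with no local_name block falls through to the server FQDN certificate, whose SANs do not cover mail.otherdomain.com, so the client warns. Against a live server the equivalent check is `openssl s_client -connect host:993 -servername mail.domain.com` and reading the subject and SAN of the returned certificate; as #13 and #14 say, this applies to Dovecot (POP/IMAP) only, and SMTP submission keeps serving the server FQDN certificate.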



                      • #12
                        Hi d2d4j, AlbaHost

                        I am sorry for my silence, as I am struggling with the cPanel import; it's a mountain of errors and issues. I am prioritising at the moment.
                        All Softaculous information is not transferred, so customers' installations are missing...
                        Users can't log in to SiteWorx as it gives a weird form error...
                        Passwords from cPanel mailboxes are not accepted; it seems to do with % ^ & characters used... and so on.
                        Roundcube contacts lists are missing, and so on.
                        Kind regards,
                        Nico

                        P.S. Does this mean the users will be able to use their own domain name to send/receive email instead of the server name?
                        Last edited by Nico; 09-26-2019, 09:44 AM.



                        • #13
                          Hi

                          AlbaHost - will test in test server tonight to see if ours does the same

                          SNI is only on Dovecot and not sendmail - so only half of email (POP, IMAP)

                          Nico - sorry to hear you still have issues importing

                          I would advise opening a support ticket with IW and letting them have a look to see what's what. Please do this from NodeWorx, remote support

                          I would also SSH into the server and run, as root or with sudo, service iworx restart

                          If this does not resolve issue with siteworx login - could you post a screenshot showing error

                          Many thanks

                          John



                          • #14
                            Hi

                            Nico - sorry no

                            This is because SMTP is not SNI

                            So best to keep using server mail FQDN for the moment

                            Many thanks

                            John



                            • #15
                              Nico, even if this were possible I would not recommend it, due to spam etc. I'm surprised that InterWorx tech/support is non-existent in this forum, except a mod, John...
                              Last edited by AlbaHost; 09-26-2019, 01:19 PM.
