AutoSSL with Let's Encrypt 'Cert hostname DOES NOT VERIFY'


#1

I reached out to my hosting support but they don’t support Let’s Encrypt so I’m reaching out here.
My domain is vphcodes.com. I ran the script in my build of WHM as noted here, https://blog.cpanel.com/announcing-cpanel-whms-official-lets-encrypt-with-autossl-plugin/

I selected the two domains I have in the manageSSL menu in WHM and it seems that they both have CA signed certs now. My problem is my mail accounts don’t pass the checktls.com test. Here’s a paste of the results, https://paste.pound-python.org/show/OkBOSuyvgFxk2orBJocP/
Specifically, line 41 explains that the host could not be verified, and my inmotionhosting support has done all sorts of things that haven’t solved the problem. Mostly my fault though since they shouldn’t be expected to support 3rd party stuff. They changed my server hostname to mail.vphcodes.com to match my PTR record, but strangely the checktls report still shows that it’s comparing my old server hostname against the cert domain. The MXToolbox is showing my ‘rDNS does not match SMTP banner’ https://mxtoolbox.com/SuperTool.aspx?action=smtp%3Amail.vphcodes.com&run=toolpage#
When I telnet in via telnet vphcodes.com 587 the banner is the old hostname of my server. So it seems like the support team just changed the hostname and nothing else?

I think I found a cPanel thread that could alleviate that but it was involving multiple dedicated IPs, whereas I have one on a VPS (I can request more if need be). I don’t think that’s related to the cert issue though.

Quoting the support guy, ‘Unfortunately the server’s hostname only has an A record on the server, and does not have a document root by design. Because of this fact, the validation method of control that’s used by free certificate programs like auto ssl and letsencrypt do not work, because they used a hashed file that they access through the Internet to validate control. There is no way for them to do this with a server’s hostname because there is no web root.’

I’ve got root on a CentOS Linux release 7.3.1611 with Apache 2.4.25

I’m confident that I can get my server to pass the hostname check, I just need to be pointed in the right direction (step by step would be great too haha). My mail is being sent and received, but on the receiving end it seems like there’s a good chance it lands in spam, probably partially due to the lack of host verification. I plan to have more domains in the future and it would be lovely to have AutoSSL set up the certs for those, both web and email, automatically. Is it a matter of messing with the exim.conf file?

Thanks in advance guys x.x I’ve been reading docs and trying to figure this out for a couple days.


#2

Hi @FRWB,

First of all, the title is a bit wrong, issuing certificates for your domain is not breaking your mail server at all :wink:

Line 41 says the test is trying to send an email to vadimATvphcodesDOTcom (I obfuscated your mail a little bit) and the certificate presented by your mail server (exim) only covers the domain vps27185.inmotionhosting.com and that is the reason it is not verified. Test it yourself, perform a test again but this time to whatever@vps27185.inmotionhosting.com, the mail will fail because you don’t manage that mail address but the host will verify without issues.

From a shell you can check the hostname:

hostname -s
hostname -f

The first command should show mail and the second one mail.vphcodes.com.

The EHLO banner from Exim should take the hostname from the system. Did you restart your mail server, or even better, your entire server? If after a restart it doesn’t change, maybe it is because there is a directive defined in the exim conf pointing to vps27185.inmotionhosting.com. You should review the cPanel manual if that is the case to change the directive to point to mail.vphcodes.com.

I just want to remind you that web panels are a bit mystic and all the changes should be performed from the web interface; if you try to change the conf files manually you would get a mess on your server.

The only way to pass the hostname check is if you are able to configure exim to use the same certificate you already got for your webserver that covers vphcodes.com, www.vphcodes.com and mail.vphcodes.com. As I don’t use cPanel at all I can’t say the steps to configure it, sorry, maybe other buddies on the community could point you in the right direction… maybe you could have more luck on the cPanel forums.

If you plan to have more domains, every domain should be added to the certificate of the mail server, or use the exim SNI feature to provide different certs for the domains. Again, it is something that should be configured on exim but I don’t know whether cPanel allows it in an easy way or not.

Believe me, if your mails are going to spam, it won’t be because of this “issue”.

Conclusion: Your mail server should present mail.vphcodes.com on HELO banner. You should check how to configure exim to use the cert from Let’s Encrypt that you already got for your web server. This is not a big issue to me.

Note: if your mail server is going to be mail.vphcodes.com you should change your MX DNS record to point to it instead of vphcodes.com

I hope some other community members could advise you about how to configure cPanel to accomplish your goal ;).

Good luck,
sahsanu


#3

I’ve renamed the thread thanks :slight_smile:

Yes, I just found the exim manual today, and you’re right, there is a directive that must be changed in the exim configuration manager. I’ve found it, I’m just a little reluctant to change it without getting confirmation about what exactly should go there. I’ll post on the cPanel forums.

This is helpful, thank you.

OK, so I should use the same cert that I’ve already received, that helps. I’ll know what to ask on the cPanel forums. Hopefully someone else will chime in here. I’ll change the MX record.


#4

So when I try the command:
openssl s_client -connect your.mx.com:465

or:

openssl s_client -connect your.mx.com:993

I noticed that the CN on my cert is the old hostname, rather than the new vps hostname. Shouldn’t this be something that’s updated when the cert is re-issued? Is there an easy way to force a cert to be re-issued to a new CN?


#5

Hi @FRWB,

The default certificate that your exim mail server uses is the default cPanel certificate. That should not be a problem since exim supports SNI, so if you want to check what cert your mail server will serve for your domain vphcodes.com you should append -servername vphcodes.com to the openssl s_client command:

Real examples with your domain:

openssl s_client -connect vphcodes.com:465 -servername vphcodes.com
openssl s_client -connect vphcodes.com:993 -servername vphcodes.com

If you want to check the certificate in the same command:

openssl s_client -connect vphcodes.com:465 -servername vphcodes.com | openssl x509 -noout -text
openssl s_client -connect vphcodes.com:993 -servername vphcodes.com | openssl x509 -noout -text

And you will see that the certificate served by exim and dovecot has CN=www.vphcodes.com and also covers the following domains: DNS:mail.vphcodes.com, DNS:vphcodes.com, DNS:www.vphcodes.com

So this is working as expected, you should not worry about it.

In recent versions of certbot (since 0.10.0) there is a new switch --cert-name to force the name of your cert, so you would get whatever you use in that switch as the CommonName of the issued certificate. I don’t know whether AutoSSL for cPanel allows it but I suppose it doesn’t. Anyway, CommonName is something deprecated; in the future, CN could be just a random string. The important thing is the SANs (Subject Alternative Names) that appear on your certificate; in your case these are your SANs (DNS:mail.vphcodes.com, DNS:vphcodes.com, DNS:www.vphcodes.com) so again, this is something that you should not worry about.

Note: Your MX DNS entry still points to vphcodes.com instead of mail.vphcodes.com :wink:

Cheers,
sahsanu


#6

But the checktls.com test is getting vps27185.inmotionhosting.com from the cert and comparing that against the hostname. Where else would it be getting that name?

Well, I have CNAME records that point mail.vphcodes.com to vphcodes.com, and another one that points www.vphcodes.com to vphcodes.com. I read that CNAME and MX records are not supposed to coexist. Are you saying I should delete the CNAME records and change the MX record to my IP to mail.vphcodes.com? Right now the zone is vphcodes.com and it’s pointing to vphcodes.com as an MX record. Can I even put an IP in as the zone? x.x


#7

In principle, if mail.vphcodes.com is a CNAME for vphcodes.com, your MX record can simply say “vphcodes.com MX 10 vphcodes.com” or whatever. While that might seem redundant or pointless, it’s indicating that you’ve explicitly thought about the question of what machine receives e-mail for the domain and set a policy for it.


#8

Hi @FRWB,

The checktls.com test doesn’t seem to be using SNI to communicate with your mail server; that is the reason your mail server presents the default certificate, which in your case is a cPanel cert issued to vps27185.inmotionhosting.com. I don’t know how to change it from cPanel but in the exim4 conf you should have the directives tls_certificate and tls_privatekey pointing to this cPanel cert… you should change them to point to your Let’s Encrypt certificate and restart the mail server so your certificate for vphcodes.com will be the default and you should pass the checktls tests.

As usual, be careful about what you change and always perform a backup before any change/modification to your conf files.

Well, there should be no problem keeping your MX record pointing to vphcodes.com, but if your mail server is mail.vphcodes.com it is logical that your MX record for the vphcodes.com domain should point to mail.vphcodes.com instead of vphcodes.com. If you want to change it, you should remove the CNAME from mail.vphcodes.com and create an A record pointing to your IP.

Current conf:

$ dig mx vphcodes.com
[...]
;; ANSWER SECTION:
vphcodes.com.           885     IN      MX      0 vphcodes.com.
[...]

$ dig mail.vphcodes.com
;; ANSWER SECTION:
mail.vphcodes.com.      899     IN      CNAME   vphcodes.com.
vphcodes.com.           899     IN      A       104.247.79.172

After the changes:

$ dig mx vphcodes.com
[...]
;; ANSWER SECTION:
vphcodes.com.           885     IN      MX      0 mail.vphcodes.com.
[...]

$ dig mail.vphcodes.com
[...]
;; ANSWER SECTION:
mail.vphcodes.com.      899     IN      A       104.247.79.172
[...]

Sorry but I don’t understand what you mean.

Cheers,
sahsanu


#9

Ah I think this exactly what I need to do. I’ll give it a shot and post my results here.

Thanks for the step by step. I had changed the MX record before reading this but just changed the CNAME to an A record as you recommended. That looks totally right to me. I’ll test the behavior after the TTL but it should continue to function fine.


#10

So the conf is a bit convoluted:

tls_certificate = ${if and \
    { \
        {gt{$tls_in_sni}{}} \
        {!match{$tls_in_sni}{/}} \
    } \
    {${if exists {/var/cpanel/ssl/domain_tls/$tls_in_sni/combined} \
        {/var/cpanel/ssl/domain_tls/$tls_in_sni/combined} \
        {${if exists {${sg{/var/cpanel/ssl/domain_tls/$tls_in_sni/combined}{(.+/)[^.]+(.+/combined)}{\$1*\$2}}} \
            {${sg{/var/cpanel/ssl/domain_tls/$tls_in_sni/combined}{(.+/)[^.]+(.+/combined)}{\$1*\$2}}} \
            {/etc/exim.crt} \
        }} \
    }} \
    {/etc/exim.crt} \
}


tls_privatekey = ${if and \
    { \
        {gt{$tls_in_sni}{}} \
        {!match{$tls_in_sni}{/}} \
    } \
    {${if exists {/var/cpanel/ssl/domain_tls/$tls_in_sni/combined} \
        {/var/cpanel/ssl/domain_tls/$tls_in_sni/combined} \
        {${if exists {${sg{/var/cpanel/ssl/domain_tls/$tls_in_sni/combined}{(.+/)[^.]+(.+/combined)}{\$1*\$2}}} \
            {${sg{/var/cpanel/ssl/domain_tls/$tls_in_sni/combined}{(.+/)[^.]+(.+/combined)}{\$1*\$2}}} \
            {/etc/exim.key} \
        }} \
    }} \
    {/etc/exim.key} \
}

This exim.crt is the only one in this directory. I found /pki/tls/certs/mail.vphcodes.com.crt and there is a key file here: /ssl/private/mail.vphcodes.com.key. Would it be as simple as replacing every instance of exim.crt and exim.key with those ones I found? Sloppy but I have a feeling it would work heh. Figured I’d ask here in case you guys have any input, otherwise I’ll just perform a backup then go for it. Thanks for all your input sahsanu.


#11

Hi @FRWB,

Checking the exim conf you posted, yes, replacing /etc/exim.crt and /etc/exim.key with your mail.vphcodes.com.crt and mail.vphcodes.com.key respectively and restarting the exim mail server should work. Take into account that when you renew your cert, you should replace these files again.

As you said, first, back up all the files that you will replace :slight_smile: Also, as these certs are provided by cPanel you should take care because in case of a software update they could be replaced again.

Note: the next time, if you reply to me, please use @sahsanu or I won’t be notified and could miss your message ;).

Good luck,
sahsanu


#12

@sahsanu
Will do. Well, since making the replacement, the STARTTLS command is now being rejected during the test. I moved the crt and key files to the same etc directory as the original exim.crt but still no luck.
https://paste.pound-python.org/show/EPAsiM9UjrxP59WtVnsx/

Both of the original exim.crt and exim.key have the @ sign after their filenames when performing an ls. From a little google-fu it would mean these two files have extended attributes? I’m having a tough time viewing these extended attributes. I would install pyxattr.x86_64 with yum but I’ll wait on your advice. Maybe there is a way to view them without downloading a tool. I’m guessing there are some special permissions on the original crt and key files to allow some restricted daemons access to them and that’s causing the STARTTLS to be rejected?


#13

If you’re running ls -F (for example due to an alias), it means that the file is a symbolic link (symlink). You can learn the target of the link with ls -l, stat, or readlink commands.


#14

Ah, I see. So they’re pointing to the real certs:

lrwxrwxrwx 1 root root     31 Mar 14 23:14 exim.crt -> /var/cpanel/ssl/exim/myexim.crt
lrwxrwxrwx 1 root root     31 Mar 14 23:14 exim.key -> /var/cpanel/ssl/exim/myexim.key

I guess I could try changing what they’re pointing to, to point to mine, but I doubt that’ll do it.

Should I just reach out to cPanel support? They wanted root access when I opened a ticket x.x


#15

Hi @FRWB,

As I don’t use cPanel, I don’t know if changing them manually could have any adverse effect on cPanel, so at this point you should contact cPanel support or the cPanel community forums, they would have the right answer and procedure to change this default cert… maybe it can be changed from the web GUI and you don’t need to mess with the conf manually.

I’m so sorry but I can’t advise any other thing :frowning:

Good luck,
sahsanu


#16

No worries I’ll still post here once I have a good answer, for the community at large :slight_smile:


#17

So cPanel support is a bit clueless on Let’s Encrypt it seems. I found a setting with their help that reset the cert to the new hostname, ‘WHM Home >> Service Configuration >> Manage Service SSL Certificates’. This reset to the proper hostname on the cert but it was self signed. I had to browse then select the Let’s Encrypt cert, and then the checktls.com test passed fine for my main domain vphcodes.com. My second domain is still raising the flag. Unfortunately it doesn’t look like there’s a setting for my second domain in that WHM page.

@sahsanu if I understood you correctly I should have my main domain and my second domain on the same Let’s Encrypt cert for the exim server, as in they should both appear as SANs on the cert, that way they can both verify, and as I add more domains to my server I should update the cert as well. It seems like this is beyond the scope of cPanel or AutoSSL features. Would this be something I could set up certbot to do?


#18

Hello @FRWB,

As far as I know, checktls.com only checks that the hostname of the server they are trying to connect to is the same as the HELO of your server, so your second domain’s MX record should point to this host. I don’t know what your second domain is, but if it is example.com its MX record should point to mail.vphcodes.com

I don’t think you need to include all the domains in the same cert. exim4 supports SNI, so if you create a Let’s Encrypt certificate for your second domain, and only for this domain and its subdomains, it should work as expected because the exim4 conf should be able to pick the correct cert because of this:

tls_certificate = ${if and \
    { \
        {gt{$tls_in_sni}{}} \
        {!match{$tls_in_sni}{/}} \
    } \
    {${if exists {/var/cpanel/ssl/domain_tls/$tls_in_sni/combined} \
        {/var/cpanel/ssl/domain_tls/$tls_in_sni/combined} \
        {${if exists {${sg{/var/cpanel/ssl/domain_tls/$tls_in_sni/combined}{(.+/)[^.]+(.+/combined)}{\$1*\$2}}} \
            {${sg{/var/cpanel/ssl/domain_tls/$tls_in_sni/combined}{(.+/)[^.]+(.+/combined)}{\$1*\$2}}} \
            {/etc/exim.crt} \
        }} \
    }} \
    {/etc/exim.crt} \
}
[more conf below]

If the client that will connect to your mail server supports SNI you should have no problem at all but if you only want to pass the checktls.com test try what I said, change the mx record of your second domain and try the test again.

Cheers,
sahsanu
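As an added illustration (not code from this thread, from cPanel or from Exim), here is a Python model of the tls_certificate selection quoted above together with the name check a client such as checktls.com performs on the certificate it receives. The file inventory, the certificate names and the second domain example.com are constructed; the names mirror what was reported earlier in the thread.

```python
import re

DOMAIN_TLS = "/var/cpanel/ssl/domain_tls"
DEFAULT_CERT = "/etc/exim.crt"  # on the poster's box a symlink to /var/cpanel/ssl/exim/myexim.crt


def select_exim_cert(tls_in_sni, existing):
    """Model of the quoted tls_certificate expression: exact SNI dir, then wildcard dir, then default."""
    # and{ {gt{$tls_in_sni}{}} {!match{$tls_in_sni}{/}} }: SNI must be non-empty and contain no '/'
    # (the '/' check keeps a client-supplied SNI from pointing outside the domain_tls directory)
    if not tls_in_sni or "/" in tls_in_sni:
        return DEFAULT_CERT
    exact = f"{DOMAIN_TLS}/{tls_in_sni}/combined"
    if exact in existing:
        return exact
    # sg{...}{(.+/)[^.]+(.+/combined)}{$1*$2}: replace the first DNS label of the SNI with '*'
    wildcard = re.sub(r"(.+/)[^.]+(.+/combined)", r"\g<1>*\g<2>", exact)
    return wildcard if wildcard in existing else DEFAULT_CERT


def hostname_covered(names, hostname):
    """Name check a client performs: DNS SANs win; the CN only counts when there are no DNS SANs."""
    sans = [n.lower() for n in names.get("san", [])]
    candidates = sans or [names.get("cn", "").lower()]
    host = hostname.lower().rstrip(".")
    for name in candidates:
        if name == host:
            return True
        # '*' is accepted only as the whole leftmost label and matches exactly one label
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


# Constructed inventory modelled on the thread; the second domain is a hypothetical example.com.
LE_VPHCODES = {"cn": "www.vphcodes.com", "san": ["mail.vphcodes.com", "vphcodes.com", "www.vphcodes.com"]}
CERT_NAMES = {
    DEFAULT_CERT: {"cn": "vps27185.inmotionhosting.com", "san": []},  # cPanel's default cert
    f"{DOMAIN_TLS}/vphcodes.com/combined": LE_VPHCODES,
    f"{DOMAIN_TLS}/mail.vphcodes.com/combined": LE_VPHCODES,
    f"{DOMAIN_TLS}/*.example.com/combined": {"cn": "*.example.com", "san": ["*.example.com", "example.com"]},
}


def simulate(tls_in_sni, expected_host, names=CERT_NAMES):
    """Return the file Exim would serve for this SNI and whether a client expecting expected_host accepts it."""
    path = select_exim_cert(tls_in_sni, set(names))
    return path, hostname_covered(names[path], expected_host)


if __name__ == "__main__":
    print(simulate("", "mail.vphcodes.com"))                # no SNI (checktls.com): ('/etc/exim.crt', False)
    print(simulate("vphcodes.com", "vphcodes.com"))          # SNI-aware client gets the LE cert: True
    print(simulate("mail.example.com", "mail.example.com"))  # wildcard directory is selected: True
    # after the default is replaced by the Let's Encrypt cert (post #11) the no-SNI check passes too
    print(simulate("", "mail.vphcodes.com", dict(CERT_NAMES, **{DEFAULT_CERT: LE_VPHCODES})))
```

The first call reproduces the "Cert hostname DOES NOT VERIFY" result: a client that sends no SNI gets the default cert, whose only name is the old VPS hostname.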


#19

Well I had it fixed and was passing the checktls test just fine until I changed my server hostname to comply with the release notes of version 60 of cpanel, https://documentation.cpanel.net/display/60Docs/60+Release+Notes#id-60ReleaseNotes-Changeinmail.aliasbehaviorforApacheserver

The ‘Manage Service SSL Certificates’ section in WHM is what fixed my issues before; I simply set all services to use the Let’s Encrypt cert. Although now it seems like the certificate properties still reflect mail.vphcodes.com when the server hostname is now bravo.vphcodes.com. It’s not affecting sending or receiving mail but I’ll still update this thread once I have a good answer.


#20

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.