"Cert Hostname DOES NOT VERIFY" after MX record change

My domain is: adwdevelopments.com

My web server is: uname -a

Linux p3plcpnl0215.prod.phx3.secureserver.net 2.6.32-954.3.5.lve1.4.81.el6.x86_64 #1 SMP Mon Feb 1 12:39:21 EST 2021 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider is: GoDaddy cPanel shared Linux hosting

The problem is:

Getting this error msg from checktls.com, also getting security warnings from email clients (Outlook).

Cert Hostname DOES NOT VERIFY (mail.adwdevelopments.com != *.prod.phx3.secureserver.net | DNS:*.prod.phx3.secureserver.net | DNS:prod.phx3.secureserver.net)

(see RFC-2818 section 3.1 paragraph 4 for info on wildcard ("*") matching)

So email is encrypted but the host is not verified

The problem started when I changed the domain DNS MX record:

from MX = p3plcpnl0215.prod.phx3.secureserver.net

to MX = mail.adwdevelopments.com

This change was required by the hosting, as they changed something in their working.

Question:

How to fix this?


Hi @GoceRibeski

there exists no certificate with that domain name.

Why don't you use adwdevelopments.com as mail host?

A subdomain mail... isn't required.


Hi @GoceRibeski Welcome to the community!
So my take is that your certificate doesn't cover mail.adwdevelopments.com, it only covers the apex domain name.
So you will need to expand the certificate to cover the mail.adwdevelopments.com and you should be set.
@JuergenAuer is correct that a mail subdomain isn't required, but if you want to use it you'll need to expand the cert to cover it. (and it is already set up!)


If this change was required by the hosting, you don't manage your own server.

So your hoster has to fix it. mail. points to a new GoDaddy server - https://check-your-website.server-daten.de/?q=mail.adwdevelopments.com

| Host | Type | IP address | Location / owner | Reverse name | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|---|---|
| mail.adwdevelopments.com | A | 192.186.231.233 | Scottsdale/Arizona/United States (US) - GoDaddy.com, LLC | ip-192-186-231-233.ip.secureserver.net | yes | 1 | 0 |
| mail.adwdevelopments.com | AAAA | - | - | - | yes | - | - |
| www.mail.adwdevelopments.com | A | 192.186.231.233 | Scottsdale/Arizona/United States (US) - GoDaddy.com, LLC | ip-192-186-231-233.ip.secureserver.net | yes | 1 | 0 |
| www.mail.adwdevelopments.com | AAAA | - | - | - | yes | - | - |

I don't think you control that server, so GoDaddy must create and install a certificate.

-->> Ask GoDaddy.


Good catch @JuergenAuer

dig @8.8.8.8 adwdevelopments.com MX +short
0 p3plcpnl0215.prod.phx3.secureserver.net.

@GoceRibeski These are GoDaddy servers (they use their own certificates).

Did you change your MX record because you intend to host your own mail server?
Or is GoDaddy going to continue to host your mail for you?

Please give us some more detail so we won't have to guess.


Thanks @JuergenAuer , @Rip !

I don’t have root access, so I guess I can't do more.

My hosting IP is 192.186.231.233
$ hostname
p3plcpnl0215.prod.phx3.secureserver.net

I did change the MX = adwdevelopments.com but the error appeared again:

    Cert Hostname DOES NOT VERIFY (adwdevelopments.com != *.prod.phx3.secureserver.net | DNS:*.prod.phx3.secureserver.net | DNS:prod.phx3.secureserver.net)
    (see RFC-2818 section 3.1 paragraph 4 for info on wildcard ("*") matching)
    So email is encrypted but the host is not verified

I’m using cPanel email from GoDaddy hosting, don't intend to change it for now.

This is the guide that I used a few years ago when I set up the cert:

Now I’m back to using MX = p3plcpnl0215.prod.phx3.secureserver.net. Mail does not work sometimes, and GoDaddy support says that the problem is in the MX, which should be mail.adwdevelopments.com, but that does not solve the problem either.


Hi @GoceRibeski

But the tutorial you linked above is based on it. Now I'm confused... but @griffin is more familiar with GoDaddy hosting than I. Maybe he'll share some of his knowledge with us here.


You have to ask GoDaddy, it's their system.

mail.adwdevelopments.com has 192.186.231.233, that's ip-192-186-231-233.ip.secureserver.net; p3plcpnl0215.prod.phx3.secureserver.net has 184.168.200.180, a different IP address.

Maybe you have to change the IP address of mail.adwdevelopments.com.

But neither of these two IP addresses sends a certificate with your domain name, not with the subdomain, not with the main domain. So if you use your own domain name as MX, the certificate is invalid.


Thanks for tagging me on this @Rip! :slightly_smiling_face:

GoDaddy is strange when it comes to securing the mail server of a shared hosting instance. When developing CertSage (my ACME client specifically designed to acquire Let's Encrypt certificates for GoDaddy shared hosting), I had to determine which subdomains should be included when attempting to acquire a certificate. I debated on the usefulness of securing the mail subdomain. This really comes down to how you want to configure email clients on your devices that manage email accounts on your mail server. I've found that by using mail. instead of the x.prod.y.secureserver.net, I often have to configure the SMTP (outbound) for my email clients to "accept all certificates". This seems to indicate that the server is presenting the default (Starfield) certificate rather than the Let's Encrypt certificate despite the email clients being configured to contact the server via the mail. domain name. If I just configure the x.prod.y.secureserver.net as my SMTP (outbound) server in my email clients, I do not need to "accept all certificates".

I suspect this may have something to do with ensuring that the SPF TXT records that GoDaddy automatically creates will work without customization.

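The checktls error in the first post and griffin's observation about which name to put in a mail client both come down to the same rule: a client compares the name it connected to against the certificate's DNS SANs, and a wildcard such as `*.prod.phx3.secureserver.net` covers exactly one label in front of that suffix (RFC 2818 section 3.1 / RFC 6125 section 6.4.3), never a name in another domain and never the parent name itself. The following is an added Python example, not code from the original thread, from checktls.com or from CertSage: it applies that rule to the names that appear in this thread (the SAN list is copied from the error message) and includes a helper that reads the SANs an SMTP server actually presents after STARTTLS so the same check can be run against a live server. The function names are my own.

```python
import smtplib
import ssl
from typing import Iterable, List

# SAN list exactly as reported by checktls.com in the thread's error message.
SAN_NAMES = ["*.prod.phx3.secureserver.net", "prod.phx3.secureserver.net"]


def hostname_matches_san(hostname: str, san_names: Iterable[str]) -> bool:
    """Return True if `hostname` is covered by one of the certificate's DNS SANs.

    Wildcard rule as mail clients and browsers apply it: '*' is only honoured as
    the whole leftmost label and matches exactly one label, so
    '*.example.com' covers 'a.example.com' but neither 'example.com'
    nor 'a.b.example.com'.
    """
    host = hostname.strip().lower().rstrip(".")
    for san in san_names:
        name = san.strip().lower().rstrip(".")
        if name.startswith("dns:"):          # accept "DNS:foo" as printed by checktls
            name = name[4:]
        if name == host:                     # exact match
            return True
        if name.startswith("*."):
            suffix = name[2:]
            head, sep, tail = host.partition(".")
            # exactly one non-empty label in front of the wildcard suffix
            if sep and head and tail == suffix:
                return True
    return False


def verify_report(hostname: str, san_names: List[str]) -> str:
    """Produce a checktls-style one-line verdict for `hostname` against the SANs."""
    sans = " | ".join(f"DNS:{n}" for n in san_names)
    if hostname_matches_san(hostname, san_names):
        return f"Cert Hostname VERIFIES ({hostname} matches {sans})"
    return f"Cert Hostname DOES NOT VERIFY ({hostname} != {san_names[0]} | {sans})"


def fetch_smtp_san_names(host: str, port: int = 587, timeout: float = 10.0) -> List[str]:
    """Connect, issue STARTTLS and return the DNS SANs the server really presents.

    Hostname checking is switched off on purpose so the certificate can be read
    even when the name does not match; the chain is still required to validate
    against the system CA store (otherwise getpeercert() would be empty).
    Needs network access, so it is not called by the offline demo below.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        cert = smtp.sock.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # Offline demo using only the names from the thread.
    for name in ("mail.adwdevelopments.com",
                 "adwdevelopments.com",
                 "p3plcpnl0215.prod.phx3.secureserver.net",
                 "prod.phx3.secureserver.net"):
        print(verify_report(name, SAN_NAMES))
```

Running the demo shows that only the two secureserver.net names verify, which is why pointing the MX (or a mail client's SMTP host) at `mail.adwdevelopments.com` or the apex name produces the warning while `p3plcpnl0215.prod.phx3.secureserver.net` does not: the certificate, not DNS, decides the outcome. `fetch_smtp_san_names("p3plcpnl0215.prod.phx3.secureserver.net")` fed into `verify_report` gives the same verdict for a live server as checktls.com, and confirms whether a Let's Encrypt certificate for your own domain is actually being served on the SMTP port.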
