I'm very new to having a website and am perpetually confused about SSL. Having ignored this for a while, I need to revisit. Please be kind, I am very ignorant!
My web server is: Netcetera
My hosting provider is: Squarespace
I have Let's Encrypt SSL via Squarespace for my website, however it doesn't seem to extend to my domain webmail. I had a bother at the very start when I paid for SSL via Netcetera but then discovered Squarespace has it built in, so I cancelled that. It's hard to judge what's going on from the Netcetera dashboard as it thinks I have no SSL on the whole domain, but I believe my email lacks SSL certification. I do want to get this resolved as I think it's also making it more likely emails sent from my domain are going into spam.
I need to understand if there is a way for the Squarespace SSL to extend to webmail linked to the domain, or if I need to go back to netcetera and discuss with them about the cover just my webmail. Many thanks!
Hello @SqNetP, welcome to the Let's Encrypt community.
We really need a FQDN of your web server.
The Top-level domain is important and that is needed.
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Thank you for assisting us in helping YOU!
Isn't Netcetera another hosting provider, just like Squarespace? If so, could you explain what the relationship between the two is? Usually, one only has a single hosting provider.
Also, when you're on shared hosting, there often is little you can do yourself, so you might be dependent on what your hosting provider(s?) offer you as a customer.
Thanks for the reply. I mostly don't understand all those other things in the list, hence not giving answers to them.
The domain is pamelabuchan.co.uk.
I haven't run any commands so there are no outputs. I don't know what a root shell is. I use Squarespace to manage my website, but Netcetera uses Plexus for me to manage the stuff to do with my domain name provision and webmail which is part of the package they provide. I don't know what the client is to know what the version is.
@Osiris I am probably getting the terms wrong. I get my domain name from netcetera as a package which includes webmail. The website is on Squarespace.
To add, when I first set the website up and bought an SSL subscription, it messed up Squarespace completely, hence ditching it. But maybe I need to buy a separate one for the webmail only somehow, though I might've tried that. It was a few months ago and I can't remember exactly what I did then...
If Netcetera also provides the webmail, how could you use the certificate from Squarespace on Netcetera? If those are two separate entities/hosting providers and they don't have some kind of partnership to exchange certificates (which I highly doubt), you need to enable SSL on Netcetera's part of the story, not Squarespace.
Also, what's the URL of the webmail? Nevermind, seems to be simply
On a side note: one of the two authoritative DNS servers for ns2305.nameservers.co.uk) is responding with "REFUSED". The other one, ns2304.nameservers.co.uk, seems to work. This could lead to DNS resolving issues for your visitors.
Another edit: What seems to be the problem with your webmail's TLS/certificate? I'm currently seeing a perfectly fine Let's Encrypt certificate and it seems this cert is also automatically renewed every 2 months: crt.sh | webmail.pamelabuchan.co.uk
@Osiris here is what I find for DNS Records DNS Lookup - Check DNS Records
That tool doesn't seem to detect the malfunctioning authoritative nameserver, see pamelabuchan.co.uk | DNSViz for more info.
Thanks so much for taking time to help. I'm afraid I literally understand none of what you have both just said! I would like to fix the DNS if this is an issue. I had constant DNS errors when I used the purchased SSL but they all resolved once I ditched it.
@Osiris perhaps there is no issue with the webmail then and I'm worrying for nothing. When I try to add it to Thunderbird it says the certificate doesn't match the site and somebody could be trying to impersonate it. Obviously I am not impersonating it. I had similar problems when I tried to set up a Gmail alias so it would have more storage etc. Gmail was having none of it.
Thunderbird is not the same as webmail? What exact settings are you using in Thunderbird?
No, Thunderbird is the client that I'd rather be using to manage webmail rather than the built-in web-based interface. I have accepted an exemption to the security certificate but I believe it is picking up what is said in the Hardenize report, that the domain names don't match. Perhaps that's just because of the Squarespace-Netcetera issue. I don't know though if this makes my webmail vulnerable in any way.
I know what Thunderbird is. It operates on entirely different protocols, mostly IMAP. Which is something entirely different compared to webmail, so that's why I'm asking what exact settings you're using in Thunderbird, so I can try to see what's wrong with it.
That report does not report anything about IMAP. What you're seeing is likely due to the IMAP server being configured for a different hostname. Without the exact details, I can only guess.
I don't know how to answer your question. I don't understand why webmail and IMAP are mutually exclusive. I have Gmail on webmail and on IMAP through Thunderbird too, ditto all my Office 365 based accounts on webmail and on Outlook. It is functioning fine in Thunderbird so I don't think the settings are relevant. The question relates to the certificate which Thunderbird checks when adding an account and which it said didn't match the domain name. I've added an exemption so Thunderbird has added the account. I just didn't know if this is an issue I need to be concerned about with regards to the security of my email linked to my domain.
@SqNetP do you have an IT support person to call upon for help?
I suspect that if we use an analogy here it might help a little bit, for the SSL (i.e. TLS) side and your Thunderbird certificate mismatch.
Say you have 2 houses and want one key to open both houses; you need both houses' locks to be keyed the same, basically a copy of each other.
Now if we name the houses
- Squarespace Inc.
- Netcetera Ltd.
Then presently your 1. Squarespace Inc. is keyed fine for your one key.
However your 2. Netcetera Ltd. is NOT keyed for your one key.
So you need a locksmith (i.e. IT support person) to rekey 2. Netcetera Ltd. to use your one key.
Then you do that by copying the Private Key and Certificate from 1. Squarespace Inc. to 2. Netcetera Ltd. so they both can provide the same response. The one key (i.e. an SSL Certificate) needs to have the DNS names of both systems in it.
House 1. A pamelabuchan.co.uk 3600 126.96.36.199
House 2. MX pamelabuchan.co.uk 3600 10 mail.pamelabuchan.co.uk. (188.8.131.52)
They're not, did I say they were? I just wanted to know your Thunderbird settings so I can check.
Wow, so.. You're saying it functions fine? But it also gives certificate errors? How is it functioning fine when it throws errors? So it's not functioning fine I guess?
Look, from my point of view this is really simple: either you'll provide the exact settings you're using in Thunderbird which gives you a certificate error, so I can help you figure it out or you don't provide any details and I cannot help you. It's that simple.
I had really great support from Netcetera when I set things up. They are my IT support person. So if I copy what you've put at the end and message them about this, will that make sense to them?
I can edit the DNS registry on the Netcetera dashboard. There were loads of issues getting it all started and the help people just sorted it out. It was months ago so I can't remember specifically, but the registry wasn't letting me edit the nameservers, or refused to remember them or something just weird. They just fixed it from their side.
I'm sorry I'm so enormously ignorant on this. I'm an expert in a number of scientific fields but websites I have nearly no knowledge about!
I believe it would make sense to them.
There is nothing to be sorry for. You are being polite, respectful, and kind.
Thank you, I will get in touch with them.
If I dig a little bit further, without getting any information from OP, I can see there's an IMAP server running on the IP 184.108.40.206 (which is also used for the webmail), but it presents an expired Plesk self-signed certificate when using webmail.pamelabuchan.co.uk as hostname, whereas it presents a valid certificate for the FQDN webmail.pamelabuchan.co.uk when using mail.pamelabuchan.co.uk as a hostname (as suggested by the Netcetera knowledge page about setting up an IMAP client). Which is weird. And would trigger an incorrect hostname error in Thunderbird.
Netcetera should make sure that the certificate used in Dovecot also contains the mail subdomain and not only the
Also note that connections to port 25 (SMTP) are timing out from my point of view, which is weird, as that should work according to the suggested settings in the above mentioned guide by Netcetera.
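To make the hostname-mismatch diagnosis above reproducible, here is an added example (not from the thread or from Netcetera) that checks which of the hostnames you configure in an IMAP client are actually covered by the certificate the server presents. It assumes implicit TLS on port 993 for the live fetch; the sample certificate dict is constructed to mirror what the thread describes.

```python
import socket
import ssl

# Constructed sample, mirroring the thread: the cert names only the webmail host.
SAMPLE_CERT = {
    "subject": ((("commonName", "webmail.pamelabuchan.co.uk"),),),
    "subjectAltName": (("DNS", "webmail.pamelabuchan.co.uk"),),
}


def san_dns_names(cert):
    """DNS names from the dict that SSLSocket.getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(hostname, san_names):
    """RFC 6125-style match: exact, or one wildcard in the left-most label only."""
    host = hostname.lower().rstrip(".").split(".")
    for name in san_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host):
            continue
        if labels[0] == "*" and len(labels) >= 3 and labels[1:] == host[1:]:
            return True
        if labels == host:
            return True
    return False


def missing_names(cert, wanted):
    """Hostnames in `wanted` that the certificate would fail to cover."""
    names = san_dns_names(cert)
    return [h for h in wanted if not hostname_matches(h, names)]


def fetch_peer_cert(host, port=993, timeout=10):
    """Open an implicit-TLS (IMAPS) connection and return the leaf certificate.
    The chain is still verified against the system trust store; only the
    hostname check is switched off so a mis-named but otherwise valid cert is
    returned for inspection. An expired or self-signed cert still raises."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    wanted = ["mail.pamelabuchan.co.uk", "webmail.pamelabuchan.co.uk"]
    print("not covered by the sample cert:", missing_names(SAMPLE_CERT, wanted))
```

Running `missing_names(fetch_peer_cert("mail.example-placeholder"), wanted)` against a real server lists every configured hostname the client would reject; an empty list means the certificate covers all of them.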