Basic help with SSL & Email

DavidR

Well-Known Member
Feb 25, 2003
177
0
166
I've honestly never messed with the SSL/TLS (what exactly is TLS?) settings on my email, but now I want to make sure it works. I see where all the certs are located in WHM for the various services, and if I use the SSL (TLS fails) setting on my client I can get a connection and send/receive email. But each time I open my email client, I get a message about BAD signatures in my certificates. I realized these are some sort of self-signing cert installed automatically by cPanel, but is there a way to stop those messages? I can't imagine cPanel put them in there for use with that kind of error message popping up by design.

I'm sure someone can point me to a thread with all this answered, but I haven't been able to find it ;)

Thanks!
 

cPanelDavidG

Technical Product Specialist
Nov 29, 2006
11,212
13
313
Houston, TX
cPanel Access Level
Root Administrator
Even a nudge in the right direction would be appreciated ;)
Are you using the self-signed certs that come with cPanel/WHM or are you using a cert you purchased? Note, self-signed certs will pretty much always throw a warning when using an SSL-based service such as HTTPS or mail over SSL unless the user chooses to permanently ignore such warnings for your server.

If you are using a purchased cert, this should not happen.
 

DavidR

Thanks. Yes, the self-signed certs that were automatically installed. Unfortunately, I'm using Evolution as my mail client and it doesn't appear to have a way to ignore the errors. Which domain is used to request a cert for those services, the main server domain? Will this cause more errors since the server domain and the various email accounts use different domain names? I've used cPanel for years and just never messed with this.
 

cPanelDavidG

If you connect to a domain and the server throws a certificate for a different domain, that too will cause a warning (domain1.com is using a certificate for domain2.com).

However, you can manage SSL certificates for services by going to WHM -> Service Configuration -> Manage Service SSL Certificates
 

DavidR

Ok, I really want to get this clear in my head. When I go to WHM -> Service Configuration -> Manage Service SSL Certificates, I have a row of 5 certificates, 2 for email, 2 for WHM and 1 for ftp. I can click Install new Cert, but it asks for the cert and that's it. Where do I create the signing request for this? And if I do, what domain do I use for it? I'm very familiar with doing this for domain accounts, but I'm lost here. And when I get a cert, do I use the same one for each of these, or do I request 5 different certs for the same domain?

I don't usually ask for a step by step but I could sure use it here :(
 

cPanelDavidG

If you click "Reset Certificate" you will revert to a self-signed certificate.

If you click "Install Certificate" you will be prompted to enter information regarding the SSL certificate you purchased. This can be the same certificate as one would acquire for HTTPS. You can use the same certificate for HTTPS and all of the services.

Currently you can only have 1 domain registered as having an SSL certificate on these services. Here is an existing feature request relating to this functionality: http://bugzilla.cpanel.net/show_bug.cgi?id=5982
 

DavidR

Ok, to clarify, I do a cert signing request as I would for any domain, request it for my server.mydomain.com name, then install the cert I get for all my services, correct?
 

cPanelDavidG

Yes, but you would then need to make sure your users are connecting to server.mydomain.com rather than theirdomain.com.

For cPanel/WHM/webmail, there's a tweak setting to force this. However, no setting currently exists to force connections to redirect to another hostname.
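
The two warnings discussed in this thread (a self-signed certificate, and a certificate issued for a different hostname than the one the mail client connects to) can be reproduced offline with the check below. This is an added example, not part of the original posts and not cPanel code; the certificates are constructed dicts in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and `mail.theirdomain.com` and the CA name are placeholders.

```python
# Added example. Certificates below are constructed sample data, not real ones.

def cert_names(cert):
    """DNS names a client will accept: SAN entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:      # refuse patterns as broad as "*.com"
        p, h = p[1:], h[1:]
    return p == h

def is_self_signed(cert):
    """Heuristic: issuer equals subject (the cert vouches for itself)."""
    return cert.get("issuer") == cert.get("subject")

def warnings_for(cert, connect_host):
    """Warnings a mail client would raise when connecting to connect_host."""
    found = []
    if is_self_signed(cert):
        found.append("self-signed")
    if not any(name_matches(n, connect_host) for n in cert_names(cert)):
        found.append("name-mismatch")
    return found

# Constructed: the auto-installed service cert described in the thread.
SELF_SIGNED = {
    "subject": ((("commonName", "server.mydomain.com"),),),
    "issuer": ((("commonName", "server.mydomain.com"),),),
}
# Constructed: a purchased cert requested for the server hostname.
PURCHASED = {
    "subject": ((("commonName", "server.mydomain.com"),),),
    "issuer": ((("organizationName", "Example CA (constructed)"),),),
    "subjectAltName": (("DNS", "server.mydomain.com"),),
}

if __name__ == "__main__":
    for host in ("server.mydomain.com", "mail.theirdomain.com"):
        print(host, warnings_for(SELF_SIGNED, host), warnings_for(PURCHASED, host))
```

Only the purchased certificate combined with the server hostname in the client settings produces no warning, which is why users have to be pointed at server.mydomain.com.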
 

DavidR

Ah, hence the bug report. I get it, thanks! Yes, I agree this is very necessary now.