

Cert Hostname Does Not Verify

Discussion in 'Security' started by James Bowlin, Jan 12, 2017.

  1. James Bowlin

    James Bowlin Member

    I have the Comodo AutoSSL & Mail SNI enabled for the domains on my server. When I attempt to do TLS Email Tests I get errors saying the following:
    • Cert Hostname DOES NOT VERIFY (example.com != server1.example.com) for my main domain
    • Cert Hostname DOES NOT VERIFY (domain.com != server1.example.com) for one of my client's domains.
    This is causing me issues as some email programs will not allow me to use a secure connection to receive emails.
     
    #1 James Bowlin, Jan 12, 2017
    Last edited by a moderator: Jan 12, 2017
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Could you verify a valid SSL certificate was installed for an affected domain name? For instance, when accessing the domain name via your web browser via the https URL and viewing the certificate, does it show as a signed certificate?

    Thank you.
     
  3. NOC_Serverpoint

    NOC_Serverpoint Well-Known Member

    Hello,

    Can you please try using the hostname of your certificate as the MX record for the domains. Please check if you still get this error.

    Regards,
     
  4. James Bowlin

    James Bowlin Member

    Yes, a valid SSL certificate is installed for both domains. Navigating to https and viewing the certificate for each shows the correct domain listed in the Common Name of the certificate.
     
  5. James Bowlin

    James Bowlin Member

    Hostname of which certificate? I have more than one certificate, and two of them are Domain Validated SSL certificates that cPanel's AutoSSL gets from Comodo. In the DV certs there is no hostname listed, only a Common Name, which is the same as the Domain Name for each, and that is already listed in my MX records.
     
  6. NOC_Serverpoint

    NOC_Serverpoint Well-Known Member

    Hi,

    You need to check if the MX record is connecting to the SSL ports. You can try using the commands below from the command line.
    --
    openssl s_client -connect your.mx.com:465
    openssl s_client -connect your.mx.com:993
    --

    Regards,
     
  7. James Bowlin

    James Bowlin Member

    The problem here is that the POP3 and IMAP services are using the SSL certificate for my server's FQDN/hostname server1.domain.com rather than the domain-specific certificate; I've enabled SNI for Mail on all domains. This has nothing to do with MX records and everything to do with cPanel not properly associating the SSL certificates with the mail server via SNI. I could do this manually via configuration files on my server, but that sort of defeats the purpose of my paying cPanel for software that's supposed to do this for me.
     
  8. NOC_Serverpoint

    NOC_Serverpoint Well-Known Member

  9. James Bowlin

    James Bowlin Member

    Already done that prior to posting here. Email SNI is enabled on all domain SSL certificates in Manage SSL Hosts. Having a look around the forums here, it appears this is a bug that supposedly got fixed in prior releases of cPanel, but I guess not. I'm going to do what was suggested in one of the other postings to see if it works.
     
  10. MironJ

    MironJ Active Member

    Hi, the same issue is happening to me on several servers where the server hostname SSL cert was updated, and after that SNI does not work for client domains anymore, even though I have enabled SNI for mail.
     
  11. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Please let us know the version of cPanel installed on systems where Mail SNI isn't working:

    Code:
    cat /usr/local/cpanel/version
    Thank you.
     
  12. MironJ

    MironJ Active Member

    11.60.0.35 on every server
     
  13. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello @MironJ,

    Could you open a support ticket using the link in my signature so we can take a closer look and see what's happening? You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  14. MironJ

    MironJ Active Member

    Hi Michael,

    Here it is: cPanel ticket ID# 8151245

    Thank you
     
  15. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    It looks like this may have occurred on systems with older email clients that don't support SNI. Could you verify if you are experiencing any additional issues?

    Thank you.
     
  16. FRWB

    FRWB Member

    I'm having this same issue. When I telnet to mail.mydomain.com 587, the 220 banner says my hostname (which I changed from the original vps123.myhost.com hostname in an attempt to resolve this). When I send HELO mail.mydomain.com it responds with 250 mail.mydomain.com Hello blah blah, but when I run the checkTLS test I get:
    [020.448] Cert Hostname DOES NOT VERIFY (mail.mydomain.com != vps123.myhost.com)
    [020.448] So email is encrypted but the host is not verified

    When checking the certs on my domains they look properly signed.

    Running cpanel version 62.0 (build 17).

    I have two domains on my VPS on one IP. In the Manage SSL section of cPanel it says my main domain does not require SNI, while it says the second domain does, but both domains fail the checktls.com test with the error I mentioned earlier. I've been stumped by this for a couple of days. Where is the test getting my old hostname from before I changed it?

    I've found this thread, SOLVED - Easy FIX your SMTP banner, SMTP greeting and Reverse DNS for Dedicated IPs

    but it looks like he's using 2 IPs in his config. What would I do differently for a one-IP setup? Would I even need to mess with /etc/mailips since I only have one?
     
    #16 FRWB, Mar 22, 2017
    Last edited: Mar 22, 2017
  17. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    It's possible this is an issue with the CheckTLS website. Try checking the certificate manually using the openssl command. EX:

    Code:
    openssl s_client -connect mail.domain.com:993 -servername domain.com
    Does it return the correct certificate for the domain name?

    Thank you.
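    The same check the openssl commands in posts 6 and 17 perform, and the one CheckTLS reports on, as an added example that is not from this thread or from cPanel: it fetches the leaf certificate a mail server presents on an implicit-TLS port once without SNI and once with it, and reports a mismatch in the thread's own wording. The host, port and domain are arguments you supply, and the embedded sample certificate is constructed for illustration.

```python
import socket
import ssl
import sys

# Constructed sample shaped like getpeercert(): the server-hostname cert a client sees when mail SNI is ignored.
SAMPLE_HOSTNAME_CERT = {
    "subject": ((("commonName", "server1.example.com"),),),
    "subjectAltName": (("DNS", "server1.example.com"), ("DNS", "mail.example.com")),
}

def cert_names(cert):
    """Subject CN followed by every DNS subjectAltName, without duplicates."""
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value not in names:
                names.append(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and value not in names:
            names.append(value)
    return names

def name_matches(expected, pattern):
    """RFC 6125-style match: exact name, or '*.' covering exactly one leading label."""
    expected, pattern = expected.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in expected and expected.split(".", 1)[1] == pattern[2:]
    return expected == pattern

def verify_hostname(expected, cert):
    """Return (ok, message) using the wording CheckTLS reports in the thread."""
    names = cert_names(cert)
    if any(name_matches(expected, name) for name in names):
        return True, f"Cert Hostname verifies ({expected})"
    presented = names[0] if names else "<no name in certificate>"
    return False, f"Cert Hostname DOES NOT VERIFY ({expected} != {presented})"

def fetch_mail_cert(host, port, servername, timeout=10):
    """Leaf cert presented on an implicit-TLS port (465/993/995); servername=None sends no SNI."""
    ctx = ssl.create_default_context()  # chain is still validated (CERT_REQUIRED)
    ctx.check_hostname = False          # report the name mismatch instead of raising
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=servername) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    host, port, domain = sys.argv[1], int(sys.argv[2]), sys.argv[3]  # e.g. mail.example.com 993 example.com
    for sni in (None, domain):  # compare the answer without SNI with the answer with SNI
        print(f"SNI={sni!r}: {verify_hostname(domain, fetch_mail_cert(host, port, sni))[1]}")
```

    If the run without SNI reports the server hostname and the run with SNI reports the domain, mail SNI is working and only clients that send no SNI see the mismatch; if both runs report the server hostname, the mail service is not selecting the domain certificate. Ports 25 and 587 need STARTTLS first (openssl's -starttls smtp) and are not covered by this snippet.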
     
  18. FRWB

    FRWB Member

    It spits back,
    Code:
    CONNECTED(00000003)
    depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    verify return:1
    depth=0 CN = www.mydomain.com
    verify return:1
    ---
    Certificate chain
     0 s:/CN=www.mydomain.com
       i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
     1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
       i:/O=Digital Signature Trust Co./CN=DST Root CA X3
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    blah blah
    
    fVVSvz9tHp9aG2fT0Jn4EZ67BzN285Yp2g==
    -----END CERTIFICATE-----
    subject=/CN=www.mydomain.com
    issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    ---
    No client certificate CA names sent
    Server Temp Key: ECDH, secp384r1, 384 bits
    ---
    SSL handshake has read 3209 bytes and written 426 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: 8265129A3FE61E6168C4CFAB906C69D7E12B037A27267E0567C6AB418CE93FDE
        Session-ID-ctx:
        Master-Key: 5C8D8003B34ABEFB873638E64F8988F46087191373773A3533CFC1A47BB07B47AE27923C118D538441498E0141B300BB
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        TLS session ticket lifetime hint: 300 (seconds)
        TLS session ticket:
        0000 - 24 ed 40 b2 91 47 4c 40-63 d3 5e 25 14 5f 99 d5   $.@..GL@c.^%._..
        0010 - 06 54 a0 f9 87 b8 7e e1-b8 29 e8 12 72 3f 62 e5   .T....~..)..r?b.
        0020 - c2 bb 41 bc 1e 3d 03 e0-9e 84 d3 56 c8 bb 10 a1   ..A..=.....V....
        0030 - d6 3d 27 27 54 e1 94 36-62 82 54 80 1d 87 dc 9a   .=''T..6b.T.....
        0040 - e2 49 75 92 fb f4 eb eb-3f 0f 27 3e 30 29 de 51   .Iu.....?.'>0).Q
        0050 - 63 7c a8 46 e6 25 55 12-63 8e fb d9 23 ae e7 18   c|.F.%U.c...#...
        0060 - 63 c0 fb dc a1 c8 68 d2-7d 83 ff e4 1f 75 cf 85   c.....h.}....u..
        0070 - 95 d2 5f c9 c8 58 2c 5d-62 79 57 e7 cc 60 c3 ac   .._..X,]byW..`..
        0080 - d4 2b 0c 3f 2c 48 9a e7-fd 81 6e f9 f4 56 48 e6   .+.?,H....n..VH.
        0090 - 3f 5c 1e 81 83 07 30 16-38 b7 86 b1 78 ab 23 2b   ?\....0.8...x.#+
        00a0 - 78 86 d4 dd a8 6b 6a 4b-88 e6 d3 b5 0b e1 d6 ce   x....kjK........
    
        Start Time: 1490222805
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE NAMESPACE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
    CONNECTED(00000003)
    * BAD Error in IMAP command received by server.
    depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    verify return:1
    depth=0 CN = www.mydomain.com
    verify return:1
    ---
    Certificate chain
     0 s:/CN=www.mydomain.com
       i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
     1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
       i:/O=Digital Signature Trust Co./CN=DST Root CA X3
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    depth=2 BAD Error in IMAP command received by server.
    * BYE Too many invalid IMAP commands.
    closed
    
    Looks like it's saying 'bad error in IMAP command received by server'? That's not referring to the command you had me try, is it? Should I compare this info against the certificate I see in the Chrome dev tools?
     
  19. FRWB

    FRWB Member

    And if there was a problem with the checktls site, I would expect there to be failures with a lot more email addresses. A Gmail address, an Office 365 address and a Yahoo address all pass the same test with flying colors.
     
  20. FRWB

    FRWB Member

    I followed your instructions in that post I linked to, and although the changes took without issue in Exim, I'm still getting 'cert hostname does not verify' on checktls, as well as 'rDNS does not match SMTP banner' on mxtoolbox.

    Does Exim have some default banner masking that I need to disable?
     