Exim presents wrong certificate after updating SSL host

grindlay

Well-Known Member
Dec 8, 2004
55
3
158
Edinburgh, Scotland
cPanel Access Level
Root Administrator
I use Cloudflare CDN to manage security on my domain. I've run into the same problem described in multiple threads where the LetsEncrypt certificate validation service fails due to cloudflare - the workaround is a cumbersome 'pause cloudflare on the domain every 3 months' and run AutoSSL. This becomes unmanageable as the number of accounts increases.
In an effort to find a solution, I disabled AutoSSL, removed the LetsEncrypt certificates and installed Cloudlare's Origin certificate instead.
This works perfectly for https but when I try to connect my mail client (Exim/Dovecot) they are presented with the root certificate for my domain, throwing a warning.
Understand that this has something to do with Domain TLS in cPanel, but have no idea where to look for a solution.
Any ideas please?
Webmail works, I get a 'B' on ssllabs.com (due to support of TLS 1.0 and 1.1)
Update: I have a theory that this is because Cloudflare's origin certificates are only valid to secure the connections between my server and cloudflare - I still need a certificate to secure the connection between clients and cloudflare CDN. Apologies for my limited knowledge in this area.
 
Last edited:

sneader

Well-Known Member
Aug 21, 2003
1,195
64
178
La Crosse, WI
cPanel Access Level
Root Administrator
We use AutoSSL with Let's Encrypt, and have many clients running Cloudflare. Our clients are not "pausing Cloudflare every 3 months". Validation will fail for DNS validation, of course, since Cloudflare is doing your DNS. But then AutoSSL & Let's Encrypt will fall back to File Based validation, and that will work just fine. i.e. it will come to the customer's domain and try to pull up something like https://example.com/.well-known/acme-challenge/blahblah.txt -- if successful, and it will be, with or without Cloudflare, then the certificate is validated and renewed/installed. For things like cpcalendar, cpcontacts, webmail, etc., these should have "proxied" disabled at CloudFlare (makes no sense for them to be proxied anyway, and that will block those from being authenticated).

Regarding your B grade, in Cloudflare, navigate to SSL/TLS > Edge Certificates, and look at "Minimum TLS Version". The default is TLS 1.0, but if you want to remove support for them, then change this setting to TLS 1.2.

- Scott
 
  • Like
Reactions: cPRex

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,439
1,004
313
cPanel Access Level
Root Administrator
@sneader 's behavior is also what I am used to seeing. We definitely don't want a system in place where users have to disable Cloudflare every few months in order to stay secure.

If you see this problem with another domain on your machine we'd be happy to check directly if you submit a ticket to our team.
 
  • Like
Reactions: sneader

grindlay

Well-Known Member
Dec 8, 2004
55
3
158
Edinburgh, Scotland
cPanel Access Level
Root Administrator
Thanks for the replies. Doing a search on these forums for "cloudflare DCV" produces a lot of results but the errors are wide and varied and in some case clearly DNS mis-configuration. In my case, DCV was failing due to IP v6 resolution - the only solution I've found is to pause Cloudflare, but next time it fails, I'll post the error and see if I can get to the bottom of it.
 
  • Like
Reactions: sneader and cPRex