
Mail SNI assigned certificates are not correct

Discussion in 'E-mail Discussions' started by lorio, Apr 24, 2016.

  1. lorio

    WHM 54.0 (build 21)
    CentOS 6.7
    Dedicated IP (not relevant for Mail SNI)
    The account was transferred (WHM version on both servers identical)

    Account with
    main.tld
    parkeddomain.tld

    Both used for emails. Website is using parkeddomain.tld
    Website certificate is set to parkeddomain.tld.

    For both main.tld and parkeddomain.tld a certificate (CA, not self-issued) was installed.
    Since only one can be used for Mail SNI the main.tld was removed.

    Test of SNI domains with Thunderbird
    mailserver pop3 set to : main.tld
    Certificate mismatch : The certificate of the parkeddomain.tld is delivered to Thunderbird.

    mailserver pop3 set to : parkeddomain.tld
    Certificate mismatch : The certificate of the hostserver (normal behaviour without SNI) is delivered to Thunderbird.

    Is this a known issue? Any workaround to get this fixed? Perhaps order of installing or removing the certificates again?

    Before opening a ticket or a defect bug ticket I would like to get some feedback from others.
    Thanks in advance.
     
  2. lorio

    I checked /etc/dovecot/sni.conf and found some of the issues.

    The CA bundle was not installed on transferred domains. The CA was installed on the old server before transfer was done.
    The bug here seems to be that the CA bundle is not transferred but requested by the new server.

    The SSL/CN=Secure Site Starter DV SSL CA - G2 cert isn't available on the net.
    Not sure why that cert isn't available. It isn't available on the CA site as well.
    Only the partners of the Symantec Encryption everywhere campaign provide them with the cert itself.

    There seems to be no proven way to add CA bundles to the OS (CentOS 6) and get cPanel to recognize them when installing via the GUI. The CA bundle isn't prefilled when using autofill, which I would expect as a sign that the CA bundle is now available serverwide.

    Parked domains as web SNI and main domain as mail SNI. Is that possible? Doesn't seem to work from the GUI.
    But can a parked domain be added as local host entry in the dovecot SNI?
    If yes, what is the correct way to add entries there? What way is expected by cPanel?

    Thanks for reading.
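
An offline version of the check the post above describes doing by hand, as an added example that is not part of the original thread and not cPanel's own tooling: it parses Dovecot `local_name` blocks and reports, for each mail hostname, which certificate file would be selected and whether that file carries intermediates. It assumes `sni.conf` consists of plain `local_name ... { ssl_cert = <path }` blocks; the sample config, paths and certificate contents are constructed.

```python
import re

# Dovecot SNI blocks: local_name <name(s)> { ssl_cert = </path ... }
BLOCK = re.compile(r'local_name\s+("?)([^"{]+?)\1\s*\{(.*?)\}', re.S)
CERT = re.compile(r'ssl_cert\s*=\s*<\s*(\S+)')
PEM_MARK = "-----BEGIN CERTIFICATE-----"

def sni_map(conf_text):
    """Return {hostname: cert_path} for every local_name block."""
    mapping = {}
    for _quote, names, body in BLOCK.findall(conf_text):
        cert = CERT.search(body)
        for name in names.split():  # a quoted block may list several names
            mapping[name.lower()] = cert.group(1) if cert else None
    return mapping

def audit(conf_text, mail_names, read_file):
    """For each hostname a mail client may use, report the certificate file
    Dovecot would select and whether it holds more than the leaf."""
    mapping = sni_map(conf_text)
    report = {}
    for name in mail_names:
        path = mapping.get(name.lower())
        if path is None:
            # No matching block: the server-wide default certificate is used.
            report[name] = "no SNI entry: server default certificate is served"
            continue
        count = read_file(path).count(PEM_MARK)
        chain = "leaf only, no CA bundle in file" if count < 2 else f"{count} certs in chain"
        report[name] = f"{path}: {chain}"
    return report

# Constructed sample, not taken from the poster's server.
SAMPLE_CONF = """
local_name main.tld {
  ssl_cert = </constructed/ssl/parkeddomain.tld.crt
  ssl_key = </constructed/ssl/parkeddomain.tld.key
}
"""
SAMPLE_FILES = {
    "/constructed/ssl/parkeddomain.tld.crt":
        PEM_MARK + "\n(constructed leaf)\n-----END CERTIFICATE-----\n",
}

if __name__ == "__main__":
    names = ["main.tld", "parkeddomain.tld"]
    for host, result in audit(SAMPLE_CONF, names, SAMPLE_FILES.__getitem__).items():
        print(f"{host}: {result}")
```

On a real server, pass the contents of `/etc/dovecot/sni.conf` and a `read_file` that opens the path from disk.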
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    This is addressed in cPanel version 58 with internal case CPANEL-5601.

    Could you let us know the specific vendor this CA Bundle was purchased from? What type of certificate is it?

    Aliases (Parked Domains) cannot have their own SSL certificates because they do not have their own Virtual Host. You would have to remove the domain names as aliases (parked domains) and add them as addon domains to allow them to have their own SSL certificates. Does the "Mail SNI" functionality work as expected if you switch the domain name from a parked domain to an addon domain name?

    Thank you.
     