SSL cert warning when opening mail client

nitdna

Member
Nov 13, 2013
17
0
1
cPanel Access Level
Root Administrator
Hi

I have a lot of users receiving this security warning about the SSL certificate when opening their mail client (most use Outlook 2010):
The server you are connected to is using a security certificate that cannot be verified.
The target principal name is incorrect.

The main domain used for this VPS is listed in the certificate, ourdomain.com.au.
Users have their own domain for the incoming mail server: mail.theirdomain.com.au for example.
Both domains point to the same IP address - the shared IP for the server.

Could someone advise on how to go about having the principal name error resolved without having to change all the incoming mail servers? Is there something I can do on the server with the SSL certificate for the domains?
 

24x7server

Well-Known Member
Apr 17, 2013
1,912
99
78
India
cPanel Access Level
Root Administrator
Hello,

I think you are using a self-signed SSL certificate for your mail services, and due to that you are getting this issue when you try to connect to your mail server using an SSL connection. You will have to install an SSL certificate for your mail services through WHM: Manage Service SSL Certificates
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,267
463
Hello :)

You can install a signed certificate for each service via:

"WHM Home >> Service Configuration >> Manage Service SSL Certificates"

However, in addition, the users will need to use the hostname that you install the certificate for in their email client to avoid seeing those types of warning messages.

Thank you.
 

nitdna

Thanks Guys

The following services have already got the signed certificate applied to them:
FTP Server
Exim (SMTP) Server
Dovecot Mail Server
cPanel/WHM/Webmail Service

So, if there are numerous (talking around 80) accounts that are all hosting mail and all have different domain names, do the users for each domain have to use the main hostname or is there a way they can use their domain (mail.theirdomain.com.au) for the incoming mail server using this certificate?
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
As far as I know only one SSL can be installed for the non-apache services. Likely the users will need to use the hostname to avoid a cert mis-match warning.
 

nitdna

OK, so upon further investigation, the incoming mail server does need to use the hostname - so that answers that, thanks.

Found that even though this is now set correctly, the certificate for the hostname is still using an old certificate.
The one that is listed as being applied to the services listed above is not the certificate being used when connecting to the mail server.

Under "WHM Home -> SSL/TLS -> Manage SSL Hosts" the IP address and domain are listed correctly with the correct certificate.
It is also set as the shared certificate (not sure if this makes any difference).

So this signed certificate is set for the services and the domain, yet when connecting to this it is trying to use the original self-signed certificate. Is there another section I need to check?
 

quizknows

Manage SSL Hosts only handles Apache. You need to reapply the cert in the Manage Service SSL Certificates area Michael mentioned. I know you said you already did this, so try re-installing it and restarting the service.
 

nitdna

OK, will re-install and restart service and let you know, thanks.

- - - Updated - - -

That has done the trick! Thanks for your help and time!
So steps taken for those who may be interested...
- Under "WHM Home >> Service Configuration >> Manage Service SSL Certificates"
- Reset the certificate for the services - this removes the current cert and replaces it with a self-signed one.
- Install the certificate for the services (the signed one).
- Restarted the services.
It is now using the correct certificate.
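
A way to confirm the outcome of this thread from a workstation, as an added example that is not part of the original posts: it fetches the certificate a mail port actually presents and checks which client-configured hostnames it covers. The function names and the sample certificate are assumptions made for illustration; the hostnames are the placeholders used in the thread.

```python
import socket
import ssl

def presented_cert(host, port=993, timeout=10):
    """Fetch the certificate a TLS service (993 = IMAPS) presents.
    Chain validation stays on, so a self-signed certificate raises
    ssl.SSLCertVerificationError, which already answers the question.
    The hostname check is off so a mismatched certificate can be inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def cert_dns_names(cert):
    """DNS names from subjectAltName; fall back to commonName only for
    older certificates that carry no SAN (many current clients ignore CN)."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return names

def name_matches(pattern, hostname):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = hostname.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == hostname

def audit(cert, client_hostnames):
    """Map each hostname a mail client is configured with to True/False."""
    names = cert_dns_names(cert)
    return {h: any(name_matches(n, h) for n in names) for h in client_hostnames}

# Constructed sample in the shape ssl.getpeercert() returns (not real data).
SAMPLE_CERT = {
    "subject": ((("commonName", "ourdomain.com.au"),),),
    "subjectAltName": (("DNS", "ourdomain.com.au"),),
}

if __name__ == "__main__":
    # Live use: audit(presented_cert("ourdomain.com.au"), [...])
    for host, ok in audit(SAMPLE_CERT, ["ourdomain.com.au",
                                        "mail.theirdomain.com.au"]).items():
        print(f"{host}: {'covered' if ok else 'NAME MISMATCH'}")
```

Running `presented_cert` before and after the reset, reinstall and restart steps shows whether the service has actually picked up the signed certificate.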