
Cert Hostname Does Not Verify

Comments

29 comments

  • cPanelMichael
    Hello, Could you verify a valid SSL certificate was installed for an affected domain name? For instance, when accessing the domain name via your web browser via the https URL and viewing the certificate, does it show as a signed certificate? Thank you.
    0
  • NOC_Serverpoint
    Hello, Can you please try using the hostname of your certificate as the MX record for the domains. Please check if you still get this error. Regards,
    0
  • James Bowlin
    Hello, Could you verify a valid SSL certificate was installed for an affected domain name? For instance, when accessing the domain name via your web browser via the https URL and viewing the certificate, does it show as a signed certificate? Thank you.

    Yes, a valid SSL certificate is installed for both domains. Navigating to https and viewing the certificate for each shows the correct domain listed in the Common Name of the certificate.
    0
  • James Bowlin
    Hello, Can you please try using the hostname of your certificate as the MX record for the domains. Please check if you still get this error. Regards,

    Hostname of which certificate? I have more than one certificate, and two of them are Domain Validated SSL certificates that cPanel's AutoSSL gets from Comodo. In the DV certs there is no hostname listed, only a Common Name, which is the same as the Domain Name for each and is already listed in my MX records.
    0
  • NOC_Serverpoint
    Hi, You need to check if the MX record is connecting to SSL ports. You can try using the below commands from the command line.
    openssl s_client -connect your.mx.com:465
    openssl s_client -connect your.mx.com:993
    Regards,
    0
  • James Bowlin
    The problem here is that the POP3 and IMAP services are using the SSL certificate for my server's FQDN/hostname server1.domain.com rather than the domain-specific certificate; I've enabled SNI for Mail on all domains. It has nothing to do with MX records and everything to do with cPanel not properly associating the SSL certificates with the mail server via SNI. I could do this manually via configuration files on my server, but that sort of defeats the purpose of my paying cPanel for software that's supposed to do this for me.
    0
  • NOC_Serverpoint
    Hi, Please have a look at the below article: Manage SSL Hosts - Version 60 Documentation - cPanel Documentation Thanks
    0
  • James Bowlin
    Hi, Please have a look at the below article:
    0
  • MironJ
    Hi, the same issue is happening to me on several servers where the server hostname SSL cert was updated; after that, SNI does not work for client domains anymore, even though I have enabled SNI for mail.
    0
  • cPanelMichael
    Hello, Please let us know the version of cPanel installed on systems where Mail SNI isn't working:
    cat /usr/local/cpanel/version
    Thank you.
    0
  • MironJ
    Hello, Please let us know the version of cPanel installed on systems where Mail SNI isn't working:
    cat /usr/local/cpanel/version
    Thank you.

    11.60.0.35 on every server
    0
  • cPanelMichael
    Hello @MironJ, Could you open a support ticket using the link in my signature so we can take a closer look and see what's happening? You can post the ticket number here so we can update this thread with the outcome. Thank you.
    0
  • MironJ
    Hi Michael, Here is: cPanel tickets ID# 8151245 Thank you
    0
  • cPanelMichael
    Hi Michael, Here is: cPanel tickets ID# 8151245 Thank you

    It looks like this may have occurred on systems with older email clients that don't support SNI. Could you verify if you are experiencing any additional issues? Thank you.
    0
  • FRWB
    I'm having this same issue. When I telnet mail.mydomain.com 587 the 220 banner says my hostname (which I changed from the original vps123.myhost.com hostname in an attempt to resolve this). When I send a HELO mail.mydomain.com it responds with 250 mail.mydomain.com Hello blah blah, but when I run the checkTLS test I get:
    [020.448] Cert Hostname DOES NOT VERIFY (mail.mydomain.com != vps123.myhost.com)
    [020.448] So email is encrypted but the host is not verified
    When checking the certs on my domains they look properly signed. Running cPanel version 62.0 (build 17). I have two domains on my VPS on one IP. In the Manage SSL section of cPanel it says my main domain does not require SNI, while it says the second domain does, but both domains fail the checktls.com test with the error I mentioned earlier. I've been stumped with this for a couple of days. Where is the test getting my old hostname from before I changed it?

    I've found this thread, SOLVED - Easy FIX your SMTP banner, SMTP greeting and Reverse DNS for Dedicated IPs, but it looks like he's using 2 IPs in his config. What would I do differently for a one-IP setup? Would I even need to mess with /etc/mailips since I only have one?
    0
  • cPanelMichael
    When I send a HELO mail.mydomain.com it responds with 250 mail.mydomain.com Hello blah blah, but when I run the checkTLS test I get:
    [020.448] Cert Hostname DOES NOT VERIFY (mail.mydomain.com != vps123.myhost.com)
    [020.448] So email is encrypted but the host is not verified
    When checking the certs on my domains they look properly signed.

    Hello, It's possible this is an issue with the CheckTLS website. Try checking the certificate manually using the openssl command. EX:
    openssl s_client -connect mail.domain.com:993 -servername domain.com
    Does it return the correct certificate for the domain name? Thank you.
    0
  • FRWB
    Hello, It's possible this is an issue with the CheckTLS website. Try checking the certificate manually using the openssl command. EX:
    openssl s_client -connect mail.domain.com:993 -servername domain.com
    Does it return the correct certificate for the domain name? Thank you.

    It spits back:

    CONNECTED(00000003)
    depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    verify return:1
    depth=0 CN = www.mydomain.com
    verify return:1
    ---
    Certificate chain
     0 s:/CN=www.mydomain.com
       i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
     1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
       i:/O=Digital Signature Trust Co./CN=DST Root CA X3
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    blah blah
    fVVSvz9tHp9aG2fT0Jn4EZ67BzN285Yp2g==
    -----END CERTIFICATE-----
    subject=/CN=www.mydomain.com
    issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    ---
    No client certificate CA names sent
    Server Temp Key: ECDH, secp384r1, 384 bits
    ---
    SSL handshake has read 3209 bytes and written 426 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: 8265129A3FE61E6168C4CFAB906C69D7E12B037A27267E0567C6AB418CE93FDE
        Session-ID-ctx:
        Master-Key: 5C8D8003B34ABEFB873638E64F8988F46087191373773A3533CFC1A47BB07B47AE27923C118D538441498E0141B300BB
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        TLS session ticket lifetime hint: 300 (seconds)
        TLS session ticket:
        0000 - 24 ed 40 b2 91 47 4c 40-63 d3 5e 25 14 5f 99 d5   $.@..GL@c.^%._..
        0010 - 06 54 a0 f9 87 b8 7e e1-b8 29 e8 12 72 3f 62 e5   .T....~..)..r?b.
        0020 - c2 bb 41 bc 1e 3d 03 e0-9e 84 d3 56 c8 bb 10 a1   ..A..=.....V....
        0030 - d6 3d 27 27 54 e1 94 36-62 82 54 80 1d 87 dc 9a   .=''T..6b.T.....
        0040 - e2 49 75 92 fb f4 eb eb-3f 0f 27 3e 30 29 de 51   .Iu.....?.'>0).Q
        0050 - 63 7c a8 46 e6 25 55 12-63 8e fb d9 23 ae e7 18   c|.F.%U.c...#...
        0060 - 63 c0 fb dc a1 c8 68 d2-7d 83 ff e4 1f 75 cf 85   c.....h.}....u..
        0070 - 95 d2 5f c9 c8 58 2c 5d-62 79 57 e7 cc 60 c3 ac   .._..X,]byW..`..
        0080 - d4 2b 0c 3f 2c 48 9a e7-fd 81 6e f9 f4 56 48 e6   .+.?,H....n..VH.
        0090 - 3f 5c 1e 81 83 07 30 16-38 b7 86 b1 78 ab 23 2b   ?\....0.8...x.#+
        00a0 - 78 86 d4 dd a8 6b 6a 4b-88 e6 d3 b5 0b e1 d6 ce   x....kjK........
        Start Time: 1490222805
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE NAMESPACE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
    CONNECTED(00000003)
    * BAD Error in IMAP command received by server.
    depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    verify return:1
    depth=0 CN = www.mydomain.com
    verify return:1
    ---
    Certificate chain
     0 s:/CN=www.mydomain.com
       i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
     1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
       i:/O=Digital Signature Trust Co./CN=DST Root CA X3
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    depth=2 BAD Error in IMAP command received by server.
    * BYE Too many invalid IMAP commands.
    closed
    Looks like it's saying 'bad error in IMAP command received by server'? That's not referring to the command you had me try is it? Should I compare this info against the certificate I see in the chrome dev tools?
    0
  • FRWB
    And if there was a problem with the checktls site I would expect there to be fails with a lot more email addresses. A Gmail address, an Office 365 address and a Yahoo address all pass the same test with flying colors.
    0
  • FRWB
    I followed your instructions in that post I linked to, and although the changes took without issue in Exim, I'm still getting 'cert hostname does not verify' on checktls, as well as 'rDNS does not match SMTP banner' on mxtoolbox. Does Exim have some default banner masking that I need to disable?
    0
  • FRWB
    Alright, so the banner check rDNS discrepancy comes up even for big EMS, so I guess that's not a big issue and isn't related to the cert check.
    0
  • cPanelMichael
    Hello, Are you experiencing any issues with actual email receiving or delivery using SSL/TLS in your email clients? The output from the openssl command suggests Mail SNI is working properly and fetching the correct certificate. Thank you.
    0
  • FRWB
    Hello, Are you experiencing any issues with actual email receiving or delivery using SSL/TLS in your email clients? The output from the openssl command suggests Mail SNI is working properly and fetching the correct certificate. Thank you.

    The mail is being received and delivered, but when I send out emails they are going into the spam folder on the recipient's end. I believe this lack of hostname verification against the certificate causes the email to be considered spam.
    0
  • lucvantien
    Hi, Try this way. You need to check if the MX record is connecting to SSL ports. You can try using the below commands from the command line.
    openssl s_client -connect your.mx.com:465
    openssl s_client -connect your.mx.com:993
    Good luck!
    0
  • FRWB
    Hi, Try this way. You need to check if the MX record is connecting to SSL ports. You can try using the below commands from the command line.
    openssl s_client -connect your.mx.com:465
    openssl s_client -connect your.mx.com:993
    Good luck!

    Both of those commands connect to the server just fine, but it looks like the first lines have the common name of my old VPS hostname. I had this issue before changing my hostname, I believe. How would I re-issue certs for the new hostname with AutoSSL? I thought that's something it would do on its own, since it renews them by itself...
    0
  • cPanelMichael
    Hello, That should happen automatically. Would you mind opening a support ticket using the link in my signature so we can take a closer look at your system? You can post the ticket number here so we can update this thread with the outcome. Thank you.
    0
  • FRWB
    Hello, That should happen automatically. Would you mind opening a support ticket using the link in my signature so we can take a closer look at your system? You can post the ticket number here so we can update this thread with the outcome. Thank you.

    Before we do that, someone from the Let's Encrypt forums I posted on mentioned that "The checktls.com test seems not to be using SNI to communicate with your mail server; that is the reason your mail server presents the default certificate, which in your case is a cPanel cert issued to vps123.myhosting.com. I don't know how to change it from cPanel, but in the exim4 conf you should have the directives tls_certificate and tls_privatekey pointing to this cPanel cert... you should change them to point to your Let's Encrypt certificate and restart the mail server so your certificate for mydomain.com will be the default, and you should pass the checktls tests." Would you happen to know how to change these directives in cPanel? Or should I just go in and change these manually via SSH? I could give it a shot, and if it doesn't work then I guess we can resort to a support ticket. Wouldn't want to make you guys do work without me giving it a good shot first lol.
    0
  • cPanelMichael
    Hello @FRWB, I don't recommend changing those directives in Exim, as the information in your last reply suggests the issue is with how the CheckTLS website is communicating with the mail server as opposed to any actual issue with the Exim configuration.
    The mail is being received and delivered, but when I send out emails they are going into the spam folder on the recipient's end. I believe this lack of hostname verification against the certificate causes the email to be considered spam.

    It's likely the issue with email reaching the SPAM folder on remote mail servers is entirely unrelated to the message from the CheckTLS website. You can review the following document to ensure your server follows the guidelines to keep email out of the SPAM folder: How to Keep your Email out of the Spam Folder - cPanel Knowledge Base - cPanel Documentation Additionally, if you'd like us to take a closer look and ensure SNI is enabled for your mail subdomains, feel free to open a support ticket using the link in my signature. Thank you.
    0
  • FRWB
    Hello @FRWB, I don't recommend changing those directives in Exim, as the information in your last reply suggests the issue is with how the CheckTLS website is communicating with the mail server as opposed to any actual issue with the Exim configuration. It's likely the issue with email reaching the SPAM folder on remote mail servers is entirely unrelated to the message from the CheckTLS website. You can review the following document to ensure your server follows the guidelines to keep email out of the SPAM folder:
    0
  • cPanelMichael
    Hello, To update, it looks like changing the MX record to the server's hostname will correct the warning message on the CheckTLS tool (assuming the SSL certificate installed for the Exim service with the server's hostname is valid). Thank you.
    1
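The following is an added example, not code from this thread, from cPanel or from CheckTLS. It reproduces the two observations the thread turns on: cPanelMichael's `openssl s_client ... -servername` check (a client that sends SNI gets the domain's certificate) and the closing note that a remote checker, which connects to the MX host without SNI, is handed the server's default certificate and compares its names against the MX hostname. The hostnames and ports in `__main__` (mail.mydomain.com as the MX host, mydomain.com as the SNI name, port 587) are placeholders; the parsing and name-matching helpers run offline on constructed input and are the part a practitioner would reuse.

```python
"""Show which certificate a mail server presents with and without SNI, and
apply the hostname check a remote TLS checker applies.  Added example; the
hostnames below are assumptions, not values from the thread."""
import re
import socket
import ssl
import sys


def hostname_matches(expected, cert_names):
    """RFC 6125-style DNS name match: exact, or a wildcard that stands for
    exactly one leftmost label (*.example.com matches mail.example.com,
    not example.com and not a.b.example.com)."""
    expected = expected.lower().rstrip('.')
    for pattern in cert_names:
        pattern = pattern.lower().rstrip('.')
        if pattern == expected:
            return True
        if pattern.startswith('*.'):
            suffix = pattern[1:]                      # ".example.com"
            if expected.endswith(suffix):
                first_label = expected[:-len(suffix)]
                if first_label and '.' not in first_label:
                    return True
    return False


def names_from_peercert(cert):
    """Names from the dict ssl.SSLSocket.getpeercert() returns:
    subject CN first, then every DNS entry of subjectAltName."""
    names = [value for rdn in cert.get('subject', ())
             for key, value in rdn if key == 'commonName']
    names += [value for key, value in cert.get('subjectAltName', ())
              if key == 'DNS']
    return names


def names_from_s_client(output):
    """Same for pasted `openssl s_client` text: the CN on the 'subject='
    line (old '/CN=x' and new 'CN = x' styles) plus any 'DNS:' entries
    present when -showcerts or x509 -text output is included."""
    names = re.findall(r'subject=.*?CN\s*=\s*([^,/\s]+)', output)
    names += re.findall(r'DNS:([^\s,]+)', output)
    return names


def verdict(expected, cert_names):
    """One-line verdict in the style the thread quotes from the checker."""
    if hostname_matches(expected, cert_names):
        return 'Cert Hostname VERIFIES (%s)' % expected
    presented = cert_names[0] if cert_names else '<no names in certificate>'
    return 'Cert Hostname DOES NOT VERIFY (%s != %s)' % (expected, presented)


def _smtp_reply(reader):
    """Read one (possibly multi-line) SMTP reply, return its 3-digit code."""
    while True:
        line = reader.readline()
        if not line:
            raise ConnectionError('server closed the connection')
        if line[3:4] == b' ':              # "250 " ends the reply, "250-" continues
            return line[:3]


def fetch_cert_names(host, port, servername=None, timeout=10):
    """Connect to a mail port and return the names in the certificate the
    server presents.  servername=None sends no SNI (what the remote checker
    does); a modern mail client sends the domain.  Ports 25/587 are
    upgraded with STARTTLS; 465/993/995 are implicit TLS.  The chain is
    still verified against the system CA store, so an untrusted chain
    raises ssl.SSLCertVerificationError rather than passing silently."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # hostname_matches() does this explicitly
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        if port in (25, 587):
            reader = raw.makefile('rb')
            _smtp_reply(reader)                                  # 220 banner
            raw.sendall(b'EHLO checker.invalid\r\n')
            _smtp_reply(reader)
            raw.sendall(b'STARTTLS\r\n')
            if _smtp_reply(reader) != b'220':
                raise RuntimeError('server refused STARTTLS')
        tls = ctx.wrap_socket(raw, server_hostname=servername)
        try:
            return names_from_peercert(tls.getpeercert())
        finally:
            tls.close()
    except Exception:
        raw.close()
        raise


if __name__ == '__main__':
    # Placeholders (assumptions): the MX host and the domain a client sends as SNI.
    # Usage: python check_mail_sni.py mail.mydomain.com mydomain.com [587]
    mx_host, domain = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 587
    for label, sni in (('no SNI (checker-style)', None),
                       ('SNI = domain', domain),
                       ('SNI = MX host', mx_host)):
        names = fetch_cert_names(mx_host, port, servername=sni)
        print('%-24s presents %s' % (label, names))
        print('%-24s %s' % ('', verdict(mx_host, names)))
```

Run against a cPanel box with Mail SNI enabled, the first line typically shows the hostname certificate (the default Exim/Dovecot cert) and the second the domain's AutoSSL certificate; the verdict on the first line is the one a no-SNI checker reports, which is why pointing the MX record at the hostname, or putting the MX name in the default certificate's SAN list, clears it without touching Exim's tls_certificate directives.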
