AutoSSL to generate LE SAN/UCC cert for IMAPS/POP3S
How can I use AutoSSL to generate a Let's Encrypt SAN/UCC TLS cert for IMAPS/POP3S in cPanel for all or selected domains (e.g., to ensure 'mail.DOMAIN.COM' doesn't give an SSL error for clients)?
-
Hey there! I suppose I need a bit more context before I can answer this one. Can you let me know how you are creating the mail subdomain for your users and where you have that pointed? Once I know that I should be able to get you better information.
0 -
The mail subdomains are all created in their accounts with the same document root, and all domains on the server point to the same main IP as the base IP of the server itself (i.e., there is only 1 IP for everything). All mail.DOMAIN.COM names point to the single IP.
0 -
If that's the case, I would expect AutoSSL to handle this without an issue. Are you seeing problems with the AutoSSL implementation on that system?
0 -
I'm assisting WhipWorks on this ticket - no,
echo | openssl s_client -servername mail.DOMAIN.COM -connect mail.DOMAIN.COM:imaps 2>/dev/null | openssl x509 -noout -text | grep DNS
produces exactly one name, the main hostname of the cPanel server, not MAIL.DOMAIN.COM - no SANs in the key. So of course anyone not using the server base hostname but instead their own MAIL.DOMAIN.COM will get an error or warning.
Please advise how to use AutoSSL to generate this key with multiple SANs for every mail.domain.com account in it?
Strong underline: This is for IMAPS (and SMTP) service. Not HTTPS.
0 -
Hey Ken Chase!
I'm saying this should already be happening on the server by default - if the domain exists on the system, AutoSSL should be creating a certificate for it.
It would likely be best to create a ticket as something is happening specifically with your configuration and not a general cPanel issue.
0 -
What's curious is AutoSSL works for Apache just fine:
# DOMAIN=customer.com ; echo | openssl s_client -servername $DOMAIN -connect $DOMAIN:https 2>/dev/null | openssl x509 -noout -text | grep DNS
DNS:customer.com, DNS:www.customer.com
So that makes sense - there are no SANs, but the primary name in the cert is equal to the hostname, as Apache is presenting a different certificate depending on the request, so it all works fine.
(This is not how SAN keys work, this is a different individual cert being presented for each site. I figure this is just the way that cPanel does things? Allowing multiple different certs to be custom ordered and provided by each customer as they wish, instead of all bundled into one LE cert, e.g.)
But this is not happening with IMAPS as per above. I don't know if IMAP doesn't have the ability to present different keys as Apache does, or if there's some major setup error on our instance. I suppose details will be investigated in the ticket.
0 -
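Added example, not part of the thread and not cPanel's own tooling: a shell wrapper around the openssl check posted above that tests, for each SNI name on a given mail port, whether the certificate actually served lists that name as a SAN (wildcards included). The function names are hypothetical, and 993 (IMAPS), 995 (POP3S) and 465 (SMTPS) are assumed as the implicit-TLS ports.

```shell
# Added example. san_covers NAME "DNS:a, DNS:b": exit 0 if NAME matches an entry.
# Case-insensitive; "*.example.com" stands for exactly one extra label.
san_covers() {
    local name entry suffix left
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        [ "$entry" = "$name" ] && return 0
        case "$entry" in
            \*.*)
                suffix=${entry#\*}          # "*.example.com" -> ".example.com"
                case "$name" in
                    *"$suffix")
                        left=${name%"$suffix"}
                        [ -n "$left" ] && [ "${left#*.}" = "$left" ] && return 0
                        ;;
                esac
                ;;
        esac
    done <<EOF
$(printf '%s\n' "$2" | tr 'A-Z' 'a-z' | tr ',' '\n' | sed -n 's/^[[:space:]]*dns://p')
EOF
    return 1
}

# presented_sans NAME PORT: the openssl check from the thread, for any
# implicit-TLS port. Prints the DNS: line of the certificate served for NAME.
presented_sans() {
    echo | openssl s_client -servername "$1" -connect "$1:$2" 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null | grep 'DNS:'
}

# audit_mail_names PORT NAME...: one line per name; returns 1 on any mismatch.
audit_mail_names() {
    local port name sans rc
    port=$1; rc=0; shift
    for name in "$@"; do
        sans=$(presented_sans "$name" "$port") || sans=
        if san_covers "$name" "$sans"; then
            echo "OK        $name:$port"
        else
            echo "MISMATCH  $name:$port presented: ${sans:-none}"
            rc=1
        fi
    done
    return "$rc"
}

# Usage (names are placeholders): audit_mail_names 993 mail.customer.com
```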
Hi cPRex,
Currently, some of our customers are having issues with authentication. Mostly on phones, and some we found are Outlook programs that are on Windows 7. With that, our customers are going to try and update their Windows to 10. With the phones though, whatever combination of email servers, ports, and SSL isn't working. For some reason mail.domainname.com isn't verifying. But using our mail server directly somehow works.
Please let me know where and how we can open a ticket to get this resolved. Thank you.
0 -
If your cPanel license is purchased directly from cPanel, you can create a support ticket in WHM -> Support -> Create Support Ticket
0