Author Topic: Auto SSL certificate for mail only  (Read 505 times)

Auto SSL certificate for mail only
« on: October 03, 2024, 02:24:24 AM »
I have been using CWP for a few years and I have a recurring problem with SSL.
This happens when I use my CWP server only to host emails. I can point the @ - A record to another server or I can have another server pointing to my email records.
When I do this, AutoSSL returns a message: "Some of the selected services will not be installed, due to DNS redirection problems. Services that will be skipped: maindomain"
I continue installing the certificate only for mail and webmail and it completes successfully.
However, when I try to access these subdomains, the browser does not recognize it as a valid certificate, because it is generated with the address of my hostname "host.server.com" and this makes the certificate invalid.
Has anyone ever experienced this? Is there a solution?

Re: Auto SSL certificate for mail only
« Reply #1 on: October 03, 2024, 02:38:03 AM »
Do you have http -> https 301 redirects in place for the domain/www.domain? It needs HTTP access to complete the process successfully.

Re: Auto SSL certificate for mail only
« Reply #2 on: October 03, 2024, 08:00:20 AM »
As I understand, you have some domain name (I will call it domain.com) pointed to some IP (1.1.1.1) and want two subdomains, webmail.domain.com and mail.domain.com, pointed to 2.2.2.2 to be accessible over HTTPS. You are able to request the SSL certificates for domain.com and the subdomains successfully, but the subdomains show a warning when you access them over HTTPS.

I just recommend you to go to "CWP admin" --> "WebServer Settings" --> "SSL Certificates" --> List installed (tab) --> "Admin Services" near the domain associated with the subdomains you want to apply the SSL for --> "Check the options Webmail, Mail" --> "Apply the changes".

Wait some time and check if the problem is solved.

Re: Auto SSL certificate for mail only
« Reply #3 on: October 04, 2024, 01:32:40 PM »
how to do this?

Quote
Do you have http -> https 301 redirects in place for the domain/www.domain? It needs HTTP access to complete the process successfully.

Re: Auto SSL certificate for mail only
« Reply #4 on: October 04, 2024, 01:37:08 PM »
In Admin Services, the certificates for mail and webmail are installed. However, since the main domain is pointed to another server, it creates the certificates with my host's domain. For example: site.com is my website's domain. The certificate is generated with the host.server.com domain. And this prevents the certificate from being validated in the browser.


Re: Auto SSL certificate for mail only
« Reply #5 on: October 04, 2024, 04:07:05 PM »
Try to do the following:

1. Access your server as root over SSH
2. Go to:
Code:
/root/.acme.sh/cwp_certs/DOMAIN/
where DOMAIN is the domain name your subdomains are associated with.
3. Edit the file (make a backup of the file before you modify it):
Code:
DOMAIN.conf
Remove all objects pointed to a 3rd party server and listed in:
Code:
Le_Domain=
Le_Alt=
Leave only objects (subdomains) pointed to this server. Move some subdomain listed in "Le_Alt" to "Le_Domain".

4. Try to request the new SSL via the admin area of CWP.

However, I am not sure if this way is correct to fix the problem.

Re: Auto SSL certificate for mail only
« Reply #6 on: October 04, 2024, 06:17:01 PM »
In my server2, the DNS configuration:

domain.com A 2.2.2.2
mail.domain.com A 1.1.1.1
webmail.domain.com A 1.1.1.1
smtp.domain.com A 1.1.1.1
imap.domain.com A 1.1.1.1
pop.domain.com A 1.1.1.1
pop3.domain.com A 1.1.1.1
domain.com MX mx.server1.com

In my server1, /root/.acme.sh/cwp_certs/www.domain.com/mail.domain.com.conf

Le_Domain='mail.domain.com'
Le_Alt='webmail.domain.com'
Le_Webroot='/usr/local/apache/autossl_tmp/'
Le_PreHook=''
Le_PostHook=''
Le_RenewHook=''
Le_API='https://acme-v02.api.letsencrypt.org/directory'
Le_Keylength='ec-256'
Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/1961123261396/310612395210307'
Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/1961261123396/312310695210307'
Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/03b47ed123d6aa00b71f7da7a0a01ccea7c56ce'
Le_CertCreateTime='1728123049081'
Le_CertCreateTimeStr='2024-10-04T13:38:01Z'
Le_Listen_V4='1'
Le_NextRenewTimeStr='2024-12-02T13:38:01Z'
Le_NextRenewTime='1731233146681'
Le_RealCertPath='/etc/pki/tls/certs/domain.com.cert'
Le_RealCACertPath=''
Le_RealKeyPath='/etc/pki/tls/private/domain.com.key'
Le_ReloadCmd=''
Le_RealFullChainPath='/etc/pki/tls/certs/domain.com.bundle'

But, in navigator, the certificate points to host.server1.com instead of domain.com

« Last Edit: October 04, 2024, 06:22:16 PM by rafaelsantos »
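
As an added example (not code from the thread, CWP or acme.sh), this sketch runs the two checks the discussion turns on: which names in the posted conf have an A record on the mail server, and whether a certificate's SAN list covers the name the browser asked for. The conf lines and A records are constructed from the values in Reply #6; the function names and the SAN lists are assumptions.

```python
import re

# Constructed sample input: conf lines and A records as posted in Reply #6.
CONF = """\
Le_Domain='mail.domain.com'
Le_Alt='webmail.domain.com'
Le_Webroot='/usr/local/apache/autossl_tmp/'
"""
A_RECORDS = {"domain.com": "2.2.2.2", "mail.domain.com": "1.1.1.1",
             "webmail.domain.com": "1.1.1.1"}
MAIL_SERVER_IP = "1.1.1.1"  # server1 in the thread


def conf_names(conf_text):
    """Names the conf will request: Le_Domain first, then Le_Alt."""
    values = dict(re.findall(r"^(Le_\w+)='(.*)'$", conf_text, re.M))
    names = [values.get("Le_Domain", "")]
    alt = values.get("Le_Alt", "")
    if alt and alt != "no":  # acme.sh writes 'no' when there are no alt names
        names += alt.split(",")
    return [n.strip().lower() for n in names if n.strip()]


def split_by_dns(names, a_records, server_ip):
    """Split names into (A record is this server, A record elsewhere or missing)."""
    here = [n for n in names if a_records.get(n) == server_ip]
    return here, [n for n in names if n not in here]


def cert_covers(hostname, san_dns_names):
    """Simplified client name check: exact SAN match, or '*.' for one left-most label."""
    host = hostname.lower().rstrip(".")
    for san in (s.lower() for s in san_dns_names):
        if san == host:
            return True
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False


if __name__ == "__main__":
    wanted = conf_names(CONF) + ["domain.com"]
    here, elsewhere = split_by_dns(wanted, A_RECORDS, MAIL_SERVER_IP)
    print("can be validated on this server:", here)
    print("keep out of Le_Domain/Le_Alt:", elsewhere)
    # Assumed SAN lists: a hostname-only certificate vs. one issued from the conf.
    print(cert_covers("mail.domain.com", ["host.server1.com"]))
    print(cert_covers("mail.domain.com", conf_names(CONF)))
```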

Re: Auto SSL certificate for mail only
« Reply #7 on: October 04, 2024, 06:54:33 PM »
I don't understand this:
Quote
But, in navigator, the certificate points to host.server1.com instead of domain.com
Could you please clarify this (provide a screenshot or something like that)?

Re: Auto SSL certificate for mail only
« Reply #8 on: October 04, 2024, 07:10:38 PM »


What I have done to solve the problem is to change the A record to the IP of server1, generate the certificate and then I change the A record to the IP of server2... but isn't there a more correct way to do this?


Re: Auto SSL certificate for mail only
« Reply #9 on: October 04, 2024, 09:21:31 PM »
Go to "CWP admin" --> "WebServer Settings" --> "SSL Certificates" --> List installed (tab) --> "Admin Services" near the domain associated with the subdomains you want to apply the SSL for --> "Check the options Webmail, Mail" --> "Apply the changes".

Make sure the SSL is installed and you have "Webmail", "Mail" in the column "Services" associated with the domain name.

Currently it looks like you haven't enabled the SSL for the domain name.

If it doesn't work still then show us what you see in the column "services" in the row of the problematic domain like this:
https://i.imgur.com/VcGsYAV.png

Re: Auto SSL certificate for mail only
« Reply #10 on: November 13, 2024, 07:51:47 PM »
The problem is:

1 - AutoSSL can't install the certificate for the maindomain, because it's pointed to another server.

2 - AutoSSL asks if I want to skip the maindomain and generate the certificate only for the subdomains (mail and webmail).

3 - The certificate generation process is completed.

4 - But the certificates are invalid, because the SSL is signed with my host's domain instead of being signed with the maindomain.

I can't believe no one has had this same problem? Has anyone ever tried to use CWP only as an email server?



Re: Auto SSL certificate for mail only
« Reply #11 on: November 25, 2024, 12:57:25 PM »
up!

Re: Auto SSL certificate for mail only
« Reply #12 on: November 26, 2024, 03:53:01 AM »
Just thinking aloud but I wonder if using a subdomain would work for you?

If you point your MX to mail.yourdomain.com, create an A record for mail.yourdomain.com to point to your mail server and then add a new user on your mail server (using mail.yourdomain.com as the user domain name).

Haven't tried myself but might be worth a shot.
« Last Edit: November 26, 2024, 04:11:31 AM by 6Sense »
Web Design, Development & Web Hosting
https://6sense.com.au

Re: Auto SSL certificate for mail only
« Reply #13 on: November 26, 2024, 01:56:37 PM »
Thank you for your reply.
But the problem is not the email configuration. I set up the MX, mail, webmail, etc. and it works correctly.
The problem is the generation of the SSL certificate.
AutoSSL generates the certificate with my host's domain (host.server.com) because the main domain is on another server.
When I access mail.domain.com or webmail.domain.com the certificate is invalid.


Re: Auto SSL certificate for mail only
« Reply #14 on: November 26, 2024, 10:35:43 PM »
Ya but I'm thinking you can generate a new account using the subdomain (mail.yourdomain.com) as the account domain on your mail server. It will need an A record pointed correctly to it and Let's Encrypt should issue a new SSL for it when you click create (just ensure AutoSSL is ticked under additional options). Let's Encrypt certs can't do what you want at the moment but it might work for a subdomain.

I haven't tested but am assuming this might work for you.