Auto SSL certificate for mail only

I have been using CWP for a few years and I have a recurring problem with SSL.
This happens when I use my CWP server only to host emails. I can point the @ - A record to another server or I can have another server pointing to my email records.
When I do this, AutoSSL returns a message: "Some of the selected services will not be installed, due to DNS redirection problems. Services that will be skipped: maindomain"
I continue installing the certificate only for mail and webmail and it completes successfully.
However, when I try to access these subdomains, the browser does not recognize it as a valid certificate, because it is generated with the address of my hostname "host.server.com" and this makes the certificate invalid.
Has anyone ever experienced this? Is there a solution?

Do you have http -> https 301 redirects in place for the domain/www.domain? It needs HTTP access to complete the process successfully.

As  understand you have some domain name (I will call it domain.com) pointed to some IP (1.1.1.1) and want two subdomains webmail.domain.com, mail.domain.com pointed to 2.2.2.2 to be accessible over HTTPS. You are able to request the SSL certificates for the domain.com and subdomains successfully but the subdomains show warning when you access them over HTTPS.

I just recommend you to go to "CWP admin" --> "WebServer Settings" --> "SSL Certificates" --> List installed (tab) --> "Admin Services" near the domain associated with the subdomains you want to apply the SSL for --> "Check the options Webmail, Mail" --> "Apply the changes".

Wait some time and check if the problem is solved.

how to do this?

Do you have http -> https 301 redirects in place for the domain/www.domain? It needs HTTP access to complete the process successfully.

In Admin Services, the certificates for mail and webmail are installed. However, since the main domain is pointed to another server, it creates the certificates with my host's domain. For example: site.com is my website's domain. The certificate is generated with the host.server.com domain. And this prevents the certificate from being validated in the browser.

As  understand you have some domain name (I will call it domain.com) pointed to some IP (1.1.1.1) and want two subdomains webmail.domain.com, mail.domain.com pointed to 2.2.2.2 to be accessible over HTTPS. You are able to request the SSL certificates for the domain.com and subdomains successfully but the subdomains show warning when you access them over HTTPS.

I just recommend you to go to "CWP admin" --> "WebServer Settings" --> "SSL Certificates" --> List installed (tab) --> "Admin Services" near the domain associated with the subdomains you want to apply the SSL for --> "Check the options Webmail, Mail" --> "Apply the changes".

Wait some time and check if the problem is solved.

Try to do following:

1. Access your server as root over SSH
2. Go to:

Code: [Select]

/root/.acme.sh/cwp_certs/DOMAIN/where DOMAIN is the domain name your subdomains are associated with.
3. Edit the file (make backup of the file before you modify it):

Code: [Select]

DOMAIN.confRemove all objects pointed to a 3rd party server and listed in:

Code: [Select]

Le_Domain=
Le_Alt=Leave only objects (subdomains) pointed to this server. Move some subdomain listed in "Le_Alt" to "Le_Domain".

4. Try to request the new SSL via the admin area of CWP.

However, I am not sure if this way is correct to fix the problem.

In my server2, the DNS configuration:

domain.com A 2.2.2.2
mail.domain.com A 1.1.1.1
webmail.domain.com A 1.1.1.1
smtp.domain.com A 1.1.1.1
imap.domain.com A 1.1.1.1
pop.domain.com A 1.1.1.1
pop3.domain.com A 1.1.1.1
domain.com MX mx.server1.com

In my server1, /root/.acme.sh/cwp_certs/www.domain.com/mail.domain.com.conf

Le_Domain='mail.domain.com'
Le_Alt='webmail.domain.com'
Le_Webroot='/usr/local/apache/autossl_tmp/'
Le_PreHook=''
Le_PostHook=''
Le_RenewHook=''
Le_API='https://acme-v02.api.letsencrypt.org/directory'
Le_Keylength='ec-256'
Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/1961123261396/310612395210307'
Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/1961261123396/312310695210307'
Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/03b47ed123d6aa00b71f7da7a0a01ccea7c56ce'
Le_CertCreateTime='1728123049081'
Le_CertCreateTimeStr='2024-10-04T13:38:01Z'
Le_Listen_V4='1'
Le_NextRenewTimeStr='2024-12-02T13:38:01Z'
Le_NextRenewTime='1731233146681'
Le_RealCertPath='/etc/pki/tls/certs/domain.com.cert'
Le_RealCACertPath=''
Le_RealKeyPath='/etc/pki/tls/private/domain.com.key'
Le_ReloadCmd=''
Le_RealFullChainPath='/etc/pki/tls/certs/domain.com.bundle'

But, in navigator, the certificate point to host.server1.com instead of domain.com

Try to do following:

1. Access your server as root over SSH
2. Go to:

Code: [Select]

/root/.acme.sh/cwp_certs/DOMAIN/where DOMAIN is the domain name your subdomains are associated with.
3. Edit the file (make backup of the file before you modify it):

Code: [Select]

DOMAIN.confRemove all objects pointed to a 3rd party server and listed in:

Code: [Select]

Le_Domain=
Le_Alt=Leave only objects (subdomains) pointed to this server. Move some subdomain listed in "Le_Alt" to "Le_Domain".

4. Try to request the new SSL via the admin area of CWP.

However, I am not sure if this way is correct to fix the problem.

I don't understand this:

But, in navigator, the certificate point to host.server1.com instead of domain.com

Could you please clear this (provide screenshot or something like that) ?

What I have done to solve the problem is to change the A record to the IP of server1, generate the certificate and then I change the A record to the IP of server2... but isn't there a more correct way to do this?

I don't understand this:

But, in navigator, the certificate point to host.server1.com instead of domain.com

Could you please clear this (provide screenshot or something like that) ?

Go to "CWP admin" --> "WebServer Settings" --> "SSL Certificates" --> List installed (tab) --> "Admin Services" near the domain associated with the subdomains you want to apply the SSL for --> "Check the options Webmail, Mail" --> "Apply the changes".

Make sure the SSL is installed and you have "Webmail", "Mail"  in the column "Services" associated with the domain name.

Currently it looks like you haven't enabled the SSL for the domain name.

If it doesn't work still then show us what you see in the column "services" in the row of the problematic domain like this:
https://i.imgur.com/VcGsYAV.png

The problem is:

1 - AutoSSL can't install the certificate for the maindomain, because it's pointed to another server.

2 - AutoSSL asks if I want to skip the maindomain and generate the certificate only for the subdomains (mail and webmail).

3 - The certificate generation process is completed.

4 - But the certificates are invalid, because the SSL is signed with my host's domain instead of being signed with the maindomain.

I can't believe no one has had this same problem? Has anyone ever tried to use CWP only as an email server?

Go to "CWP admin" --> "WebServer Settings" --> "SSL Certificates" --> List installed (tab) --> "Admin Services" near the domain associated with the subdomains you want to apply the SSL for --> "Check the options Webmail, Mail" --> "Apply the changes".

Make sure the SSL is installed and you have "Webmail", "Mail"  in the column "Services" associated with the domain name.

Currently it looks like you haven't enabled the SSL for the domain name.

If it doesn't work still then show us what you see in the column "services" in the row of the problematic domain like this:
https://i.imgur.com/VcGsYAV.png