Solved CentOS7 - Google Says: TLS Negotiation failed, the certificate doesn't match the host.

SupermanInNY · Verified User · Joined Sep 28, 2004 · Messages: 428
Hi All,

I migrated all my clients from a CentOS 6 server to a CentOS 7 server.
All is working fine, except that suddenly all clients who use Gmail are getting an error with their hostname.


mail.domainname.com gives now an error msg:

TLS Negotiation failed, the certificate doesn't match the host.

When I put my server's hostname instead of their personal mail.theirdomain.com in the hostname, then it works fine.
I have LetsEncrypt with mail.theirdomainname.com set up and showing that it has an SSL.
However, if I try to access it via https, it shows a warning of "wrong certificate" and is indeed showing the server's hostname certificate.

So what am I missing about this step?

:/usr/local/directadmin/conf # vi directadmin.conf

...
enable_ssl_sni=1
mail_sni=1
ssl=1

I rebooted the server after I applied these settings.

I have run

cd /usr/local/directadmin/scripts
./letsencrypt.sh request_single `hostname` 4096

(so at least this one is responding)

But, how to make it work with all ssl certificate locations?

/usr/local/directadmin/conf # exim -bV
Exim version 4.96 #2 built 31-Jul-2022 11:47:04
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2022
Berkeley DB: Berkeley DB 5.3.21: (May 11, 2012)
Support for: crypteq IPv6 Perl OpenSSL TLS_resume move_frozen_messages Content_Scanning DKIM DNSSEC Event OCSP PIPECONNECT PRDR Queue_Ramp SPF SRS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb
Authenticators: cram_md5 dovecot plaintext spa
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Malware: f-protd f-prot6d drweb aveserver fsecure kavdaemon sophie clamd mksd avast sock cmdline
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
2022-07-31 16:08:31 cwd=/usr/local/directadmin/conf 2 args: exim -bV
Configuration file is /etc/exim.conf

/usr/local/directadmin/conf # less /etc/exim.conf
# SpamBlockerTechnology* powered exim.conf, Version 4.5.41
# July 18, 2022
# Exim configuration file for DirectAdmin
# Requires exim.pl as distributed by DirectAdmin here:
# http://files.directadmin.com/services/exim.pl version 21 or higher
# ClamAV optional
# SpamAssassin optional
# Dovecot/IMAP Mandatory
# *SpamBlockerTechnology is a Trademark of NoBaloney In


Thanks for any input.

-Sup.
 
Interesting, I have a similar problem. Also, it only works if we use the server hostname SSL.
Did you fix your problem?
 
Hello.
I also had the same problem as you, so I contacted support for my server.
They suggested:

cd /usr/local/directadmin/custombuild
./build update
./build exim_conf

Now it works ok.
 
It's too simple hahaha.
I see now that exim_conf handles the certs:

MAIL_SNI_OPT=`getDA_Opt mail_sni 1`
if [ "${MAIL_SNI_OPT}" -ge 1 ]; then
    # Work out which file still carries the static tls_certificate line
    REPLACE_EXIM_TLS=false
    if grep -m1 -q '^tls_certificate *= */etc/exim.\cert' /etc/exim.variables.conf; then
        EXIM_TLS_FILE=/etc/exim.variables.conf
        REPLACE_EXIM_TLS=true
    elif grep -m1 -q '^tls_certificate *= */etc/exim.\cert' /etc/exim.conf; then
        EXIM_TLS_FILE=/etc/exim.conf
        REPLACE_EXIM_TLS=true
    fi
    # Swap the static cert/key paths for an expansion that looks up $tls_in_sni in
    # /etc/virtual/snidomains and falls back to /etc/exim.cert and /etc/exim.key
    if ${REPLACE_EXIM_TLS}; then
        perl -pi -e 's|^tls_certificate *\= */etc/exim\.cert|tls_certificate=\$\{if exists\{/etc/virtual/snidomains\}\{\$\{lookup\{\$tls_in_sni\}nwildlsearch\{/etc/virtual/snidomains\}\{\$\{if exists\{/usr/local/directadmin/data/users/\$\{extract\{1\}\{:\}\{\$value\}\}/domains/\$\{extract\{2\}\{:\}\{\$value\}\}.cert.combined\}\{/usr/local/directadmin/data/users/\$\{extract\{1\}\{:\}\{\$value\}\}/domains/\$\{extract\{2\}\{:\}\{\$value\}\}.cert.combined\}\{/etc/exim.cert\}\}\}\{/etc/exim.cert\}\}\}\{/etc/exim.cert\}\}|' ${EXIM_TLS_FILE}
        perl -pi -e 's|^tls_privatekey *\= */etc/exim\.key|tls_privatekey=\$\{if exists\{/etc/virtual/snidomains\}\{\$\{lookup\{\$tls_in_sni\}nwildlsearch\{/etc/virtual/snidomains\}\{\$\{if exists\{/usr/local/directadmin/data/users/\$\{extract\{1\}\{:\}\{\$value\}\}/domains/\$\{extract\{2\}\{:\}\{\$value\}\}.key\}\{/usr/local/directadmin/data/users/\$\{extract\{1\}\{:\}\{\$value\}\}/domains/\$\{extract\{2\}\{:\}\{\$value\}\}.key\}\{/etc/exim.key\}\}\}\{/etc/exim.key\}\}\}\{/etc/exim.key\}\}|' ${EXIM_TLS_FILE}
    fi
fi
# Make sure Exim has its own DH parameters file and references it
if ! grep -m1 -q '^tls_dhparam' /etc/exim.variables.conf; then
    if [ ! -s /etc/exim_dh.pem ]; then
        ensure_dhparam /etc/exim_dh.pem
        chown mail:mail /etc/exim_dh.pem
        chmod 400 /etc/exim_dh.pem
    fi
    if [ -s /etc/exim_dh.pem ]; then
        echo 'tls_dhparam = /etc/exim_dh.pem' >> /etc/exim.variables.conf
        echo 'tls_dh_max_bits = 4096' >> /etc/exim.variables.conf
    fi
fi
# Generate an SRS secret once, if none exists yet
EXIM_SRS_CONF=/etc/exim.srs.conf
if ! grep -q '^SRS_SECRET' ${EXIM_SRS_CONF} 2>/dev/null; then
    echo -n "SRS_SECRET = " > ${EXIM_SRS_CONF}
    /usr/bin/openssl rand -base64 48 >> ${EXIM_SRS_CONF}
fi
else ..........

I didn't know about exim_conf. I wish I knew about this earlier.

Good job DBD2, I appreciate your input.
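To see why the old static tls_certificate line serves the server hostname's certificate to every client while the rewritten expansion hands out the per-domain one, here is a small shell script that re-implements the selection logic of that expansion outside Exim. This is an added example, not code from DirectAdmin, Exim or the thread's participants. It assumes that lines in /etc/virtual/snidomains have the form key:user:domain (so extract{1}{:} gives the user and extract{2}{:} the domain), that only exact and leading-asterisk wildcard keys of nwildlsearch need handling, and that SNI_FILE, DA_USERS and DEFAULT_CERT may override the production paths so it can run against constructed files in a temporary directory.

```shell
#!/bin/sh
# Added example (not DirectAdmin's or Exim's code): mirrors the certificate
# selection done by the tls_certificate expansion that ./build exim_conf writes.
#
# Assumptions, not stated on the page:
#  * /etc/virtual/snidomains lines look like  mail.example.com:admin:example.com
#  * nwildlsearch subset: exact keys and "*.suffix" keys, case-insensitive;
#    regex (^...) keys are not handled
#  * SNI_FILE, DA_USERS, DEFAULT_CERT override the real paths for testing

# Print the value of the first line whose key matches $1 in file $2.
lookup_nwild() {
    key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    file=$2
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        k=$(printf '%s' "${line%%:*}" | tr '[:upper:]' '[:lower:]')
        v=${line#*:}
        v=${v#"${v%%[! ]*}"}                # lsearch allows "key: value"
        if [ "$k" = "$key" ]; then printf '%s\n' "$v"; return 0; fi
        case "$k" in
            '*'*) suffix=${k#\*}            # "*.example.net" -> ".example.net"
                  case "$key" in *"$suffix") printf '%s\n' "$v"; return 0 ;; esac ;;
        esac
    done < "$file"
    return 1
}

# Same decision tree as the expansion: no snidomains file, no matching key,
# or no issued per-domain .cert.combined all fall back to the default cert.
resolve_sni_cert() {
    sni=$1
    sni_file=${SNI_FILE:-/etc/virtual/snidomains}
    da_users=${DA_USERS:-/usr/local/directadmin/data/users}
    default_cert=${DEFAULT_CERT:-/etc/exim.cert}

    if [ ! -f "$sni_file" ]; then printf '%s\n' "$default_cert"; return 0; fi
    if ! value=$(lookup_nwild "$sni" "$sni_file"); then
        printf '%s\n' "$default_cert"; return 0
    fi
    user=${value%%:*}                       # extract{1}{:}{$value}
    rest=${value#*:}
    domain=${rest%%:*}                      # extract{2}{:}{$value}
    cert="$da_users/$user/domains/$domain.cert.combined"
    if [ -f "$cert" ]; then printf '%s\n' "$cert"; else printf '%s\n' "$default_cert"; fi
}

# Constructed fixture: two mapped names, only one with an issued certificate.
# Prints the temporary directory it created.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/users/admin/domains" "$d/users/bob/domains"
    printf '%s\n' \
        '# key:user:domain (constructed sample)' \
        'mail.example.com:admin:example.com' \
        '*.example.net:bob:example.net' \
        > "$d/snidomains"
    : > "$d/users/admin/domains/example.com.cert.combined"   # cert issued
    : > "$d/exim.cert"                                       # server hostname cert
    printf '%s\n' "$d"
}

# Run with --demo to print what each SNI name would be served.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_fixture)
    SNI_FILE="$d/snidomains"; DA_USERS="$d/users"; DEFAULT_CERT="$d/exim.cert"
    export SNI_FILE DA_USERS DEFAULT_CERT
    for name in mail.example.com MAIL.EXAMPLE.COM mail.example.net mail.other.org; do
        printf '%-20s -> %s\n' "$name" "$(resolve_sni_cert "$name")"
    done
    rm -rf "$d"
fi
```

The mail.example.net case is the one worth noting: the name is mapped in snidomains, but because no .cert.combined has been issued for that domain the expansion silently falls back to /etc/exim.cert, which is exactly the "certificate doesn't match the host" symptom from the first post. On a live server the same thing can be observed from the outside with openssl s_client -servername mail.example.com -connect mail.example.com:587 -starttls smtp (or port 465 without -starttls), comparing the subject alternative names of the certificate returned with the hostname the mail client was given.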
 