CyberPanel has a built-in certificate issuing mechanism: it uses the Let's Encrypt certificate authority to obtain an SSL/TLS certificate for your websites. We have a tutorial on how to issue SSL certificates for your domain here.

However, if CyberPanel is unable to obtain a certificate for your domain, it generates a self-signed certificate instead. Browsers do not trust a self-signed certificate, so they show a full-page warning that the connection is not secure.

In this tutorial, we look at the most common causes of a failed issuance and how to fix each of them.

Major SSL Certificate issues in CyberPanel

1. A Record or IP Address Issue

CyberPanel can only obtain certificates for websites hosted on the server, and only if the domain actually resolves to that server. To verify this, use What's My DNS to check that the A record for your domain points to the server IP shown at the top left of the CyberPanel dashboard, just below the CyberPanel logo.

If it doesn't match, change the A record to this IP in your DNS provider's settings. If you use Cloudflare, What's My DNS may show a different (Cloudflare) IP; in that case make sure the IP entered in the Cloudflare DNS setting itself is the server IP.

2. ACME Client Verification

CyberPanel uses acme.sh, an ACME client, to issue SSL certificates and to renew them every 90 days. If the client is outdated or has been removed from the server, issuance cannot proceed at all.

To check and update the ACME client to the latest version, run the following command:

wget -O - https://get.acme.sh | sh

Then go back to the SSL menu, choose Manage SSL and issue the certificate again.

3. Folder permissions

Let's Encrypt verifies that you own and control the domain you are requesting a certificate for, and it offers a few ways (challenge types) to prove this.

CyberPanel uses file-based (HTTP) verification because it is simpler and because DNS record changes can take a long time to propagate.

Sometimes users change file and folder permissions in a way that prevents CyberPanel from writing the verification file into the website's directory, so the verification fails.

To fix this, go to Websites -> List Websites.

Click the Manage button next to the website you want to issue SSL for.

Use the File Manager option to open the file manager for that website. Once it is open, click the Fix Permissions button at the top right.

CyberPanel fixes the permissions for you; afterwards you can issue an SSL certificate from SSL -> Manage SSL as described in the first issue.

4. ModSecurity Blocking

CyberPanel ships with ModSecurity, which protects your server and websites from a variety of attacks and spam. Like any web application firewall, it sometimes produces false positives and blocks legitimate traffic that it considers spam or an attack.

Let's Encrypt verifies control of the domain by checking whether the file it asked for is reachable on your domain. It fetches that file from multiple servers to confirm that you are the owner or an authorized person for the domain. Because it issues millions of certificates per day, its servers generate a lot of traffic, and spam-fighting companies sometimes classify that volume of similar traffic as spam and put the Let's Encrypt server IPs on their blocklists.

As a result, ModSecurity blocks connections from those IPs, Let's Encrypt cannot verify the domain, and the certificate is not issued.

There is a simple workaround for issuing the certificate in this case.

Go to Security -> ModSecurity Conf.

Turn ModSecurity off, then go to SSL -> Manage SSL and issue the certificate for your website. As soon as you are done, turn ModSecurity back on.

Debugging with the command line

If none of the above worked, you have a different issue that needs to be debugged. Open a terminal on the server and run the following, replacing <YOUR_DOMAIN> with your domain:

/root/.acme.sh/acme.sh --issue -d <YOUR_DOMAIN> -d www.<YOUR_DOMAIN> --cert-file /etc/letsencrypt/live/<YOUR_DOMAIN>/cert.pem --key-file /etc/letsencrypt/live/<YOUR_DOMAIN>/privkey.pem --fullchain-file /etc/letsencrypt/live/<YOUR_DOMAIN>/fullchain.pem -w /home/<YOUR_DOMAIN>/public_html --force --debug

The --debug output tells you where and why the issuance fails so you can fix it.
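A pre-flight check for the four causes above, as an added example (not CyberPanel's own code): it verifies the A record against the server IP (issue 1), that acme.sh is installed (issue 2), that the challenge directory under the webroot is writable (issue 3), and that a test token is fetchable over HTTP, treating a 403 as the ModSecurity symptom from issue 4. The domain, server IP and webroot are passed as arguments; example.com, 203.0.113.10 and the /home/<domain>/public_html layout are placeholders, and the network checks assume dig and curl are installed.

```shell
#!/bin/sh
# acme_preflight.sh: check the four common causes of a failed issuance
# (A record, acme.sh client, webroot permissions, challenge reachability /
# ModSecurity) before running acme.sh. Added example, not CyberPanel's code.
# The network checks need dig and curl; the local checks need only POSIX sh.
#
# Usage: sh acme_preflight.sh <domain> <server_ip> <webroot>
#   e.g. sh acme_preflight.sh example.com 203.0.113.10 /home/example.com/public_html
#   (example.com and 203.0.113.10 are placeholder values)

# Issue 1: every A record of $1 must equal the server IP $2. Only IPv4
# answers are kept so a CNAME in the chain is not reported as a mismatch.
# With Cloudflare proxying, dig returns Cloudflare's IPs; check the record
# in the Cloudflare DNS panel instead, as the tutorial notes.
a_record_ok() {
    resolved=$(dig +short A "$1" 2>/dev/null | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$')
    [ -n "$resolved" ] || { echo "FAIL: no A record for $1"; return 1; }
    for ip in $resolved; do
        if [ "$ip" != "$2" ]; then
            echo "FAIL: $1 resolves to $ip, but the server IP is $2"
            return 1
        fi
    done
    echo "ok: $1 -> $2"
}

# Issue 2: acme.sh must be present where CyberPanel calls it.
# $1 = path to acme.sh (defaults to the path used in the debugging section)
acme_client_ok() {
    client="${1:-/root/.acme.sh/acme.sh}"
    if [ -x "$client" ]; then
        echo "ok: $client present"
    else
        echo "FAIL: $client missing; reinstall with: wget -O - https://get.acme.sh | sh"
        return 1
    fi
}

# Issue 3: the challenge directory under webroot $1 must be creatable,
# writable and readable. Writes token $2 the same way acme.sh would.
webroot_writable() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir" 2>/dev/null || { echo "FAIL: cannot create $dir"; return 1; }
    printf 'preflight' > "$dir/$2" 2>/dev/null || { echo "FAIL: cannot write in $dir"; return 1; }
    [ "$(cat "$dir/$2" 2>/dev/null)" = "preflight" ] || { echo "FAIL: cannot read back $dir/$2"; return 1; }
    echo "ok: $dir is writable"
}

# Issue 4: token $2 must be fetchable over plain HTTP on $1 with status 200.
# A 403 is the usual signature of a ModSecurity (or other WAF) block.
challenge_reachable() {
    status=$(curl -s -o /dev/null -w '%{http_code}' "http://$1/.well-known/acme-challenge/$2")
    case "$status" in
        200) echo "ok: challenge fetched over HTTP" ;;
        403) echo "FAIL: HTTP 403; check ModSecurity (Security -> ModSecurity Conf)"; return 1 ;;
        *)   echo "FAIL: HTTP $status fetching the challenge file"; return 1 ;;
    esac
}

# Remove the test token ($2) from webroot $1.
cleanup_token() {
    rm -f "$1/.well-known/acme-challenge/$2"
}

# Run every check when called with the three arguments; without arguments
# the script only defines the functions.
if [ $# -eq 3 ]; then
    token="preflight-$$"
    rc=0
    a_record_ok "$1" "$2" || rc=1
    acme_client_ok || rc=1
    webroot_writable "$3" "$token" || rc=1
    challenge_reachable "$1" "$token" || rc=1
    cleanup_token "$3" "$token"
    exit $rc
fi
```

Run it before issuing; each FAIL line names the section to apply. The token is removed afterwards. Note that the HTTP fetch is made from the server itself, so a 200 here does not rule out the IP-based block from issue 4, which only affects requests arriving from Let's Encrypt's validation servers.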

After creating an email account in CyberPanel, some users want to configure it in a third-party email client such as Outlook or Thunderbird.

Both clients have auto-discover functionality that tries to configure the email settings automatically so the end user doesn't have to do anything. For example, when you configure an account for a CyberPanel-hosted address in Thunderbird, it may suggest the following settings:

Server hostname: mail.cyberpanel.net

IMAP Port: 143

Thunderbird then expects a valid SSL certificate for mail.cyberpanel.net; if the server does not present one, you get a self-signed SSL error.

How to resolve the self-signed SSL error

Since CyberPanel v1.9.4, when a website is created CyberPanel also creates mail.domain.com as a child domain of it and issues an SSL certificate for that child domain. It then edits /etc/dovecot/dovecot.conf and adds the following to the file:

local_name mail.domain.com {
  ssl_cert = </etc/letsencrypt/live/mail.domain.com/fullchain.pem
  ssl_key = </etc/letsencrypt/live/mail.domain.com/privkey.pem
}

and restarts Dovecot with systemctl restart dovecot. With this in place there are no SSL errors in either Outlook or Thunderbird.

Manually setting this up

Suppose you are on an older version of CyberPanel, or you created the website before upgrading to v1.9.4. Create mail.domain.com as a child domain of your main domain, make sure to issue SSL for it, and then follow the steps below.

Step 1: Open the file /etc/postfix/main.cf in any editor:

sudo nano /etc/postfix/main.cf

Step 2: Comment out the first two lines in that file by adding a # at the beginning:

# smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
# smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem

Step 3: Add the following lines after the ones you just commented out, replacing YourPrimaryMailServerDomain with your own domain:

# provide the primary certificate for the server, to be used for outgoing connections
smtpd_tls_chain_files =

Step 4: To support SNI, add the following lines at the end of the file:

# provide the map to be used when SNI support is enabled
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map

After these steps, the relevant part of your main.cf should look like this:

# smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
# smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem

# provide the primary certificate for the server, to be used for outgoing connections
smtpd_tls_chain_files =

# provide the map to be used when SNI support is enabled
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map

Step 5: Create a new file named vmail_ssl.map in /etc/postfix:

sudo touch /etc/postfix/vmail_ssl.map

Step 6: Edit the file to add your domain's certificate to the list, one host per line in the form hostname, private key path, full chain path:

mail.yourprimarymailserverdomain.com /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem

Step 7 (optional): If you have more than one domain to support, add all of them, one per line. The resulting file should look like this:

# Compile with postmap -F hash:/etc/postfix/vmail_ssl.map when updating
# One host per line
mail.yourprimarymailserverdomain.com /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem
mail.yoursecondarymailserverdomain.com /etc/letsencrypt/live/mail.yoursecondarymailserverdomain.com/privkey.pem /etc/letsencrypt/live/mail.yoursecondarymailserverdomain.com/fullchain.pem
# add more domains with keys and certs as needed

Step 8: Open /etc/dovecot/dovecot.conf:

sudo nano /etc/dovecot/dovecot.conf

Step 9: Append the following to the end of the file, replacing domain.com with your own domain:

local_name mail.domain.com {
  ssl_cert = </etc/letsencrypt/live/mail.domain.com/fullchain.pem
  ssl_key = </etc/letsencrypt/live/mail.domain.com/privkey.pem
}

Step 10: Compile the SNI map for Postfix with the following command:

postmap -F hash:/etc/postfix/vmail_ssl.map

Step 11: Restart Postfix:

systemctl restart postfix

Step 12: Restart Dovecot:

systemctl restart dovecot

Connect again with your mail client and the error should be gone.
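The manual procedure from steps 5 to 12 as an added shell script (not CyberPanel's own code): it builds vmail_ssl.map from every mail.* directory under /etc/letsencrypt/live that has both privkey.pem and fullchain.pem, appends the matching local_name block (closing brace included) to dovecot.conf for hosts not already listed there, then compiles the map with postmap -F and restarts Postfix and Dovecot. Directory and file locations are the ones used in the tutorial; the main.cf edits from steps 2 to 4 are still done by hand as described above.

```shell
#!/bin/sh
# mail_sni_setup.sh: build the Postfix SNI map (steps 5-7) and the Dovecot
# local_name blocks (step 9) from the certificates acme.sh keeps under
# /etc/letsencrypt/live, then compile the map and restart both services
# (steps 10-12). Added example, not CyberPanel's own code; paths follow
# the tutorial above.
#
# Usage (as root): sh mail_sni_setup.sh --apply [live_dir] [map_file] [dovecot_conf]
#   defaults: /etc/letsencrypt/live /etc/postfix/vmail_ssl.map /etc/dovecot/dovecot.conf

# Print one map line ("host privkey fullchain", the step 6 format) for each
# mail.* directory under $1 that holds both files. Hosts missing a file are
# skipped with a warning so Postfix is never pointed at a path that does
# not exist.
build_sni_map() {
    for d in "$1"/mail.*; do
        [ -d "$d" ] || continue
        host=$(basename "$d")
        if [ -f "$d/privkey.pem" ] && [ -f "$d/fullchain.pem" ]; then
            printf '%s %s %s\n' "$host" "$d/privkey.pem" "$d/fullchain.pem"
        else
            echo "skipping $host: privkey.pem or fullchain.pem missing under $d" >&2
        fi
    done
}

# Print the Dovecot local_name block for host $1 under live dir $2,
# closing brace included.
dovecot_local_name() {
    printf 'local_name %s {\n  ssl_cert = <%s/%s/fullchain.pem\n  ssl_key = <%s/%s/privkey.pem\n}\n' \
        "$1" "$2" "$1" "$2" "$1"
}

# Write map $2 with the step 7 header comments from live dir $1, then append
# a local_name block to dovecot.conf $3 for every mapped host it does not
# already contain, so re-running the script never duplicates a block.
write_sni_config() {
    live="$1"; map="$2"; dovecot="$3"
    {
        echo "# Compile with postmap -F hash:$map when updating"
        echo "# One host per line"
        build_sni_map "$live"
    } > "$map"
    for host in $(grep -v '^#' "$map" | cut -d' ' -f1); do
        grep -q "^local_name $host {" "$dovecot" 2>/dev/null && continue
        dovecot_local_name "$host" "$live" >> "$dovecot"
    done
}

# Steps 10-12: compile map $1 and restart Postfix and Dovecot.
reload_mail_services() {
    postmap -F "hash:$1" || return 1
    systemctl restart postfix || return 1
    systemctl restart dovecot
}

# Only act when invoked with --apply; otherwise just define the functions.
if [ "${1:-}" = "--apply" ]; then
    live="${2:-/etc/letsencrypt/live}"
    map="${3:-/etc/postfix/vmail_ssl.map}"
    dovecot="${4:-/etc/dovecot/dovecot.conf}"
    write_sni_config "$live" "$map" "$dovecot"
    reload_mail_services "$map"
fi
```

Run it with --apply after the certificates for the mail.* child domains have been issued, and re-run it whenever another mail.* child domain is added: a host that is missing from the map or from dovecot.conf is served the default certificate, which brings the self-signed error back for that domain.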