SSL Issue, again (but I've read the other threads)

  • Hello


    First of all, I searched the forum for other SSL issues.
    It's probably linked, but I'm not able to link the errors I have to the solutions proposed.


    I just updated from 1.1.5 to 1.1.9. I was surprised by the new questions asked, so I can't guarantee I gave the correct answers.
    So after reading the threads, I ran

    Code
    perl imscp-autoinstall -dasr ssl


    I gave the .key file when asked.
    When the intermediate certificate was asked for, I gave the sf_bundle.crt (Starfield certificate) as follows:
    It's in two parts, the intermediate and the root, isn't it?



    Then I gave my crt file.


    I have no error message. Everything sounds ok.
    When I check the certificate


    https://www.ssllabs.com/ssltes…yze.html?d=panel.cqfd.net


    It sounds correctly installed.


    When I check any of the customers certificates (no self signed, same provider, and with the same intermediate bundle in the GUI), it's ok too


    https://www.ssllabs.com/ssltest/analyze.html?d=cqfd.net


    But when I try to connect to the FTPS service, FileZilla gives this error



    and when connecting using Outlook on SMTPS or IMAPS I have



    And if I use a computer secured by Avast, I have



    So, it "could" be linked to the ROOT CA as mentioned in another thread, but I'm sceptical, as on the web server it sounds ok.


    It sounds like it uses a self-signed certificate for smtps, imaps and ftps instead of the one I provided for the panel (in the past, it used the self without any issue), as I answered no when the installer asked if I have a wildcard certificate for *.panel.cqfd.net
    Should I say yes and choose the same files when asked?


    I'm available for a teamviewer or a screen -x on the server if needed.


    Kind regards
    Cedric

  • Hello ;


    i-MSCP now differentiates between the certificate for panel access and the certificate for services such as mail, ftp...


    The CN of the certificate as shown above seems wrong.

  • So, before the upgrade, I was able to use the same certificate for both panel and mail/ftp services, but now I'll have to buy several certificates ?
    And there is no way to use the same one for both ?


    All my customers have their ftps account configured to use panel.cqfd.net as server, their mail accounts configured to use panel.cqfd.net for IMAPS and SMTPS
    And now it's not possible anymore ?


    So I'm in the obligation to buy an expensive wildcard certificate thanks to this upgrade ?


    No way to use the same system as before ??


    I bought the certificate when there was a special deal at GoDaddy (4$ per year per cert) so I bought for five years and now, I have to buy a wildcard certificate for more than 200$ per year ?


    What's the goal of such updates ?


    Cedric

  • @VirtualCed


    Hello;


    Nothing has been changed here. We just added the possibility to add a specific certificate for services such as ftp, mail and so on.


    Give me your teamviewer IDS and then I can maybe see what is wrong.

  • I used the same certificate for both, panel and service, because I have a wildcard cert for my domain, and it is working.


    Give it a try.

  • Re;


    @VirtualCed No teamviewer so?


    Anyway, after reading your first post again, it seems that for the services (mail, ftp) you do not use your own certificate but a self-signed wildcard certificate (which is generated by i-MSCP).
    Try to rerun the installer (perl imscp-autoinstall -dasr ssl) and, for both the panel and services, provide the same certificate information.
    Then, by doing that, you'll get the same behavior as in older i-MSCP versions.

  • @Nuxwin I'll try this, and record what I do for reference. (screenflow)
    If it fails, we'll try using Teamviewer, but my connection at home is so bad that it's a really hard system to use.


    Ced

    @VirtualCed apache uses this cert file: /etc/imscp/${ADMIN_PANEL_URL}.pem
    other services use this cert file: /etc/imscp/imscp_services.pem
    Please check these two files' content: are they the same?


    And there was a question in the installer: Do you have a wildcard SSL certificate?
    What did you answer?


    If you have a wildcard certificate for *.yourdomain.com, but the admin URL is adminpanel.yourdomain.com and you answered "yes" to the above question, then it's normal to get a certificate error, because the *.yourdomain.com certificate is not enough for *.adminpanel.yourdomain.com.


    If I'm right there are two solutions:

    • you have to buy a *.adminpanel.yourdomain.com wildcard certificate
    • you have to rerun the installer and say No to the above question

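
The wildcard rule described in the post above, as an added example that is not part of the thread or of i-MSCP: a wildcard in a certificate name stands for exactly one left-most label (RFC 6125), which is what TLS clients check against the hostname they were configured with. The function names and the certificate name sets are constructed for illustration; the hostnames are the ones used in the thread.

```python
# Added example: left-most-label wildcard matching as TLS clients apply it
# (RFC 6125, section 6.4.3). Certificate name sets below are constructed.

def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (CN or SAN dNSName) covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard never spans dots, so both names need the same label count.
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # "*" stands for exactly one non-empty left-most label.
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    # Partial or misplaced wildcards are rejected; otherwise exact match.
    return "*" not in pattern and p_labels == h_labels


def covered(cert_names, hostname):
    """Names in the certificate that cover hostname (empty list = mismatch)."""
    return [n for n in cert_names if name_matches(n, hostname)]


# (description, names in the certificate, hostname the client connects to)
CASES = [
    ("single-host cert, clients use the panel host",
     ["panel.cqfd.net"], "panel.cqfd.net"),
    ("wildcard under the panel host, clients use the panel host",
     ["*.panel.cqfd.net"], "panel.cqfd.net"),
    ("domain wildcard, host one level down",
     ["*.yourdomain.com"], "adminpanel.yourdomain.com"),
    ("domain wildcard, host two levels down",
     ["*.yourdomain.com"], "mail.adminpanel.yourdomain.com"),
]


def run_cases():
    """Evaluate every constructed case; returns (description, matched) pairs."""
    return [(desc, bool(covered(names, host))) for desc, names, host in CASES]


if __name__ == "__main__":
    for desc, ok in run_cases():
        print(f"{'OK      ' if ok else 'MISMATCH'}  {desc}")
```
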
  • Hello ;


    @jonci


    In version 1.1.10, I've changed the question for the services SSL certificate. I've removed the word "wildcard", which makes our users unhappy.
