Impossible to issue SSL certificate for webmail

Hey,

I don’t understand what’s happening right now. Before it was working, but now I can issue as many certificates as I want, webmail.support-e-mail.com keeps showing as http and https doesn’t work, and when I analyse that with internet tools it says certificate mismatch for the cPanel URL.

What should I do?

Thanks in advance

Hi @Botefa

You have reached this limit:

Up to 5 certificates can be issued per exact same set of hostnames every 7 days.

Wait 7 days till you can issue a certificate for the same set of domains (mail.support-e-mail.com and webmail.support-e-mail.com). I don’t know what you did but you issued 5 certificates in 45 minutes for the same set of domains.

Hey,

Yeah, it wasn’t working so I tried again and again and again and again. Is there something I could do to not have this issue in 7 days?

And is there a way to still log in to my webmail while waiting those 7 days? Because I’m locked out :frowning:

Well, the certificates were issued so at least the last one should be in your server… if you didn’t remove it.

Check whether the certificate is still there (replace YourUser by the actual user):

openssl x509 -in /usr/local/hestia/data/users/YourUser/ssl/mail.support-e-mail.com.crt -noout -subject -dates -issuer -ext subjectAltName

Or

openssl x509 -in /home/YourUser/conf/mail/support-e-mail.com/ssl/support-e-mail.com.crt -noout -subject -dates -issuer -ext subjectAltName
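The two openssl one-liners above answer three questions at once: does the file exist, is it still within its validity dates, and which hostnames does its SAN list cover. As an added example (not code from the thread, Hestia or OpenSSL), here is the same check as a small Python script that shells out to the openssl binary, which is assumed to be installed as it is on the poster’s server. The SAN parsing is separated out so it can be exercised on a constructed snippet of `openssl x509 -text` output; the two Hestia paths in the usage block are copied from the thread, with `YourUser` kept as the placeholder.

```python
import os
import re
import subprocess

# Constructed sample of the relevant part of `openssl x509 -noout -text`
# output, so the SAN parsing can be tested without a real certificate file.
SAMPLE_TEXT = """        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:mail.support-e-mail.com, DNS:webmail.support-e-mail.com
            X509v3 Basic Constraints: critical
                CA:FALSE
"""

# The SAN values are printed on the line after the extension heading.
SAN_RE = re.compile(r"Subject Alternative Name:\s*\n\s*(?P<names>[^\n]+)")


def parse_sans(text):
    """Return the DNS names listed in the SAN extension, lower-cased, no trailing dot."""
    m = SAN_RE.search(text)
    if not m:
        return []
    names = []
    for entry in m.group("names").split(","):
        entry = entry.strip()
        if entry.lower().startswith("dns:"):
            names.append(entry[4:].lower().rstrip("."))
    return names


def missing_hosts(sans, wanted):
    """Hostnames in `wanted` that the certificate does not cover (exact match only)."""
    covered = set(sans)
    return [h for h in wanted if h.lower().rstrip(".") not in covered]


def check_cert_file(path, wanted):
    """Same checks as the openssl one-liners: file present, not expired, SAN covers
    every name in `wanted`. Returns a list of problems; empty means it looks fine."""
    if not os.path.isfile(path):
        return [f"missing: {path}"]
    problems = []
    # `-checkend 0` exits non-zero when the certificate has already expired.
    expired = subprocess.run(
        ["openssl", "x509", "-in", path, "-noout", "-checkend", "0"],
        capture_output=True,
    ).returncode != 0
    if expired:
        problems.append("expired")
    text = subprocess.run(
        ["openssl", "x509", "-in", path, "-noout", "-text"],
        capture_output=True, text=True, check=True,
    ).stdout
    for host in missing_hosts(parse_sans(text), wanted):
        problems.append(f"not covered: {host}")
    return problems


if __name__ == "__main__":
    # Paths from the thread; replace YourUser with the actual Hestia user.
    wanted = ["mail.support-e-mail.com", "webmail.support-e-mail.com"]
    for path in (
        "/usr/local/hestia/data/users/YourUser/ssl/mail.support-e-mail.com.crt",
        "/home/YourUser/conf/mail/support-e-mail.com/ssl/support-e-mail.com.crt",
    ):
        print(path, "->", check_cert_file(path, wanted) or ["ok"])
```

A missing file is reported before openssl is ever invoked, which is exactly the situation the poster hit below, while an expired or wrong-name certificate would explain an https mismatch even though the file is present.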

Oh wow, you’re probably going to save my life!

One thing I can totally say: I didn’t touch anything

1:

Could not open file or uri for loading certificate from /usr/local/hestia/data/users/me/ssl/mail.support-e-mail.com.crt

40070BD0007F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:../crypto/store/store_register.c:237:scheme=file

40070BD0007F0000:error:80000002:system library:file_open:No such file or directory:../providers/implementations/storemgmt/file_store.c:267:calling stat(/usr/local/hestia/data/users/me/ssl/mail.support-e-mail.com.crt)

Unable to load certificate

2:

Could not open file or uri for loading certificate from /home/me/conf/mail/support-e-mail.com/ssl/support-e-mail.com.crt

40876C43997F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:../crypto/store/store_register.c:237:scheme=file

40876C43997F0000:error:80000002:system library:file_open:No such file or directory:../providers/implementations/storemgmt/file_store.c:267:calling stat(/home/me/conf/mail/support-e-mail.com/ssl/support-e-mail.com.crt)

Unable to load certificate

Unfortunately it seems the certificates have gone…

ls -la /usr/local/hestia/data/users/me/ssl/
ls -la /home/me/conf/mail/support-e-mail.com/
ls -la /home/me/conf/mail/support-e-mail.com/ssl/

Argh, yes, it seems they are not here anymore

It might be a dumb question but am I still going to be able to receive emails while not having an SSL? Or are they all going to be lost?

It will depend on how the mail server sending you emails is configured. Most should have no issue using port 25 without TLS, but some will try to send them via TLS, and in this case, it will depend on whether they accept the certificate announced by your mail server (which is not the one for the domain they are sending to).

You could issue a new certificate if you add a new subdomain to that certificate: webmail.support-e-mail.com, mail.support-e-mail.com and, for example, botefa.support-e-mail.com. The problem is that you can’t do that using Hestia; you should try a third-party ACME client and, once you get the certificate, add it to your mail domain in Hestia.
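The limit quoted earlier (“up to 5 certificates per exact same set of hostnames every 7 days”) and the workaround just described (add a subdomain so the set of hostnames is different) are two sides of the same rule. The following is an added example, not code from the thread, Hestia or any CA: it models that rule as quoted, with a constructed issuance history of five certificates in 45 minutes like the one described above. It shows why the same two names are blocked until the oldest issuance ages out of the window, while a three-name set is a different key and is not counted. It does not model anything the thread does not state (such as how a real CA treats renewals).

```python
from datetime import datetime, timedelta

# Constants taken from the rule as quoted in the thread.
MAX_PER_WINDOW = 5
WINDOW = timedelta(days=7)


def hostname_set(names):
    """Normalise hostnames into the key the limit is counted on: order,
    case and trailing dots do not make a 'different' set."""
    return frozenset(n.strip().lower().rstrip(".") for n in names)


def duplicate_limit(history, requested, now):
    """history: iterable of (issued_at, hostnames). Returns (allowed, retry_at):
    retry_at equals `now` when allowed, otherwise the earliest time a new
    certificate for exactly this set of names would be accepted."""
    key = hostname_set(requested)
    recent = sorted(
        issued_at for issued_at, names in history
        if hostname_set(names) == key and now - issued_at < WINDOW
    )
    if len(recent) < MAX_PER_WINDOW:
        return True, now
    # The oldest of the last MAX_PER_WINDOW issuances has to leave the window first.
    return False, recent[-MAX_PER_WINDOW] + WINDOW


# Constructed history resembling the thread: five certificates for the same
# two names within 45 minutes, then a check an hour after the first one.
BASE = datetime(2025, 2, 26, 2, 0)
SAME_TWO = ["mail.support-e-mail.com", "webmail.support-e-mail.com"]
HISTORY = [(BASE + timedelta(minutes=m), SAME_TWO) for m in (0, 10, 20, 30, 45)]
NOW = datetime(2025, 2, 26, 3, 0)

if __name__ == "__main__":
    print("same two names:", duplicate_limit(HISTORY, SAME_TWO, NOW))
    print("with a third name:", duplicate_limit(HISTORY, SAME_TWO + ["botefa.support-e-mail.com"], NOW))
```

The practical lesson for the poster is the first branch: retrying an issuance that “isn’t working” five times in a row consumes the whole allowance, so the cause of the failure should be diagnosed before the next attempt.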

Wow, thank you so much for all this information. I understand a bit better now; do you think gmail.com is going to have issues with that?

Otherwise, I just issued a certificate with Cloudflare. It seems to have worked, but I’m not that technical and I’m wondering if using a Cloudflare certificate will cause issues?

I’m not using their proxy

I don’t know, but that’s easy to test, just send a mail from gmail to your domain and you will know the answer.

Which one? Trusted certificates are only “valid” if you are using Cloudflare as a proxy (which you can’t, at least for the mail subdomain, because Cloudflare doesn’t proxy mail ports). If you issued a Cloudflare Origin Certificate, those certificates are valid but only trusted by Cloudflare, so you’ll face the same issues as if you had issued a self-signed certificate.


Seems to be working with gmail!

Argh, yes, I issued a Cloudflare origin certificate. I guess I’ll just have to wait then

Anyway if I miss e-mails it should be in /var/log/exim4 in either main.log or reject.log?

Actually I have nothing special except some things I don’t understand like:

2025-02-26 02:53:44 no host name found for IP address 195.211.191.25
2025-02-26 02:54:21 no host name found for IP address 194.187.176.44
2025-02-26 02:57:27 no host name found for IP address 60.211.206.17
2025-02-26 03:02:12 no host name found for IP address 195.211.191.25

I’m not sure if it is a big deal or not

Thank you so much for all your help!


If you lose emails, it’s normal not to see much in the logs, but if there is anything, you would see it in the mainlog.

It isn’t. That only says that the IP doesn’t have a PTR record.

❯ dig -x 195.211.191.25

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> -x 195.211.191.25
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;25.191.211.195.in-addr.arpa.   IN      PTR

;; AUTHORITY SECTION:
191.211.195.in-addr.arpa. 3579  IN      SOA     pns21.cloudns.net. support.cloudns.net. 2025020901 7200 1800 1209600 3600

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Feb 26 03:23:42 CET 2025
;; MSG SIZE  rcvd: 117
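The `dig -x` output above shows what Exim was complaining about: the reverse name `25.191.211.195.in-addr.arpa.` has no PTR record (NXDOMAIN). As an added example, not code from the thread or from Exim, the script below reads mainlog lines in the format quoted earlier, counts how often each address appears without a reverse name, and builds the same `in-addr.arpa` (or `ip6.arpa`) query name that `dig -x` uses. The log lines are constructed copies of the ones posted plus one unrelated line (with the documentation address 203.0.113.5) to show the filter ignores other events; the optional live lookup needs network access and is not exercised by the sample.

```python
import ipaddress
import re
import socket

# Constructed sample: the four lines quoted above plus one unrelated rejection
# line so the filter has something to skip.
SAMPLE_MAINLOG = """2025-02-26 02:53:44 no host name found for IP address 195.211.191.25
2025-02-26 02:54:21 no host name found for IP address 194.187.176.44
2025-02-26 02:57:27 no host name found for IP address 60.211.206.17
2025-02-26 03:02:12 no host name found for IP address 195.211.191.25
2025-02-26 03:10:00 H=[203.0.113.5] rejected connection (constructed unrelated line)
"""

NO_PTR_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"no host name found for IP address (?P<ip>\S+)$"
)


def reverse_name(ip):
    """The name `dig -x` queries: 25.191.211.195.in-addr.arpa. for 195.211.191.25
    (works for IPv6 too, producing an ip6.arpa name)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def count_missing_ptr(log_text):
    """Map each address that logged 'no host name found' to how many times it did."""
    counts = {}
    for line in log_text.splitlines():
        m = NO_PTR_RE.match(line)
        if m:
            counts[m.group("ip")] = counts.get(m.group("ip"), 0) + 1
    return counts


def lookup_ptr(ip):
    """Live reverse lookup; returns None when no PTR exists. Needs network."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


if __name__ == "__main__":
    for ip, n in sorted(count_missing_ptr(SAMPLE_MAINLOG).items()):
        print(f"{ip:16} seen {n}x  query name: {reverse_name(ip)}")
```

These entries are informational: Exim records them when the connecting address has no PTR, which is common for scanners and misconfigured senders alike, and on their own they do not mean a legitimate message was lost.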

Thank you so much for all I learnt thanks to you!
