Introduction

As you know Let's Encrypt are one of the largest providers of HTTPS certificates. Recently they have released expiration notice for DST Root CA X3 root certicates. Many of the domains hosted on cPanel servers currently facing an issue in which domains that use an SSL certificate from Let's Encrypt are showing the server's hostname as the common name, instead of the actual domain name that is on the certificate. This is causing browser errors and email client errors. This is affecting MacOS/iphone email app, Thunderbird, Outlooks, mobile device mail apps.

cPanel development team has published an autofixer for this issue that can run manually using the following command, you can see the cPanel article here

# /scripts/autorepair update_lets_encrypt_cabundles2

This command will also run automatically during the servers next /scripts/upcp cronjob

After running this cPanel script some domains are still having the same issues.

You're still encountering this issues are due to the incorrect permission on the SSL certificate files:

You can check the incorret permissions on the SSL certificate files by running the below command as root user on your cPanel server

# find /var/cpanel/ssl/domain_tls/* -type d -not -perm 755 -printf "%p %m\n" | wc -l
401

This command will return the SSL certificate files with incorrect permissions.

To fix the permissions issues detailed above by changing the permissions of all directories within `/var/cpanel/ssl/domain_tls/` to 755 using the following command:

# `find /var/cpanel/ssl/domain_tls/* -type d -not -perm 755 -exec chmod -v 755 {} \;`

After chnaging the permissions you can again verify it by running the first command again and see the results:

# find /var/cpanel/ssl/domain_tls/* -type d -not -perm 755 -printf "%p %m\n" | wc -l
0

This fix will resolve the Let's Encrypt SSL certificate issues with browsers and email clients. cPanel will release this fix on next version update.