SSL Certificates

enconf manages SSL certificates automatically via Let's Encrypt and additionally supports uploading custom certificates.


Overview

The SSL management shows all configured SSL certificates with their status.

Column        Description
Domain        Certificate domain
Type          Let's Encrypt or Custom
Valid Until   Expiration date
Status        Valid, Expiring Soon, Expired

Let's Encrypt (Automatic)

Request Certificate

Let's Encrypt certificates are automatically issued in most cases when creating a website or domain.

Manual request:

  1. Navigate to domain management
  2. Select the desired domain
  3. Click Enable SSL

Prerequisites:

  • The domain must point to the server via A or AAAA record
  • Port 80 must be reachable for the ACME HTTP challenge
  • The domain must be publicly resolvable

Automatic DNS Check

Before activating SSL, the panel automatically checks via an external DNS resolver (Cloudflare 1.1.1.1) whether the domain's A record points to the server's IP. If the IP doesn't match, activation is rejected with a clear error message. This prevents failed Let's Encrypt challenges.
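The following is an added example (not enconf's own code) of the preflight check described above: it resolves the A record through 1.1.1.1 rather than the local resolver, then accepts or rejects activation with a message like the panel's. It assumes `dig` is installed on the panel host and that the caller supplies the server's public IPv4 address.

```python
import ipaddress
import subprocess
from typing import Set, Tuple

# External resolver used for the check (Cloudflare, as in the docs).
EXTERNAL_RESOLVER = "1.1.1.1"


def parse_dig_short(output: str) -> Set[str]:
    """Keep only IPv4 answers from `dig +short` output.

    `dig +short` also prints CNAME targets before the final A records;
    those are not valid addresses and are skipped.
    """
    ips = set()
    for line in output.splitlines():
        line = line.strip()
        try:
            ipaddress.IPv4Address(line)
        except ValueError:
            continue
        ips.add(line)
    return ips


def resolve_a_external(domain: str, resolver: str = EXTERNAL_RESOLVER) -> Set[str]:
    """Query the external resolver directly so a stale local cache or a
    split-horizon view cannot hide a wrong public A record.
    Assumption: the `dig` CLI (bind-utils / dnsutils) is available."""
    proc = subprocess.run(
        ["dig", f"@{resolver}", "+short", "+time=3", "+tries=1", "A", domain],
        capture_output=True, text=True, check=False,
    )
    return parse_dig_short(proc.stdout)


def check_a_record(resolved: Set[str], server_ip: str) -> Tuple[bool, str]:
    """Decide whether SSL activation may proceed for the resolved addresses."""
    if not resolved:
        return False, "Domain not resolvable via external DNS; check the DNS configuration"
    if server_ip in resolved:
        return True, f"A record points to this server ({server_ip})"
    seen = ", ".join(sorted(resolved))
    return False, (f"DNS points to wrong IP ({seen}); correct the A record to "
                   f"{server_ip} (verified via external DNS {EXTERNAL_RESOLVER})")


def preflight(domain: str, server_ip: str) -> Tuple[bool, str]:
    """Full check as the panel would run it before issuing the ACME request."""
    return check_a_record(resolve_a_external(domain), server_ip)
```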

Automatic Renewal

  • The Certbot timer regularly checks all certificates
  • Certificates are automatically renewed 30 days before expiration
  • After renewal, Nginx is automatically reloaded

Let's Encrypt Limits

Let's Encrypt allows a maximum of 50 certificates per registered domain per week. For many subdomains, a wildcard certificate is recommended.

Troubleshooting

Problem                        Solution
DNS does not point to server   Correct the A/AAAA record
Port 80 blocked                Check firewall rule
Rate limit reached             Wait 1 hour, then try again
Domain not resolvable          Check DNS configuration
DNS points to wrong IP         Correct the A record to the server IP (verified via external DNS 1.1.1.1)

Domain Aliases and Subdomains

When a domain alias or subdomain is created, the following happens automatically:

  1. DNS zone is created with A records pointing to the server IP
  2. Domain record is created in the panel (visible in the domain and SSL management)
  3. Nginx vhost is updated — the alias is added to the server_name directive

Enabling SSL for Aliases

When enabling SSL for a domain, all domain aliases of the associated site are automatically included as SANs (Subject Alternative Names) in the certificate. This means:

  • One certificate covers the primary domain + all aliases
  • All domains share the same Nginx server block and the same certificate
  • When new aliases are added, the certificate is automatically expanded (certbot --expand)

You only need to enable SSL for the primary domain — aliases are covered automatically.

DNS Must Be Correct

All domains in the certificate (primary + aliases) must have their A record pointing to the server IP. Otherwise the Let's Encrypt challenge will fail.


Wildcard Certificates (*.domain.com)

Wildcard certificates cover all subdomains of a domain (e.g. *.example.com). They are issued via the DNS-01 challenge from Let's Encrypt.

Prerequisites

  • The domain must use the panel's nameservers so the _acme-challenge TXT record can be set automatically
  • Customers with external DNS can use Let's Encrypt (HTTP-01) or upload a custom certificate instead

Request a Wildcard Certificate

  1. Navigate to SSL Certificates
  2. Click Enable SSL for the desired domain
  3. Select Wildcard (*.domain)
  4. Click Enable

The process takes 1–3 minutes as DNS propagation needs to complete.

ACME DNS Configuration

Mode                Description
Automatic           Uses the PowerDNS server that manages the DNS zone in the panel
External PowerDNS   Uses an external PowerDNS instance (API URL + API Key required)

Configuration under Settings → Panel Settings → ACME DNS:

Setting            Description
DNS Mode           Automatic or External PowerDNS
PowerDNS API URL   URL of the external PowerDNS API (e.g. http://ns1.example.com:8081)
PowerDNS API Key   API key for authentication

Automatic Renewal

Wildcard certificates are automatically renewed 30 days before expiry — also via DNS-01 challenge.

External PowerDNS Instances

When using an external PowerDNS server, ensure the API URL is reachable from the panel server and the API key has permission to create and delete TXT records in the zone.
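As an added example (not enconf's own code), this is the PowerDNS API call the DNS-01 flow relies on, plus a probe that verifies the API key can both create and delete TXT records before a real wildcard request depends on it. The API URL and key are placeholders taken from the settings described above; the server id `localhost` is PowerDNS's default.

```python
import json
import urllib.error
import urllib.request
from typing import Optional

PDNS_API_URL = "http://ns1.example.com:8081"   # placeholder: value from ACME DNS settings
PDNS_API_KEY = "REPLACE-WITH-API-KEY"          # placeholder: value from ACME DNS settings
PDNS_SERVER_ID = "localhost"                   # PowerDNS's default server id


def acme_rrset(domain: str, token: Optional[str], ttl: int = 60) -> dict:
    """Build the rrset patch for _acme-challenge.<domain>.

    For a wildcard *.example.com the record lives at _acme-challenge.example.com.
    token=None produces a DELETE, which is the cleanup step after validation.
    """
    name = f"_acme-challenge.{domain.rstrip('.')}."
    rrset = {"name": name, "type": "TXT", "ttl": ttl,
             "changetype": "REPLACE" if token else "DELETE"}
    if token:
        # The PowerDNS API requires TXT content to be quoted.
        rrset["records"] = [{"content": f'"{token}"', "disabled": False}]
    return {"rrsets": [rrset]}


def patch_zone(zone: str, body: dict,
               api_url: str = PDNS_API_URL, api_key: str = PDNS_API_KEY) -> int:
    """PATCH /api/v1/servers/<id>/zones/<zone>. Returns the HTTP status:
    204 on success, 401 for a bad key, 404/422 when the zone is not on that server."""
    zone_id = zone.rstrip(".") + "."
    req = urllib.request.Request(
        f"{api_url.rstrip('/')}/api/v1/servers/{PDNS_SERVER_ID}/zones/{zone_id}",
        data=json.dumps(body).encode(), method="PATCH",
        headers={"X-API-Key": api_key, "Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_txt_permission(zone: str) -> bool:
    """Write and remove a probe record under a name no real validation uses,
    so the check never collides with an in-flight ACME challenge."""
    probe_domain = f"permission-probe.{zone.rstrip('.')}"
    if patch_zone(zone, acme_rrset(probe_domain, "probe")) != 204:
        return False
    return patch_zone(zone, acme_rrset(probe_domain, None)) == 204
```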


Custom Certificates (Custom SSL)

For domains that cannot or should not use Let's Encrypt:

Upload Certificate

  1. Navigate to SSL > Upload Certificate
  2. Upload the following files:

     File                        Required   Description
     Certificate (.crt/.pem)     Yes        The SSL certificate
     Private Key (.key)          Yes        The associated private key
     CA Bundle (.ca-bundle)      No         Intermediate certificates (chain)

  3. Click Upload

Private Key

The private key is stored encrypted. Make sure the key is not password-protected.

Replace Certificate

  1. Select the existing certificate
  2. Click Replace
  3. Upload the new certificate and key

Panel SSL

The SSL certificate for the panel itself is configured under Settings > Server:

Options

Mode            Description
Let's Encrypt   Automatic certificate for the panel URL
Custom          Upload a custom certificate
Self-Signed     Self-signed certificate (for testing only)

Configure Panel SSL

  1. Navigate to Settings > Server
  2. Select the Panel SSL Mode
  3. For Custom: Upload certificate and key
  4. Click Save

Mail SSL

For encrypted email communication (IMAP/SMTP):

  1. Navigate to Settings > Server
  2. Configure the Mail SSL Mode
  3. Options are the same as for Panel SSL

Separate Certificates

It is recommended to use separate certificates for the panel and mail server so that the mail hostname (e.g. mail.example.com) is correctly included in the certificate.

Mail SNI (Per-Domain TLS Certificates)

enconf supports Server Name Indication (SNI) for mail services. This allows each domain to use its own TLS certificate for Postfix (SMTP) and Dovecot (IMAP/POP3) connections.

When SSL is enabled for a domain, the certificate is automatically pushed to both Postfix and Dovecot SNI maps. This means that mail clients connecting to mail.customer-domain.com receive the correct certificate for that domain, rather than the server's default mail certificate.

How it works:

  • When a Let's Encrypt or custom certificate is issued for a domain, the panel automatically updates the Postfix and Dovecot SNI configuration
  • No manual configuration is required
  • Each domain presents its own certificate during the TLS handshake
  • Falls back to the default mail certificate if no domain-specific certificate is available

Automatic Configuration

Mail SNI is configured automatically whenever SSL is enabled for a domain. There are no additional settings to configure.


Certificate Monitoring

The system automatically monitors all SSL certificates:

  • 30 days before expiration: Automatic renewal for Let's Encrypt
  • 14 days before expiration: Warning on the dashboard for custom certificates
  • Expired: Warning on the dashboard and system page
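An added example (not enconf's own code) of the monitoring logic above: it reads a certificate's expiry with the openssl CLI and applies the page's thresholds (30 days for Let's Encrypt renewal, 14 days for a custom-certificate warning) to produce the Status values shown in the SSL overview. It assumes `openssl` is installed and that the certificate type is known to the caller.

```python
import subprocess
from datetime import datetime, timezone
from typing import Optional, Tuple

LE_RENEW_DAYS = 30      # Let's Encrypt: automatic renewal 30 days before expiry
CUSTOM_WARN_DAYS = 14   # custom certificates: dashboard warning 14 days before expiry


def parse_not_after(enddate_line: str) -> datetime:
    """Parse the `notAfter=Mar 10 12:00:00 2025 GMT` line from openssl."""
    _, _, value = enddate_line.strip().partition("=")
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def read_not_after(cert_path: str) -> datetime:
    """Assumption: the openssl CLI is available on the host."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-in", cert_path],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_not_after(out)


def classify(not_after: datetime, cert_type: str,
             now: Optional[datetime] = None) -> Tuple[str, Optional[str]]:
    """Return (status, action). status is Valid, Expiring Soon or Expired;
    action says what the panel does at that point (None when nothing is due).
    cert_type is "letsencrypt" or "custom"."""
    now = now or datetime.now(timezone.utc)
    if not_after <= now:
        return "Expired", "warning on dashboard and system page"
    days_left = (not_after - now).days
    if cert_type == "letsencrypt":
        if days_left <= LE_RENEW_DAYS:
            return "Expiring Soon", "automatic renewal via certbot, then nginx reload"
        return "Valid", None
    if days_left <= CUSTOM_WARN_DAYS:
        return "Expiring Soon", "warning on dashboard: upload a replacement certificate"
    return "Valid", None


def check_certificate(cert_path: str, cert_type: str) -> Tuple[str, Optional[str]]:
    """Convenience wrapper: read the expiry from disk and classify it."""
    return classify(read_not_after(cert_path), cert_type)
```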