IMAP/POP SSL Failed SNI
We have a cPanel server for mail only with Let's Encrypt installed; everything worked fine until today. We get certificate warnings when connecting to POP or IMAP, and we are getting the default SSL certificate from the server.
All our clients connect on mail.[domainname.extension] and the SSL is created but not visible in the directory /var/cpanel/ssl/domain_tls/
Also not in the file /etc/dovecot/sni.conf
Rebuilding with /scripts/build_mail_sni --rebuild_dovecot_sni_conf doesn't do anything, because I think it looks for the files in /var/cpanel/ssl/domain_tls/
I removed an SSL certificate from a website and did a new request; the SSL certificate is generated successfully but not placed in /var/cpanel/ssl/domain_tls/
When I get the CRT from Manage SSL Hosts and install it again with "Install an SSL Certificate on a Domain", the files are created in /var/cpanel/ssl/domain_tls/
And after /scripts/build_mail_sni --rebuild_dovecot_sni_conf that domain works again, but I don't want to do this manually for all the domains.
Help needed !
We're experiencing the same issue.
Same here
This is not working for me. All mail connections are identifying as the main server SSL certificate, and SNI is not working. I have tried to rebuild after switching to Comodo... I even removed and let AutoSSL regenerate, and am still getting errors for mail connections.
As @ispweb mentions, you can also work around this by adding domains manually to your /etc/dovecot/sni.conf file and restarting Dovecot. Keep a backup cos atm, running the /scripts/build_mail_sni --rebuild_dovecot_sni_conf script will remove them.
UGH... ok... that doesn't help with thousands of accounts... oh man. What a massive mess.
Switched to the cPanel certs for the moment, but more often than not cPanel is responding with: The "cPanel (powered by Sectigo)" provider cannot currently accept incoming requests. The system will try again later. So not exactly a fix.
Does the hotfix mentioned in the thread fix the issue?
Not fully; my clients still have problems: Outlook reports it cannot establish a secure connection.
An additional problem is that Let's Encrypt is rate-limited to 50 certificate validations per domain per week. So if you have been running AutoSSL a lot, in an attempt to get your certs to validate, you may well hit the limit. I'm stuck with a number of invalid certs which I can't renew because "MASTER DCV: A rate limit prevents DCV."
Yes, same problem for me, and a new problem is that clients using an SSL connection to mail.domain.com to send email now receive an error that the domain certificate does not match the server certificate. Any ideas??
A temporary workaround, if your certificate is waiting to revalidate, is to get the mail client to connect to the FQDN of the server. I have one domain that is firmly stuck because of rate limiting, so I got them to connect to ds.myserver.com (insert your FQDN). Because Dovecot is presenting the server cert, the mail client accepts it. Of course you'd need to change it back when your domain cert validates. Probably easier just to create an exception in the mail client for the server's cert. That way, when the domain cert validates, the client should automatically switch over.
That is not a solution; try to explain to hundreds of clients to change their SMTP configuration. And this is also not the issue: the problem is not with Dovecot, only with SMTP.
Indeed. Perhaps explaining that if their mail client raises an exception, they can click through and accept it, just so they can keep working until DV completes. They shouldn't notice when the exception is no longer required, at least that's my understanding of how mail clients work.
When making an SMTP connection to Exim, the client specifies via SNI which certificate it is expecting. According to the /etc/exim.conf setting "tls_certificate =", the SMTP server hostname (from SNI) is looked up in /var/cpanel/ssl/domain_tls/. There should be a folder, e.g. "mail.example.com", containing a file called "combined" with the appropriate SSL certificate and chain. As far as I can tell, AutoSSL doesn't update the certificate in /var/cpanel/ssl/domain_tls/. I'm not sure which cPanel component is supposed to do that. (And I haven't updated anything on the server recently, so this might be e.g. a side-effect of Let's Encrypt's old trust root expiring recently.) The quickest workaround I can think of is to manually create the directory /var/cpanel/ssl/domain_tls/mail.example.com/ containing a file called "combined" with the appropriate private key and certificates (whole trust chain). I don't want to do that by hand for 1000 domains though, so I will see if I can write some script for this...
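An added audit script, not from this thread or from cPanel, that lists which mail hosts in Dovecot's sni.conf have no usable "combined" file under /var/cpanel/ssl/domain_tls/ (the directory the post above says Exim resolves SNI names against). It assumes sni.conf uses Dovecot's local_name block syntax and that a usable combined file holds one private key plus the leaf certificate and its chain; the sample config and PEM blocks are constructed.

```python
import os
import re
import tempfile
DOMAIN_TLS = "/var/cpanel/ssl/domain_tls"   # directory Exim and Dovecot resolve SNI names against
PEM_BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----")
# Assumed Dovecot syntax for /etc/dovecot/sni.conf: one local_name block per mail host.
LOCAL_NAME_RE = re.compile(r"^\s*local_name\s+(\S+)\s*\{", re.MULTILINE)

# Constructed sample sni.conf (not copied from a real server).
SAMPLE_SNI_CONF = """local_name mail.example.com {
  ssl_cert = </var/cpanel/ssl/domain_tls/mail.example.com/combined
}
local_name mail.example.net {
  ssl_cert = </var/cpanel/ssl/domain_tls/mail.example.net/combined
}"""

def hosts_from_sni_conf(text):
    """Mail hostnames Dovecot currently has SNI entries for."""
    return sorted(set(LOCAL_NAME_RE.findall(text)))

def audit_combined(path):
    """Problems with one 'combined' file; an empty list means it looks usable."""
    if not os.path.isfile(path):
        return ["missing"]
    problems = []
    if os.stat(path).st_mode & 0o007:
        problems.append("world-readable, but the file holds the private key")
    with open(path, encoding="ascii", errors="replace") as fh:
        kinds = PEM_BLOCK_RE.findall(fh.read())
    keys = sum(1 for k in kinds if k.endswith("PRIVATE KEY"))
    certs = kinds.count("CERTIFICATE")
    if keys != 1:
        problems.append(f"expected 1 private key, found {keys}")
    if certs < 2:
        problems.append(f"expected leaf certificate plus chain, found {certs}")
    return problems

def audit(hosts, domain_tls=DOMAIN_TLS):   # map each mail host to its problems
    return {h: audit_combined(os.path.join(domain_tls, h, "combined")) for h in hosts}

def demo():
    """Run the audit against a constructed domain_tls tree in a temp dir."""
    root = tempfile.mkdtemp()
    good = os.path.join(root, "mail.example.com")     # mail.example.net is left missing
    os.makedirs(good)
    pem = lambda kind: f"-----BEGIN {kind}-----\nAAAA\n-----END {kind}-----\n"
    with open(os.path.join(good, "combined"), "w") as fh:
        fh.write(pem("PRIVATE KEY") + pem("CERTIFICATE") * 2)
    os.chmod(os.path.join(good, "combined"), 0o640)   # 0640 root:mail, as in the ls output posted later in this thread
    return audit(hosts_from_sni_conf(SAMPLE_SNI_CONF), domain_tls=root)
```

On a real server, run audit(hosts_from_sni_conf(open("/etc/dovecot/sni.conf").read())) as root and fix the hosts that come back with problems before rebuilding the SNI config.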
... just so they can keep working until DV completes.
My Domain Validation with Let's Encrypt did complete. The problem is, the new certificates didn't get put into /var/cpanel/ssl/domain_tls/ for whatever reason.
My Domain Validation with Let's Encrypt did complete. The problem is, the new certificates didn't get put into /var/cpanel/ssl/domain_tls/ for whatever reason.
Neither did mine, until I ran the cPanel patch script this morning.
[root@one mail.mydomain.pl]# ls -la
total 104
drw-r--r--    2 root root  4096 Oct 1 08:33 .
drwx--x--x 1100 root root 69632 Oct 1 13:16 ..
-rw-r--r--    1 root root  3793 Oct 1 08:33 certificates
-rw-r--r--    2 root root  6325 Oct 1 08:33 certificates.cache
-rw-r-----    1 root mail  5468 Oct 1 08:33 combined
-rw-r--r--    2 root root     6
They're all there, still Thunderbird reports an error when sending email.
-rw-r----- 1 root mail 5468 Oct 1 08:33 combined
For clues, run "openssl s_client -connect localhost:smtps -servername mail.mydomain.pl -CAfile /etc/ssl/certs/ca-bundle.crt" and see which certificate was offered by Exim (subject=/CN=...), and exactly what the validation error was. For me, it was "certificate is expired", not referring to my certificate though, but to the old Let's Encrypt root CA that expired recently.
Did it pointing to hostname.pl, not to mail.domain.pl
Did it pointing to hostname.pl, not to mail.domain.pl
That should be OK. You got the certificate for hostname.pl, which should have a Subject Alternative Name for each subdomain including mail.domain.pl. Importantly, you should get "Verify return code: 0 (ok)", which means the certificate and chain are all correct. Then it should be OK for your clients too.
Nope, that does not work. I get "0 (ok)" but the client gets: Sending of the message failed. Unable to communicate securely with peer: requested domain name does not match the server's certificate. The configuration related to mail.domain.pl must be corrected.
We're currently working on a plan that will more properly update the SNI configurations as well, as that will also run as part of an updated autofixer. I'll post in the main thread at as I get more updates.