Warning: No server certificate defined; TLS connections will fail.
Hi,
Whenever the Advanced Editor of the Exim Configuration Editor within WHM is selected, the following is always added to the /var/log/exim_paniclog file:
XXX-XX-XX XX:XX:XX Warning: No server certificate defined; TLS connections will fail.
Suggested action: either install a certificate or change tls_advertise_hosts option
All SSL certificates are working without problems though. Can you please explain? Note: This occurs in versions .56 and .58 (I still have both running).
I see that here as well:
2016-08-08 08:49:59 Warning: No server certificate defined; TLS connections will fail.
Suggested action: either install a certificate or change tls_advertise_hosts option
2016-08-08 08:50:32 Warning: No server certificate defined; TLS connections will fail.
Suggested action: either install a certificate or change tls_advertise_hosts option
There's a forum thread here about this as well: Warning: No server certificate defined; TLS connections will fail
@Infopro: Thanks for your reaction. I also noticed the other thread you're referring to, but I don't think it's entirely identical, although they share the same error(?) message.
JH/04 Certificate name checking on server certificates, when exim is a client, is now done by default. The transport option tls_verify_cert_hostnames can be used to disable this per-host. The build option EXPERIMENTAL_CERTNAMES is withdrawn.
JH/06 Verification of the server certificate for a TLS connection is now tried (but not required) by default. The verification status is now logged by default, for both outbound TLS and client-certificate supplying inbound TLS connections.
Furthermore I don't understand why the error(?) is there in the first place; the installed SSL certificate is for servername.domainname.ext, and the server has an identical hostname. Restarting exim won't cause the error(?). Only as previously explained.
Hello, It's important to note the output is listed as "Warning" as opposed to an error. It shouldn't cause any issues with email usage or delivery. There's additional discussion about the purpose of this message on the Exim user's list at: TLS changes in 4.87 | exim | users
Thank you.
@cPanelMichael: You're right... it's a warning and not an error. But warnings about TLS connections that may fail more or less tend to an error in my personal opinion. On the Exim user's list it's suggested to change tls_advertise_hosts to empty instead of "*", to avoid getting the warning. Do you agree or is it better to just neglect these warnings at all?
Hello, The following Exim document explains this feature a little more: Exim Specification - 38. Encrypted SMTP connections using TLS/SSL
When Exim has been built with TLS support, it advertises the availability of the STARTTLS command to client hosts that match tls_advertise_hosts, but not to any others. The default value of this option is unset, which means that STARTTLS is not advertised at all. This default is chosen because it is sensible for systems that want to use TLS only as a client. To make it work as a server, you must set tls_advertise_hosts to match some hosts. You can, of course, set it to * to match all hosts. However, this is not all you need to do. TLS sessions to a server won't work without some further configuration at the server end (see below).
Here are the default entries on a cPanel server:
# grep tls_advertise_hosts /etc/exim.conf
tls_advertise_hosts = *
# grep tls_certificate /etc/exim.conf
tls_certificate = ${if exists {/etc/mail_sni_map} {${extract{crtfile}{${lookup {$tls_sni} lsearch {/etc/mail_sni_map} {$value}}}{$value}{/etc/exim.crt}}} {/etc/exim.crt}}
I don't recommend suppressing the warning messages by changing the "tls_advertise_hosts" entry to null, as it's a good way of encouraging the use of SSL. Thank you.
Thanks for the additional explanation. I've decided to simply just neglect the warnings (they do not show up that much in the first place; only when the Exim Configuration Editor is being executed).
Hello, I wanted to note the following change to the tls_certificate entry in /etc/exim.conf as of cPanel version 60:
tls_certificate = ${if and \
    { \
        {gt{$tls_in_sni}{}} \
        {!match{$tls_in_sni}{/}} \
    } \
    {${if exists {/var/cpanel/ssl/domain_tls/$tls_in_sni/combined} \
        {/var/cpanel/ssl/domain_tls/$tls_in_sni/combined} \
        {${if exists {${sg{/var/cpanel/ssl/domain_tls/$tls_in_sni/combined}{(.+/)[^.]+(.+/combined)}{\$1*\$2}}} \
            {${sg{/var/cpanel/ssl/domain_tls/$tls_in_sni/combined}{(.+/)[^.]+(.+/combined)}{\$1*\$2}}} \
            {/etc/exim.crt} \
        }} \
    }} \
    {/etc/exim.crt} \
}
This adds support for the Domain TLS functionality introduced in cPanel version 60 and documented at: What is Domain TLS - cPanel Knowledge Base - cPanel Documentation
Thank you.
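Added example, not part of the thread and not cPanel's code: a shell function that walks the same selection order as the version 60 tls_certificate expansion quoted above, to show which file a given SNI name resolves to. The names select_cert, BASE and FALLBACK are made up for this sketch, and sed's extended regex stands in for Exim's regex engine, which is assumed to agree for ordinary dotted hostnames.

```shell
#!/bin/sh
# Added illustration, not cPanel's code. select_cert, BASE and FALLBACK are
# hypothetical names; the defaults are the paths shown in the post above.

select_cert() {
    sni=$1
    base=${BASE:-/var/cpanel/ssl/domain_tls}
    fallback=${FALLBACK:-/etc/exim.crt}

    # {gt{$tls_in_sni}{}} and {!match{$tls_in_sni}{/}}: an empty SNI, or one
    # containing "/", never reaches the filesystem lookups below, so a
    # client-supplied name cannot add path components.
    case $sni in
        '' | */*) printf '%s\n' "$fallback"; return 0 ;;
    esac

    # First choice: a bundle stored under the exact name.
    exact=$base/$sni/combined
    if [ -e "$exact" ]; then
        printf '%s\n' "$exact"
        return 0
    fi

    # Second choice: the ${sg{...}} step swaps the first label for a literal
    # "*", e.g. mail.example.com -> *.example.com (a directory really named
    # "*.example.com"; the quotes below keep the shell from globbing it).
    wild=$(printf '%s\n' "$exact" |
        sed -E 's#(.+/)[^.]+(.+/combined)#\1*\2#')
    if [ -e "$wild" ]; then
        printf '%s\n' "$wild"
        return 0
    fi

    # Nothing matched: the server-wide certificate.
    printf '%s\n' "$fallback"
}

# Optional command-line use: sh select_cert.sh mail.example.com
if [ "$#" -gt 0 ]; then
    select_cert "$1"
fi
```

Point BASE at a scratch directory to try it without touching the live Domain TLS store.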