Certificate for courier-imapd on ns1.site.com will expire in less then 30
Certificate for courier-imapd on ns1.site.com will expire in less then 30 days. You should install a new certifcate as soon as possible. You can install a new certificate in WHM under "Manager Service SSL Certificates", or by clicking this link: https://ns1.site.com:2087/scripts2/manageservicecrts
what does this mean? i got it in my email box today.
It means that the certificate used for IMAPS on your server will expire in 30 days. If this is a purchased certificate you will need to renew that certificate and reinstall it, following the link in that message.
However, I have also seen where the e-mail system has sent out false positives. Your certificate may not really be expiring in 30 days. You may want to use that link and check for sure to see when it is expiring.
If the IMAP service is just using a self-signed certificate then I don't think there is much to worry about. cPanel will generate a new self-signed certificate for the IMAP service after it expires.
ive never installed a cert or anything, so im not sure what it is. i dont alter my server aside from the default stuff already on there, so more then likely this is then just a message from the server and it will re-do whatever it needs to do automatically?
You are probably using a self-signed certificate for IMAP-ssl. I believe cPanel will reissue another self-signed certificate if the old certificate expires. But someone else might want to correct me if I'm wrong.
same here
Today I updated cpanel to release 25623 and I received the same message for
cpanel
courier-imapd
courier-pop3d
Is the first time I receive this message, never used a custom certificate for this services.
I hope some of the guys of cpanel staff talk about this issue.
Thanks!
What is shown in the Manage Service Certificates interface in WHM for these services?
says this:
Courier (POP3) Mail Server
Issuer: C=US, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=server1.domain.com/emailAddress=ssl@server1.domain.com
Not Before: Jul 10 22:34:35 2007 GMT
Not After: Jul 9 22:34:35 2008 GMT
Subject: C=US, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=server1.domain.com/emailAddress=ssl@server1.domain.com
Self Signed: YES
And in the right column says: Install new Certificate Reset Certificate
Expiring on July 9th. Same as courier-imapd and cpanel.
What should I do??
Have the same on several servers. Would be nice to have a procedure how to generate the new self-signed certificate and afterwards install it via the "Manage Service Certificates interface".
Last edited by krisdv; 06-20-2008 at 04:07 AM. Reason: Typo
Just clicking Reset Certificate will create and install a new self-signed certificate for that service.
I think, though I am not sure, that if the certificate expires cPanel will create a new self-signed certificate anyway. So in fact if you are using a self-signed certificate for these services, you really never have to worry about resetting them. Still I suppose it is always a good idea to manually reset the certificates just to be on the safe side. (Someone from cPanel can best answer this question).
You can reset the certificates now and it will generate a new self-signed certificate which will expire a year from today (I think). You don't have to wait and reset it on the date that the certificate expires.
If you are using a purchased certificate, then you don't need to follow these rules. If you purchased a certificate for these services and it is expiring then you need to renew that certificate with your certificate authority. However the line of questioning in this thread seems to be for self-signed certificates.
ditto that.. all the unknowns listed can't be good.. so how do we generate/install a proper self-signed cert for these backend services?Originally Posted by krisdv
The unknowns really don't matter because the certificate is self-signed. You can fill out your own CSR and generate a self-signed certificate to get rid of these unknowns, but it won't really affect anything. I've never come across a situation where a customer questioned the integrity of the self-signed certificate solely because there was no location information in the certificate. They have questioned the self-signed certificate, but because their browser is not able to recognize the certificate as being authoritative (which is the nature of self-signed certificates).
To generate a self-signed certificate that answers these Unknowns you need to generate a CSR for the domain. In the WHM scroll down to Generate a SSL Certificate and Signing Request. Answer the questions as you see fit. The Host to make cert for field needs to be the hostname of the server (i.e. host.domain.com, server.domain.com, etc.). It can actually be any domain that resolves to the server, but generally you want this to be something universal, because all of the domains that are hosted on that server will be using this certificate.
Click on Create. This will generate three blobs of text, a Certificate Signing Request, a Private Key, and a Self-Signed Certificate. Copy the Private Key (probably won't need it) and Self-Signed Certificate blobs into a text file.
Now go back to the top of the WHM, click the link Manage Service SSL Certificates and for the desired service click on Install new Certificate. In the top box, paste the Self-Signed Certificate blob that you just created. When you click out of that textbox, the javascript on this page should automatically fetch the certificate hostname and the private key. If it doesn't then fill in these fields appropriately. Then click on Submit.
You have now installed a self-signed certificate for that service with specific answers to the Unknown fields. You can install this same certificate for each of the services. But note the hostname that you made the certificate out for. If you install this for Exim Server, then to properly use the secure SSL SMTP, then when you connect to the outgoing mail server you have to use the hostname that you created the certificate for (host.domain.com). Otherwise your e-mail client will complain about a server name and certificate name mismatch. You will still get a warning popup on all of your clients saying that the certificate is not recognized as authoritative, but again you can't bypass this with a self-signed certificate (though you can permanently accept the certificate to bypass this in the future -- until the certificate expires).
The above is correct. When a certificate expires, whether it is self-signed or from a CA, cPanel will automatically create a self-signed certificate to replace the expired certificate.
As sparek-3 mentioned, for certificates obtained from a CA you need to replace it before the expiration date to prevent its replacement with the self-signed one.
Is ther anything that can be done to clear up false positives? Mine is good through Sep 21 2009 as seen below.
Issuer: C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1
Not Before: Sep 11 19:16:53 2007 GMT
Not After: Sep 21 19:16:53 2009 GMT
Subject: C=US, O=host.nuqnet.com, OU=GT63087791, OU=See www.rapidssl.com/resources/cps (c)07, OU=Domain Control Validated - RapidSSL(R), CN=host.nuqnet.com
Self Signed: NO
i am now getting these email errors:
Certificate for cpanel and Certificate for courier-pop3d. 3 errors tottal now, same error message just different service i guess.
what is causing this and how do we fix it?
Expired certificiates--NOT
We have installed certs for the services which do not expire until Jun 10 2010, however every time we update cPanel, we get errors telling us that the certificates for service (courier, ftp, etc.) were expired. This has happened on servers with Release and Current builds in the last month.
LinkBack URL
About LinkBacks
Reply With Quote