The Community Forums

Interact with an entire community of cPanel & WHM users.
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

[Case 187749] Reinstalling an SSL certificate without SNI mail enabled

Discussion in 'E-mail Discussions' started by texas90, Feb 20, 2015.

  1. texas90

    texas90 Member

    Joined:
    Jun 10, 2014
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I received this error in email.
    Can someone tell me what exactly does this error mean?
    I didn't change any files so why can't the system find that file and directory?

    Starting Dovecot Imap: doveconf: Fatal: Error in configuration file /etc/dovecot/sni.conf line 2: ssl_cert: Can't open file /var/cpanel/ssl/installed/certs/paypcla_com_...............crt: No such file or directory
     
    #1 texas90, Feb 20, 2015
    Last edited: Feb 20, 2015
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Check to verify if the file referenced in that error message exists. EX:

    Code:
    ls -al /var/cpanel/ssl/installed/certs/$.crt
    If it exists, then feel free to open a support ticket so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  3. texas90

    texas90 Member

    Joined:
    Jun 10, 2014
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    After a few minutes Imap started running again. Should I do somthing now or all is well?
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  5. visiba

    visiba Member

    Joined:
    Feb 24, 2013
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    We're having the same problem since cPanel upgraded to 11.48.3.0

    Startup Log:
    Starting Dovecot Imap: doveconf: Fatal: Error in configuration file /etc/dovecot/sni.conf line 17: ssl_cert: Can't open file /var/cpanel/ssl/installed/certs/www_xxx_6529_362a663e4d04a4d256eaacc36d58dfc5.crt: No such file or directory
    [FAILED]


    EDIT: imap recovered after 4 failed restart attempts.
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  7. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Messages:
    1,126
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    FYI, we were alerted last night that IMAP and POP3 were down. The error is the same as others have mentioned:

    In checking /etc/dovecot/sni.conf, there is no reference to the domain I've redacted above on line 7, or anywhere in the config. We DO have an SSL certificate installed for this customer, and I think it was last week that I renewed that SSL certificate, and during installation, I'm very sure I unchecked the SNI checkbox. I definitely did NOT do anything related to SSL on this server yesterday... so I'm unsure why it chose last night to break Dovecot.

    EDIT: I see that last night we were auto-updated from 11.48.3.0 to 11.48.4.2, so now we know WHY we got this error last night and not previously.

    Frankly, I'd just as soon disable SNI for email at this time, especially if it's going to cause problems like this, but I am not sure of the best way. I never purposely enabled it, ever. It must have been auto-enabled during a WHM upgrade at some point.

    - Scott
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    Internal case number 187749 is open to address an issue where reinstalling an SSL certificate without SNI mail enabled (it was previously enabled) leaves a stale entry in /etc/dovecot/sni.conf. Please open a support ticket using the link in my signature if this is not what's happened in your circumstance. You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  9. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Messages:
    1,126
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    Thanks, Michael. That is exactly what is happening. Did my description help find this, or did you already have an open case on this?

    - Scott
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Another customer opened a support ticket which allowed us to reproduce the issue and open an internal case. However, we do appreciate your description of the issue. Thank you for confirming it's the same problem that you are experiencing.

    Thank you.
     
  11. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Messages:
    1,126
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    It happened again last night. I'm assuming the Internal case hasn't actually created a fix for this yet?

    - Scott
     
  12. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Messages:
    1,126
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    Michael, is there a work-around for now? i.e. if I do not want to use SNI for mail at this time, can I do something so that future WHM updates don't cause POP and IMAP to repeatedly fail and cause late night alerts?

    - Scott
     
  13. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    There's no update for this case to report at this time. You can monitor our change log for the case number to see when it's been released:

    11.48 - Change Log

    This thread is noted in the internal case. The workaround at this time is to reinstall the certificate again and make sure SNI is enabled. Or, run the following command to repair the sni.conf file:

    Code:
    /scripts/build_mail_sni --rebuild_map_file --rebuild_dovecot_sni_conf
    Thank you.
     
    nwd likes this.
  14. nwd

    nwd Member

    Joined:
    Feb 28, 2014
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Thanks @cPanelMichael, your code fixed they same issue I was having with same error etc... I do want to add some additional info that has lead myself to this same issue in case others are searching for it, since most got to this error from some other means and not doing anything with SNI/installing new certificate.
    For example, I had an GeoTrust SSL on the cPanel services /server itself, but then changed the hostname (using on different new server/ISP etc...) and then went in to Manage Service SSL Certificates, under actions, Reset Certificate (wanted to use self-cert SSL) where it updated the correct certificate domain (newhostname.domain.com).
    After I did that, this situation in this thread occurred and your script fixed that. If this helps one extra person searching for these other keywords to find your solution, great.
     
  15. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  16. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Messages:
    1,126
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    FYI, we had this happen again last night. In a slightly different plot twist... we had changed a customer's domain name via Modify Account. The customer had an SSL certificate prior to the change, and after the change we installed a new SSL certificate. Both times, we left the checkbox checked for SNI Mail.

    When the server tried to do an upcp last night, Dovecot (IMAP & POP) died and could not be restarted. The error was:

    Sure enough, when looking at /etc/dovecot/sni.conf, the OLD domain name (and the NEW domain name) were both in there. I'm assuming the fix is to simply remove the lines related to the OLD domain and restart Dovecot... which seemed to work. But maybe that sni.conf will get rebuilt with bad information and hose us again?

    - Scott
     
  17. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Internal case CPANEL-3114 adds a sanity check for the sni.conf file. It's scheduled for inclusion with cPanel version 56.

    Thank you.
     
Loading...

Share This Page