[Case 187749] Reinstalling an SSL certificate without SNI mail enabled

[texas90]

I received this error in email.
Can someone tell me what exactly does this error mean?
I didn't change any files so why can't the system find that file and directory?

Starting Dovecot Imap: doveconf: Fatal: Error in configuration file /etc/dovecot/sni.conf line 2: ssl_cert: Can't open file /var/cpanel/ssl/installed/certs/paypcla_com_...............crt: No such file or directory

 

[cPanelMichael]

Hello

Check to verify if the file referenced in that error message exists. EX:

ls -al /var/cpanel/ssl/installed/certs/$.crt

If it exists, then feel free to open a support ticket so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

Thank you.

 

[texas90]

After a few minutes Imap started running again. Should I do somthing now or all is well?

 

[cPanelMichael]

You can open a support ticket if this happens again so we can take a closer look and determine why it's happening.

Thank you.

 

[visiba]

We're having the same problem since cPanel upgraded to 11.48.3.0

Startup Log:
Starting Dovecot Imap: doveconf: Fatal: Error in configuration file /etc/dovecot/sni.conf line 17: ssl_cert: Can't open file /var/cpanel/ssl/installed/certs/www_xxx_6529_362a663e4d04a4d256eaacc36d58dfc5.crt: No such file or directory
[FAILED]


EDIT: imap recovered after 4 failed restart attempts.

 

[cPanelMichael]

Hello,

Is there a SSL certificate installed for the domain name referenced on line 17 of /etc/dovecot/sni.conf?

Thank you.

 

[sneader]

FYI, we were alerted last night that IMAP and POP3 were down. The error is the same as others have mentioned:

Startup Log:
Starting Dovecot Imap: doveconf: Fatal: Error in configuration file /etc/dovecot/sni.conf line 7: ssl_cert: Can't open file /var/cpanel/ssl/installed/certs/www_redacted_com_ba7f1_81135_1429798925_2a9fa1e68b8cd97a98c73e06b8bd950f.crt: No such file or directory
[FAILED]

In checking /etc/dovecot/sni.conf, there is no reference to the domain I've redacted above on line 7, or anywhere in the config. We DO have an SSL certificate installed for this customer, and I think it was last week that I renewed that SSL certificate, and during installation, I'm very sure I unchecked the SNI checkbox. I definitely did NOT do anything related to SSL on this server yesterday... so I'm unsure why it chose last night to break Dovecot.

EDIT: I see that last night we were auto-updated from 11.48.3.0 to 11.48.4.2, so now we know WHY we got this error last night and not previously.

Frankly, I'd just as soon disable SNI for email at this time, especially if it's going to cause problems like this, but I am not sure of the best way. I never purposely enabled it, ever. It must have been auto-enabled during a WHM upgrade at some point.

- Scott

 

[cPanelMichael]

Hello,

Internal case number 187749 is open to address an issue where reinstalling an SSL certificate without SNI mail enabled (it was previously enabled) leaves a stale entry in /etc/dovecot/sni.conf. Please open a support ticket using the link in my signature if this is not what's happened in your circumstance. You can post the ticket number here so we can update this thread with the outcome.

Thank you.

 

[sneader]

Thanks, Michael. That is exactly what is happening. Did my description help find this, or did you already have an open case on this?

- Scott

 

[cPanelMichael]

Thanks, Michael. That is exactly what is happening. Did my description help find this, or did you already have an open case on this?

Another customer opened a support ticket which allowed us to reproduce the issue and open an internal case. However, we do appreciate your description of the issue. Thank you for confirming it's the same problem that you are experiencing.

Thank you.

 

[sneader]

It happened again last night. I'm assuming the Internal case hasn't actually created a fix for this yet?

- Scott

 

[sneader]

Michael, is there a work-around for now? i.e. if I do not want to use SNI for mail at this time, can I do something so that future WHM updates don't cause POP and IMAP to repeatedly fail and cause late night alerts?

- Scott

 

[cPanelMichael]

There's no update for this case to report at this time. You can monitor our change log for the case number to see when it's been released:

11.48 - Change Log

This thread is noted in the internal case. The workaround at this time is to reinstall the certificate again and make sure SNI is enabled. Or, run the following command to repair the sni.conf file:

/scripts/build_mail_sni --rebuild_map_file --rebuild_dovecot_sni_conf

Thank you.

 

[nwd]

Thanks @cPanelMichael, your code fixed they same issue I was having with same error etc... I do want to add some additional info that has lead myself to this same issue in case others are searching for it, since most got to this error from some other means and not doing anything with SNI/installing new certificate.
For example, I had an GeoTrust SSL on the cPanel services /server itself, but then changed the hostname (using on different new server/ISP etc...) and then went in to Manage Service SSL Certificates, under actions, Reset Certificate (wanted to use self-cert SSL) where it updated the correct certificate domain (newhostname.domain.com).
After I did that, this situation in this thread occurred and your script fixed that. If this helps one extra person searching for these other keywords to find your solution, great.

 

[cPanelMichael]

I am happy to see your issue is now addressed. Thank you for the additional information.

 

[sneader]

FYI, we had this happen again last night. In a slightly different plot twist... we had changed a customer's domain name via Modify Account. The customer had an SSL certificate prior to the change, and after the change we installed a new SSL certificate. Both times, we left the checkbox checked for SNI Mail.

When the server tried to do an upcp last night, Dovecot (IMAP & POP) died and could not be restarted. The error was:

Starting Dovecot Imap: doveconf: Fatal: Error in configuration file /etc/dovecot/sni.conf line 52: ssl_cert: Can't open file /var/cpanel/ssl/installed/certs/theolddomain_com_e005b_34329_1462060799_3ffefc813e05fd8c48747457c2367eac.crt: No such file or directory

Sure enough, when looking at /etc/dovecot/sni.conf, the OLD domain name (and the NEW domain name) were both in there. I'm assuming the fix is to simply remove the lines related to the OLD domain and restart Dovecot... which seemed to work. But maybe that sni.conf will get rebuilt with bad information and hose us again?

- Scott

 

[cPanelMichael]

But maybe that sni.conf will get rebuilt with bad information and hose us again?

Internal case CPANEL-3114 adds a sanity check for the sni.conf file. It's scheduled for inclusion with cPanel version 56.

Thank you.