[Case 187749] Reinstalling an SSL certificate without SNI mail enabled

texas90

Member
Jun 10, 2014
22
0
1
cPanel Access Level
Root Administrator
I received this error in email.
Can someone tell me what exactly does this error mean?
I didn't change any files so why can't the system find that file and directory?

Starting Dovecot Imap: doveconf: Fatal: Error in configuration file /etc/dovecot/sni.conf line 2: ssl_cert: Can't open file /var/cpanel/ssl/installed/certs/paypcla_com_...............crt: No such file or directory
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,203
363
Hello :)

Check to verify if the file referenced in that error message exists. EX:

Code:
# Set CERT_FILE to the certificate file name (without .crt) from the error message
ls -al "/var/cpanel/ssl/installed/certs/${CERT_FILE}.crt"
If it exists, then feel free to open a support ticket so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

Thank you.
 

cPanelMichael

You can open a support ticket if this happens again so we can take a closer look and determine why it's happening.

Thank you.
 

visiba

Member
Feb 24, 2013
11
2
53
cPanel Access Level
Root Administrator
We're having the same problem since cPanel upgraded to 11.48.3.0

Startup Log:
Starting Dovecot Imap: doveconf: Fatal: Error in configuration file /etc/dovecot/sni.conf line 17: ssl_cert: Can't open file /var/cpanel/ssl/installed/certs/www_xxx_6529_362a663e4d04a4d256eaacc36d58dfc5.crt: No such file or directory
[FAILED]


EDIT: imap recovered after 4 failed restart attempts.
 

cPanelMichael

Hello,

Is there an SSL certificate installed for the domain name referenced on line 17 of /etc/dovecot/sni.conf?

Thank you.
 

sneader

Well-Known Member
Aug 21, 2003
1,178
57
178
La Crosse, WI
cPanel Access Level
Root Administrator
FYI, we were alerted last night that IMAP and POP3 were down. The error is the same as others have mentioned:

Startup Log:
Starting Dovecot Imap: doveconf: Fatal: Error in configuration file /etc/dovecot/sni.conf line 7: ssl_cert: Can't open file /var/cpanel/ssl/installed/certs/www_redacted_com_ba7f1_81135_1429798925_2a9fa1e68b8cd97a98c73e06b8bd950f.crt: No such file or directory
[FAILED]
In checking /etc/dovecot/sni.conf, there is no reference to the domain I've redacted above on line 7, or anywhere in the config. We DO have an SSL certificate installed for this customer, and I think it was last week that I renewed that SSL certificate, and during installation, I'm very sure I unchecked the SNI checkbox. I definitely did NOT do anything related to SSL on this server yesterday... so I'm unsure why it chose last night to break Dovecot.

EDIT: I see that last night we were auto-updated from 11.48.3.0 to 11.48.4.2, so now we know WHY we got this error last night and not previously.

Frankly, I'd just as soon disable SNI for email at this time, especially if it's going to cause problems like this, but I am not sure of the best way. I never purposely enabled it, ever. It must have been auto-enabled during a WHM upgrade at some point.

- Scott
 

cPanelMichael

Hello,

Internal case number 187749 is open to address an issue where reinstalling an SSL certificate without SNI mail enabled (it was previously enabled) leaves a stale entry in /etc/dovecot/sni.conf. Please open a support ticket using the link in my signature if this is not what's happened in your circumstance. You can post the ticket number here so we can update this thread with the outcome.

Thank you.
 

sneader

Thanks, Michael. That is exactly what is happening. Did my description help find this, or did you already have an open case on this?

- Scott
 

cPanelMichael

sneader said: "Thanks, Michael. That is exactly what is happening. Did my description help find this, or did you already have an open case on this?"
Another customer opened a support ticket which allowed us to reproduce the issue and open an internal case. However, we do appreciate your description of the issue. Thank you for confirming it's the same problem that you are experiencing.

Thank you.
 

sneader

It happened again last night. I'm assuming the Internal case hasn't actually created a fix for this yet?

- Scott
 

sneader

Michael, is there a work-around for now? i.e. if I do not want to use SNI for mail at this time, can I do something so that future WHM updates don't cause POP and IMAP to repeatedly fail and cause late night alerts?

- Scott
 

cPanelMichael

There's no update for this case to report at this time. You can monitor our change log for the case number to see when it's been released:

11.48 - Change Log

This thread is noted in the internal case. The workaround at this time is to reinstall the certificate again and make sure SNI is enabled. Or, run the following command to repair the sni.conf file:

Code:
/scripts/build_mail_sni --rebuild_map_file --rebuild_dovecot_sni_conf
Thank you.
 

nwd

Member
Feb 28, 2014
14
0
51
cPanel Access Level
Root Administrator
Thanks @cPanelMichael, your code fixed the same issue I was having with the same error etc... I do want to add some additional info that has led me to this same issue in case others are searching for it, since most got to this error from some other means and not doing anything with SNI/installing new certificate.
For example, I had a GeoTrust SSL on the cPanel services/server itself, but then changed the hostname (using on different new server/ISP etc...) and then went in to Manage Service SSL Certificates, under actions, Reset Certificate (wanted to use self-cert SSL) where it updated the correct certificate domain (newhostname.domain.com).
After I did that, this situation in this thread occurred and your script fixed that. If this helps one extra person searching for these other keywords to find your solution, great.
 

cPanelMichael

I am happy to see your issue is now addressed. Thank you for the additional information.
 

sneader

FYI, we had this happen again last night. In a slightly different plot twist... we had changed a customer's domain name via Modify Account. The customer had an SSL certificate prior to the change, and after the change we installed a new SSL certificate. Both times, we left the checkbox checked for SNI Mail.

When the server tried to do an upcp last night, Dovecot (IMAP & POP) died and could not be restarted. The error was:

Starting Dovecot Imap: doveconf: Fatal: Error in configuration file /etc/dovecot/sni.conf line 52: ssl_cert: Can't open file /var/cpanel/ssl/installed/certs/theolddomain_com_e005b_34329_1462060799_3ffefc813e05fd8c48747457c2367eac.crt: No such file or directory
Sure enough, when looking at /etc/dovecot/sni.conf, the OLD domain name (and the NEW domain name) were both in there. I'm assuming the fix is to simply remove the lines related to the OLD domain and restart Dovecot... which seemed to work. But maybe that sni.conf will get rebuilt with bad information and hose us again?

- Scott
 

cPanelMichael

sneader said: "But maybe that sni.conf will get rebuilt with bad information and hose us again?"
Internal case CPANEL-3114 adds a sanity check for the sni.conf file. It's scheduled for inclusion with cPanel version 56.

Thank you.
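
Added example, not part of the thread and not cPanel's own code: a pre-restart check that lists every `ssl_cert`/`ssl_key` entry in a Dovecot SNI config whose file is missing, which is the condition behind the `doveconf: Fatal ... Can't open file` errors reported above. It assumes sni.conf uses Dovecot `local_name "domain" { ssl_cert = </path ... }` blocks; the function names and the sample domains and files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report stale certificate/key references in a Dovecot SNI config.
# Assumed layout: local_name "domain" { ssl_cert = </path ; ssl_key = </path }

# Prints "<line>: <local_name>: <setting>: <path>" for each referenced file that is missing.
find_stale_sni_entries() {
    conf=$1
    awk '
        BEGIN { name = "-" }
        /^[ \t]*local_name[ \t]/ {
            name = $2; gsub(/"/, "", name)        # remember the enclosing block
        }
        /^[ \t]*ssl_(cert|key)[ \t]*=[ \t]*</ {
            setting = $1; sub(/=.*/, "", setting)
            path = $0; sub(/^[^<]*</, "", path)   # value is "<" followed by the file path
            sub(/[ \t]+$/, "", path)
            print NR "\t" name "\t" setting "\t" path
        }
    ' "$conf" |
    while IFS="$(printf '\t')" read -r line name setting path; do
        [ -f "$path" ] || printf '%s: %s: %s: %s\n' "$line" "$name" "$setting" "$path"
    done
}

# Constructed demo: one block whose files exist, one block pointing at a removed certificate.
demo() {
    dir=$(mktemp -d)
    : > "$dir/new.crt"; : > "$dir/new.key"
    cat > "$dir/sni.conf" <<EOF
local_name "newdomain.example" {
  ssl_cert = <$dir/new.crt
  ssl_key = <$dir/new.key
}
local_name "olddomain.example" {
  ssl_cert = <$dir/old.crt
  ssl_key = <$dir/new.key
}
EOF
    find_stale_sni_entries "$dir/sni.conf"
    rm -rf "$dir"
}
demo
```

On a server, `find_stale_sni_entries /etc/dovecot/sni.conf` gives the line numbers to compare against the one in the doveconf error before deciding whether to rebuild the file with the `/scripts/build_mail_sni` command quoted earlier in the thread.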