Certificate for courier-imapd on ns1.site.com will expire in less then 30

GoTTi

Certificate for courier-imapd on ns1.site.com will expire in less then 30 days. You should install a new certifcate as soon as possible. You can install a new certificate in WHM under "Manager Service SSL Certificates", or by clicking this link: https://ns1.site.com:2087/scripts2/manageservicecrts

What does this mean? I got it in my email box today.
 

sparek-3

It means that the certificate used for IMAPS on your server will expire in 30 days. If this is a purchased certificate you will need to renew that certificate and reinstall it, following the link in that message.

However, I have also seen where the e-mail system has sent out false positives. Your certificate may not really be expiring in 30 days. You may want to use that link and check for sure to see when it is expiring.

If the IMAP service is just using a self-signed certificate then I don't think there is much to worry about. cPanel will generate a new self-signed certificate for the IMAP service after it expires.
 

GoTTi

I've never installed a cert or anything, so I'm not sure what it is. I don't alter my server aside from the default stuff already on there, so more than likely this is then just a message from the server and it will re-do whatever it needs to do automatically?
 

sparek-3

You are probably using a self-signed certificate for IMAP-ssl. I believe cPanel will reissue another self-signed certificate if the old certificate expires. But someone else might want to correct me if I'm wrong.
 

bsasninja

same here

Today I updated cPanel to release 25623 and I received the same message for

cpanel
courier-imapd
courier-pop3d

This is the first time I have received this message; I have never used a custom certificate for these services.

I hope some of the guys on the cPanel staff talk about this issue.

Thanks!
 

cPanelKenneth

cPanel Development
Staff member
What is shown in the Manage Service Certificates interface in WHM for these services?
 

bsasninja

says this:

Courier (POP3) Mail Server
Issuer: C=US, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=server1.domain.com/[email protected]
Not Before: Jul 10 22:34:35 2007 GMT
Not After: Jul 9 22:34:35 2008 GMT
Subject: C=US, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=server1.domain.com/[email protected]
Self Signed: YES

And in the right column says: Install new Certificate Reset Certificate

Expiring on July 9th. Same as courier-imapd and cpanel.

What should I do??
 

krisdv

Have the same on several servers. Would be nice to have a procedure how to generate the new self-signed certificate and afterwards install it via the "Manage Service Certificates interface".
 

sparek-3

Just clicking Reset Certificate will create and install a new self-signed certificate for that service.

I think, though I am not sure, that if the certificate expires cPanel will create a new self-signed certificate anyway. So in fact if you are using a self-signed certificate for these services, you really never have to worry about resetting them. Still I suppose it is always a good idea to manually reset the certificates just to be on the safe side. (Someone from cPanel can best answer this question).

You can reset the certificates now and it will generate a new self-signed certificate which will expire a year from today (I think). You don't have to wait and reset it on the date that the certificate expires.

If you are using a purchased certificate, then you don't need to follow these rules. If you purchased a certificate for these services and it is expiring then you need to renew that certificate with your certificate authority. However the line of questioning in this thread seems to be for self-signed certificates.
 

PPNSteve

> Have the same on several servers. Would be nice to have a procedure how to generate the new self-signed certificate and afterwards install it via the "Manage Service Certificates interface".

ditto that.. all the unknowns listed can't be good.. so how do we generate/install a proper self-signed cert for these backend services?
 

sparek-3

The unknowns really don't matter because the certificate is self-signed. You can fill out your own CSR and generate a self-signed certificate to get rid of these unknowns, but it won't really affect anything. I've never come across a situation where a customer questioned the integrity of the self-signed certificate solely because there was no location information in the certificate. They have questioned the self-signed certificate, but because their browser is not able to recognize the certificate as being authoritative (which is the nature of self-signed certificates).

To generate a self-signed certificate that answers these Unknowns you need to generate a CSR for the domain. In the WHM scroll down to Generate a SSL Certificate and Signing Request. Answer the questions as you see fit. The Host to make cert for field needs to be the hostname of the server (i.e. host.domain.com, server.domain.com, etc.). It can actually be any domain that resolves to the server, but generally you want this to be something universal, because all of the domains that are hosted on that server will be using this certificate.

Click on Create. This will generate three blobs of text, a Certificate Signing Request, a Private Key, and a Self-Signed Certificate. Copy the Private Key (probably won't need it) and Self-Signed Certificate blobs into a text file.

Now go back to the top of the WHM, click the link Manage Service SSL Certificates and for the desired service click on Install new Certificate. In the top box, paste the Self-Signed Certificate blob that you just created. When you click out of that textbox, the javascript on this page should automatically fetch the certificate hostname and the private key. If it doesn't then fill in these fields appropriately. Then click on Submit.

You have now installed a self-signed certificate for that service with specific answers to the Unknown fields. You can install this same certificate for each of the services. But note the hostname that you made the certificate out for. If you install this for Exim Server, then to properly use the secure SSL SMTP, then when you connect to the outgoing mail server you have to use the hostname that you created the certificate for (host.domain.com). Otherwise your e-mail client will complain about a server name and certificate name mismatch. You will still get a warning popup on all of your clients saying that the certificate is not recognized as authoritative, but again you can't bypass this with a self-signed certificate (though you can permanently accept the certificate to bypass this in the future -- until the certificate expires).
 

cPanelKenneth

cPanel Development
Staff member
> I think, though I am not sure, that if the certificate expires cPanel will create a new self-signed certificate anyway. So in fact if you are using a self-signed certificate for these services, you really never have to worry about resetting them. Still I suppose it is always a good idea to manually reset the certificates just to be on the safe side. (Someone from cPanel can best answer this question).

The above is correct. When a certificate expires, whether it is self-signed or from a CA, cPanel will automatically create a self-signed certificate to replace the expired certificate.

As sparek-3 mentioned, for certificates obtained from a CA you need to replace it before the expiration date to prevent its replacement with the self-signed one.
 

nuqnet

Is there anything that can be done to clear up false positives? Mine is good through Sep 21 2009 as seen below.

Issuer: C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1
Not Before: Sep 11 19:16:53 2007 GMT
Not After: Sep 21 19:16:53 2009 GMT
Subject: C=US, O=host.nuqnet.com, OU=GT63087791, OU=See www.rapidssl.com/resources/cps (c)07, OU=Domain Control Validated - RapidSSL(R), CN=host.nuqnet.com
Self Signed: NO
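
An added example, not part of the original thread and not cPanel code: it reads listings in the format WHM's Manage Service Certificates page shows (as posted above) and decides whether a 30-day notice is genuine and which of the actions described in this thread applies. The names `parse_listing` and `assess`, the service keys, the shortened Issuer/Subject lines and the check dates are assumptions made for illustration.

```python
from datetime import datetime, timezone

WARN_DAYS = 30                      # window named in the cPanel notice
TIME_FMT = "%b %d %H:%M:%S %Y GMT"  # date format shown in the WHM listing

# Constructed samples: the two listings posted in this thread, with the
# Issuer/Subject lines shortened. The service names used as keys are assumed.
LISTINGS = {
    "courier-pop3d": """Issuer: C=US, ST=Unknown, L=Unknown, O=Unknown, CN=server1.domain.com
Not Before: Jul 10 22:34:35 2007 GMT
Not After: Jul 9 22:34:35 2008 GMT
Subject: C=US, ST=Unknown, L=Unknown, O=Unknown, CN=server1.domain.com
Self Signed: YES""",
    "courier-imapd": """Issuer: C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1
Not Before: Sep 11 19:16:53 2007 GMT
Not After: Sep 21 19:16:53 2009 GMT
Subject: C=US, O=host.nuqnet.com, CN=host.nuqnet.com
Self Signed: NO""",
}

def parse_listing(text):
    """Turn the 'Key: value' lines of one listing into a small dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            fields[key.strip()] = value.strip()
    not_after = datetime.strptime(fields["Not After"], TIME_FMT)
    return {
        "not_after": not_after.replace(tzinfo=timezone.utc),
        "self_signed": fields["Self Signed"].upper() == "YES",
    }

def assess(text, now):
    """Return (whole days left, verdict) for one listing at time `now`."""
    cert = parse_listing(text)
    days_left = (cert["not_after"] - now).days
    if days_left >= WARN_DAYS:
        return days_left, "false positive: no action needed"
    if cert["self_signed"]:
        return days_left, "self-signed: use Reset Certificate"
    return days_left, "CA-issued: renew and reinstall before expiry"

if __name__ == "__main__":
    now = datetime(2008, 6, 20, tzinfo=timezone.utc)  # constructed check date
    for service, listing in LISTINGS.items():
        print(service, *assess(listing, now))
```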
 

GoTTi

I am now getting these email errors:

Certificate for cpanel and Certificate for courier-pop3d. 3 errors total now, same error message just different service I guess.

What is causing this and how do we fix it?
 

opt2bout

Expired certificates--NOT

We have installed certs for the services which do not expire until Jun 10 2010, however every time we update cPanel, we get errors telling us that the certificates for service (courier, ftp, etc.) were expired. This has happened on servers with Release and Current builds in the last month.
 

a66fm

Same issue here, but in my case I use a turbo ssl certificate that will expire on 2011

Not Before: Apr 29 07:00:11 2008 GMT
Not After: Apr 29 07:00:11 2012 GMT

but the last 2 days I also get the "Certificate for * on * will expire in less then 30 days"

WHM 11.23.2 cPanel 11.23.3-C26039
 

cPanelDavidG

Technical Product Specialist
> Same issue here, but in my case I use a turbo ssl certificate that will expire on 2011
>
> Not Before: Apr 29 07:00:11 2008 GMT
> Not After: Apr 29 07:00:11 2012 GMT
>
> but the last 2 days I also get the "Certificate for * on * will expire in less then 30 days"
>
> WHM 11.23.2 cPanel 11.23.3-C26039

So you are sure the notice refers to that SSL certificate and not any other SSL certificate on the server (e.g. service SSL certificates)?
 

a66fm

> So you are sure the notice refers to that SSL certificate and not any other SSL certificate on the server (e.g. service SSL certificates)?

Yes I am!!! The actual email(s) that I get is similar to the one below

Certificate for courier-pop3d on xxxx.yyyy.net will expire in less then 30 days. You should install a new certifcate as soon as possible. You can install a new certificate in WHM under "Manager Service SSL Certificates", or by clicking this link: https://xxxx.yyyy.net:2087/scripts2/manageservicecrts
 

opt2bout

> I know that often people will install the cert for their website, but forget to also install the cert for the services. You installed the cert for courier-pop3d via WHM, correct?

Just for the record, our latest cPanel update to current did not do this.
We were getting Emails stating that our service certificates were expired and were replaced with self-signed certs. Even though we updated the cert for each service individually, and the display showed that the cert was valid.
Our latest update to cPanel 25971 did not cause these erroneous messages to occur.