The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Certificate for courier-imapd on ns1.site.com will expire in less then 30

Discussion in 'General Discussion' started by GoTTi, Jun 17, 2008.

  1. GoTTi

    GoTTi Member

    Joined:
    Dec 6, 2002
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    1
    Certificate for courier-imapd on ns1.site.com will expire in less then 30 days. You should install a new certifcate as soon as possible. You can install a new certificate in WHM under "Manager Service SSL Certificates", or by clicking this link: https://ns1.site.com:2087/scripts2/manageservicecrts

    what does this mean? i got it in my email box today.
     
  2. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,382
    Likes Received:
    23
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    It means that the certificate used for IMAPS on your server will expire in 30 days. If this is a purchased certificate you will need to renew that certificate and reinstall it, following the link in that message.

    However, I have also seen where the e-mail system has sent out false positives. Your certificate may not really be expiring in 30 days. You may want to use that link and check for sure to see when it is expiring.

    If the IMAP service is just using a self-signed certificate then I don't think there is much to worry about. cPanel will generate a new self-signed certificate for the IMAP service after it expires.
     
  3. GoTTi

    GoTTi Member

    Joined:
    Dec 6, 2002
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    1
    ive never installed a cert or anything, so im not sure what it is. i dont alter my server aside from the default stuff already on there, so more then likely this is then just a message from the server and it will re-do whatever it needs to do automatically?
     
  4. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,382
    Likes Received:
    23
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    You are probably using a self-signed certificate for IMAP-ssl. I believe cPanel will reissue another self-signed certificate if the old certificate expires. But someone else might want to correct me if I'm wrong.
     
  5. bsasninja

    bsasninja Well-Known Member

    Joined:
    Sep 2, 2004
    Messages:
    528
    Likes Received:
    0
    Trophy Points:
    16
    same here

    Today I updated cpanel to release 25623 and I received the same message for

    cpanel
    courier-imapd
    courier-pop3d

    Is the first time I receive this message, never used a custom certificate for this services.

    I hope some of the guys of cpanel staff talk about this issue.

    Thanks!
     
  6. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,458
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    What is shown in the Manage Service Certificates interface in WHM for these services?
     
  7. bsasninja

    bsasninja Well-Known Member

    Joined:
    Sep 2, 2004
    Messages:
    528
    Likes Received:
    0
    Trophy Points:
    16
    says this:

    Courier (POP3) Mail Server
    Issuer: C=US, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=server1.domain.com/emailAddress=ssl@server1.domain.com
    Not Before: Jul 10 22:34:35 2007 GMT
    Not After: Jul 9 22:34:35 2008 GMT
    Subject: C=US, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=server1.domain.com/emailAddress=ssl@server1.domain.com
    Self Signed: YES

    And in the right column says: Install new Certificate Reset Certificate

    Expiring on July 9th. Same as courier-imapd and cpanel.

    What should I do??
     
  8. krisdv

    krisdv Well-Known Member

    Joined:
    Jun 18, 2003
    Messages:
    175
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Belgium
    Have the same on several servers. Would be nice to have a procedure how to generate the new self-signed certificate and afterwards install it via the "Manage Service Certificates interface".
     
    #8 krisdv, Jun 20, 2008
    Last edited: Jun 20, 2008
  9. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,382
    Likes Received:
    23
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    Just clicking Reset Certificate will create and install a new self-signed certificate for that service.

    I think, though I am not sure, that if the certificate expires cPanel will create a new self-signed certificate anyway. So in fact if you are using a self-signed certificate for these services, you really never have to worry about resetting them. Still I suppose it is always a good idea to manually reset the certificates just to be on the safe side. (Someone from cPanel can best answer this question).

    You can reset the certificates now and it will generate a new self-signed certificate which will expire a year from today (I think). You don't have to wait and reset it on the date that the certificate expires.

    If you are using a purchased certificate, then you don't need to follow these rules. If you purchased a certificate for these services and it is expiring then you need to renew that certificate with your certificate authority. However the line of questioning in this thread seems to be for self-signed certificates.
     
  10. PPNSteve

    PPNSteve Well-Known Member

    Joined:
    Mar 13, 2003
    Messages:
    393
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Somewhere in Ilex Forest
    cPanel Access Level:
    Root Administrator
    Twitter:
    ditto that.. all the unknowns listed can't be good.. so how do we generate/install a proper self-signed cert for these backend services?
     
  11. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,382
    Likes Received:
    23
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    The unknowns really don't matter because the certificate is self-signed. You can fill out your own CSR and generate a self-signed certificate to get rid of these unknowns, but it won't really affect anything. I've never come across a situation where a customer questioned the integrity of the self-signed certificate solely because there was no location information in the certificate. They have questioned the self-signed certificate, but because their browser is not able to recognize the certificate as being authoritative (which is the nature of self-signed certificates).

    To generate a self-signed certificate that answers these Unknowns you need to generate a CSR for the domain. In the WHM scroll down to Generate a SSL Certificate and Signing Request. Answer the questions as you see fit. The Host to make cert for field needs to be the hostname of the server (i.e. host.domain.com, server.domain.com, etc.). It can actually be any domain that resolves to the server, but generally you want this to be something universal, because all of the domains that are hosted on that server will be using this certificate.

    Click on Create. This will generate three blobs of text, a Certificate Signing Request, a Private Key, and a Self-Signed Certificate. Copy the Private Key (probably won't need it) and Self-Signed Certificate blobs into a text file.

    Now go back to the top of the WHM, click the link Manage Service SSL Certificates and for the desired service click on Install new Certificate. In the top box, paste the Self-Signed Certificate blob that you just created. When you click out of that textbox, the javascript on this page should automatically fetch the certificate hostname and the private key. If it doesn't then fill in these fields appropriately. Then click on Submit.

    You have now installed a self-signed certificate for that service with specific answers to the Unknown fields. You can install this same certificate for each of the services. But note the hostname that you made the certificate out for. If you install this for Exim Server, then to properly use the secure SSL SMTP, then when you connect to the outgoing mail server you have to use the hostname that you created the certificate for (host.domain.com). Otherwise your e-mail client will complain about a server name and certificate name mismatch. You will still get a warning popup on all of your clients saying that the certificate is not recognized as authoritative, but again you can't bypass this with a self-signed certificate (though you can permanently accept the certificate to bypass this in the future -- until the certificate expires).
     
    Metro2 likes this.
  12. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,458
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    The above is correct. When a certificate expires, whether it is self-signed or from a CA, cPanel will automatically create a self-signed certificate to replace the expired certificate.

    As sparek-3 mentioned, for certificates obtained from a CA you need to replace it before the expiration date to prevent its replacement with the self-signed one.
     
  13. nuqnet

    nuqnet Registered

    Joined:
    Jul 24, 2007
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Is ther anything that can be done to clear up false positives? Mine is good through Sep 21 2009 as seen below.

    Issuer: C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1
    Not Before: Sep 11 19:16:53 2007 GMT
    Not After: Sep 21 19:16:53 2009 GMT
    Subject: C=US, O=host.nuqnet.com, OU=GT63087791, OU=See www.rapidssl.com/resources/cps (c)07, OU=Domain Control Validated - RapidSSL(R), CN=host.nuqnet.com
    Self Signed: NO
     
  14. GoTTi

    GoTTi Member

    Joined:
    Dec 6, 2002
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    1
    i am now getting these email errors:

    Certificate for cpanel and Certificate for courier-pop3d. 3 errors tottal now, same error message just different service i guess.

    what is causing this and how do we fix it?
     
  15. opt2bout

    opt2bout Well-Known Member

    Joined:
    Nov 10, 2006
    Messages:
    58
    Likes Received:
    0
    Trophy Points:
    6
    Expired certificiates--NOT

    We have installed certs for the services which do not expire until Jun 10 2010, however every time we update cPanel, we get errors telling us that the certificates for service (courier, ftp, etc.) were expired. This has happened on servers with Release and Current builds in the last month.
     
  16. a66fm

    a66fm Well-Known Member

    Joined:
    Jul 12, 2003
    Messages:
    78
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Greece
    same issue here but in my case i use a turbo ssl certificate that will expire on 2011

    Not Before: Apr 29 07:00:11 2008 GMT
    Not After: Apr 29 07:00:11 2012 GMT

    but the last 2 days i also get the "Certificate for * on * will expire in less then 30 days"






    WHM 11.23.2 cPanel 11.23.3-C26039
     
  17. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    So you are sure the notice refers to that SSL certificate and not any other SSL certificate on the server (e.g. service SSL certificates)?
     
  18. a66fm

    a66fm Well-Known Member

    Joined:
    Jul 12, 2003
    Messages:
    78
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Greece
    yes iam !!! the actuall email(s) that i get is similar to the one below

     
  19. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    I know that often people will install the cert for their website, but forget to also install the cert for the services. You installed the cert for courier-pop3d via WHM, correct?
     
  20. opt2bout

    opt2bout Well-Known Member

    Joined:
    Nov 10, 2006
    Messages:
    58
    Likes Received:
    0
    Trophy Points:
    6
    Just for the record, our latest cPanel update to current did not do this.
    We were getting Emails stating that our service certificates were expired and were replaced with self-signed certs. Even though we updated the cert for each service individually, and the display showed that the cert was valid.
    Our latest update to cPanel 25971 did not cause these erroneous messages to occur.
     
Loading...

Share This Page