In Progress [CPANEL-33077] Letsencrypt transition to ISRG’s Root (Important!!!!!)

eva2000

Well-Known Member
Aug 14, 2001
Brisbane, Australia
cPanel Access Level
Root Administrator
> That's part of the reason we're encouraging people to wait for an official fix - we're getting some reports of AutoSSL not properly replacing certificates, maybe due to rate limiting, or maybe due to other issues.

Might be a good idea to add a 3rd CA provider like ZeroSSL. For my own usage, switching from Letsencrypt to ZeroSSL via the acme.sh client was painless.

cPanelBrianK

Technical Analyst III
Staff member
Sep 5, 2018
Houston
cPanel Access Level
Root Administrator
Update - The second patch has completed testing and has been released to resolve this issue. This will automatically be applied when the next cPanel update occurs. You can manually initiate an update or use the autorepair command below to apply this immediately.

Code:
/scripts/autorepair update_lets_encrypt_cabundles

SupraMario

Active Member
Mar 28, 2006
Executed this script and it picked up a few accounts that I had missed, which is good, except for the one wildcard account where I deleted their SSL to try to 'build it again' :( doh, and Let's Encrypt won't let me grab a new one.

MindServer

Well-Known Member
Mar 18, 2020
Spain
cPanel Access Level
Root Administrator
> Update - The second patch has completed testing and has been released to resolve this issue. This will automatically be applied when the next cPanel update occurs. You can manually initiate an update or use the autorepair command below to apply this immediately.
>
> Code:
> /scripts/autorepair update_lets_encrypt_cabundles

Hi,

Can anybody confirm for us that this patch works correctly and solves the problem?

Thank you very much.

did-vmonroig

Well-Known Member
Feb 6, 2012
cPanel Access Level
Root Administrator
> Hi,
>
> Can anybody confirm for us that this patch works correctly and solves the problem?
>
> Thank you very much.

On our end it's working properly. Some accounts were switched to Sectigo, but others not, as Sectigo seems to be too busy. After applying the script, returning to Let's Encrypt and running AutoSSL for all users, the remaining accounts seem to be SSL protected again.

BTW, the affected server is cPanel v86 with CentOS 6.

Solokron

Well-Known Member
Aug 8, 2003
Seattle
cPanel Access Level
DataCenter Provider
I just ran the update on a batch of 20 servers with no problems.

PhxChris

Registered
Mar 22, 2020
cPanel Access Level
Root Administrator
Patch seems to be working. Now running into Let's Encrypt rate limits (429, Too Many Requests) when getting a nonce. May be due to living in a cPanel-heavy server farm and running into the "500 Accounts per IP Range within an IPv6 /48 per 3 hours" limit. See what happens over the next few hours.

stormy

Well-Known Member
Nov 22, 2003
Spain
cPanel Access Level
Root Administrator
I ran the script successfully. The SSL tests I can run confirm the problem is fixed. However, I have customers using Apple Mail that still get the certificate warning after the fix. I've told them to restart Mail, restart the computer, all to no avail. Any ideas?

mitchkill

Member
Dec 26, 2008
After I ran the fix recommended by cPanel, I had to update the SSL certificates for each of the domain names as someone recommended above. (WHM->List Accounts->Choose an account->SSL/TLS->Manage SSL Sites->Update Certificate->Autofill by Domain->Install Certificate) Once I did that, Dovecot and Exim started to show the proper common names for the domain names. (If you need to check your certificates for a particular port, let me recommend https://www.sslshopper.com/ssl-checker.html. You can add a port to the end of your domain name [e.g. mail.example.com:993] to test certificates for other services)

TheFaSt

Registered
Feb 3, 2004
For us the fix worked, but Exim SNI seems not to be serving the certificates and we get the server certificate. I already opened a ticket with cPanel support but don't know if and when they will reply. Anyone having a fix for that?

toothlessparrot

Registered
Oct 15, 2017
UK
cPanel Access Level
Root Administrator
> On our end it's working properly. Some accounts were switched to Sectigo, but others not, as Sectigo seems to be too busy. After applying the script, returning to Let's Encrypt and running AutoSSL for all users, the remaining accounts seem to be SSL protected again.
>
> BTW, the affected server is cPanel v86 with CentOS 6.

I am running the same, but for some reason the script didn't seem to do anything for me - an AutoSSL run still returns errors:

9:48:15 AM ERROR TLS Status: Defective
Certificate expiry: 12/30/21, 7:07 AM UTC (89.93 days from now)
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:10:CERT_HAS_EXPIRED).
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (1:10:CERT_HAS_EXPIRED).
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (2:10:CERT_HAS_EXPIRED).
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (3:10:CERT_HAS_EXPIRED).

Manually reinstalling the certificates as suggested does get things working again, but it's not an ideal fix when there are 70+ accounts to deal with.

monarobase

Well-Known Member
PartnerNOC
Jan 26, 2010
France
cPanel Access Level
Root Administrator
Thanks! That command seems to have fixed everything for all of our customers. The official instructions about this suggest that you should first back up /etc/dovecot/sni.conf before running those commands:


cPanelBrianK

Technical Analyst III
Staff member
Sep 5, 2018
Houston
cPanel Access Level
Root Administrator
The fix released is expected to perform a re-install for existing certificates that were issued by Let's Encrypt. If you are seeing continued issues like the SNI not being rebuilt or the certificates not passing validation checks through Apache due to this same error, please open a support request so that we can review any possible conflicts with the autorepair task performing as expected.

dandadude

Well-Known Member
Apr 14, 2011
I have done the original working patch that was recommended but still have common name problems with mail clients.

For me, neither
1. /scripts/build_mail_sni --rebuild_dovecot_sni_conf && /scripts/build_mail_sni --restartsrvs
nor
2. WHM->List Accounts->Choose an account->SSL/TLS->Manage SSL Sites->Update Certificate->Autofill by Domain->Install Certificate
solves the issue; the common name is still the main server hostname and thus gives problems with mail clients.

Does anyone have a working fix? I have run the update several times, and AutoSSL for all users several times.