IMAP/POP SSL Failed SNI

ispweb

Member
PartnerNOC
Aug 22, 2014
cPanel Access Level
DataCenter Provider
We have a cPanel server for mail only with Let's Encrypt installed; everything worked fine until today. We get certificate warnings when connecting to POP or IMAP, and we are getting the default SSL certificate from the server.

All our clients connect to mail.[domainname.extension]; the SSL certificate is created but is not visible in the directory /var/cpanel/ssl/domain_tls/.

It is also not in the file /etc/dovecot/sni.conf.

Rebuilding with /scripts/build_mail_sni --rebuild_dovecot_sni_conf doesn't do anything, because I think it looks for the files in /var/cpanel/ssl/domain_tls/.

I removed an SSL certificate from a website and did a new request; the SSL certificate is generated successfully but is not placed in /var/cpanel/ssl/domain_tls/.

When I get the CRT from Manage SSL Host and install it again with Install an SSL Certificate on a Domain, the files are created in /var/cpanel/ssl/domain_tls/.

And after /scripts/build_mail_sni --rebuild_dovecot_sni_conf that domain works again, but I don't want to do this manually for all the domains.

Help needed!

Raymond Hayes

Member
May 6, 2019
United States
cPanel Access Level
Root Administrator
This is not working for me. All mail connections are identifying as the main server SSL certificate, and SNI is not working. I have tried to rebuild after switching to Comodo... I even removed and let AutoSSL regenerate, and I am still getting errors for mail connections.
 

grindlay

Well-Known Member
Dec 8, 2004
Edinburgh, Scotland
cPanel Access Level
Root Administrator
As @ispweb mentions, you can also work around it by adding domains manually to your
Code:
/etc/dovecot/sni.conf
file and restarting Dovecot.
Keep a backup, because at the moment running the
Code:
/scripts/build_mail_sni --rebuild_dovecot_sni_conf
script will remove them.
 

LoadFactor

Well-Known Member
Jul 12, 2013
cPanel Access Level
Root Administrator
Switched to the cPanel certs for the moment but more often than not cPanel is responding with

The “cPanel (powered by Sectigo)” provider cannot currently accept incoming requests. The system will try again later.

So not exactly a fix.
 

grindlay

Well-Known Member
Dec 8, 2004
Edinburgh, Scotland
cPanel Access Level
Root Administrator
Looks like the patch released this morning adds all your domains to /etc/dovecot/sni.conf.
This works okay, assuming you have valid certs for each of the domains.
 

grindlay

Well-Known Member
Dec 8, 2004
Edinburgh, Scotland
cPanel Access Level
Root Administrator
An additional problem is that LetsEncrypt is rate-limited to 50 certificate validations per domain per week. So if you have been running AutoSSL a lot, in an attempt to get your certs to validate, you may well hit the limit. I'm stuck with a number of invalid certs which I can't renew because "MASTER DCV: A rate limit prevents DCV."
 

Misiek

Well-Known Member
Feb 23, 2004
cPanel Access Level
Root Administrator
Yes, same problem for me, and the new problem is that clients using an SSL connection to mail.domain.com to send email now receive an error that the domain certificate does not match the server certificate. Any ideas??
 

grindlay

Well-Known Member
Dec 8, 2004
Edinburgh, Scotland
cPanel Access Level
Root Administrator
A temporary workaround, if your certificate is waiting to revalidate, is to get the mail client to connect to the FQDN of the server.
I have one domain that is firmly stuck because of rate limiting, so I got them to connect to ds.myserver.com (insert your FQDN). Because Dovecot is presenting the server cert, the mail client accepts it. Of course you'd need to change it back when your domain cert validates. Probably easier just to create an exception in the mail client for the server's cert. That way, when the domain cert validates, the client should automatically switch over.
 

Misiek

Well-Known Member
Feb 23, 2004
cPanel Access Level
Root Administrator
That is not a solution; try explaining to hundreds of clients that they need to change their SMTP configuration. And this is also not the issue: the problem is not with Dovecot, only with SMTP.
 

grindlay

Well-Known Member
Dec 8, 2004
Edinburgh, Scotland
cPanel Access Level
Root Administrator
Indeed. Perhaps explaining that if their mail client raises an exception, they can click through and accept it, just so they can keep working until DV completes. They shouldn't notice when the exception is no longer required, at least that's my understanding of how mail clients work.
 

StevenC99

Member
Oct 1, 2020
Planet Earth
cPanel Access Level
Root Administrator
When making an SMTP connection to Exim, the client specifies via SNI which certificate it is expecting.
According to the /etc/exim.conf setting "tls_certificate =", the SMTP server hostname (from SNI) is looked up in /var/cpanel/ssl/domain_tls/.
There should be a folder there, e.g. "mail.example.com", containing a file called "combined" that holds the appropriate SSL certificate and chain.

As far as I can tell, AutoSSL doesn't update the certificate in /var/cpanel/ssl/domain_tls/. I'm not sure which cPanel component is supposed to do that. (And I haven't updated anything on the server recently, so this might be e.g. a side-effect of LetsEncrypt's old trust root expiring recently).

The quickest workaround I can think of is to manually create directory /var/cpanel/ssl/domain_tls/mail.example.com/ containing a file called "combined" containing the appropriate private key and certificates (whole trust chain). I don't want to do that by hand for 1000 domains though, so I will see if I can write some script for this...
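An added audit script (my own example, not a cPanel script and not StevenC99's), following the layout described above: it checks that each mail hostname has a /var/cpanel/ssl/domain_tls/<host>/combined bundle holding a private key and a certificate chain, so you can see which domains will fall back to the server's default certificate before clients do. The directory, the hostnames and the test data are assumptions I constructed; the optional live check needs the openssl CLI and a reachable server.

```shell
#!/bin/sh
# Added example: audit the per-hostname "combined" bundles that the Exim/Dovecot SNI
# lookup reads from /var/cpanel/ssl/domain_tls/<host>/combined (layout as described
# in the thread). The directory is overridable so constructed data can be checked.
DOMAIN_TLS_DIR="${DOMAIN_TLS_DIR:-/var/cpanel/ssl/domain_tls}"

# check_bundle BASE HOST: report whether BASE/HOST/combined looks usable for SNI.
# Returns 0 if it holds a private key and at least a leaf plus one chain certificate.
check_bundle() {
    bundle="$1/$2/combined"
    if [ ! -f "$bundle" ]; then
        echo "$2: MISSING ($bundle not found; clients will get the server's default cert)"
        return 1
    fi
    if ! grep -q 'BEGIN .*PRIVATE KEY' "$bundle"; then
        echo "$2: NO-KEY (bundle has no private key block)"
        return 2
    fi
    certs=$(grep -c 'BEGIN CERTIFICATE' "$bundle" || true)
    if [ "$certs" -lt 2 ]; then
        echo "$2: NO-CHAIN ($certs certificate block, intermediate chain missing)"
        return 3
    fi
    echo "$2: OK ($certs certificate blocks)"
    return 0
}

# audit_hosts BASE HOST...: check every host, return the number of bad bundles.
audit_hosts() {
    base="$1"; shift
    bad=0
    for h in "$@"; do
        check_bundle "$base" "$h" || bad=$((bad + 1))
    done
    return "$bad"
}

# live_sni_subject HOST PORT: show what the running service actually presents for
# that SNI name (993 IMAPS, 995 POP3S, 465 SMTPS). Not exercised offline.
live_sni_subject() {
    printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -subject -enddate 2>/dev/null
}

# Usage after sourcing: audit_hosts "$DOMAIN_TLS_DIR" mail.example.com mail.example.net
```

A host reported as OK here can still be served the wrong certificate if the bundle's leaf does not cover that name, so follow up with live_sni_subject on the ports the clients use.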