IMAP/POP SSL Failed SNI

ispweb

Member
PartnerNOC
Aug 22, 2014
9
2
53
cPanel Access Level
DataCenter Provider
We have a cpanel for mail only with let's encrypt installed, everything worked fine until today. We get certificate warnings when connecting to POP or IMAP, we are getting the default SSL from the server.

All our clients connect on mail.[domainname.extension] and the SSL is created but not visible in the directory /var/cpanel/ssl/domain_tls/

Also not in the file /etc/dovecot/sni.conf

Rebuild with : /scripts/build_mail_sni --rebuild_dovecot_sni_conf , doesn't do anything because i think it looks for the files in /var/cpanel/ssl/domain_tls/

I removed an SSL from a website, and did a new request, SSL is generated succesfull but not placed in /var/cpanel/ssl/domain_tls/

When i get the CRT from Manage SSL Host and install it again with : Install an SSL Certificate on a Domain the files are created in /var/cpanel/ssl/domain_tls/

And after /scripts/build_mail_sni --rebuild_dovecot_sni_conf that domain works again, but i dont want to do this manualy for all the domains.

Help needed !
 
  • Like
Reactions: fiznarp

grindlay

Well-Known Member
Dec 8, 2004
55
3
158
Edinburgh, Scotland
cPanel Access Level
Root Administrator

ispweb

Member
PartnerNOC
Aug 22, 2014
9
2
53
cPanel Access Level
DataCenter Provider

Raymond Hayes

Member
May 6, 2019
14
5
3
United States
cPanel Access Level
Root Administrator
This is not working for me. All mail connections are identifying as the main server SSL, and SNI is not working. I have tried to rebuild after switching to Comodo...I even removed and let autossl regenerate, and still getting errors for mail connections.
 

grindlay

Well-Known Member
Dec 8, 2004
55
3
158
Edinburgh, Scotland
cPanel Access Level
Root Administrator
As @ispweb mentions, you can also workaround by adding domains manually to your
Code:
/etc/dovecot/sni.conf
file and restart Dovecot.
Keep a backup cos atm, running the
Code:
 /scripts/build_mail_sni --rebuild_dovecot_sni_conf
script will remove them.
 

LoadFactor

Well-Known Member
Jul 12, 2013
61
8
133
cPanel Access Level
Root Administrator
Switched to the cPanel certs for the moment but more often than not cPanel is responding with

The “cPanel (powered by Sectigo)” provider cannot currently accept incoming requests. The system will try again later.

So not exactly a fix.
 

grindlay

Well-Known Member
Dec 8, 2004
55
3
158
Edinburgh, Scotland
cPanel Access Level
Root Administrator
Looks like the patch released this morning adds all your domains to /etc/dovecot/sni.conf
This works okay, assuming you have valid certs for each of the domains.
 

grindlay

Well-Known Member
Dec 8, 2004
55
3
158
Edinburgh, Scotland
cPanel Access Level
Root Administrator
An additional problem is that LetsEncrypt is rate-limited to 50 certificate validations per domain per week. So if you have been running AutoSSL a lot, in an attempt to get your certs to validate, you may well hit the limit. I'm stuck with a number of invalid certs which I can't renew because "MASTER DCV: A rate limit prevents DCV."
 

Misiek

Well-Known Member
Feb 23, 2004
128
3
168
cPanel Access Level
Root Administrator
Yes same problem for me and new problem is client using mail.domain.com ssl connection to send email now revcieve error that domain certificate do not fit to server certificate, any ideas ??
 

grindlay

Well-Known Member
Dec 8, 2004
55
3
158
Edinburgh, Scotland
cPanel Access Level
Root Administrator
A temporary workaround, if your certificate is waiting to revalidate, is to get the mail client to connect to the FQDN of the server.
I have one domain that is firmly stuck because of rate limiting, so I got them to connect to ds.myserver.com (insert your FQDN). Because Dovecot is presenting the server cert, the mail client accepts it. Of course you'd need to change it back when your domain cert validates. Probably easier just to create an exception in the mail client for the server's cert. That way, when the domain cert validates, the client should automatically switch over.
 

Misiek

Well-Known Member
Feb 23, 2004
128
3
168
cPanel Access Level
Root Administrator
That is not a solution, try to explain hundreds of clients to change their SMTP configuration and this is also not the issue. The problem is not with dovecot only with smtp.
 

grindlay

Well-Known Member
Dec 8, 2004
55
3
158
Edinburgh, Scotland
cPanel Access Level
Root Administrator
Indeed. Perhaps explaining that if their mail client raises an exception, they can click through and accept it, just so they can keep working until DV completes. They shouldn't notice when the exception is no longer required, at least that's my understanding of how mail clients work.
 

StevenC99

Member
Oct 1, 2020
10
5
3
Planet Earth
cPanel Access Level
Root Administrator
When making an SMTP connection to Exim, the client specifies via SNI which certificate they are expecting.
According to the /etc/exim.conf setting "tls_certificate =" the SMTP server hostname (from SNI) is looked up in /var/cpanel/ssl/domain_tls/
If there should be a folder e.g. "mail.example.com" it should contain a file called "combined" containing the appropriate SSL certificate and chain.

As far as I can tell, AutoSSL doesn't update the certificate in /var/cpanel/ssl/domain_tls/. I'm not sure which cPanel component is supposed to do that. (And I haven't updated anything on the server recently, so this might be e.g. a side-effect of LetsEncrypt's old trust root expiring recently).

The quickest workaround I can think of is to manually create directory /var/cpanel/ssl/domain_tls/mail.example.com/ containing a file called "combined" containing the appropriate private key and certificates (whole trust chain). I don't want to do that by hand for 1000 domains though, so I will see if I can write some script for this...