IMAP/POP SSL Failed SNI

Misiek

Well-Known Member
Feb 23, 2004
128
3
168
cPanel Access Level
Root Administrator
[[email protected] mail.mydomain.pl]# ls -la
total 104
drw-r--r-- 2 root root 4096 Oct 1 08:33 .
drwx--x--x 1100 root root 69632 Oct 1 13:16 ..
-rw-r--r-- 1 root root 3793 Oct 1 08:33 certificates
-rw-r--r-- 2 root root 6325 Oct 1 08:33 certificates.cache
-rw-r----- 1 root mail 5468 Oct 1 08:33 combined
-rw-r--r-- 2 root root 6

They're all there; still, Thunderbird reports an error when sending email.
 

StevenC99

Member
Oct 1, 2020
10
5
3
Planet Earth
cPanel Access Level
Root Administrator
Thanks for the pointer to the autofixer script!
It seems the script ( http://httpupdate.cpanel.net/autofixer2/update_lets_encrypt_cabundles ) will just exit without making any change, if you have an older version of cPanel than 11.94. So I changed "94" to "86" in the script, ran it and now all is fine :)
Now I wonder if the change is permanent or if I will need to re-run this after every certificate renewal.
 

StevenC99

-rw-r----- 1 root mail 5468 Oct 1 08:33 combined
For clues, run "openssl s_client -connect localhost:smtps -servername mail.mydomain.pl -CAfile /etc/ssl/certs/ca-bundle.crt" and see which certificate was offered by Exim (subject=/CN=...), and what exactly the validation error was. For me, it was "certificate is expired", not referring to my certificate though, but to the old LetsEncrypt root CA that expired recently.
 

StevenC99

Did it pointing to hostname.pl not to mail.domain.pl
That should be ok. You got the certificate for hostname.pl which should have a Subject Alternative Name for each subdomain including mail.domain.pl.

The important thing is that you should get "Verify return code: 0 (ok)", which means the certificate and chain are all correct. Then it should be OK for your clients too.
 

Misiek

Nope, that does not work. I get 0 ok, but the client gets:
Sending of the message failed.
Unable to communicate securely with peer: requested domain name does not match the server’s certificate.
The configuration related to mail.domain.pl must be corrected.
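
Added example, not part of the thread and not cPanel's own tooling: openssl s_client reports "Verify return code: 0 (ok)" for the chain alone unless a hostname check is requested (for instance with -verify_hostname), whereas a mail client also matches the requested name against the certificate's Subject Alternative Names. The Python below performs that name check; the two certificate dictionaries are constructed samples, and `diagnose` is a hypothetical helper that assumes an implicit-TLS port.

```python
import socket
import ssl

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns.
HOST_ONLY = {"subjectAltName": (("DNS", "hostname.pl"), ("DNS", "www.hostname.pl"))}
WITH_MAIL = {"subjectAltName": (("DNS", "domain.pl"), ("DNS", "mail.domain.pl"))}

def san_dns_names(cert):
    """Return the DNS entries of the Subject Alternative Name extension."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(pattern, hostname):
    """RFC 6125-style match; '*' is accepted only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def covers(cert, hostname):
    """True if any SAN DNS name covers the hostname the mail client asked for."""
    return any(name_matches(n, hostname) for n in san_dns_names(cert))

def diagnose(host, port, servername, timeout=10):
    """Hypothetical helper: connect to an implicit-TLS port (465, 993, 995)
    sending SNI=servername, verifying chain AND hostname like a mail client."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=servername) as tls:
                return True, san_dns_names(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        # verify_message separates an expired chain from a hostname mismatch
        return False, f"{exc.verify_code}: {exc.verify_message}"

if __name__ == "__main__":
    for label, cert in (("HOST_ONLY", HOST_ONLY), ("WITH_MAIL", WITH_MAIL)):
        print(label, "covers mail.domain.pl:", covers(cert, "mail.domain.pl"))
```

Calling `diagnose("localhost", 465, "mail.domain.pl")` on the server returns either the SAN list of the certificate selected for that SNI name or the verification error a client would see.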