In Progress pop3 email on port 995 certificate error - wrong hostname

morrow95

Well-Known Member
Oct 8, 2006
189
12
168
Not long ago I migrated from one VM to another so I could update the OS of the VM. I had lots of hostname and IP issues after the migration, along with lots of time spent correcting files all over the place.

I just noticed today that POP email over port 995 is using the wrong certificate - it shows the wrong hostname.

I did some digging and our /etc/dovecot/sni.conf has the wrong hostname listed in it:

# DO NOT MODIFY THE NEXT LINE:
# This version of dovecot supports: wildcards, multi local_name, explict maincert local_name.

# Main cert for SNI

local_name "server2.example.com" {
ssl_cert = </etc/dovecot/ssl/dovecot.crt
ssl_key = </etc/dovecot/ssl/dovecot.key
}

# END - Main cert for SNI

I imagine the above is at least part of the problem if not the entirety of it.

That should be server.example.com. server2.example.com was the temporary hostname used on the VM before we migrated everything over from the original VM. I didn't realize it until today because I had added an exception in my email client to ignore the cert error, so I was able to retrieve email. I figured it was just a DNS issue at the time which would correct itself.

Yes, I am using the hostname server.example.com as my mailserver to connect to port 995 for email.

I double-checked in WHM and the services SSL cert is correct, so I do not understand why it is wrong for dovecot. Any advice on where I go from here to correct this?
 

morrow95

I also came across the folder /var/cpanel/ssl/ earlier.

Here is what I have done so far trying to fix this:

- I deleted the cert and key used for services at SSL Storage Manager
- reset the cert at Manage SSL Certificates to create a self-signed key - applied it to Calendar, cPanel, WebDisk, Webmail, and WHM Services AND Exim
- ran /usr/local/cpanel/bin/checkallsslcerts to replace the self-signed key

After this was done... in /var/cpanel/ssl/ I see the dovecot, ftp, and mail_apns folders and their files in this folder have not changed at all, but cpanel and exim have updated with this new key that was just created.

Why are some being updated with the new services SSL and some aren't? The ones that aren't are using an old key with the old hostname which is causing this problem?
 

morrow95

I figured out the problem after some more playing around.

In 'Service Configuration > Mailserver Configuration' I have IMAP unchecked in 'Protocols Enabled'. We do not use webmail. I only had POP3 checked. Because that was unchecked, in 'Service Configuration > Manage Service SSL Certificates' dovecot was not an option (I just assumed it was included with the exim option). After checking IMAP, restarting, then going back to my service SSL page, I saw dovecot was an option that I could apply a cert to. I applied the same cert as my others and it updated the cert in the appropriate files on the system.

With all that said... I think this is a bug. Just because I had IMAP unchecked doesn't mean I don't use dovecot or don't need a cert applied to its service. So, my next question is... if I uncheck IMAP again... when this cert renews in a year (because I just created a new one today) will it apply to dovecot or not? I am guessing it will not. If someone at cPanel... maybe Lauren since she seems to be the most active on here and has helped me a lot in the past... sees this... perhaps this should be passed on to the team as a possible bug?
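
An added example, not part of the original posts and not cPanel's or Dovecot's own tooling: a small Python check for the mismatch described in the first post. It parses sni.conf-style local_name blocks and reports which certificate file, if any, is mapped to the hostname mail clients connect to. The second block in the sample, the function names, and the one-label wildcard rule are assumptions made for illustration.

```python
import re

# Constructed sample: first block mirrors the sni.conf quoted in the thread,
# second block is hypothetical (multiple names plus a wildcard).
SAMPLE_SNI_CONF = '''
# Main cert for SNI
local_name "server2.example.com" {
ssl_cert = </etc/dovecot/ssl/dovecot.crt
ssl_key = </etc/dovecot/ssl/dovecot.key
}
# END - Main cert for SNI
local_name "mail.example.org *.example.org" {
ssl_cert = </etc/dovecot/ssl/example.org.crt
ssl_key = </etc/dovecot/ssl/example.org.key
}
'''

BLOCK_RE = re.compile(r'^\s*local_name\s+"?([^"{]+?)"?\s*\{(.*?)^\s*\}', re.M | re.S)
CERT_RE = re.compile(r'^\s*ssl_cert\s*=\s*<(\S+)', re.M)

def parse_sni_blocks(text):
    """Return [(names, cert_path)] for every local_name block in text."""
    blocks = []
    for m in BLOCK_RE.finditer(text):
        names = m.group(1).lower().split()
        cert = CERT_RE.search(m.group(2))
        blocks.append((names, cert.group(1) if cert else None))
    return blocks

def name_matches(pattern, host):
    """Exact match, or a leading '*.' covering exactly one label (assumption)."""
    if pattern.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == host

def cert_for_host(text, host):
    """Cert path of the first block naming host; None if no block names it."""
    host = host.lower().rstrip(".")
    for names, cert in parse_sni_blocks(text):
        if any(name_matches(n, host) for n in names):
            return cert
    return None

if __name__ == "__main__":
    for h in ("server.example.com", "server2.example.com"):
        print(h, "->", cert_for_host(SAMPLE_SNI_CONF, h) or "no local_name block")
```

On a real server, read /etc/dovecot/sni.conf into the first argument; a result of None for the hostname clients actually use is the condition the thread describes.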