Problems updating cPGreyList Common Mail Providers

[Spork Schivago]

Hello,

cron runs upcp and I get an e-mail just about every day. I can't remember not getting one every day so it might be every day I get an e-mail report. Anyway, lately, there's been a line that I've noticed and I don't think it should be there. This is the part I'm talking about:

[2016-07-04 01:01:39 -0400]    - Processing command `/usr/local/cpanel/scripts/detect_env_capabilities`
[2016-07-04 01:01:39 -0400]   Updating cPGreyList Common Mail Providers
[2016-07-04 01:01:39 -0400]    - Processing command `/usr/local/cpanel/scripts/manage_greylisting --init --update_common_mail_providers`
[2016-07-04 01:01:39 -0400]      [15953] [*] Initializing database for the cPanel Greylist service.
[2016-07-04 01:01:39 -0400]      [15953] [+] Initializing database successfully completed.
[2016-07-04 01:01:39 -0400]      [15953] [*] Updating Common Mail Providers List …
[2016-07-04 01:01:42 -0400]      [15953] [!] Failed to update Common Mail Providers list: Cpanel::Exception/(XID s4q7cp) Failed to download the latest common mail provider IP address data: Signature verification failed for URL 'http://httpupdate.cpanel.net/common_mail_providers/common_mail_provider_ips.json'. Invalid signature. Please see https://go.cpanel.net/sigerrors for further information about this error.
[2016-07-04 01:01:42 -0400]      [15953]
[2016-07-04 01:01:42 -0400]      [15953]  at /usr/local/cpanel/Cpanel/GreyList/CommonMailProviders.pm line 57.
[2016-07-04 01:01:42 -0400]      [15953]        Cpanel::GreyList::CommonMailProviders::__ANON__(__CPANEL_HIDDEN__...) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 103
[2016-07-04 01:01:42 -0400]      [15953]        Try::Tiny::try(CODE(0x35a4878), Try::Tiny::Catch=REF(0x34d56b0)) called at /usr/local/cpanel/Cpanel/GreyList/CommonMailProviders.pm line 58
[2016-07-04 01:01:42 -0400]      [15953]        Cpanel::GreyList::CommonMailProviders::fetch_latest_data() called at /usr/local/cpanel/scripts/manage_greylisting line 152
[2016-07-04 01:01:42 -0400]      [15953]        scripts::manage_greylisting::__ANON__() called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 78
[2016-07-04 01:01:42 -0400]      [15953]        eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 71
[2016-07-04 01:01:42 -0400]      [15953]        Try::Tiny::try(CODE(0x2547a98), Try::Tiny::Catch=REF(0x34d54e8)) called at /usr/local/cpanel/scripts/manage_greylisting line 205
[2016-07-04 01:01:42 -0400]      [15953]        scripts::manage_greylisting::update_common_mail_providers(undef) called at /usr/local/cpanel/scripts/manage_greylisting line 70
[2016-07-04 01:01:42 -0400]      [15953]        scripts::manage_greylisting::run("--init", "--update_common_mail_providers") called at /usr/local/cpanel/scripts/manage_greylisting line 23
[2016-07-04 01:01:42 -0400]      [15953]
[2016-07-04 01:01:42 -0400]   76% complete

Is this a problem I should be worried about and is there a fix? I'd like to fix it if I can. Any idea as to why the signature verification is failing for URL? I'm running 56.0.24.

Thanks!

 

[rpvw]

Over the past month, I have seen so many problems with the Keyring servers not validating the services they are designed to protect, I ended up disabling the Signature validation in Tweak Settings.

I could see no pattern to the keyring server signature failures, it just looked like someone had forgotten to update them, as they all seemed to sort themselves out if one waited long enough (up to a week in one instance).

Either there is something seriously wrong with the keyring server synchronization, or whoever is in charge of them is not paying due care and attention (sorry guys - it's just the way it appears to be from my viewpoint)

 

[Spork Schivago]

Over the past month, I have seen so many problems with the Keyring servers not validating the services they are designed to protect, I ended up disabling the Signature validation in Tweak Settings.

I could see no pattern to the keyring server signature failures, it just looked like someone had forgotten to update them, as they all seemed to sort themselves out if one waited long enough (up to a week in one instance).

Either there is something seriously wrong with the keyring server synchronization, or whoever is in charge of them is not paying due care and attention (sorry guys - it's just the way it appears to be from my viewpoint)

Thank you for the reply. If this is in fact the case, it's a bit of a relief in a way, because it'd suggest there's no break-ins or anything on my server. It'd be nice to see the issue fixed, if that's what's happening here. It'd also be nice if there was away to test to see if that's the problem or not, so in the future, we know for certain what's going on.

I just wanted to make sure it wasn't like some man-in-the-middle attack or something weird like that, you know?

 

[rpvw]

We saw a number of similar keyring issues at Signature Roll Back Failed

 

[Spork Schivago]

We saw a number of similar keyring issues at Signature Roll Back Failed

Thank you rpvw! It seems cPanel has been dealing with this issue for a bit of time now and still might not have the problem fixed. At least they'll know that other people are still experiencing this problem and that it doesn't appeared to be fixed yet. Thanks!

 

[rpvw]

I absolutely agree with you that we need this issue sorting out.

If we have security related features, we need to have confidence in them working and not have to start from the position that the failure report is probably another false positive.

Security feature failures of this nature do more harm than good as users either switch them off (guilty), or ignore them because they have been desensitized by seeing all the false positives.

I am always predisposed to want to believe that the cPanel team have got this right, and are being let down by third party software/hardware - nevertheless, if it isn't going to work in its current format, let's look for some alternative solution

 

[Spork Schivago]

I absolutely agree with you that we need this issue sorting out.

If we have security related features, we need to have confidence in them working and not have to start from the position that the failure report is probably another false positive.

Security feature failures of this nature do more harm than good as users either switch them off (guilty), or ignore them because they have been desensitized by seeing all the false positives.

I am always predisposed to want to believe that the cPanel team have got this right, and are being let down by third party software/hardware - nevertheless, if it isn't going to work in its current format, let's look for some alternative solution

I'm guilty for the second option there and usually start assuming they're false positives. Right now would be the perfect time for someone to try and actually take advantage of some sort of exploit they discovered with the signatures. I don't know if a man-in-the-middle attack is a possibility, but I'd imagine there's some sort of vulnerability these signatures prevent. If someone was trying to take advantage of one of those vulnerabilities, we might not know. It might just be chalked up to this known issue and someone might be told to ignore it because it's being worked on.

For me, I think I'm semi-okay. I ask, okay, what isn't happening? Something with the cPGreyList common mail providers isn't getting updated properly. I think that's okay for my server. I have greylisting turned off. I believe one of my add-on programs (like ldf or csf) handle this and instructed me to turn it off because of conflicts. If the error message was for some other updates, I'd be worrying a lot more.

 

[Spork Schivago]

I believe this problem is now fixed. I got an upgrade to 11.56.0.25 last night (or early this morning) and it seems like I'm no longer receiving the error message.

 

[Spork Schivago]

Sorry, I was wrong. The problem still exists.

 

[rpvw]

I confirm that the update Common Mail Providers worked for one day without error, but has now reverted to the Invalid signature error.

I have tried using the 'Release Keyring Only' AND the 'Release and Development Keyrings' - BOTH trigger the Invalid signature error.

 

[cPanelMichael]

I confirm that the update Common Mail Providers worked for one day without error, but has now reverted to the Invalid signature error.

I have tried using the 'Release Keyring Only' AND the 'Release and Development Keyrings' - BOTH trigger the Invalid signature error.

Hello,

I'm unable to reproduce this issue on a test server. Could you open a support ticket using the link in my signature if the issue persists? You can post the ticket number here so we can update this thread with the outcome.

Thank you.

 

[cPanelMichael]

Hello @rpvw,

I've not seen additional feedback to this thread or reference to a support ticket. I'm marking the thread as resolved, however feel free to let us know of any additional issues.

Thank you.