Self-signed SSL certificates replaced by maintenance script

J

Jason Tyde

Member
Sep 18, 2015
12
0
1
Greater Seattle Area
cPanel Access Level
Root Administrator
Hello Community,

I'm currently using self-signed certificates to encrypt both mail and ftp communications. They were created within cPanel and applied to the FTP, SMTP, and Dovecot mail server within the 'Manage Service SSL Certificates' function. These certificates were created matching the FQDNs I have assigned to these services, ftp.domain.com and mail.domain.com (for SMTP, IMAP, and POP).

Unfortunately the nightly maintenance script is replacing these self-signed certificates with new certificates that match the hostname of my server, <hostname>.domain.com, and reporting the following in the maintenance log:

Code: 
[2015-11-19 01:46:30 -0800]  [21848] Self Signed SSL Certificate for ftp does not match current hostname! ([ftp.domain.com] != <hostname>.domain.com).
[2015-11-19 01:46:30 -0800]  [21848] Creating new Certificate and Key for ftp....Done
[2015-11-19 01:46:30 -0800]  [21848] Self Signed SSL Certificate for exim does not match current hostname! ([mail.domain.com] != <hostname>.domain.com).
[2015-11-19 01:46:31 -0800]  [21848] Creating new Certificate and Key for exim....Done
[2015-11-19 01:46:31 -0800]  [21848] Self Signed SSL Certificate for dovecot does not match current hostname! ([mail.domain.com] != <hostname>.domain.com).
[2015-11-19 01:46:31 -0800]  [21848] Creating new Certificate and Key for dovecot....Done
I can return to the stored certificates I want to use by using the 'Manage Service SSL Certificates' function, however I'd really like to stop the maintenance script from making these changes. (As a side note, I just learned that changing the hostname of the server also makes these certificate substitutions.)

What is the best practice for modifying the nightly maintenance script so that these self-signed certificates for (ftp|mail).domain.com are preserved?

Thanks for any and all advice.

Cheers, Jason
 
Last edited by a moderator:
J

Jason Tyde

Member
Sep 18, 2015
12
0
1
Greater Seattle Area
cPanel Access Level
Root Administrator
cPanelMichael said:
Hello :)

This is currently by design. There's an open feature request to change this behavior at:

Make automatic reset of Service SSL Certificates Configurable

Please vote and add your feedback to this request.

Thank you.
Click to expand...
I added my vote and added some feedback.

I could use a little advice on the best mechanism to work around this issue for now. I note from Mary's feature request that a postupcp script can be used to restore the self-signed certificates to my services. Since I'm new to cPanel can someone point me in the right direction for learning more about modifying the upcp process?
 
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
E SSL gone "self-signed" on main WHM installation breaking email clients Security 1
P Auto SSL Generating Self Signed Certificates for New Domain Security 7
S SSL for WHM (panel not domains) is self-signed Security 4
D Auto SSL issuing self signed certificates even through Let's Encrypt is on Security 5
S SSL Certificate Cannot Be Trusted, SSL Certificate with Wrong Hostname and SSL Self-Signed Certificate Security 1
Similar threads
SSL gone "self-signed" on main WHM installation breaking email clients
Auto SSL Generating Self Signed Certificates for New Domain
SSL for WHM (panel not domains) is self-signed
Auto SSL issuing self signed certificates even through Let's Encrypt is on
SSL Certificate Cannot Be Trusted, SSL Certificate with Wrong Hostname and SSL Self-Signed Certificate
Top Bottom