Warning: No server certificate defined; TLS connections will fail.

Bdzzld

Hi,

Whenever the Advanced Editor of the Exim Configuration Editor within WHM is selected, the following is always added to the /var/log/exim_paniclog file:

XXX-XX-XX XX:XX:XX Warning: No server certificate defined; TLS connections will fail.
Suggested action: either install a certificate or change tls_advertise_hosts option
All SSL certificates are working without problems though. Can you please explain?

Note: This occurs in versions .56 and .58 (I still have both running).
 

Infopro

I see that here as well:
Code:
2016-08-08 08:49:59 Warning: No server certificate defined; TLS connections will fail.
Suggested action: either install a certificate or change tls_advertise_hosts option
2016-08-08 08:50:32 Warning: No server certificate defined; TLS connections will fail.
Suggested action: either install a certificate or change tls_advertise_hosts option
There's a forum thread here about this as well:
Warning: No server certificate defined; TLS connections will fail
 

Bdzzld

@Infopro: Thanks for your reaction. I also noticed the other thread you're referring to, but I don't think it's entirely identical, although they share the same error(?) message.

Code:
JH/04 Certificate name checking on server certificates, when exim is a client,
  is now done by default.  The transport option tls_verify_cert_hostnames
  can be used to disable this per-host.  The build option
  EXPERIMENTAL_CERTNAMES is withdrawn.

JH/06 Verification of the server certificate for a TLS connection is now tried
  (but not required) by default.  The verification status is now logged by
  default, for both outbound TLS and client-certificate supplying inbound
  TLS connections.
Furthermore, I don't understand why the error(?) is there in the first place; the installed SSL certificate is for servername.domainname.ext, and the server has an identical hostname.
Restarting exim won't cause the error(?). Only as previously explained.
 

cPanelMichael

Administrator
Staff member
Hello,

It's important to note the output is listed as "Warning" as opposed to an error. It shouldn't cause any issues with email usage or delivery. There's additional discussion about the purpose of this message on the Exim user's list at:

TLS changes in 4.87 | exim | users

Thank you.
 

Bdzzld

@cPanelMichael : You're right... it's a warning and not an error. But warnings about TLS connections that may fail more or less tend to an error in my personal opinion.

On the Exim user's list it's suggested to change tls_advertise_hosts to empty instead of "*", to avoid getting the warning. Do you agree or is it better to just neglect these warnings at all?
 

cPanelMichael

Administrator
Staff member
Hello,

The following Exim document explains this feature a little more:

Exim Specification - 38. Encrypted SMTP connections using TLS/SSL

When Exim has been built with TLS support, it advertises the availability of the STARTTLS command to client hosts that match tls_advertise_hosts, but not to any others. The default value of this option is unset, which means that STARTTLS is not advertised at all. This default is chosen because it is sensible for systems that want to use TLS only as a client. To make it work as a server, you must set tls_advertise_hosts to match some hosts. You can, of course, set it to * to match all hosts. However, this is not all you need to do. TLS sessions to a server won't work without some further configuration at the server end (see below).
Here are the default entries on a cPanel server:

Code:
# grep tls_advertise_hosts /etc/exim.conf
tls_advertise_hosts = *

# grep tls_certificate /etc/exim.conf
tls_certificate = ${if exists {/etc/mail_sni_map} {${extract{crtfile}{${lookup {$tls_sni} lsearch {/etc/mail_sni_map} {$value}}}{$value}{/etc/exim.crt}}} {/etc/exim.crt}}
I don't recommend suppressing the warning messages by changing the "tls_advertise_hosts" entry to null, as it's a good way of encouraging the use of SSL.

Thank you.
 

Bdzzld

Thanks for the additional explanation.
I've decided to simply just neglect the warnings (They do not show up that much in the first place; only when the Exim Configuration Editor is being executed).
 

cPanelMichael

Administrator
Staff member
Hello,

I wanted to note the following change to the tls_certificate entry in /etc/exim.conf as of cPanel version 60:

Code:
tls_certificate = ${if and \
    { \
        {gt{$tls_in_sni}{}} \
        {!match{$tls_in_sni}{/}} \
    } \
    {${if exists {/var/cpanel/ssl/domain_tls/$tls_in_sni/combined} \
        {/var/cpanel/ssl/domain_tls/$tls_in_sni/combined} \
        {${if exists {${sg{/var/cpanel/ssl/domain_tls/$tls_in_sni/combined}{(.+/)[^.]+(.+/combined)}{\$1*\$2}}} \
            {${sg{/var/cpanel/ssl/domain_tls/$tls_in_sni/combined}{(.+/)[^.]+(.+/combined)}{\$1*\$2}}} \
            {/etc/exim.crt} \
        }} \
    }} \
    {/etc/exim.crt} \
}
This adds support for the Domain TLS functionality introduced in cPanel version 60 and documented at:

What is Domain TLS - cPanel Knowledge Base - cPanel Documentation

Thank you.
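
Added example, not part of the thread and not cPanel's code: a Python emulation of the tls_certificate expansion quoted in the post above, showing how the client-supplied SNI name is mapped to a certificate path and why the `!match{$tls_in_sni}{/}` condition matters. The set of installed paths and the hostnames are constructed for illustration.

```python
import re

BASE = "/var/cpanel/ssl/domain_tls"  # directory used in the quoted config
DEFAULT_CERT = "/etc/exim.crt"       # fallback used in the quoted config


def wildcard_path(path):
    # Mirrors ${sg{...}{(.+/)[^.]+(.+/combined)}{\$1*\$2}}:
    # the first DNS label of the SNI directory is replaced with "*".
    return re.sub(r"(.+/)[^.]+(.+/combined)", r"\1*\2", path)


def select_certificate(sni, exists):
    """Return the path the expansion yields for a given SNI value.

    `exists` is a callable (path -> bool) standing in for Exim's
    ${if exists{...}} file test.
    """
    # {gt{$tls_in_sni}{}}      -> SNI must be non-empty
    # {!match{$tls_in_sni}{/}} -> SNI must not contain "/", because the
    #   value comes from the remote client and is pasted into a path
    if not sni or "/" in sni:
        return DEFAULT_CERT
    exact = f"{BASE}/{sni}/combined"
    if exists(exact):
        return exact
    wild = wildcard_path(exact)
    if exists(wild):
        return wild
    return DEFAULT_CERT


# Constructed sample: one exact-name bundle and one wildcard bundle.
INSTALLED = {
    f"{BASE}/mail.example.com/combined",
    f"{BASE}/*.example.org/combined",
}

if __name__ == "__main__":
    for name in ["mail.example.com", "smtp.example.org",
                 "unknown.example.net", "", "../../etc"]:
        print(repr(name), "->", select_certificate(name, INSTALLED.__contains__))
```

Every path that does not resolve to a Domain TLS bundle ends at /etc/exim.crt, so that file still has to hold a valid certificate and key for clients that send no SNI or an unknown name.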
 