
Warning: No server certificate defined; TLS connections will fail.

Discussion in 'E-mail Discussions' started by Bdzzld, Aug 8, 2016.

  1. Bdzzld

    Bdzzld Well-Known Member

    Hi,

    Whenever the Advanced Editor of the Exim Configuration Editor within WHM is selected, the following is always added to the /var/log/exim_paniclog file:

    All SSL certificates are working without problems though. Can you please explain?

    Note: This occurs in versions .56 and .58 (I still have both running).
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    I see that here as well:
    Code:
    2016-08-08 08:49:59 Warning: No server certificate defined; TLS connections will fail.
    Suggested action: either install a certificate or change tls_advertise_hosts option
    2016-08-08 08:50:32 Warning: No server certificate defined; TLS connections will fail.
    Suggested action: either install a certificate or change tls_advertise_hosts option
    There's a forum thread here about this as well:
    Warning: No server certificate defined; TLS connections will fail
     
  3. Bdzzld

    Bdzzld Well-Known Member

    @Infopro: Thanks for your reaction. I also noticed the other thread you're referring to, but I don't think it's entirely identical, although they share the same error(?) message.

    Code:
    JH/04 Certificate name checking on server certificates, when exim is a client,
      is now done by default.  The transport option tls_verify_cert_hostnames
      can be used to disable this per-host.  The build option
      EXPERIMENTAL_CERTNAMES is withdrawn.
    
    JH/06 Verification of the server certificate for a TLS connection is now tried
      (but not required) by default.  The verification status is now logged by
      default, for both outbound TLS and client-certificate supplying inbound
      TLS connections.
    
    Furthermore, I don't understand why the error(?) is there in the first place; the installed SSL certificate is for servername.domainname.ext, and the server has an identical hostname.
    Restarting exim won't cause the error(?). Only as previously explained.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    It's important to note the output is listed as "Warning" as opposed to an error. It shouldn't cause any issues with email usage or delivery. There's additional discussion about the purpose of this message on the Exim user's list at:

    TLS changes in 4.87 | exim | users

    Thank you.
     
  5. Bdzzld

    Bdzzld Well-Known Member

    @cPanelMichael : You're right... it's a warning and not an error. But warnings about TLS connections that may fail more or less tend to an error in my personal opinion.

    On the Exim user's list it's suggested to change tls_advertise_hosts to empty instead of "*", to avoid getting the warning. Do you agree or is it better to just neglect these warnings at all?
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    The following Exim document explains this feature a little more:

    Exim Specification - 38. Encrypted SMTP connections using TLS/SSL

    Here are the default entries on a cPanel server:

    Code:
    # grep tls_advertise_hosts /etc/exim.conf
    tls_advertise_hosts = *
    
    # grep tls_certificate /etc/exim.conf
    tls_certificate = ${if exists {/etc/mail_sni_map} {${extract{crtfile}{${lookup {$tls_sni} lsearch {/etc/mail_sni_map} {$value}}}{$value}{/etc/exim.crt}}} {/etc/exim.crt}}
    
    I don't recommend suppressing the warning messages by changing the "tls_advertise_hosts" entry to null, as it's a good way of encouraging the use of SSL.

    Thank you.
     
  7. Bdzzld

    Bdzzld Well-Known Member

    Thanks for the additional explanation.
    I've decided to simply just neglect the warnings (They do not show up that much in the first place; only when the Exim Configuration Editor is being executed).
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    I wanted to note the following change to the tls_certificate entry in /etc/exim.conf as of cPanel version 60:

    Code:
    tls_certificate = ${if and \
        { \
            {gt{$tls_in_sni}{}} \
            {!match{$tls_in_sni}{/}} \
        } \
        {${if exists {/var/cpanel/ssl/domain_tls/$tls_in_sni/combined} \
            {/var/cpanel/ssl/domain_tls/$tls_in_sni/combined} \
            {${if exists {${sg{/var/cpanel/ssl/domain_tls/$tls_in_sni/combined}{(.+/)[^.]+(.+/combined)}{\$1*\$2}}} \
                {${sg{/var/cpanel/ssl/domain_tls/$tls_in_sni/combined}{(.+/)[^.]+(.+/combined)}{\$1*\$2}}} \
                {/etc/exim.crt} \
            }} \
        }} \
        {/etc/exim.crt} \
    }
    This adds support for the Domain TLS functionality introduced in cPanel version 60 and documented at:

    What is Domain TLS - cPanel Knowledge Base - cPanel Documentation

    Thank you.
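
The selection order in the tls_certificate expansion posted above, modelled as an added example (not part of the original post and not cPanel's code) so an administrator can predict which file Exim would serve for a given SNI name. The `exists` parameter, the function names and the sample hostnames are assumptions made for illustration; the paths and the regular expression are copied from the posted configuration.

```python
import os
import re

DOMAIN_TLS_DIR = "/var/cpanel/ssl/domain_tls"  # directory from the posted config
DEFAULT_CERT = "/etc/exim.crt"                 # fallback from the posted config

# Same pattern and replacement as the ${sg{...}} item in the posted expansion.
WILDCARD_RE = re.compile(r"(.+/)[^.]+(.+/combined)")


def wildcard_path(exact_path):
    """Swap the first label of the SNI directory for '*' (mail.x.com -> *.x.com)."""
    return WILDCARD_RE.sub(r"\1*\2", exact_path)


def select_cert(sni, exists=os.path.exists):
    """Return the certificate path the expansion would yield for this SNI."""
    # {gt{$tls_in_sni}{}} and {!match{$tls_in_sni}{/}}: an empty SNI, or one
    # containing a slash, never reaches the per-domain lookup.
    if not sni or "/" in sni:
        return DEFAULT_CERT
    exact = f"{DOMAIN_TLS_DIR}/{sni}/combined"
    if exists(exact):
        return exact
    wild = wildcard_path(exact)
    if exists(wild):
        return wild
    return DEFAULT_CERT


if __name__ == "__main__":
    # Constructed sample: pretend only these two Domain TLS files are installed.
    installed = {
        f"{DOMAIN_TLS_DIR}/mail.example.com/combined",
        f"{DOMAIN_TLS_DIR}/*.example.org/combined",
    }
    for name in ["mail.example.com", "smtp.example.org", "", "a/b", "other.example.net"]:
        print(repr(name), "->", select_cert(name, exists=installed.__contains__))
```

Run on the server itself with the default `exists`, `select_cert("your.hostname")` reports whether a per-domain file or /etc/exim.crt would be chosen.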
     