  1. #1
    Join Date
    Aug 2001
    Location
    Missouri
    Posts
    143

    Problem Replacing Expired SSL Cert in EXIM (via WHM)

    I usually buy SSL certificates for my server with a 1 year term and, thus, each year faithfully go into the WHM Service SSL Manager and replace the certificate for the different services on the system. This year when I did that, everything appeared to go just fine (cPanel, EXIM, Dovecot and FTP all show the new expiration date) but ever since then, I've been having problems with the server continuing to serve up the expired SSL certificates for EXIM and Dovecot.

    Today, I finally fixed the Dovecot issue by going into /var/cpanel/ssl/dovecot and deleting everything inside the folder, regenerating a self-signed SSL certificate and then reinstalling the new, valid RapidSSL certificate. However, the same procedure has not helped with EXIM -- it continues to serve up the old, expired certificate.

    Is there some other nook or cranny I need to dig into on my server to delete the old certificate once and for all?

    Thanks!

    Tim
    Universal Networks
    Web Design, Online Publishing and ServerForest Web Hosting

  2. #2
    Join Date
    May 2012
    Location
    Linux World
    Posts
    1,137
    Did you try replacing the SSLs from 'Manage Service SSL Certificates'? Normally a change there and a restart of Exim should fix it.
    Kevin Cheri : Senior Server Administrator / Freelancer : 13+ years Exp, reach me out for any help
    Server Optimization Expert / Mysql Guru / Migration Specialist
    Skype : lynxmaestro
    Gmail : cheri.kevin@gmail.com

  3. #3
    Join Date
    Aug 2001
    Location
    Missouri
    Posts
    143
    Originally Posted by kevincheri:
    Did you try replacing the SSLs from 'Manage Service SSL Certificates'? Normally a change there and a restart of Exim should fix it.
    Thanks, Kevin. I did indeed try that. I've also tried restarting Exim from both WHM and the terminal. The SSL listing for Exim looks identical in "Manage Service SSL Certificates" as to the other services that are now working. I even tried deleting the certificate data, having WHM regenerate a self-signed certificate and then reinstalling the SSL from the aforementioned page. It is rather bizarre.

    Thanks for your help!

    Tim
    Universal Networks
    Web Design, Online Publishing and ServerForest Web Hosting

  4. #4
    Join Date
    Oct 2010
    Posts
    5,079
    I'd open a ticket with cPanel
    Not as active on WHT as I used to be, but still drop in and receive email notifications from here.
    My personal blog site: https://www.oakleys.org.uk/blog

  5. #5
    Join Date
    Nov 2002
    Location
    Portland, Oregon
    Posts
    2,992
    Hi @uninet:

    I've had this occur before and it royally p*ss*s me off. Unfortunately, I completely spaced on recording the exact procedures. Think I can still help out as I just got this working for a client a few hours ago.

    I'm awfully tired/wired from maintenance last night. If any of this is unclear, ask before changing anything. I'll reply ASAP or another member will help. Always make a copy of any files you plan to change.

    Anyhow -- here's the deal. Something seems to have changed after 11.36 which made this process far more difficult (though likely more secure) than originally. Seems this occurs with any non-user scenario (e.g., DNS zones created and assigned to "system" / root).

    I also figured out that the dedicated server name zonefile can also cause the "Install SSL Cert on a Domain" to throw errors such as "system: no such username" during installation, which prevents full creation of the SSL under Apache -- however, this is based on your method of obtaining/installing SSL certs. Some examples:

    PHP Code:
    [2013-11-09 10:04:16 -0700] info [apache_conf_distiller] Missing owner for domain server.domain.com, force lookup to root
    PHP Code:
    [2013-11-17 03:02:14 -0800] info [xml-api] The user system does not exist. [installssl] version [1].
    Wildcard SSL's which have been attempted can also throw errors:

    PHP Code:
    [apache_conf_distiller] Unable to determine domain _wildcard_.domain.com ownership. Attempting lookup on domain domain.com (manually added domain). at /usr/local/cpanel/bin/apache_conf_distiller line 1305
    Finally, some troubleshooting:

    PHP Code:
    # tail -f /usr/local/cpanel/logs/error_log 
    for good measure.

    - First, wipe out any instances of old SSLs from the SSL Storage Manager in WHM.

    - Second, examine /var/cpanel/ssl/installed/ssl.db and /var/cpanel/ssl/installed/certs -- report back if you find duplicates.

    - Then ensure the correct domain and I.P. are in /etc/ssldomains.

    - After that, ensure your hostname "A" record is listed only in the master domain's zone, rather than residing in a separate zone. (this was the fix for a GlobalSign OneClickSSL plugin problem under 11.36)

    - Then, check the contents of /var/cpanel/ssl/exim-DOMAINS to ensure accuracy.

    - Finally, check /var/cpanel/ssl/exim-CRTINFO and /var/cpanel/ssl/exim-CN -- verify these are reporting correct server names and certs. If not, report back to the thread.

    Assuming you've wiped out all instances of your self-signed SSL and newly installed CA-signed SSL, start the process from scratch:

    I used /usr/local/cpanel/scripts/gencrt2 to rebuild the self-signed cert. Then reinstall your CA-Signed SSL the same way you did previously.

    Everything related to your SSL should appear in the "Manage SSL Hosts" area now, if it hadn't before.

    Home stretch...

    11.40 has a reworked "Manage Service SSL Certs" area. Assuming the above worked, and you're running 11.40, click "Exim" - then Browse Certificates, you should see a "Browse Apache" radio button where you should see RapidSSL cert. Try reapplying the new CA signed SSL to all cPanel services now.

    PHP Code:
    # /etc/init.d/cpanel stop 
    PHP Code:
    # /etc/init.d/cpanel start 
    If this worked correctly you should receive an SSL warning when trying to access/send email via T-Bird or Outlook, requiring confirmation for the new SSL.

    In the end, if none of the above should work, one of my temp. fixes over the summer was to bring another I.P. into the mix, assign it to another domain, give it an SSL, and then program the cPanel services through WHM using it instead. That worked fine but uses up a perfectly good I.P.

    I'm sorry if it seems garbled or unclear - as I mentioned, I didn't save the steps that fixed this last time, and I'm starting to get blurred vision, which means it's time for a power nap.

    However, the above steps worked for me, just now, on a client's VM which was installed with the 11.36.0.x base and had the same problem with cPanel service SSLs.

    If you need clarification/walk-through procedures, let me know here & I'll do my best to help.
    Last edited by Johnny Cache; 11-17-2013 at 10:17 AM. Reason: Path correction

  6. #6
    Join Date
    Aug 2001
    Location
    Missouri
    Posts
    143
    Thank you so much for the detailed instructions! Alas, even after walking through them, my SMTP server is still using the old certificate (everything else seems fine). Perhaps I'll try your suggestion of switching to a different IP address... This is really puzzling. I'm glad to hear I'm not the only one, at least.

    Thank you again!
    Universal Networks
    Web Design, Online Publishing and ServerForest Web Hosting

  7. #7
    Join Date
    Mar 2005
    Posts
    31
    Hi @jetfirenetworks: Awesome, thank you so much for the details. With your help, we were able to figure it out. Somewhere along the way, cPanel changed the cert name with exim. Once we cleaned things up per your notes, we noticed some things.

    CRT located /var/cpanel/ssl/exim/exim.crt did not update with the Commando SSL. Instead something called myexim.crt was created or updated.

    And /var/cpanel/ssl/exim/exim.crt did NOT equal ./etc/exim.crt

    So we simply copied the key data from ./etc/exim.crt to ./var/cpanel/ssl/exim/exim.crt

    and it worked

    If you're reading this with the same problem, start with this and see if it works.

  8. #8
    Join Date
    Oct 2004
    Location
    Kerala, India
    Posts
    4,771
    The exim certificate is called in exim.conf at /etc/exim.crt which is actually a symlink to /var/cpanel/ssl/exim/myexim.crt. That means we don't need to copy it.

    Code:
    # grep exim.crt /etc/exim.conf
    tls_certificate = /etc/exim.crt
    David | www.cliffsupport.com
    Affordable Server Management Solutions sales AT cliffsupport DOT com
    CliffWebManager | Access WHM from iPhone and Android
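
Added example (not from any poster in this thread and not cPanel's own tooling): a shell check for the situation posts #7 and #8 describe. It reads `tls_certificate` from exim.conf, follows the symlink, lists copies on disk that differ from the file Exim loads, and summarises both the on-disk and the served certificate. The function names and script name are hypothetical, and it assumes `tls_certificate` is a plain path as in the grep output in post #8.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; paths are those quoted in the thread.
# Assumes tls_certificate is a plain path, as in the grep output in post #8.

# Value of tls_certificate in the given exim.conf.
exim_cert_setting() {
    sed -n 's/^[[:space:]]*tls_certificate[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Follow symlinks so /etc/exim.crt is reported as the file it really points to.
resolve_cert() {
    readlink -f "$1"
}

# Print each candidate file whose bytes differ from the certificate Exim loads.
stale_copies() {
    live_file="$1"; shift
    for f in "$@"; do
        [ -f "$f" ] || continue
        [ "$(readlink -f "$f")" = "$live_file" ] && continue
        cmp -s "$live_file" "$f" || printf '%s\n' "$f"
    done
}

# Subject, expiry date and SHA-256 fingerprint of a PEM certificate on disk.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -enddate -fingerprint -sha256
}

# The same fields for the certificate the SMTP listener presents after STARTTLS.
served_summary() {
    openssl s_client -starttls smtp -connect "$1:${2:-25}" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -enddate -fingerprint -sha256
}

# Run as: sh check-exim-cert.sh audit [host]
if [ "${1:-}" = "audit" ]; then
    live="$(resolve_cert "$(exim_cert_setting /etc/exim.conf)")"
    echo "Exim loads: $live"
    cert_summary "$live"
    echo "Copies that differ from it:"
    stale_copies "$live" /var/cpanel/ssl/exim/exim.crt /var/cpanel/ssl/exim/myexim.crt
    echo "Served by ${2:-localhost}:25:"
    served_summary "${2:-localhost}"
fi
```

If the fingerprint from `served_summary` differs from the one `cert_summary` prints, the listener is not serving the file that `tls_certificate` resolves to.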
