-
11-16-2013, 05:57 PM #1 WHT Addict
- Join Date: Aug 2001
- Location: Missouri
- Posts: 143
Problem Replacing Expired SSL Cert in EXIM (via WHM)
I usually buy SSL certificates for my server with a 1 year term and, thus, each year faithfully go into the WHM Service SSL Manager and replace the certificate for the different services on the system. This year when I did that, everything appeared to go just fine (cPanel, EXIM, Dovecot and FTP all show the new expiration date) but ever since then, I've been having problems with the server continuing to serve up the expired SSL certificates for EXIM and Dovecot.
Today, I finally fixed the Dovecot issue by going into /var/cpanel/ssl/dovecot and deleting everything inside the folder, regenerating a self-signed SSL certificate and then reinstalling the new, valid RapidSSL certificate. However, the same procedure has not helped with EXIM -- it continues to serve up the old, expired certificate.
Is there some other nook or cranny I need to dig into on my server to delete the old certificate once and for all?
Thanks!
Tim
Universal Networks
Web Design, Online Publishing and ServerForest Web Hosting
-
11-16-2013, 07:41 PM #2 Web Hosting Master
- Join Date: May 2012
- Location: Linux World
- Posts: 1,137
Did you try replacing the SSLs from 'Manage Service SSL Certificates'? Normally a change there and a restart of Exim should fix it.
Kevin Cheri : Senior Server Administrator / Freelancer : 13+ years Exp, reach me out for any help
Server Optimization Expert / Mysql Guru / Migration Specialist
Skype : lynxmaestro
Gmail : cheri.kevin@gmail.com
-
11-16-2013, 10:43 PM #3 WHT Addict
- Join Date: Aug 2001
- Location: Missouri
- Posts: 143
Thanks, Kevin. I did indeed try that. I've also tried restarting Exim from both WHM and the terminal. The SSL listing for Exim looks identical in "Manage Service SSL Certificates" as to the other services that are now working. I even tried deleting the certificate data, having WHM regenerate a self-signed certificate and then reinstalling the SSL from the aforementioned page. It is rather bizarre.
Thanks for your help!
Tim
Universal Networks
Web Design, Online Publishing and ServerForest Web Hosting
-
11-17-2013, 03:14 AM #4 Retired Moderator
- Join Date: Oct 2010
- Posts: 5,079
I'd open a ticket with cPanel
Not as active on WHT as I used to be, but still drop in and receive email notifications from here.
My personal blog site: https://www.oakleys.org.uk/blog
-
11-17-2013, 10:14 AM #5 Mostly Retired!
- Join Date: Nov 2002
- Location: Portland, Oregon
- Posts: 2,992
Hi @uninet:
I've had this occur before and it royally p*ss*s me off. Unfortunately, I completely spaced on recording the exact procedures. Think I can still help out as I just got this working for a client a few hours ago.
I'm awfully tired/wired from maintenance last night. If any of this is unclear, ask before changing anything. I'll reply ASAP or another member will help. Always make a copy of any files you plan to change.
Anyhow -- here's the deal. Something seems to have changed after 11.36 which made this process far more difficult (though likely more secure) than originally. Seems this occurs with any non-user scenario (e.g., DNS zones created and assigned to "system" / root).
I also figured out that the dedicated server name zonefile can also cause the "Install SSL Cert on a Domain" to throw errors such as "system: no such username" during installation, which prevents full creation of the SSL under Apache -- however, this is based on your method of obtaining/installing SSL certs. Some examples:
PHP Code:
[2013-11-09 10:04:16 -0700] info [apache_conf_distiller] Missing owner for domain server.domain.com, force lookup to root
PHP Code:
[2013-11-17 03:02:14 -0800] info [xml-api] The user system does not exist. [installssl] version [1].
PHP Code:
[apache_conf_distiller] Unable to determine domain _wildcard_.domain.com ownership. Attempting lookup on domain domain.com (manually added domain). at /usr/local/cpanel/bin/apache_conf_distiller line 1305
PHP Code:
# tail -f /usr/local/cpanel/logs/error_log
- First, wipe out any instances of old SSLs from the SSL Storage Manager in WHM.
- Second, examine /var/cpanel/ssl/installed/ssl.db and /var/cpanel/ssl/installed/certs -- report back if you find duplicates.
- Then ensure the correct domain and I.P. are in /etc/ssldomains.
- After that, ensure your hostname "A" record is listed only in the master domain's zone, rather than residing in a separate zone. (this was the fix for a GlobalSign OneClickSSL plugin problem under 11.36)
- Then, check the contents of /var/cpanel/ssl/exim-DOMAINS to ensure accuracy.
- Finally, check /var/cpanel/ssl/exim-CRTINFO and /var/cpanel/ssl/exim-CN -- verify these are reporting correct server names and certs. If not, report back to the thread.
Assuming you've wiped out all instances of your self-signed SSL and newly installed CA-signed SSL, start the process from scratch:
I used /usr/local/cpanel/scripts/gencrt2 to rebuild the self-signed cert. Then reinstall your CA-Signed SSL the same way you did previously.
Everything related to your SSL should appear in the "Manage SSL Hosts" area now, if it hadn't before.
Home stretch...
11.40 has a reworked "Manage Service SSL Certs" area. Assuming the above worked, and you're running 11.40, click "Exim" - then Browse Certificates, you should see a "Browse Apache" radio button where you should see RapidSSL cert. Try reapplying the new CA signed SSL to all cPanel services now.
PHP Code:
# /etc/init.d/cpanel stop
PHP Code:
# /etc/init.d/cpanel start
In the end, if none of the above should work, one of my temp. fixes over the summer was to bring another I.P. into the mix, assign it to another domain, give it an SSL, and then program the cPanel services through WHM using it instead. That worked fine but uses up a perfectly good I.P.
I'm sorry if it seems garbled or unclear - as I mentioned, I didn't save the steps that fixed this last time, and I'm starting to get blurred vision, which means it's time for a power nap.
However, the above steps worked for me, just now, on a client's VM which was installed with the 11.36.0.x base and had the same problem with cPanel service SSLs.
If you need clarification/walk-through procedures, let me know here & I'll do my best to help.
Last edited by Johnny Cache; 11-17-2013 at 10:17 AM. Reason: Path correction
-
11-23-2013, 05:54 PM #6 WHT Addict
- Join Date: Aug 2001
- Location: Missouri
- Posts: 143
Thank you so much for the detailed instructions! Alas, even after walking through them, my SMTP server is still using the old certificate (everything else seems fine). Perhaps I'll try your suggestion of switching to a different IP address... This is really puzzling. I'm glad to hear I'm not the only one, at least.
Thank you again!
Universal Networks
Web Design, Online Publishing and ServerForest Web Hosting
-
05-28-2014, 09:19 PM #7 Junior Guru Wannabe
- Join Date: Mar 2005
- Posts: 31
Hi @jetfirenetworks: Awesome, thank you so much for the details. With your help, we were able to figure it out. Somewhere along the way, cPanel changed the cert name with exim. Once we cleaned things up per your notes, we noticed some things.
CRT located /var/cpanel/ssl/exim/exim.crt did not update with the Commando SSL. Instead something called myexim.crt was created or updated.
And /var/cpanel/ssl/exim/exim.crt did NOT equal ./etc/exim.crt
So we simply copied the key data from ./etc/exim.crt to ./var/cpanel/ssl/exim/exim.crt
and it worked
If you're reading this with the same problem, start with this and see if it works.
-
05-29-2014, 10:20 AM #8 Web Hosting Master
- Join Date: Oct 2004
- Location: Kerala, India
- Posts: 4,771
The exim certificate is called in exim.conf at /etc/exim.crt which is actually a symlink to /var/cpanel/ssl/exim/myexim.crt. That means we don't need to copy it.
Code:
# grep exim.crt /etc/exim.conf
tls_certificate = /etc/exim.crt
David | www.cliffsupport.com
Affordable Server Management Solutions sales AT cliffsupport DOT com
CliffWebManager | Access WHM from iPhone and Android
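The checks discussed in posts #7 and #8, collected as an added example (not code from any poster in this thread): it reads `tls_certificate` from the Exim config, follows the symlink to the real file, compares that file with the other copy named in the thread, and prints the fingerprint Exim presents over STARTTLS. It assumes `tls_certificate` is a plain path, that `openssl` is installed, and that Exim listens on localhost port 25; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: find the file Exim really loads and compare it with others.

# tls_certificate value from an Exim config (assumes a plain path, not an
# Exim string expansion).
exim_cert_setting() {
    sed -n 's/^[[:space:]]*tls_certificate[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Follow symlinks to the real file (e.g. /etc/exim.crt -> .../myexim.crt).
real_cert_path() {
    readlink -f "$1"
}

# "match" if two certificate files are byte-identical, otherwise "differ".
compare_certs() {
    if cmp -s "$1" "$2"; then echo match; else echo differ; fi
}

# SHA-256 fingerprint of a PEM certificate on disk (needs openssl).
disk_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# SHA-256 fingerprint of the certificate the SMTP listener presents after STARTTLS.
served_fingerprint() {
    openssl s_client -connect "$1:${2:-25}" -starttls smtp </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

main() {
    conf=$1
    setting=$(exim_cert_setting "$conf")
    real=$(real_cert_path "$setting")
    echo "exim.conf: $setting -> $real"
    # Path of the second copy is the one reported in post #7.
    echo "vs exim.crt: $(compare_certs "$real" /var/cpanel/ssl/exim/exim.crt)"
    echo "on disk: $(disk_fingerprint "$real")"
    echo "served:  $(served_fingerprint localhost 25)"
    openssl x509 -in "$real" -noout -enddate   # expiry of the loaded file
}

# Run the report only when a config path is given, e.g.: sh check.sh /etc/exim.conf
if [ "$#" -gt 0 ]; then main "$@"; fi
```

If the "on disk" and "served" fingerprints differ, the listener on port 25 is presenting something other than the file that exim.conf resolves to.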