SSL error: Leaf certificate is expired

Greetings! I’ve been enjoying MXroute for about 6 months now, encountered my first snag.

Using Gmail as a POP/SMTP client for several email accounts on friday.mxroute.com has worked extremely well until about a week ago (December 25 2019) when all accounts hosted there return the error “SSL error: Leaf certificate is expired” when trying to retrieve messages. Since then, none of my accounts (or client accounts) hosted there have been able to pull from Gmail. None have any other clients to try.

I tried reconfiguring the POP at Gmail using different ports (993, 995, 110) but always get the same error. The linked “help” is not helpful, just generic Google how-to on setting up remote email.

Google search tells me that if this is not an actual expired CA certificate, it may be Gmail not wanting to talk to self-signed servers (but that note was from 2012). https://www.digicert.com/ssl-support/gmail-pop3-troubleshooting.htm

Am I missing something obvious, or can someone assist? Thanks in advance and HAPPY NEW YEAR!


Apologies for the trouble. cPanel has acknowledged an issue that needs to be fixed in a future version, that is currently causing AutoSSL to fail to automatically renew custom hostname certificates on cPanel servers (mail.yourdomain.tld, webmail.yourdomain.tld). The temporary workaround for this is to log in to cPanel, click Custom SSL, and click Run AutoSSL.

Using the server hostname instead of your custom hostname would bypass this issue entirely, but that isn’t something you should have to do. As soon as the patch is out, I’ll apply it.

Ah, so that’s why I had to manually run AutoSSL a few days ago!

@Jarland thank you for the quick response. Auto SSL did the trick, and all Gmail clients are able to fetch emails from friday.server once again.

Happy New Year!

Hi, I fell over this one 3 months ago and applied the ‘manual run’ fix.

Today certificates are expiring again, but what was previously the ‘Run AutoSSL’ button is perpetually stuck at ‘AutoSSL is in progress…’ and cannot be re-triggered now for my account.

Anything I can do on my end? Does it work for others?

Indeed @cochon I see the same. All but one domain in my cPanel is green (expiring 31 March) and one which expired 5 Feb. “Auto SSL In Progress” is dimmed (not selectable).
Not just you. Thanks for the heads-up or I wouldn’t have seen. That particular domain sends transactional emails, so I’m surprised I didn’t get a complaint. Let’s see what @Jarland comes up with.

Thanks, that seems to have fixed it :+1: Both certs renewed for next 3 months.

Should I assume the manual run will be necessary again in June? I’ll set a calendar reminder this time.

I killed the autossl proc on the Friday server, does that help you and @Wynaco? It should no longer be showing as in progress.

@Jarland that was successful. I had errors with a couple of them (looking for TXT records _cpanel-dcv-test-record.[mydomain].org) but I will look into that separately. Thanks as usual for the quick response!

Sharing in case it can help someone else. I discovered why I got the mentioned errors during AutoSSL for a couple of my domains. I do not manage DNS for those domains, and they had no CNAME records for “mail” and “webmail” pointing to my MXroute server (friday.mxroute.com). I’ve contacted my clients to fix that, then I will run AutoSSL again. I’m confident that will solve it…

@Alento good point. :+1:

Hi! If the clients are just using friday.mxlogin.com rather than the mail and webmail subdomains, just exclude them … no need to have the cert issued if the domain is not using the custom subdomains.