Koozali.org: home of the SME Server

Problem with self-signed certificate on one SME 10 machine

toothandnail
Problem with self-signed certificate on one SME 10 machine
« on: February 17, 2022, 10:13:05 PM »
I've been having problems with LetsEncrypt not being presented on anything other than port 443. While trying to solve that problem, I've hit another on one SME 10 system. This one has been in service for quite a while - started life as an SME 7.2 system and has been migrated through several hardware changes as well as upgraded through different SME versions.

I was about to remove the LetsEncrypt setup completely, then reinstall it to see if I could solve the ongoing certificate problem, when I discovered that the self-signed certificate was being renewed every 24 hours. No changes have been made to the templates in that area (I had a look at the Wiki item on changing the expiry date), and in each instance the certificate was being renewed for a full year. The time stamp on the certificate was around 03:40 each night.

Since I wasn't sure whether this was connected to the problems I'm having with the LetsEncrypt certificates (see https://forums.koozali.org/index.php/topic,54761.0.html), I removed LetsEncrypt and regenerated the self-signed certificate. After doing so, I found that the newly generated certificate was also being renewed every 24 hours. I then moved the conf-mod_ssl script out of /etc/cron.daily, which stopped the constant renewal, at least until there was an upgrade and I did a signal-event post-upgrade; signal-event reboot, which caused the certificate to be renewed again.

I've currently no idea what is causing this renewal, and I can't leave the daily check of the certificate disabled indefinitely. I'm hoping someone may know what I need to look at to find the source of the problem.

ReetP
Re: Problem with self-signed certificate on one SME 10 machine
« Reply #1 on: February 17, 2022, 11:21:56 PM »
At a wild guess I'd say these are all related but nowhere near enough info to really know. Most likely a hangover/hack from v9.

Go back to basics. Fix one box first.

Bug report from server manager and then the output from:

/sbin/e-smith/audittools/
newrpms
templates
repositories

JP might have some more suggestions.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Jean-Philippe Pialasse
Re: Problem with self-signed certificate on one SME 10 machine
« Reply #2 on: February 18, 2022, 03:59:06 AM »
For both your original issue with Let's Encrypt and this one, an issue with templates-custom is highly probable.

Also, the self-signed certificate now includes all domains and the main server IP.

So every time you change a host or a domain of the server, the certificate will be renewed.
Every time the IP is updated on an interface where it is configured as static, it will be renewed.

Again, if the template/script is changing the certificate, this is because something changed or is not set right (e.g. a custom template). Please, rather than trying to work around things by randomly removing things, help us to help you and this time give the information John is requesting.
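A defender-side check for the mechanism described above: the SME 10 self-signed certificate carries every host/domain name plus the server IP, so a certificate that is reissued each night is worth comparing against the names and IP the server is actually configured with. This is an added example, not code from the thread or from SME Server's own conf-mod_ssl script; CERT_PATH is a placeholder, `openssl` is assumed to be on PATH, and the expected names/IP are assumed to be supplied by the operator from the server's configuration.

```python
"""Diagnose a self-signed certificate that keeps being reissued.

Added example, not code from the forum thread or from SME Server itself.
Assumes `openssl x509` is on PATH, CERT_PATH is a placeholder, and the expected
names/IPs are supplied by the operator from the server's configuration.
"""
import re
import subprocess
from datetime import datetime, timedelta, timezone

CERT_PATH = "/path/to/server.crt"  # placeholder, point at the real certificate

def openssl_dump(cert_path=CERT_PATH):
    """Validity dates plus the full text dump; -text also works on OpenSSL 1.0.2."""
    cmd = ["openssl", "x509", "-in", cert_path, "-noout", "-dates", "-text"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def parse_dump(text):
    """Return (notBefore as aware UTC datetime, set of DNS SANs, set of IP SANs)."""
    stamp = re.search(r"notBefore=(.+)", text).group(1).strip()
    not_before = datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z")
    dns = set(re.findall(r"DNS:([^,\s]+)", text))
    ips = set(re.findall(r"IP Address:([^,\s]+)", text))
    return not_before.replace(tzinfo=timezone.utc), dns, ips

def diagnose(text, expected_names, expected_ips, now=None, window=timedelta(hours=24)):
    """Flag a cert issued inside `window` and any drift between its SANs and the
    configured names/IP. On SME 10 the self-signed cert carries every host and
    domain plus the server IP and is reissued when that set changes, so SAN
    drift is the first thing to rule out when a cert is reissued every night."""
    not_before, dns, ips = parse_dump(text)
    now = now or datetime.now(timezone.utc)
    return {
        "issued_within_window": (now - not_before) < window,
        "missing_names": sorted(set(expected_names) - dns),
        "unexpected_names": sorted(dns - set(expected_names)),
        "missing_ips": sorted(set(expected_ips) - ips),
        "unexpected_ips": sorted(ips - set(expected_ips)),
    }

# Constructed sample of the openssl output, trimmed to the lines that matter.
SAMPLE_DUMP = """notBefore=Feb 17 03:40:12 2022 GMT
notAfter=Feb 17 03:40:12 2023 GMT
        X509v3 Subject Alternative Name:
            DNS:server.example.test, DNS:example.test, IP Address:192.0.2.10
"""

if __name__ == "__main__":
    print(diagnose(openssl_dump(), ["server.example.test"], ["192.0.2.10"]))
```

Run it once a day and compare the output with the previous run: a non-empty drift list on the morning the certificate changed points at the host, domain or IP entry that the cron job saw differently.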

toothandnail
Re: Problem with self-signed certificate on one SME 10 machine
« Reply #3 on: February 18, 2022, 04:24:21 PM »
Thanks for the replies.

Here is the output from the server-manager bug report:

Code:
Configuration report created Fri 18 Feb 2022 07:51:06 AM GMT

==================
Base configuration
==================

SME server version:   10.0
SME server mode:      servergateway
SME server previous mode: servergateway
Running Kernel:        3.10.0-1160.53.1.el7.x86_64



===========================
New RPMs not in base system
===========================
       
Loaded plugins: fastestmirror, post-transaction-actions, priorities, smeserver
Loading mirror speeds from cached hostfile
 * base: uk.mirrors.clouvider.net
 * smeaddons: mirror.pialasse.com
 * smeos: mirror.pialasse.com
 * smeupdates: mirror.pialasse.com
 * updates: mirror.sov.uk.goscomb.net
Extra Packages
GeoIP.x86_64                           1.6.12-9.el7.sme             @smecontribs
GeoIP-GeoLite-data.noarch              2018.06-7.el7.sme            @smecontribs
GeoIP-GeoLite-data-extra.noarch        2018.06-7.el7.sme            @smecontribs
fail2ban-sendmail.noarch               0.11.2-3.el7                 @smecontribs
fail2ban-server.noarch                 0.11.2-3.el7                 @smecontribs
libicu69.x86_64                        69.1-2.el7.remi              @remi-safe 
mc.x86_64                              1:4.8.23-1.1                 installed   
ncdu.x86_64                            1.16-1.el7                   @epel       
perl-Data-Validate-IP.noarch           0.27-13.el7                  @smecontribs
php74-php.x86_64                       7.4.28-1.el7.remi            @remi-safe 
php74-php-bcmath.x86_64                7.4.28-1.el7.remi            @remi-safe 
php74-php-cli.x86_64                   7.4.28-1.el7.remi            @remi-safe 
php74-php-common.x86_64                7.4.28-1.el7.remi            @remi-safe 
php74-php-enchant.x86_64               7.4.28-1.el7.remi            @remi-safe 
php74-php-fpm.x86_64                   7.4.28-1.el7.remi            @remi-safe 
php74-php-gd.x86_64                    7.4.28-1.el7.remi            @remi-safe 
php74-php-imap.x86_64                  7.4.28-1.el7.remi            @remi-safe 
php74-php-intl.x86_64                  7.4.28-1.el7.remi            @remi-safe 
php74-php-json.x86_64                  7.4.28-1.el7.remi            @remi-safe 
php74-php-ldap.x86_64                  7.4.28-1.el7.remi            @remi-safe 
php74-php-mbstring.x86_64              7.4.28-1.el7.remi            @remi-safe 
php74-php-mysqlnd.x86_64               7.4.28-1.el7.remi            @remi-safe 
php74-php-opcache.x86_64               7.4.28-1.el7.remi            @remi-safe 
php74-php-pdo.x86_64                   7.4.28-1.el7.remi            @remi-safe 
php74-php-process.x86_64               7.4.28-1.el7.remi            @remi-safe 
php74-php-snmp.x86_64                  7.4.28-1.el7.remi            @remi-safe 
php74-php-soap.x86_64                  7.4.28-1.el7.remi            @remi-safe 
php74-php-sodium.x86_64                7.4.28-1.el7.remi            @remi-safe 
php74-php-tidy.x86_64                  7.4.28-1.el7.remi            @remi-safe 
php74-php-xml.x86_64                   7.4.28-1.el7.remi            @remi-safe 
php74-php-xmlrpc.x86_64                7.4.28-1.el7.remi            @remi-safe 
php80-php.x86_64                       8.0.16-1.el7.remi            @remi-safe 
php80-php-bcmath.x86_64                8.0.16-1.el7.remi            @remi-safe 
php80-php-cli.x86_64                   8.0.16-1.el7.remi            @remi-safe 
php80-php-common.x86_64                8.0.16-1.el7.remi            @remi-safe 
php80-php-enchant.x86_64               8.0.16-1.el7.remi            @remi-safe 
php80-php-fpm.x86_64                   8.0.16-1.el7.remi            @remi-safe 
php80-php-gd.x86_64                    8.0.16-1.el7.remi            @remi-safe 
php80-php-imap.x86_64                  8.0.16-1.el7.remi            @remi-safe 
php80-php-intl.x86_64                  8.0.16-1.el7.remi            @remi-safe 
php80-php-ldap.x86_64                  8.0.16-1.el7.remi            @remi-safe 
php80-php-mbstring.x86_64              8.0.16-1.el7.remi            @remi-safe 
php80-php-mysqlnd.x86_64               8.0.16-1.el7.remi            @remi-safe 
php80-php-opcache.x86_64               8.0.16-1.el7.remi            @remi-safe 
php80-php-pdo.x86_64                   8.0.16-1.el7.remi            @remi-safe 
php80-php-process.x86_64               8.0.16-1.el7.remi            @remi-safe 
php80-php-snmp.x86_64                  8.0.16-1.el7.remi            @remi-safe 
php80-php-soap.x86_64                  8.0.16-1.el7.remi            @remi-safe 
php80-php-sodium.x86_64                8.0.16-1.el7.remi            @remi-safe 
php80-php-tidy.x86_64                  8.0.16-1.el7.remi            @remi-safe 
php80-php-xml.x86_64                   8.0.16-1.el7.remi            @remi-safe 
php81-php.x86_64                       8.1.3-1.el7.remi             @remi-safe 
php81-php-bcmath.x86_64                8.1.3-1.el7.remi             @remi-safe 
php81-php-cli.x86_64                   8.1.3-1.el7.remi             @remi-safe 
php81-php-common.x86_64                8.1.3-1.el7.remi             @remi-safe 
php81-php-enchant.x86_64               8.1.3-1.el7.remi             @remi-safe 
php81-php-fpm.x86_64                   8.1.3-1.el7.remi             @remi-safe 
php81-php-gd.x86_64                    8.1.3-1.el7.remi             @remi-safe 
php81-php-imap.x86_64                  8.1.3-1.el7.remi             @remi-safe 
php81-php-intl.x86_64                  8.1.3-1.el7.remi             @remi-safe 
php81-php-ldap.x86_64                  8.1.3-1.el7.remi             @remi-safe 
php81-php-mbstring.x86_64              8.1.3-1.el7.remi             @remi-safe 
php81-php-mysqlnd.x86_64               8.1.3-1.el7.remi             @remi-safe 
php81-php-opcache.x86_64               8.1.3-1.el7.remi             @remi-safe 
php81-php-pdo.x86_64                   8.1.3-1.el7.remi             @remi-safe 
php81-php-pear.noarch                  1:1.10.13-1.el7.remi         @remi-safe 
php81-php-pecl-xmlrpc.x86_64           1.0.0~rc3-1.el7.remi         @remi-safe 
php81-php-pecl-zip.x86_64              1.20.0-1.el7.remi            @remi-safe 
php81-php-process.x86_64               8.1.3-1.el7.remi             @remi-safe 
php81-php-snmp.x86_64                  8.1.3-1.el7.remi             @remi-safe 
php81-php-soap.x86_64                  8.1.3-1.el7.remi             @remi-safe 
php81-php-sodium.x86_64                8.1.3-1.el7.remi             @remi-safe 
php81-php-tidy.x86_64                  8.1.3-1.el7.remi             @remi-safe 
php81-php-xml.x86_64                   8.1.3-1.el7.remi             @remi-safe 
php81-runtime.x86_64                   8.1-1.el7.remi               @remi-safe 
smeserver-dhcp-dns.noarch              1.2.0-5.el7.sme              @smecontribs
smeserver-dhcpmanager.noarch           2.0.4-12.el7.sme             @smecontribs
smeserver-fail2ban.noarch              9:0.1.18-25.el7.sme          @smecontribs
smeserver-qmHandle.noarch              1.4-16.el7.sme               @smecontribs
smeserver-userpanel.noarch             1.4-3.el7.sme                @smecontribs
smeserver-vacation.noarch              1.1-33.el7.sme               @smecontribs
smeserver-wsdd.noarch                  0.2-5.el7.sme                @smecontribs
synbak.noarch                          3.6-1                        installed   
wsdd.noarch                            0.7.0-1.el7                  @smecontribs
 



===========================
Custom and modified templates
===========================
/etc/e-smith/templates-custom/etc/ups/upsd.users/admin: MANUALLY_ADDED, ADDITION
/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts40ACME: MANUALLY_ADDED, ADDITION
/etc/e-smith/templates-custom/etc/crontab/synbak: MANUALLY_ADDED, ADDITION




===========================
Modified events
===========================




=======================
Additional repositories
=======================

base: enabled
centosplus: disabled
epel: disabled
extras: disabled
fasttrack: disabled
fws: disabled
nethsme: disabled
remi-safe: enabled
sme7contribs: disabled
smeaddons: enabled
smecontribs: disabled
smedev: disabled
smeextras: enabled
smeos: enabled
smetest: disabled
smeupdates: enabled
smeupdates-testing: disabled
sogo: disabled
stephdl: disabled
updates: enabled
   

DONE!

I've not added the output from newrpms, templates or repositories since the server-manager bug report seems to include everything they produce. I can if needed.

There haven't been any recent changes made to a host or a domain on the server. They've remained static since well before the upgrade to SME 10. No changes to IPs on any of the interfaces set as static either. The upgrade was done using the migratehelper script, but with both files and mail rsynced in as a separate operation.

ReetP
Re: Problem with self-signed certificate on one SME 10 machine
« Reply #4 on: February 18, 2022, 05:20:22 PM »
OK, you are in server gateway. Bearing in mind JP's comments, how is the IP set on the WAN interface? DHCP or static?

Check your logs to see what occurs at the time the certificates are generated - you will see a trigger. What is it?

Next I would rid yourself of these, as you are not using them, to save confusion:

fws: disabled
sme7contribs: disabled
nethsme: disabled
sogo: disabled
stephdl: disabled

Then remove this and any other dehydrated detritus:

/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts40ACME: MANUALLY_ADDED, ADDITION

Then install smeserver-dehydrated, run it in test mode and get your certificates right.

You are far less likely to have mistakes with a contrib.