Koozali.org: home of the SME Server

Letsencrypt cert not used on anything other than port 443

Offline toothandnail

Letsencrypt cert not used on anything other than port 443
« on: February 04, 2022, 10:30:23 AM »
I've got three SME 10 systems running. All seem to have the same problem. Using Letsencrypt certificates, all are using it for any https connections, but not for email ports. Testing with openssl, ports 465, 587 and 993 are all using a self-signed certificate, not the letsencrypt one.

By comparison, the one remaining SME 9.2 system I have access to uses the letsencrypt certificate on those ports as well as 443.

Using the self-signed cert for mail is causing some problems with the latest versions of Thunderbird, which no longer seem to be able to permanently store an exception. I would also prefer to use the Letsencrypt certificate for all open ports.

Have I missed something in the setup, given that SME 9.2 is using the letsencrypt cert? I don't remember having to do anything special to get the coverage, nor can I find any notes on the subject, but it seems odd that the other ports are not covered.
 

Offline ReetP

Re: Letsencrypt cert not used on anything other than port 443
« Reply #1 on: February 04, 2022, 11:40:17 AM »
Quote
Have I missed something in the setup, given that SME 9.2 is using the letsencrypt cert? I don't remember having to do anything special to get the coverage, nor can I find any notes on the subject, but it seems odd that the other ports are not covered.

Almost certainly ;-)

Remember a lot changed under the hood between v9 and v10, though not much with Letsencrypt. The biggest thing was actually Letsencrypt deprecating the v1 API.

Trying to make comparisons between v9 and v10 is not easy. Just because X worked on 9 does not always mean it will work exactly the same way on 10.

Let the wiki be your font of knowledge.....

https://wiki.koozali.org/Letsencrypt

Some things to check:

What are 'configure' and 'API' set to?

Code:
config show letsencrypt
What do we have set here?

Code:
config show modSSL
Do any of these have 'letsencryptSSLcert=enabled' ?

Code:
db domains show
Code:
db hosts show
What do these show?

Code:
cat /etc/dehydrated/config
Code:
cat /etc/dehydrated/domains
What happens when you force a check with

Code:
dehydrated -c -x
If needs be then follow the wiki, reset letsencrypt certs and start again.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Letsencrypt cert not used on anything other than port 443
« Reply #2 on: February 04, 2022, 06:18:46 PM »
is your server and all contribs up to date?

yum update

yum update --enablerepo=smecontribs


then check again


Offline toothandnail

Re: Letsencrypt cert not used on anything other than port 443
« Reply #3 on: February 06, 2022, 11:00:03 PM »
Sorry for the slow reply - something urgent came up and I've only just had time to go back and have another look at the problem systems.

Quote
Almost certainly ;-)

:)

Quote
Remember a lot changed under the hood between v9 and v10, though not much with Letsencrypt. The biggest thing was actually Letsencrypt deprecating the v1 API.

All the systems (including the remaining 9.2 systems) have been using the v2 API for quite a while.

Quote
Let the wiki be your font of knowledge.....

https://wiki.koozali.org/Letsencrypt

:) I've read the letsencrypt entries multiple times. Not that there is any guarantee I've not missed something.

Quote
Code:
config show letsencrypt
What do we have set here?

Code:
[root@deneb ~]# config show letsencrypt
letsencrypt=service
    ACCEPT_TERMS=yes
    configure=domains
    email=admin@mail.xxxxxxxx.co.uk
    hookScript=disabled
    status=enabled

Two of the systems are identical here other than the domain name. The third one (the only one which hasn't had mail problems so far) shows nothing there at all, just returns to the prompt. I may have done that system by manual configuration of dehydrated, but that was long before the upgrade to 10, and I'm not sure.

Quote
Code:
config show modSSL

Do any of these have 'letsencryptSSLcert=enabled' ?

All three do...

Code:
[root@cygnus ~]# config show modSSL
modSSL=service
    CertificateChainFile=/etc/dehydrated/certs/mail.xxxxxxx.co.uk/chain.pem
    TCPPort=443
    access=public
    crt=/etc/dehydrated/certs/mail.xxxxxxx.co.uk/cert.pem
    key=/etc/dehydrated/certs/mail.xxxxxx.co.uk/privkey.pem
    status=enabled

All three systems are identical other than the domain name here.


Quote
Code:
db domains show
Code:
db hosts show
What do these show?

Two of the systems show as below:

Code:
xxxxxxxco.uk=domain
    Content=Primary
    Description=Primary domain
    Nameservers=localhost
    Removable=no
    SystemPrimaryDomain=yes
mail.xxxxxxxxco.uk=domain
    Content=Primary
    Description=mail domain
    Nameservers=localhost
    lestsencryptSSLcert=enabled

The third one (also the one that doesn't show anything in response to config show letsencrypt) does not list letsencryptSSLcert as enabled.

Quote
Code:
cat /etc/dehydrated/config
Code:
cat /etc/dehydrated/domains

Code:
#!/bin/bash
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
CA="https://acme-v02.api.letsencrypt.org/directory"
BASEDIR="/etc/dehydrated"
CONTACT_EMAIL=admin@xxxxxxx.co.uk
HOOK="/usr/bin/hook-script.sh"
API="2"
PARAM_ACCEPT_TERMS="yes"

The only difference in any of them is the domain name. /etc/dehydrated/domains.txt is set to a single item on each of them - mail.<domain name>

Quote
What happens when you force a check with

Code:
dehydrated -c -x

All three have successfully renewed their certificates. I forced a renewal after the initial install/restore was done, and have tried again since then.

Quote
If needs be then follow the wiki, reset letsencrypt certs and start again.

I was intending to revert them completely, then try a fresh install, haven't had time yet. I was hoping I was missing something obvious, but other than the fact that one system shows nothing in response to config show letsencrypt, I've not seen anything that I can identify.


Offline toothandnail

Re: Letsencrypt cert not used on anything other than port 443
« Reply #4 on: February 06, 2022, 11:03:40 PM »
Quote
is your server and all contribs up to date?

yum update

yum update --enablerepo=smecontribs

then check again

Yes, all three systems are fully updated. One strange thing is that none of them were showing problems until a couple of weeks ago. I thought at first it was due to an upgrade to Thunderbird (which users on all three systems are using), but similar problems are shown when installing an older version of Thunderbird.

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Letsencrypt cert not used on anything other than port 443
« Reply #5 on: February 07, 2022, 04:47:20 AM »


you could check what the content of your pem file in /home/e-smith/ssl.pem/ is, this is the one used for all services except httpd and ftp


and here is the template

 /etc/e-smith/templates/home/e-smith/ssl.pem/

you can then sneak in the perl module used for validation and you could see that it does not support anything else than rsa.

please check your certificate was not issued with anything else than rsa. if so this explains the situation and you need to change this

this could particularly happen if you have overridden dehydrated templates with custom templates.


see changelog:

https://wiki.koozali.org/Letsencrypt#Changelog
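The two checks JP describes above, which certificate each port actually hands out and whether the certificate's key is RSA, as an added shell example; this is not code from the thread or from the SME Server letsencrypt contrib, it assumes openssl(1) is installed, and the host name and PEM file name in the usage comment are placeholders you substitute.

```shell
# Added example (not from the thread or the SME Server contrib): compare the
# leaf certificate served on 443 with those on the mail ports and report a
# certificate's public key algorithm, since the thread says the ssl.pem
# validation only handles RSA keys. Requires openssl(1).

# SHA-256 fingerprint of the leaf certificate presented on $1:$2.
# $3 is an optional STARTTLS protocol ("smtp" for 587, "imap" for 143);
# 443, 465 and 993 negotiate TLS immediately and take no third argument.
leaf_fingerprint() {
    host=$1; port=$2; starttls=${3:-}
    if [ -n "$starttls" ]; then
        openssl s_client -connect "$host:$port" -servername "$host" \
            -starttls "$starttls" </dev/null 2>/dev/null
    else
        openssl s_client -connect "$host:$port" -servername "$host" \
            </dev/null 2>/dev/null
    fi | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# Public key algorithm of a PEM certificate file: "rsaEncryption" for an RSA
# key, "id-ecPublicKey" for an EC key (the case this thread says SME 10's
# ssl.pem validation rejects). Prints nothing if the file is not a certificate.
cert_key_algo() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^ *Public Key Algorithm: *//p'
}

# Walk the service ports and flag any that present a different certificate
# than 443. Returns 1 on any mismatch or missing certificate, else 0.
check_ports() {
    host=$1; rc=0
    ref=$(leaf_fingerprint "$host" 443)
    printf '%-4s %s\n' 443 "${ref:-no certificate}"
    for spec in 465 '587 smtp' 993 '143 imap'; do
        set -- $spec
        fp=$(leaf_fingerprint "$host" "$1" "${2:-}")
        if [ -n "$fp" ] && [ "$fp" = "$ref" ]; then
            printf '%-4s same as 443\n' "$1"
        else
            printf '%-4s %s  <-- differs from 443\n' "$1" "${fp:-no certificate}"
            rc=1
        fi
    done
    return "$rc"
}

# Usage with placeholders (the SME pem lives under /home/e-smith/ssl.pem/):
# check_ports mail.example.com
# cert_key_algo /home/e-smith/ssl.pem/YOUR_FILE.pem
```

A port that reports "differs from 443" is serving something other than the Let's Encrypt chain, and an "id-ecPublicKey" result on the pem is the non-RSA case JP describes.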



Offline WCS

Re: Letsencrypt cert not used on anything other than port 443
« Reply #6 on: February 19, 2022, 12:17:00 AM »

Code:
#!/bin/bash
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
CA="https://acme-v02.api.letsencrypt.org/directory"
BASEDIR="/etc/dehydrated"
CONTACT_EMAIL=admin@xxxxxxx.co.uk
HOOK="/usr/bin/hook-script.sh"
API="2"
PARAM_ACCEPT_TERMS="yes"


I think you'll find if you insert:

Code:
KEY_ALGO=rsa

at the bottom of your config file & run

dehydrated -c -x

all will magically start working again.

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Letsencrypt cert not used on anything other than port 443
« Reply #7 on: February 19, 2022, 01:42:44 AM »
if your contrib is up to date you do not have to edit and add this.

also remember that this file is templated and your changes will be removed on next expansion and the default will erase your certificate with a non-rsa one.

best approach is to simply explore your certificate using your web browser; most of them allow you to see some information about the cert, or use a third-party website to check your certificate.


Offline ReetP

Re: Letsencrypt cert not used on anything other than port 443
« Reply #8 on: February 19, 2022, 02:13:57 AM »
Quote
all will magically start working again.

As JP said, that is extremely unlikely if you use the contrib.

We do try and take care the contrib is up to date so you are unlikely to get issues normally. Items such as key_algo have defaults, so there is no need to modify that without very good reason and understanding what you are doing.

Any problems are usually down to either manual installs or upgrades with old hacked templates left lying around.

In this instance there is more than one issue. See this for reference:

https://forums.koozali.org/index.php/topic,54770.0.html