Koozali.org: home of the SME Server

unable to refresh ssl certificate for Dovecot.

Offline julianop

unable to refresh ssl certificate for Dovecot.
« on: June 04, 2023, 04:26:17 PM »
Hi friends.
Either by use of the ssl certificate manager, or by manual means (e.g. from ssls.com) I am unable to update my formal ssl certificate. It still shows as out of date using external testers (e.g. decoder.link./sslchecker and ssllabs.com)
When I use the certificate manager add-in, three things happen: 1) the entry into the "Intermediate" panel gets truncated to two sections rather than the entered three; 2) When I click "save" I get the apparently now infamous timeout message "Error: CSRF token is invalid or outdated."; and 3) my combined (crt + ca-bundle + private key) file imapd.pem gets overwritten with an old version of the file, but with the time/datestamp of the one I had created (How wude! as Jar Jar Binks would say!).
I am slightly uncertain of the correct process, as there are two sets of configuration files: a dovecot.conf in /etc/dovecot which asks for a single imapd.pem in /etc/dovecot/ssl, and a 10-ssl.conf in /etc/dovecot/conf.d  - which asks for what look like the same file (dovecot.pem) but which actually isn't - in /etc/pki/dovecot/certs and /etc/pki/dovecot/private.

Would somebody kindly point me at the correct process for refreshing an ssl certificate. "https://wiki.koozali.org/Certificate_ssl_management" does not work at all, giving me the timeout error mentioned above.

Thanks in advance for some help :-)


Offline julianop

Re: unable to refresh ssl certificate for Dovecot.
« Reply #1 on: June 04, 2023, 04:45:38 PM »
Update.
Even if I so much as enter the "Email" configuration page in the browser-based configuration utility, without changing anything, then go to the "Manage SSL Certificates" page and click "Save" without changing anything there either, I don't get the timeout error. Nothing is fixed, behaviorally, but at least I don't get the timeout error, and instead get a much friendlier green "Operation status report Success - New Certificate details written" message. Does this offer any helpful clues?
Oh, and it's the third section of the ca-bundle file that is carved off in the "SSL Intermediate Chain Certificate" panel, if that helps. Something to do with CA-root? I'm REALLY overstepping my knowledge with that guess, but I'm trying hard to figure it out.

Lastly, here's what I get from decoder.link SSL checker:

Hostname:    Matches Common Name or/and SAN
Expired:    Yes (expired 3 days ago)
Public Key:    We were unable to find any issues in the public key of end-entity certificate
Trusted:    Yes, we were able to verify the certificate
Self-Signed:    No, the end-entity certificate is not self-signed
Chain Issues:    No, we were unable to detect any issues in the certificate chain sent by the server
Weak signatures:    No, certificates sent by the server were not signed utilizing a weak hash function

Thanks again.
« Last Edit: June 04, 2023, 04:53:00 PM by julianop »

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: unable to refresh ssl certificate for Dovecot.
« Reply #2 on: June 05, 2023, 07:34:28 AM »
if using an external provider you need to select a RSA based ssl certificate.  there is no support for elliptic based ssl certificates. 


Offline julianop

Re: unable to refresh ssl certificate for Dovecot.
« Reply #3 on: June 20, 2023, 04:30:03 AM »
Yes, I have a RSA cert and bundle from Sectigo.

I had this working last year, but in trying to update my cert with this year's issue, I can't get it working: it holds on to last year's cert. I have managed to revert back to self-cert, and am trying to use the SSL certificate management plug-in to enter new files, but it won't accept them.

Essentially, there appear to be two methods for this task: placing the appropriate files in the right locations, and using the SSL cert manager plug-in.

Manually: I don't know where to put the files; there seem to be several configuration files & locations for Dovecot and SSL: /etc/pki/dovecot, /etc/pki/tls, /etc/dovecot.... but I don't know who's in charge.

Plug-in: It simply won't accept my new files, and keeps reverting what's in the three panels to the self-cert files.
Then there's the incomprehensible "Operation status report. Error: CSRF token is invalid or outdated." message, that I have no idea what to do with.

According to Sectigo tech support, I should be able to use their bundle file in place of the "intermediate chain" the plug-in is asking for. That would make sense, as the manual method as I understand it wants the bundle and cert combined.

Help, please?

« Last Edit: June 20, 2023, 04:32:09 AM by julianop »

Offline ReetP

Re: unable to refresh ssl certificate for Dovecot.
« Reply #4 on: June 20, 2023, 10:58:05 AM »
Can you give us some detail please.

From History down. Info about your server, and log errors.

https://wiki.koozali.org/How_to_report_a_problem
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline mmccarn

Re: unable to refresh ssl certificate for Dovecot.
« Reply #5 on: June 20, 2023, 01:30:25 PM »
I've been using a non-standard "getssl" script for cert updates since 2016 or so.

I followed a complicated and convoluted procedure when updating certs until I realized that SME 10 respects the certificate settings under modSSL in the configuration database.

As long as config show modSSL points to the correct cert file locations my cert updates work flawlessly when I execute signal-event ssl-update.

Code:
# config show modSSL
modSSL=service
    CertificateChainFile=/root/.getssl/my.smeserver.tld/cert.pem
    TCPPort=443
    access=public
    crt=/root/.getssl/my.smeserver.tld/my.smeserver.tld.crt
    key=/root/.getssl/my.smeserver.tld/my.smeserver.tld.key
    status=enabled

Offline julianop

Re: unable to refresh ssl certificate for Dovecot.
« Reply #6 on: June 20, 2023, 03:20:10 PM »
ReetP: Thank you for your response: I shall do that today, as I'm still no further ahead...I managed this successfully last year, and don't know what's going wrong.

mmccarn: thanks for that too.  Yes, the report from "config show modSSL" shows correct. It was only last night that I discovered and followed "topic37634.0.html" ("Transplanting an existing ssl cert to SME7.x") and "topic30320.0" ("SME 6 Jan06 Updates and SSL Certs reset").
I moved my cert, chain  (bundle)* and key files to the suggested directories ("/home/e-files/ssl.crt", etc.).
Unfortunately, the system continues to hang on to last year's certificate (domain name changed to protect the fool at the keyboard):
Code:
[root@dejavu ~]# config show modSSL
modSSL=service
    CertificateChainFile=/home/e-smith/ssl.chainfile/mail.mydomain.com.ca-bundle
    CommonName=mail.mydomain.com
    TCPPort=443
    access=public
    crt=/home/e-smith/ssl.crt/mydomain.com.crt
    key=/home/e-smith/ssl.key/mydomain.com.key
    status=enabled
[root@dejavu ~]#
I'm sure the fact that even when changing the configuration back to self-cert and forward again to commercial cert resulting in a corrected but expired report from "decoder.link/sslchecker" is a clue - meaning that the old cert file is still lurking up somewhere - but I can't figure out where.

Thank you both; I'll keep at it...

*the tech at Sectigo told me that I could use the bundle file in place of an intermediate chain; I hope that's correct.
« Last Edit: June 20, 2023, 03:21:48 PM by julianop »

Offline julianop

Re: unable to refresh ssl certificate for Dovecot.
« Reply #7 on: June 20, 2023, 06:44:13 PM »
OK, it's fixed. It was clear this morning, after a few hours of sleep, after returning back from the experimental self-signed configuration to paid cert, and finding my cert expired once again, that I simply MUST have inadvertently pointed "config setprop modSSL key..." to the wrong key file, which still MUST exist.

It turned out that I had done exactly that: this time around, following the instructions in the link below, I had used different filenames than the previous ones; then I had inadvertently permitted command line completion from my history (it must have been a script that wrote the commands into history last time: I surely didn't) to select the old file.

So the method, per "https://wiki.koozali.org/Certificates_Concepts", worked when correctly executed, of course:
After moving the crt, key and ca-bundle files to the proposed locations at /home/e-smith/ssl.crt, ....ssl.key and .../ssl.CertificateChainFile respectively,
Code:
config setprop modSSL crt /home/e-smith/ssl.crt/imported_{domain}.crt
config setprop modSSL key /home/e-smith/ssl.key/imported_{domain}.key
config setprop modSSL CertificateChainFile /home/e-smith/ssl.chainfile/imported_{domain}.crt
signal-event ssl-update

"/etc/dovecot/ssl/imapd.pem" was created automagically, as was /etc/openldap/ssl/slapd.pem.

And yes, of course the "ca-bundle" file from Sectigo worked perfectly well.

I will finish by saying that the "Manage SSL Certificates" add-in steadfastly refused to work for me, and even now continues to show the self-cert key, private key and chain files. Maybe between now and next year I'll see if I can find the author's write-up, and see how it's supposed to work... I thought I'd used it successfully last year, perhaps not.

Thanks for the help, guys.
« Last Edit: June 20, 2023, 08:05:51 PM by julianop »
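The fix above (and mmccarn's reply #5) comes down to: put the three files somewhere other than the self-signed paths, point modSSL at them, run signal-event ssl-update. The failure in this thread was the step before that: pointing modSSL at last year's key. The following is an added example, not code from the thread or from the SME Server project, that runs the checks Jean-Philippe lists in reply #12 before touching the configuration database. The file locations are the ones the thread uses under /home/e-smith; the function names, the 7-day expiry margin and the host mail.example.com are assumptions for illustration. The config setprop / signal-event commands are the thread's own; the openssl checks are standard openssl(1) usage.

```shell
#!/bin/sh
# Added example, not from the thread or the SME Server project: pre-flight
# checks for a commercial certificate before pointing modSSL at it.
# Assumed layout (from the thread): cert, key and CA bundle already copied to
# /home/e-smith/ssl.crt, /home/e-smith/ssl.key and /home/e-smith/ssl.chainfile.

# check_ssl_files CRT KEY CHAIN -> returns 0 if every check passes, 1 otherwise.
check_ssl_files() {
    crt=$1 key=$2 chain=$3
    for f in "$crt" "$key" "$chain"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    # 1. Catches the mistake in the thread (right cert, old key): the public key
    #    inside the certificate must equal the one derived from the private key.
    pub_crt=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    pub_key=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$pub_crt" ] || [ "$pub_crt" != "$pub_key" ]; then
        echo "private key does not match certificate" >&2; return 1
    fi
    # 2. SME only supports RSA certificates from external CAs (reply #2).
    if ! openssl x509 -in "$crt" -noout -text | grep -q 'Public Key Algorithm: rsaEncryption'; then
        echo "certificate is not RSA" >&2; return 1
    fi
    # 3. Refuse a certificate that is expired or expires within 7 days (assumed margin).
    if ! openssl x509 -in "$crt" -noout -checkend 604800 >/dev/null; then
        echo "certificate expired or expires within 7 days" >&2; return 1
    fi
    # 4. The bundle must chain this certificate to a trusted root: first treat it
    #    as intermediates against the system store, then accept a bundle that
    #    carries its own root (as a CA-supplied ca-bundle usually does).
    if ! openssl verify -untrusted "$chain" "$crt" >/dev/null 2>&1 &&
       ! openssl verify -CAfile "$chain" "$crt" >/dev/null 2>&1; then
        echo "chain file does not validate certificate" >&2; return 1
    fi
    # 5. The private key must not be readable by other users.
    if [ -n "$(find "$key" -perm -o=r)" ]; then
        echo "private key is world-readable: chmod 600 $key" >&2; return 1
    fi
    return 0
}

# apply_modssl CRT KEY CHAIN: run the checks, then do exactly what the fix in
# this thread did; signal-event ssl-update regenerates the derived files
# (/etc/dovecot/ssl/imapd.pem, /etc/openldap/ssl/slapd.pem).
apply_modssl() {
    check_ssl_files "$1" "$2" "$3" || return 1
    config setprop modSSL crt "$1" &&
    config setprop modSSL key "$2" &&
    config setprop modSSL CertificateChainFile "$3" &&
    signal-event ssl-update
}

# served_cert_enddate HOST PORT: the expiry of the certificate Dovecot actually
# presents on the wire (implicit TLS, e.g. port 993), which is all an external
# checker such as decoder.link or ssllabs.com ever sees.
served_cert_enddate() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -enddate
}

# Usage (assumed filenames):
#   apply_modssl /home/e-smith/ssl.crt/imported_example.crt \
#                /home/e-smith/ssl.key/imported_example.key \
#                /home/e-smith/ssl.chainfile/imported_example.crt
#   served_cert_enddate mail.example.com 993
```

If check 1 fails the script stops before the configuration database is changed, which is the point: once modSSL points at a mismatched pair, ssl-update will happily regenerate imapd.pem from whatever it was given, and the only symptom is an external checker still reporting the old expiry. Running served_cert_enddate after the event confirms the new certificate is actually being served rather than merely on disk.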

Offline ReetP

Re: unable to refresh ssl certificate for Dovecot.
« Reply #8 on: June 20, 2023, 07:52:14 PM »
Worth running up a test VM and trying with the panel which would help us enormously.

It might need a bug on it but we need more info as described previously.

Offline julianop

Re: unable to refresh ssl certificate for Dovecot.
« Reply #9 on: June 20, 2023, 08:09:33 PM »
Is that something you'd like me to do?? I'd be happy to help, and have Oracle VM Virtualbox installed with a couple of images already; but I would need pointers...
Presumably I'd have to copy something from the permanent installation to the VM...

Offline ReetP

Re: unable to refresh ssl certificate for Dovecot.
« Reply #10 on: June 20, 2023, 08:24:11 PM »
We'd LOVE you to do it!!

I'm busy with :beer: right now but will get back to you tomorrow on how you can help a bit.

In this particular instance a vanilla updated VM, install the cert manager and try.

See the wiki for logging which is vital.

I'll be about tomoz and do a bit more but my beer is getting warm....

Offline julianop

Re: unable to refresh ssl certificate for Dovecot.
« Reply #11 on: June 20, 2023, 08:58:51 PM »
Heavens, we can't allow warm beer... well, back in the UK we could, but over here in the 'States (sigh... it's been over 40 years...) that's a no-no.

I'll set it up, see what I get, and report back (Wiki... logging... will do)

I'll be back, but it'll take me a day... (I'm still trying to get around to capturing logs on my persistent "Warning: a reconfigure and reboot is required before proceeding! Failure to do so now may leave your system in an unknown state!" problem I spoke of in another post...)

But I'll do this one first...

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: unable to refresh ssl certificate for Dovecot.
« Reply #12 on: June 20, 2023, 10:31:34 PM »
There are a few verifications and limitations for the update to take place, e.g.:
- all keys and certs should match and be valid, and the files should exist.
- the path should not be the path of the self-generated certificate, as it will be overwritten.

Offline julianop

Re: unable to refresh ssl certificate for Dovecot.
« Reply #13 on: June 20, 2023, 11:46:44 PM »
Yes, I did get those important constraints, thanks.
Once I discovered the SME/Koozali-specific update instructions it was actually very easy... or would have been, but for my last error, which was to inadvertently select the expired key. Once I corrected that error it all came together within seconds. I'll make a point of noting it down for next year, and have copied the instructions earlier in this thread so others experiencing the same problem can stumble across the method.



Offline ReetP

Re: unable to refresh ssl certificate for Dovecot.
« Reply #14 on: June 21, 2023, 12:05:52 PM »
Quote
Heavens, we can't allow warm beer... well, back in the UK we could, but over here in the 'States (sigh... it's been over 40 years...) that's a no-no.

LOLz ! Can't allow warm beer here in ES either. Had to settle for a ES Guinness which is translucent :-(

Quote
I'll set it up, see what I get, and report back (Wiki... logging... will do)

Perfect.

Quote
I'll be back, but it'll take me a day... (I'm still trying to get around to capturing logs on my persistent "Warning: a reconfigure and reboot is required before proceeding! Failure to do so now may leave your system in an unknown state!" problem I spoke of in another post...)

Ah OK - stay on there for that topic.

Quote
But I'll do this one first...

KK.

If you want to chat to us then DM me here or email me for a Rocket.Chat account. My email is on bugzilla.

We need people with test VMs - we are migrating our build system to git soon and then starting to build Koozali SME 11 which will need truck loads of testing.

We can help you with setups and guide you on how to test effectively etc etc. You don't need to be a coder or a rocket scientist to help. And those who help tend to get more attention for their issues ;-)
