Koozali.org: home of the SME Server

Mail server cert incorrect

ddougan

Mail server cert incorrect
« on: July 21, 2024, 12:59:16 AM »
I run SME Server behind a proxy, from where I manage my LetsEncrypt wildcard certs. I've been running it this way for several years with no particular problems till today.

After I copied the *.pem files over and ran

Code:
signal-event console-save; signal-event reboot

the Web certs are fine, but mail clients are showing a self-signed cert. The server is up to date, so I'm not sure why I'm seeing this for the mail server.

I'd appreciate any feedback or pointers from the experts here.


Thanks,

Des
Des Dougan

ReetP

Re: Mail server cert incorrect
« Reply #1 on: July 21, 2024, 12:08:49 PM »
Can you confirm this is SME v10?

> After I copied the *.pem files over and ran

Why do this manually?

Why not use the contrib?

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

ReetP

Re: Mail server cert incorrect
« Reply #2 on: July 21, 2024, 12:14:04 PM »
Ahhhh so your proxy gets the certs and you copy them to SME?

Any specific reason you don't do this on SME directly?

You should probably use a hook script on your proxy to copy the certificates and then set the correct path in modSSL like the Letsencrypt contrib does.

Doing it manually risks incorrect system configuration, as you have discovered.


ddougan

Re: Mail server cert incorrect
« Reply #3 on: July 21, 2024, 05:03:24 PM »
> Ahhhh so your proxy gets the certs and you copy them to SME?
Yes, via a script on the proxy. And SME is 10.x, yes.

> Any specific reason you don't do this on SME directly?
I have other servers running here and managing via proxy seemed the most straightforward way.
> You should probably use a hook script on your proxy to copy the certificates and then set the correct path in modSSL like the Letsencrypt contrib does.
I do have a script on the proxy that copies them over. But why would it stop working after such a long time? Where do I confirm/amend the modSSL path? And why would only the mail server be affected?

Thanks,

Des
Des Dougan

ddougan

Re: Mail server cert incorrect
« Reply #4 on: July 21, 2024, 06:51:58 PM »
> Where do I confirm/amend the modSSL path?

From the config file:

Code:
modSSL=service|CertificateChainFile|/etc/dehydrated/certs/douganconsulting.com/chain.pem|TCPPort|443|access|public|crt|/etc/dehydrated/certs/douganconsulting.com/cert.pem|key|/etc/dehydrated/certs/douganconsulting.com/privkey.pem|status|enabled
This is the file location that the new certs are copied to, and the timestamps on all three are correct for yesterday.

I noticed the issuer now shows "Issued by: E5" rather than "R3" as previously. Does the mail server have an issue recognizing the change?
Des Dougan

ddougan

Re: Mail server cert incorrect
« Reply #5 on: July 21, 2024, 08:19:42 PM »
The issue is that the new certs were not RSA-keyed - clearly the Web server can deal with ECDSA certs but not the mail server.

ReetP, thank you for your help.


Des
Des Dougan

ReetP

Re: Mail server cert incorrect
« Reply #6 on: July 22, 2024, 09:38:10 PM »
Ok.

If you read here regularly you will see we have some upgrades to mail coming in Koozali v11.

Do please follow, and even better, come and help.

bunkobugsy

Re: Mail server cert incorrect
« Reply #7 on: July 22, 2024, 11:26:14 PM »
> The issue is that the new certs were not RSA-keyed - clearly the Web server can deal with ECDSA certs but not the mail server.

https://bugs.koozali.org/show_bug.cgi?id=11772


Jean-Philippe Pialasse

Re: Mail server cert incorrect
« Reply #9 on: July 30, 2024, 07:14:57 PM »
It was initially an SME 10 one and was moved to SME 11, as it will simply be a no-fix for SME 10. It needs a lot of newer Perl modules to handle part of this; otherwise qpsmtpd can't deal with the elliptic curve cert.
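A quick check for the root cause discussed in this thread (an EC-keyed Let's Encrypt cert that the web server accepts but qpsmtpd on SME 10 does not), added here as an example and not code from the thread or the Koozali project: it reports the key algorithm and issuer of the PEM file the modSSL record points at, then compares the fingerprint the HTTPS and SMTP services actually present. It assumes openssl is installed; the cert path is the one from the modSSL record above, and the host name is a placeholder.

```sh
#!/bin/sh
# Added example (not from the thread). Assumes openssl is installed.
CERT=/etc/dehydrated/certs/douganconsulting.com/cert.pem  # path from the modSSL record
HOST=mail.example.invalid                                 # placeholder: server to probe

# Public key algorithm of a PEM cert: "rsaEncryption" or "id-ecPublicKey".
cert_key_type() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# Exit 0 when the cert is RSA-keyed, which is what qpsmtpd on SME 10 needs.
cert_is_rsa() {
    [ "$(cert_key_type "$1")" = "rsaEncryption" ]
}

# SHA-256 fingerprint of a PEM cert, to compare the file against a live service.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# SHA-256 fingerprint of the leaf cert a live service presents.
# usage: live_fingerprint host port [starttls-protocol, e.g. smtp]
live_fingerprint() {
    if [ -n "$3" ]; then
        openssl s_client -connect "$1:$2" -starttls "$3" </dev/null 2>/dev/null
    else
        openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null
    fi | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Only runs when the cert file exists, so sourcing this file elsewhere is harmless.
if [ -r "$CERT" ]; then
    echo "issuer:   $(openssl x509 -in "$CERT" -noout -issuer)"   # R3 = RSA chain, E5 = ECDSA chain
    echo "key type: $(cert_key_type "$CERT")"
    cert_is_rsa "$CERT" || echo "WARNING: cert is not RSA-keyed; SME 10 qpsmtpd will not use it"
    echo "file:     $(cert_fingerprint "$CERT")"
    echo "https:    $(live_fingerprint "$HOST" 443)"
    echo "smtps:    $(live_fingerprint "$HOST" 465)"
    echo "starttls: $(live_fingerprint "$HOST" 587 smtp)"
fi
```

If the file and https fingerprints match but the smtps/starttls ones differ, the mail service is still presenting its own (self-signed) cert, which is exactly the symptom in the first post.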