Koozali.org: home of the SME Server

Contribs.org Forums => Koozali SME Server 10.x => Topic started by: ReetP on November 24, 2021, 11:44:14 AM

Title: Mail program complains of self signed certificate
Post by: ReetP on November 24, 2021, 11:44:14 AM
This bug refers:

https://bugs.koozali.org/show_bug.cgi?id=11773

Essentially an upgrade to dehydrated 0.7.0, which is the program that generates letsencrypt SSL certificates, means that certificates generated by 0.7.0 are using a new key algorithm.

That is fine for httpd and ftp, but due to some older libraries it trips up the mail system.

The simple fix right now is to do the following:

Code:
yum --enablerepo=smetest install smeserver-letsencrypt

(This will move to the smecontribs repo soon)

This should install:

Quote
smeserver-letsencrypt.noarch 0:0.5-18

You can then check the config file

Code:
cat /etc/dehydrated/config

We need to see "KEY_ALGO=rsa":

Code:
# SME Server does not support yet elliptic curve (qpsmtpd and perl-IO-SOcket-SSL < 1.95)
KEY_ALGO=rsa

Then run this to force new certificates:

Code:
dehydrated -c -x
signal-event ssl-update

You should now see RSA certificates if you test here:

https://www.ssllabs.com/ssltest/

Quote
Certificate #1: RSA 4096 bits (SHA256withRSA)

Apologies for any inconvenience. I had looked at the release and did not notice the change. I installed it on my test box and httpd checked out but did not check mail :-(

Of course it didn't change immediately until a new certificate was generated.....

[edited to set the correct package]
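
The config check described in the post above, as an added example that is not part of the original post or of the smeserver-letsencrypt package. The function names are hypothetical, the sample config is constructed, and the certificate path passed to cert_key_type is whatever your installation uses.

```shell
#!/bin/sh
# Added example: verify that dehydrated will issue RSA certificates.

# Print the effective KEY_ALGO of a dehydrated config file ($1).
# dehydrated sources its config as shell, so the last uncommented
# assignment wins; quotes and trailing comments are stripped.
effective_key_algo() {
    [ -r "$1" ] || { echo "unreadable"; return 2; }
    algo=$(sed -n 's/^[[:space:]]*KEY_ALGO=//p' "$1" \
        | sed 's/[[:space:]]*#.*$//' \
        | tr -d "\"' \t" \
        | tail -n 1)
    echo "${algo:-unset}"
}

# Return 0 only when newly generated certificates will use an RSA key.
check_mail_compat() {
    algo=$(effective_key_algo "$1") || { echo "FAIL: cannot read $1"; return 2; }
    case "$algo" in
        rsa)   echo "OK: KEY_ALGO=rsa"; return 0 ;;
        unset) echo "WARN: KEY_ALGO not set, dehydrated's built-in default applies"; return 1 ;;
        *)     echo "WARN: KEY_ALGO=$algo is not rsa"; return 1 ;;
    esac
}

# Print the public key algorithm of an issued certificate ($1, PEM file),
# e.g. "rsaEncryption" for RSA or "id-ecPublicKey" for an elliptic-curve key.
cert_key_type() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: //p'
}

# Constructed sample config: an elliptic-curve setting overridden by KEY_ALGO=rsa.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#KEY_ALGO=prime256v1
KEY_ALGO="secp384r1"   # constructed earlier setting
# SME Server does not support yet elliptic curve
KEY_ALGO=rsa
EOF
check_mail_compat "$sample"
```

On a real server, point check_mail_compat at /etc/dehydrated/config, and after the forced renewal run cert_key_type on the new certificate file: the config only affects certificates generated after the change.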
Title: Re: Mail program complains of self signed certificate
Post by: mauro on November 24, 2021, 02:41:52 PM
Code:
yum --enablerepo=smetest install smeserver-dehydrated
do you mean maybe

Code:
yum --enablerepo=smetest install smeserver-letsencrypt
?
Title: Re: Mail program complains of self signed certificate
Post by: ReetP on November 24, 2021, 07:42:18 PM
Quote
Code:
yum --enablerepo=smetest install smeserver-dehydrated
do you mean maybe

Code:
yum --enablerepo=smetest install smeserver-letsencrypt
?

I do. Damn and blast! I'll edit the original. Thanks!