Koozali.org: home of the SME Server
Contribs.org Forums => Koozali SME Server 10.x Contribs => Topic started by: toothandnail on February 04, 2022, 10:30:23 AM
-
I've got three SME 10 systems running. All seem to have the same problem. Using Letsencrypt certificates, all are using it for any https connections, but not for email ports. Testing with openssl, ports 465, 587 and 993 are all using a self-signed certificate, not the letsencrypt one.
By comparison, the one remaining SME 9.2 system I have access to uses the letsencrypt certificate on those ports as well as 443.
Using the self-signed cert for mail is causing some problems with the latest versions of Thunderbird, which no longer seem to be able to permanently store an exception. I would also prefer to use the Letsencrypt certificate for all open ports.
Have I missed something in the setup, given that SME 9.2 is using the letsencrypt cert? I don't remember having to do anything special to get the coverage, nor can I find any notes on the subject, but it seems odd that the other ports are not covered.
-
Have I missed something in the setup, given that SME 9.2 is using the letsencrypt cert? I don't remember having to do anything special to get the coverage, nor can I find any notes on the subject, but it seems odd that the other ports are not covered.
Almost certainly ;-)
Remember a lot changed under the hood between v9 and v10, though not much with Letsencrypt. The biggest thing was actually Letsencrypt deprecating the v1 API.
Trying to make comparisons between v9 and v10 is not easy. Just because X worked on 9 does not always mean it will work exactly the same way on 10.
Let the wiki be your font of knowledge.....
https://wiki.koozali.org/Letsencrypt
Some things to check:
What are 'configure' and 'API' set to?
config show letsencrypt
What do we have set here?
config show modSSL
Do any of these have 'letsencryptSSLcert=enabled' ?
db domains show
db hosts show
What do these show?
cat /etc/dehydrated/config
cat /etc/dehydrated/domains
What happens when you force a check with
dehydrated -c -x
If needs be then follow the wiki, reset letsencrypt certs and start again.
-
is your server and all contribs up to date?
yum update
yum update --enablerepo=smecontribs
then check again
-
Sorry for the slow reply - something urgent came up and I've only just had time to go back and have another look at the problem systems.
Almost certainly ;-)
:)
Remember a lot changed under the hood between v9 and v10, though not much with Letsencrypt. The biggest thing was actually Letsencrypt deprecating the v1 API.
All the systems (including the remaining 9.2 systems) have been using the v2 API for quite a while.
Let the wiki be your font of knowledge.....
https://wiki.koozali.org/Letsencrypt
:) I've read the letsencrypt entries multiple times. Not that there is any guarantee I've not missed something.
config show letsencrypt
What do we have set here?
[root@deneb ~]# config show letsencrypt
letsencrypt=service
ACCEPT_TERMS=yes
configure=domains
email=admin@mail.xxxxxxxx.co.uk
hookScript=disabled
status=enabled
Two of the systems are identical here other than the domain name. The third one (the only one which hasn't had mail problems so far) shows nothing there at all, just returns to the prompt. I may have done that system by manual configuration of dehydrated, but that was long before the upgrade to 10, and I'm not sure.
config show modSSL
Do any of these have 'letsencryptSSLcert=enabled' ?
All three do...
[root@cygnus ~]# config show modSSL
modSSL=service
CertificateChainFile=/etc/dehydrated/certs/mail.xxxxxxx.co.uk/chain.pem
TCPPort=443
access=public
crt=/etc/dehydrated/certs/mail.xxxxxxx.co.uk/cert.pem
key=/etc/dehydrated/certs/mail.xxxxxx.co.uk/privkey.pem
status=enabled
All three systems are identical other than the domain name here.
db domains show
db hosts show
What do these show?
Two of the systems show as below:
xxxxxxxco.uk=domain
Content=Primary
Description=Primary domain
Nameservers=localhost
Removable=no
SystemPrimaryDomain=yes
mail.xxxxxxxxco.uk=domain
Content=Primary
Description=mail domain
Nameservers=localhost
lestsencryptSSLcert=enabled
The third one (also the one that doesn't show anything in response to config show letsencrypt) does not list letsencryptSSLcert as enabled.
cat /etc/dehydrated/config
cat /etc/dehydrated/domains
#!/bin/bash
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
CA="https://acme-v02.api.letsencrypt.org/directory"
BASEDIR="/etc/dehydrated"
CONTACT_EMAIL=admin@xxxxxxx.co.uk
HOOK="/usr/bin/hook-script.sh"
API="2"
PARAM_ACCEPT_TERMS="yes"
The only difference in any of them is the domain name. /etc/dehydrated/domains.txt is set to a single item on each of them: mail.<domain name>
What happens when you force a check with
dehydrated -c -x
All three have successfully renewed their certificates. I forced a renewal after the initial install/restore was done, and have tried again since then.
If needs be then follow the wiki, reset letsencrypt certs and start again.
I was intending to revert them completely, then try a fresh install, haven't had time yet. I was hoping I was missing something obvious, but other than the fact that one system shows nothing in response to config show letsencrypt, I've not seen anything that I can identify.
-
is your server and all contribs up to date?
yum update
yum update --enablerepo=smecontribs
then check again
Yes, all three systems are fully updated. One strange thing is that none of them were showing problems until a couple of weeks ago. I thought at first it was due to an upgrade to Thunderbird (which users on all three systems are using), but similar problems are shown when installing an older version of Thunderbird.
-
you could check what the content of your pem file in home/e-smith/ssl.pem/ is, this is the one used for all services except httpd and ftp
and here is the template
/etc/e-smith/templates/home/e-smith/ssl.pem/
you can then sneak in the perl module used for validation and you could see that it does not support anything else than rsa.
please check your certificate was not issued with anything else than rsa. if so this explains the situation and you need to change this
this could particularly happen if you have overridden dehydrated templates with custom templates.
see changelog:
https://wiki.koozali.org/Letsencrypt#Changelog
-
#!/bin/bash
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
CA="https://acme-v02.api.letsencrypt.org/directory"
BASEDIR="/etc/dehydrated"
CONTACT_EMAIL=admin@xxxxxxx.co.uk
HOOK="/usr/bin/hook-script.sh"
API="2"
PARAM_ACCEPT_TERMS="yes"
I think you'll find if you insert:
KEY_ALGO=rsa
at the bottom of your config file & run
dehydrated -c -x
all will magically start working again.
-
if your contrib is up to date you do not have to edit and add this.
also remember that this file is templated and your changes will be removed on next expansion and the default will erase your certificate with a non rsa one.
best approach is to simply explore your certificate using your web browser, most of them allow you to see some information about the cert, or use a third-party website to check your certificate.
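The check JP describes (is the key in the issued certificate RSA or something else?) can also be done offline without a browser. The following is an added example, not code from this thread or from the Koozali letsencrypt contrib: a stdlib-only Python routine that walks the DER structure of a single PEM certificate block (for instance /etc/dehydrated/certs/<domain>/cert.pem, or the certificate part of /home/e-smith/ssl.pem) and reports whether the public key is RSA or an EC key and which curve. The constructed_cert helper and the OID constants build an unsigned, constructed X.509 skeleton purely so the example runs offline; it is not a real certificate, and the curve names are assumptions from the standard OID registry (upstream dehydrated defaults KEY_ALGO to secp384r1, which is what KEY_ALGO=rsa overrides).

```python
import base64, re

KEY_OIDS = {"1.2.840.113549.1.1.1": "rsa", "1.2.840.10045.2.1": "ec"}
CURVE_OIDS = {"1.2.840.10045.3.1.7": "secp256r1", "1.3.132.0.34": "secp384r1"}
RSA_OID = bytes.fromhex("2a864886f70d010101")              # rsaEncryption, DER-encoded OID
EC_OID, P384_OID = bytes.fromhex("2a8648ce3d0201"), bytes.fromhex("2b81040022")  # id-ecPublicKey, secp384r1

def _tlv(buf, off):
    """Parse one DER TLV at buf[off]; return (tag, value_start, value_end)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:  # long-form length: low bits give the number of length bytes
        ln, off = int.from_bytes(buf[off:off + (ln & 0x7F)], "big"), off + (ln & 0x7F)
    return tag, off, off + ln

def _oid(raw):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    parts, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, val = parts + [str(val)], 0
    return ".".join(parts)

def key_algorithm(cert_pem):
    """Return 'rsa', 'ec/<curve>' or the raw OID for the public key in a PEM certificate."""
    der = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", cert_pem))
    _, off, _ = _tlv(der, _tlv(der, 0)[1])       # Certificate -> tbsCertificate
    off = _tlv(der, off)[2] if der[off] == 0xA0 else off  # skip optional [0] version
    for _ in range(5):                           # serial, signature, issuer, validity, subject
        off = _tlv(der, off)[2]
    _, alg, _ = _tlv(der, _tlv(der, off)[1])     # subjectPublicKeyInfo -> AlgorithmIdentifier
    _, s, e = _tlv(der, alg)                     # algorithm OID
    name = KEY_OIDS.get(_oid(der[s:e]), _oid(der[s:e]))
    if name == "ec":                             # EC keys carry the namedCurve OID as parameters
        _, s, e = _tlv(der, e)
        name += "/" + CURVE_OIDS.get(_oid(der[s:e]), _oid(der[s:e]))
    return name

def _der(tag, body):
    """Minimal DER encoder used only to build the constructed sample below."""
    ln = bytes([len(body)]) if len(body) < 0x80 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + ln + body

def constructed_cert(alg_oid, curve_oid=b""):
    """Constructed, unsigned X.509 skeleton with the real field order; not a usable certificate."""
    seq = lambda *p: _der(0x30, b"".join(p))
    params = _der(0x06, curve_oid) if curve_oid else _der(0x05, b"")
    tbs = seq(_der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"), seq(), seq(), seq(), seq(),
              seq(seq(_der(0x06, alg_oid), params), _der(0x03, b"\x00")))
    pem = base64.encodebytes(seq(tbs, seq(), _der(0x03, b"\x00"))).decode()
    return "-----BEGIN CERTIFICATE-----\n" + pem + "-----END CERTIFICATE-----\n"
```

On the server itself the same answer comes from `openssl x509 -in /etc/dehydrated/certs/<domain>/cert.pem -noout -text | grep 'Public Key Algorithm'`; anything other than rsaEncryption means the ssl.pem template will not pick the certificate up for the mail ports.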
-
all will magically start working again.
As JP said, that is extremely unlikely if you use the contrib.
We do try and take care the contrib is up to date so you are unlikely to get issues normally. Items such as key_algo have defaults so there is no need to modify that without very good reason and you understand what you are doing.
Any problems are usually down to either manual installs or upgrades with old hacked templates left lying around.
In this instance there is more than one issue. See this for reference:
https://forums.koozali.org/index.php/topic,54770.0.html