Koozali.org: home of the SME Server
Contribs.org Forums => Koozali SME Server 10.x => Topic started by: ddougan on July 21, 2024, 12:59:16 AM
-
I run SME Server behind a proxy, from where I manage my LetsEncrypt wildcard certs. I've been running it this way for several years with no particular problems till today.
After I copied the *.pem files over and ran
signal-event console-save; signal-event reboot
the Web certs are fine, but mail clients are showing a self-signed cert. The server is up to date, so not sure why I'm seeing this for the mail server.
I'd appreciate any feedback or pointers from the experts here.
Thanks,
Des
-
Can you confirm this is SME v10?
After I copied the *.pem files over and ran
Why do this manually?
Why not use the contrib?
-
Ahhhh so your proxy gets the certs and you copy them to SME?
Any specific reason you don't do this on SME directly?
You should probably use a hook script on your proxy to copy the certificates and then set the correct path in modSSL like the Letsencrypt contrib does.
Doing it manually risks incorrect system configuration, as you have discovered.
-
Ahhhh so your proxy gets the certs and you copy them to SME?
Yes, via a script on the proxy. And SME is 10.x, yes.
Any specific reason you don't do this on SME directly?
I have other servers running here and managing via proxy seemed the most straightforward way.
You should probably use a hook script on your proxy to copy the certificates and then set the correct path in modSSL like the Letsencrypt contrib does.
I do have a script on the proxy that copies them over. But why would it stop working after such a long time? Where do I confirm/amend the modSSL path? And why would only the mail server be affected?
Thanks,
Des
-
Where do I confirm/amend the modSSL path?
From the config file:
modSSL=service|CertificateChainFile|/etc/dehydrated/certs/douganconsulting.com/chain.pem|TCPPort|443|access|public|crt|/etc/dehydrated/certs/douganconsulting.com/cert.pem|key|/etc/dehydrated/certs/douganconsulting.com/privkey.pem|status|enabled
This is the file location that the new certs are copied to, and the timestamps on all three are correct for yesterday.
I noticed the issuer now shows "Issued by: E5" rather than "R3" as previously. Does the mail server have an issue recognizing the change?
-
The issue is that the new certs were not RSA-keyed - clearly the Web server can deal with ECDSA certs but not the mail server.
ReetP, thank you for your help.
Des
-
Ok.
If you read here regularly you will see we have some upgrades to mail coming in Koozali v11.
Do please follow, and even better, come and help.
-
The issue is that the new certs were not RSA-keyed - clearly the Web server can deal with ECDSA certs but not the mail server.
https://bugs.koozali.org/show_bug.cgi?id=11772
-
https://bugs.koozali.org/show_bug.cgi?id=11772
Nice catch.
Is that in v11 bugs?
-
It was initially a 10 one and was moved to SME 11, as it will simply be a no fix for SME10. It needs a lot of newer perl modules to handle part of this; otherwise qpsmtpd can't deal with the elliptic curve cert.
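The diagnosis in this thread (modSSL pointing at an EC-keyed Let's Encrypt cert that the web server accepts but qpsmtpd on SME 10 falls back from to a self-signed cert) can be checked rather than guessed. The script below is an added example written for this thread, not SME Server's own tooling; it assumes openssl is installed and that the raw modSSL record lives in /home/e-smith/db/configuration (path and the localhost ports are assumptions).

```shell
#!/bin/sh
# Added example for this thread, not part of SME Server. Two checks a defender
# wants when mail clients suddenly see a self-signed cert:
#   1. which cert/key modSSL points at, and whether its key is RSA or EC;
#   2. whether the cert served on 25 (STARTTLS) matches the one on 443.
# Assumes openssl is installed and that the raw record is a line of
# /home/e-smith/db/configuration (path is an assumption).

# Extract one property value from a raw "name=type|prop|value|..." record.
# usage: modssl_prop RECORD PROP   (prints nothing if PROP is absent)
modssl_prop() {
    printf '%s\n' "$1" | sed 's/^[^=]*=[^|]*|//' | tr '|' '\n' |
        awk -v want="$2" 'NR % 2 == 1 { k = $0; next } k == want { print; exit }'
}

# Public-key algorithm of a PEM certificate: rsaEncryption or id-ecPublicKey.
cert_key_algo() {
    openssl x509 -in "$1" -noout -text |
        awk -F': *' '/Public Key Algorithm/ { print $2; exit }'
}

# SHA-256 fingerprint of the certificate a service actually presents.
# usage: served_fpr HOST PORT [smtp|imap|pop3]  (third arg enables STARTTLS)
served_fpr() {
    host=$1; port=$2; proto=${3:-}
    if [ -n "$proto" ]; then set -- -starttls "$proto"; else set --; fi
    openssl s_client -connect "$host:$port" -servername "$host" "$@" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# Run the live checks only when invoked with --check, so the functions can be
# sourced and tested without touching the system.
if [ "${1:-}" = "--check" ]; then
    rec=$(grep '^modSSL=' /home/e-smith/db/configuration)
    crt=$(modssl_prop "$rec" crt)
    echo "modSSL crt : $crt  (key algorithm: $(cert_key_algo "$crt"))"
    echo "configured : $(openssl x509 -in "$crt" -noout -fingerprint -sha256)"
    echo "https/443  : $(served_fpr localhost 443)"
    echo "smtp/25    : $(served_fpr localhost 25 smtp)"
    echo "imaps/993  : $(served_fpr localhost 993)"
fi
```

If the configured cert reports id-ecPublicKey and the smtp/25 fingerprint differs from the https/443 one, you are seeing the fallback described in the bug; reissuing with an RSA key (for dehydrated, `KEY_ALGO=rsa` in its config) avoids it on SME 10.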