Debian 9 ispconfig3.1.11- ios mail app doesn't recognize a valid Let's Encrypt Cetfificate

Discussion in 'ISPConfig 3 Priority Support' started by nmazza, May 1, 2018.

  1. nmazza

    nmazza Member HowtoForge Supporter

    Hello,
    Another distribution, now Debian 9, exactly the same problem in CentOS 7
    I followed, tutorial
    https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/
    cat ispserver.{key,crt} > ispserver.pem
    after that create an empty ipserver.pem
    Error create, because key and crt now are with other names .bak

    Then ..
    ln -s /etc/letsencrypt/live/mail.sofihacloud.com.ar/fullchain.pem ispserver.crt
    ln -s /etc/letsencrypt/live/mail.sofihacloud.com.ar/privkey.pem ispserver.key

    but theare no mail.sofihacloud.com.ar in /etc/letsencrypt/live
    /etc/letsencrypt/live
    sofihacloud.com.ar
    sofiha.com.ar
    tesauro.com.ar
    and finally Not working for me.
    Dovecot not working, never restart.
    /etc/postfix/main.cf

    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key

    /etc/dovecot/dovecot.conf
    ssl_cert = </etc/postfix/smtpd.cert
    ssl_key = </etc/postfix/smtpd.key

    Thanks for any help
    Nestor Mazza
     
  2. Taleman

    Taleman Active Member HowtoForge Supporter

    The guide does work, I have used it a few times. If a step fails, the previous step was not done correctly. Try doing it again carefully. There is lots of discussions about that guide, perhaps the errors you see are explained already.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    I used the guide myself and it works fine, so no reason to blame the guide here and the problem is nowhere related to the creation of the .bak files that you mentioned, the .bak files are the backup of the old notn letsencrypt ssl certs. When you do not receive an SSL cert from let's encrypt, then the services like dovecot must fail when you reconfigure them to use a non-existing ssl cert. So the reason for your problem is neither the tutorial nor the used Linux distribution, the reason for the problem is that let's encrypt did not issue and SSL cert for your mail subdomain. So that's what you have to fix, does this subdomain exist in dns and does it point to your server?
     
  4. nmazza

    nmazza Member HowtoForge Supporter

    Hello,
    So that's what you have to fix, does this subdomain exist in dns and does it point to your server?
    Yes, the three domains exists in dns and they are pointed to my server.
    My dns systems are in dns linode, not in ISPConfig.
    Let me show you sofihacloud.com.ar zone
    DNS Manager » sofihacloud.com.ar » Zone dump
    ; sofihacloud.com.ar [1063700]
    $TTL 86400
    @ IN SOA ns1.linode.com. dominios.sofiha.com.ar. 2018042732 14400 14400 1209600 86400
    @ NS ns1.linode.com.
    @ NS ns2.linode.com.
    @ NS ns3.linode.com.
    @ NS ns4.linode.com.
    @ NS ns5.linode.com.
    @ MX 10 mail.sofihacloud.com.ar.
    @ TXT "v=spf1 ip4:96.126.115.158 a mx ptr ~all"
    _dmarc TXT "v=DMARC1\059 p=none\059 adkim=s\059 aspf=s\059 pct=100\059 rua=mailto:[email protected]"
    @ A 96.126.115.158
    mail A 96.126.115.158
    www A 96.126.115.158
    @ AAAA 2600:3c00::f03c:91ff:fe70:19fd
    mail AAAA 2600:3c00::f03c:91ff:fe70:19fd
    www AAAA 2600:3c00::f03c:91ff:fe70:19fd
    direct CNAME sofihacloud.com.ar.
    server1 CNAME sofihacloud.com.ar.

    IPv6, without selection in ISPConfig -> Sites

    And if I use ping from my computer

    C:\Users\nrmazza>ping sofihacloud.com.ar
    Haciendo ping a sofihacloud.com.ar [96.126.115.158] con 32 bytes de datos:
    Respuesta desde 96.126.115.158: bytes=32 tiempo=171ms TTL=50
    Respuesta desde 96.126.115.158: bytes=32 tiempo=172ms TTL=50
    Respuesta desde 96.126.115.158: bytes=32 tiempo=171ms TTL=50
    Respuesta desde 96.126.115.158: bytes=32 tiempo=173ms TTL=50

    Estadísticas de ping para 96.126.115.158:
    Paquetes: enviados = 4, recibidos = 4, perdidos = 0
    (0% perdidos),
    Tiempos aproximados de ida y vuelta en milisegundos:
    Mínimo = 171ms, Máximo = 173ms, Media = 171ms

    I had checked, from the first step some times, but I don't now what's wrong
    Thanks
    Nestor Mazza
     
    Last edited: May 2, 2018
  5. nmazza

    nmazza Member HowtoForge Supporter

    Thanks, let me offer you the following..
    Step by step the results,

    hostname -f

    mail.sofihacloud.com.ar

    cd /usr/local/ispconfig/interface/ssl/ (ok)
    mv ispserver.crt ispserver.crt-$(date +"%y%m%d%H%M%S").bak (ok)
    mv ispserver.key ispserver.key-$(date +"%y%m%d%H%M%S").bak (ok)
    mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak ( ignored, I don't have ipserver.pem)

    ln -s /etc/letsencrypt/live/$(hostname -f)/fullchain.pem ispserver.crt, replaced $(hostname -f)
    ln -s /etc/letsencrypt/live/mail.sofihacloud.com.ar/fullchain.pem ispserver.crt (??, not exist mail.sofihacloud.com.ar, only exist sofihacloud.com.ar)
    ln -s /etc/letsencrypt/live/$(hostname -f)/privkey.pem ispserver.key, replaced $(hostname -f)
    ln -s /etc/letsencrypt/live/mail.sofihacloud.com.ar/privkey.pem ispserver.key (??, not exist mail.sofihacloud.com.ar, only exist sofihacloud.com.ar)
    cat ispserver.{key,crt} > ispserver.pem ( create an empty ipserver.pem)

    chmod 600 ispserver.pem (ok, but over an empty ipserver.pem)

    cd /etc/postfix/ (ok)
    mv smtpd.cert smtpd.cert-$(date +"%y%m%d%H%M%S").bak (ok)
    mv smtpd.key smtpd.key-$(date +"%y%m%d%H%M%S").bak (ok)
    ln -s /usr/local/ispconfig/interface/ssl/ispserver.crt smtpd.cert (ok)
    ln -s /usr/local/ispconfig/interface/ssl/ispserver.key smtpd.key (ok)
    service postfix restart (ok)
    service dovecot restart (never restart)

    What's wrong in my steps, I don't have any idea?
    Do you think, I do again and offer you what's dovecot says after reset
    in service dovecot status ?
    Thanks for help me
    Nestor Mazza
     
    Last edited: May 2, 2018
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    The error is before the first command you posted. You don't have an SSL cert for mail.sofihacloud.com.ar and that's why you cannot configure services to use it. Are you sure that you created a website mail.sofihacloud.com.ar in ISPConfig, that you enabled SSL and letsencrypt for this website and that you are able to reach this website in a browser with https? Because that's the prerequisite (and described in the tutorial) before you even start configuring the other services for SSL.
     
  7. nmazza

    nmazza Member HowtoForge Supporter

    Hello, Till

    I added services for mail.sofihacloud.com.ar and now is working fine

    Thanks for help me
    Nestor Mazza
     

Share This Page