Debian 9 ispconfig3.1.11 - iOS mail app doesn't recognize a valid Let's Encrypt Certificate

Discussion in 'ISPConfig 3 Priority Support' started by nmazza, May 1, 2018.

  1. nmazza

    nmazza Member

    Another distribution, now Debian 9, exactly the same problem as in CentOS 7.
    I followed the tutorial.
    cat ispserver.{key,crt} > ispserver.pem
    After that, it creates an empty ispserver.pem.
    Error on creation, because the key and crt now have other names (.bak).

    Then ..
    ln -s /etc/letsencrypt/live/ ispserver.crt
    ln -s /etc/letsencrypt/live/ ispserver.key

    but there are none in /etc/letsencrypt/live
    and finally it is not working for me.
    Dovecot is not working, it never restarts.

    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key

    ssl_cert = </etc/postfix/smtpd.cert
    ssl_key = </etc/postfix/smtpd.key

    Thanks for any help
    Nestor Mazza
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    The guide does work, I have used it a few times. If a step fails, the previous step was not done correctly. Try doing it again carefully. There are lots of discussions about that guide, perhaps the errors you see are explained already.
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    I used the guide myself and it works fine, so there is no reason to blame the guide here, and the problem is in no way related to the creation of the .bak files that you mentioned; the .bak files are the backup of the old non-Let's Encrypt SSL certs. When you do not receive an SSL cert from Let's Encrypt, then services like dovecot must fail when you reconfigure them to use a non-existing SSL cert. So the reason for your problem is neither the tutorial nor the Linux distribution used; the reason for the problem is that Let's Encrypt did not issue an SSL cert for your mail subdomain. So that's what you have to fix: does this subdomain exist in DNS and does it point to your server?
  4. nmazza

    nmazza Member

    So that's what you have to fix, does this subdomain exist in dns and does it point to your server?
    Yes, the three domains exist in DNS and they are pointed to my server.
    My DNS systems are in Linode DNS, not in ISPConfig.
    Let me show you the zone
    DNS Manager » » Zone dump
    ; [1063700]
    $TTL 86400
    @ IN SOA 2018042732 14400 14400 1209600 86400
    @ NS
    @ NS
    @ NS
    @ NS
    @ NS
    @ MX 10
    @ TXT "v=spf1 ip4: a mx ptr ~all"
    _dmarc TXT "v=DMARC1\059 p=none\059 adkim=s\059 aspf=s\059 pct=100\059 rua=mailto:[email protected]"
    @ A
    mail A
    www A
    @ AAAA 2600:3c00::f03c:91ff:fe70:19fd
    mail AAAA 2600:3c00::f03c:91ff:fe70:19fd
    www AAAA 2600:3c00::f03c:91ff:fe70:19fd
    direct CNAME
    server1 CNAME

    IPv6, without selection in ISPConfig -> Sites

    And if I use ping from my computer

    Haciendo ping a [] con 32 bytes de datos:
    Respuesta desde bytes=32 tiempo=171ms TTL=50
    Respuesta desde bytes=32 tiempo=172ms TTL=50
    Respuesta desde bytes=32 tiempo=171ms TTL=50
    Respuesta desde bytes=32 tiempo=173ms TTL=50

    Estadísticas de ping para
    Paquetes: enviados = 4, recibidos = 4, perdidos = 0
    (0% perdidos),
    Tiempos aproximados de ida y vuelta en milisegundos:
    Mínimo = 171ms, Máximo = 173ms, Media = 171ms

    I have checked from the first step several times, but I don't know what's wrong
    Nestor Mazza
    Last edited: May 2, 2018
  5. nmazza

    nmazza Member

    Thanks, let me offer you the following..
    Step by step the results,

    hostname -f

    cd /usr/local/ispconfig/interface/ssl/ (ok)
    mv ispserver.crt ispserver.crt-$(date +"%y%m%d%H%M%S").bak (ok)
    mv ispserver.key ispserver.key-$(date +"%y%m%d%H%M%S").bak (ok)
    mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak (ignored, I don't have ispserver.pem)

    ln -s /etc/letsencrypt/live/$(hostname -f)/fullchain.pem ispserver.crt, replaced $(hostname -f)
    ln -s /etc/letsencrypt/live/ ispserver.crt (??, not exist, only exist
    ln -s /etc/letsencrypt/live/$(hostname -f)/privkey.pem ispserver.key, replaced $(hostname -f)
    ln -s /etc/letsencrypt/live/ ispserver.key (??, not exist, only exist
    cat ispserver.{key,crt} > ispserver.pem (creates an empty ispserver.pem)

    chmod 600 ispserver.pem (ok, but over an empty ispserver.pem)

    cd /etc/postfix/ (ok)
    mv smtpd.cert smtpd.cert-$(date +"%y%m%d%H%M%S").bak (ok)
    mv smtpd.key smtpd.key-$(date +"%y%m%d%H%M%S").bak (ok)
    ln -s /usr/local/ispconfig/interface/ssl/ispserver.crt smtpd.cert (ok)
    ln -s /usr/local/ispconfig/interface/ssl/ispserver.key smtpd.key (ok)
    service postfix restart (ok)
    service dovecot restart (never restart)

    What's wrong in my steps? I don't have any idea.
    Do you think I should do it again and show you what dovecot says after reset
    in service dovecot status?
    Thanks for helping me
    Nestor Mazza
    Last edited: May 2, 2018
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    The error is before the first command you posted. You don't have an SSL cert for and that's why you cannot configure services to use it. Are you sure that you created a website in ISPConfig, that you enabled SSL and letsencrypt for this website and that you are able to reach this website in a browser with https? Because that's the prerequisite (and described in the tutorial) before you even start configuring the other services for SSL.
  7. nmazza

    nmazza Member

    Hello, Till

    I added services for and now it is working fine

    Thanks for helping me
    Nestor Mazza
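
The failure in this thread (dangling symlinks, an empty ispserver.pem, dovecot refusing to start) can be caught before any service is touched. The following is an added example, not code from the thread or from the ISPConfig tutorial; the function names and return codes are assumptions made for illustration, and it goes one step beyond the thread by also checking that the private key matches the certificate.

```shell
#!/bin/sh
# Preflight for the symlink step: refuse to use a Let's Encrypt lineage that
# does not exist, is empty, or whose key does not match the certificate.
# Return codes (chosen for this example): 0 ok, 1 no live directory,
# 2 missing/empty file or dangling symlink, 3 key/cert mismatch, 4 no openssl.
check_le_cert() {
    live_dir=$1
    [ -d "$live_dir" ] || { echo "no such directory: $live_dir" >&2; return 1; }
    for f in fullchain.pem privkey.pem; do
        # -s follows symlinks: false for a dangling link and for a 0-byte file
        [ -s "$live_dir/$f" ] || { echo "missing or empty: $live_dir/$f" >&2; return 2; }
    done
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 4; }
    # Compare the public key in the leaf certificate with the one derived
    # from the private key.
    cert_pub=$(openssl x509 -in "$live_dir/fullchain.pem" -noout -pubkey 2>/dev/null) || return 3
    key_pub=$(openssl pkey -in "$live_dir/privkey.pem" -pubout 2>/dev/null) || return 3
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 3
    return 0
}

# Build the combined key+cert file only after the check passes, so a failed
# issuance can never leave an empty .pem behind for a service to load.
build_pem() {
    check_le_cert "$1" || return $?
    ( umask 077; cat "$1/privkey.pem" "$1/fullchain.pem" > "$2" )
}

# Constructed demo: a directory holding only dangling symlinks, similar to
# the state described in the thread.
demo_dir=$(mktemp -d)
ln -s /nonexistent/fullchain.pem "$demo_dir/fullchain.pem"
ln -s /nonexistent/privkey.pem "$demo_dir/privkey.pem"
if build_pem "$demo_dir" "$demo_dir/ispserver.pem" 2>/dev/null; then
    echo "certificate usable"
else
    echo "preflight failed with code $?; services left untouched"
fi
rm -rf "$demo_dir"
```

On a real server the argument would be the lineage directory, /etc/letsencrypt/live/$(hostname -f), and the postfix and dovecot restarts would run only when the function returns 0.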
