Followed StartSSL guide. Email no longer works

Discussion in 'ISPConfig 3 Priority Support' started by dontbanme, Feb 16, 2016.

  1. dontbanme

    dontbanme New Member

    Hello,
    I followed the guide https://www.howtoforge.com/securing...h-a-free-class1-ssl-certificate-from-startssl

    I got the Certificate for them primary domain. Https on the domain works, https://domain.com:8080. I do not get an alert for un-trusted site any longer. PureFTP also seems to be working. It does prompt me on the connection to verify it is a safe connection, but the information listed for the cert appears to be correct.

    Email does not work. I cannot connect via email clients. I have only tested Thunderbird. Webmail no longer works either. It works in the sense that I can reach the site. Logins do not work however. I will list the error below.

    Perhaps this is just a permissions issue or something I'm not sure. I have looked around a bit and cannot find anything like this exactly since the certs appear to work with the other services. I have seen a few errors for postfix TLS, but a ton for dovecot. I should be able to revert easily enough if need be, but it would be nice to get this working with the mail. Any help would be appreciated and if I missed seeing something about this readily available, apologies in advance.

    Here is some info and a link to a paste of a chunk of mail log from the ISPConfig interface
    http://pastebin.com/FsAFBrDT

    Here is the relevant section from /etc/dovecot/dovecot.conf
    Code:
    dovecot --version
    1.2.15
    
    ssl_cert_file = /etc/postfix/smtpd.cert
    ssl_key_file = /etc/postfix/smtpd.key
    ## must be re-added after an ISPConfig update!!!
    ssl_ca_file = /usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt
    Here is the relevant section of the /etc/postfix/main.cf and master.cf
    I have tried changing this to /usr/local/ispconfig/interface/ssl/startssl.sub.class1.server.ca.crt as suggested in a comment for the guide, but it didn't seem to change anything.
    Code:
    main.cf
    smtpd_tls_CAfile = /usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt
    master.cf
    smtp      inet  n       -       -       -       -       smtpd
    submission inet n       -       -       -       -       smtpd
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    smtps     inet  n       -       -       -       -       smtpd
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    
    Code:
    ls -la /etc/postfix/
    
    total 152
    drwxr-xr-x   3 root root     4096 Feb 15 16:53 .
    drwxr-xr-x 101 root root     4096 Feb 13 20:46 ..
    -rw-r--r--   1 root root        0 Jan 22 20:42 body_checks
    -rw-r--r--   1 root root      373 Jan 22 20:27 dynamicmaps.cf
    -rw-r--r--   1 root root        0 Jan 22 20:42 header_checks
    -rw-r--r--   1 root root     3725 Feb 15 17:19 main.cf
    -rw-r--r--   1 root root     3638 Jan 23 15:23 main.cf~
    -rw-r--r--   1 root root     3526 Jan 22 20:42 main.cf~2
    -rw-r--r--   1 root root     3430 Jan 22 20:42 main.cf~3
    -rw-r--r--   1 root root     6111 Feb  5 22:48 master.cf
    -r--------   1 root root     5504 Jan 22 20:42 master.cf~
    -rw-r--r--   1 root root        0 Jan 22 20:42 mime_header_checks
    -rw-r-----   1 root postfix   231 Jan 22 20:42 mysql-virtual_client.cf
    -rw-r-----   1 root postfix   221 Jan 22 20:42 mysql-virtual_domains.cf
    -rw-r-----   1 root postfix   218 Jan 22 20:42 mysql-virtual_email2email.cf
    -rw-r-----   1 root postfix   317 Jan 22 20:42 mysql-virtual_forwardings.cf
    -rw-r-----   1 root postfix   288 Jan 22 20:42 mysql-virtual_mailboxes.cf
    -rw-r-----   1 root postfix   252 Jan 22 20:42 mysql-virtual_recipient.cf
    -rw-r-----   1 root postfix   224 Jan 22 20:42 mysql-virtual_relaydomains.cf
    -rw-r-----   1 root postfix   230 Jan 22 20:42 mysql-virtual_relayrecipientmaps.cf
    -rw-r-----   1 root postfix   249 Jan 22 20:42 mysql-virtual_sender.cf
    -rw-r-----   1 root postfix   227 Jan 22 20:42 mysql-virtual_transports.cf
    -rw-r--r--   1 root root        0 Jan 22 20:42 nested_header_checks
    -rw-r--r--   1 root root    18992 May  4  2011 postfix-files
    -rwxr-xr-x   1 root root     8729 May  4  2011 postfix-script
    -rwxr-xr-x   1 root root    24256 May  4  2011 post-install
    drwxr-xr-x   2 root root     4096 May  4  2011 sasl
    lrwxrwxrwx   1 root root       48 Feb 13 12:02 smtpd.cert -> /usr/local/ispconfig/interface/ssl/ispserver.crt
    -rw-r--r--   1 root root     2394 Jan 22 20:42 smtpd.cert_bak
    lrwxrwxrwx   1 root root       48 Feb 13 12:03 smtpd.key -> /usr/local/ispconfig/interface/ssl/ispserver.key
    -rw-r-----   1 root root     3243 Jan 22 20:42 smtpd.key_bak
    
    
    Code:
    ls -la /usr/local/ispconfig/interface/ssl
    
    total 56
    drwxr-s--- 2 root      root      4096 Feb 13 11:57 .
    drwxr-s--- 8 ispconfig ispconfig 4096 Jan 22 20:44 ..
    -rwxr-x--- 1 root      root        45 Jan 22 20:44 empty.dir
    -rw-r--r-- 1 root      root      2145 Feb 13 11:54 ispserver.crt
    -rwxr-x--- 1 root      root      2394 Jan 22 20:44 ispserver.crt_bak
    -rwxr-x--- 1 root      root      1838 Jan 22 20:44 ispserver.csr
    -rwxr-x--- 1 root      root      3243 Jan 22 20:44 ispserver.key
    -rwxr-x--- 1 root      root      3311 Jan 22 20:43 ispserver.key.secure
    -rw------- 1 root      root      8193 Feb 13 11:57 ispserver.pem
    -rw-r--r-- 1 root      root      2760 Dec  1 21:26 startssl.ca.crt
    -rw-r--r-- 1 root      root      2805 Feb 13 11:56 startssl.chain.class1.server.crt
    -rw-r--r-- 1 root      root        45 Dec  1 21:26 startssl.sub.class1.server.ca.crt
    
    When I try to login to webmail at domain.com/webmail I get this error after a while.
    "ERROR: Connection dropped by IMAP server."
     
    Last edited: Feb 16, 2016
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The CA file /usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt is missing. Please create that file and add the startssl ssl bundle / chain certificate in this file. Then restart dovecot.
     
  3. dontbanme

    dontbanme New Member

    The file is in that direto
    The file is in that directory. It is in the last code snippet on my post. I'll link the contents minus the important bits. Note everything in the code snippet is in the file /usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt
    Code:
    class1/sha2/pem/sub.class1.server.sha2.ca.pem-----BEGIN CERTIFICATE-----
    MIIHyTCCBbGgAwIXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.............
    .........................................XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXqmMGqz9Ig
    cgA38corog14=
    -----END CERTIFICATE-----
    ry
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The error in your log clearly states that there is a problem with that file /usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt

    The content of the file does not look right, seems as if you copied a path "class1/sha2/pem/sub.class1.server.sha2.ca.pem" into that file. Remove everything before "-----BEGIN CERTIFICATE-----" and restart dovecot.
     
  5. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    The syntax differs between Dovecot 1 (your version) and Dovecot 2.
    With 1 it`s:
    ssl = yes
    ssl_cert = < CERT
    ssl_key = < KEY
     
  6. dontbanme

    dontbanme New Member

    I removed the errant line at the beginning of starssl.chain.class1.server.crt and no more errors from dovecot. I am able to connect again via clients and webmail. I knew it was going to probably be something simple. I just don't have much experience with ssl certs so I wasn't totally sure what it should look like in there.

    I'm not sure how that line got there I'm going to dig through the bash history and see what I did that could have put that in there. I'm certain I followed the guide pretty closely.
     
  7. dontbanme

    dontbanme New Member

    I looked through the history and I followed the guide exactly. There are only a few commands that reference that file one of which being
    Code:
    cat startssl.sub.class1.server.ca.crt startssl.ca.crt > startssl.chain.class1.server.crt
    
    and
    Code:
    cat ispserver.{key,crt} startssl.chain.class1.server.crt > ispserver.pem
    
     

Share This Page