I broke ssl

Discussion in 'Installation/Configuration' started by Marcin79pl, Feb 11, 2022.

  1. Marcin79pl

    Marcin79pl New Member

    Hi, my first post so hello all :)
    I have little server with few domains, and now want to use mail cause google cancel google apps free accounts
    I configure all with tutorial for debian 10, now is upgraded to debian 11 qnd almost all works perfect but have some problems with ssl
    Ssl working for all domains what im using, but not working for serwer hostname.
    Myhost name is server.domain.pl, few months ago cert for server dont renew so i try do it manually, and acccidently deleted all files from /etc/letsencrypt/archive/server.domain.pl so it broke renew totally :) but for domains for hosted sites renew certs still works.
    Im install acme.sh too so probably have some duplicated certs
    Now when i try to run mail server i cant send any mail with tls bacause error 220 authenticate error with roundcube and i think is cert issue

    Question is how safe renew/make new cert for server?
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Yes, if you deleted the old certificate, you can just issue a new one. Note that /etc/letsencrypt/ files are from certbot, and you say you are now using acme.sh, so you may want to find out the path name your services (mta and imap/php servers) are using, or set them up again to point to the new certificate location if you wish to (or inadvertently do) change it.
     
  3. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    One last mention, you posted in a non-ISPConfig forum so I assume you are not using ISPConfig, where there are other considerations.
     
  4. Marcin79pl

    Marcin79pl New Member

    Ohh, im sory i was sure im posted at ispconfig forum o_O
    Now i just update ispconfig with generate new cert, but archive directory still empty, so i copy files from backup previous updates ispconfig, i hope it helps, but now im worry to restart services :)
     
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    No problem, I moved your thread.

    Do you have acme.sh installed, or certbot, or both? The installer probably tells you which it is using when you update, but you need to use one or the other, not both, and it would be good to completely uninstall the one you're not using to avoid further confusion.
     
  6. Marcin79pl

    Marcin79pl New Member

    I have both:(, which is preffered by ispconfig? Ispconfig says something about acme.sh, so i uninstall cerbot
    I dont remember why i have both, but cerbot installed from repository, and acme by some scripts :/
     
    Last edited: Feb 11, 2022
  7. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    This is not entirely correct but if your domain is not for education, then it won't be able to benefit from the Google Workspace fundamentals which is still available for free up to 100TB jointly. My educational organization is still using it for free.
    You shouldn't have both but one. If you start from scratch, acme.sh is the preferred ISPConfig LE client, on the other hand, if this server has already been operating with certbot, the best is to maintain certbot and remove acme.sh fully which I think is your case.
    Please note that the new way to install certbot properly on Debian, Ubuntu and most other OS'es is now using snap and you can check this in its instructions page. You may or may not have to upgrade your certbot by removing the current certbot via apt-get remove certbot, then install snap and use snap to install the latest certbot but I advise that you should.

    About running ISPConfig email server, just ensure your server have full access to port 25. You already has @Jesse Norell here to help you with it, so you are in a good hand.
     
  8. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I forgot to mention one thing which is quite crucial (at least to me) due to my recent experience, that is @Jesse Norell has made an important fix @https://git.ispconfig.org/ispconfig/ispconfig3/-/merge_requests/1541/diffs which modified installer_base.lib.php as follows:
    Code:
                           // certbot returns with 0 on issue for already existing certificate
    
                           $acme_cert_dir = '/etc/letsencrypt/live/' . $hostname;
                           foreach (array( $ssl_crt_file, $ssl_key_file) as $f) {
                               if (file_exists($f) && ! is_link($f)) {
                                   unlink($f);
                               }
                           }
                           symlink($acme_cert_dir . '/fullchain.pem', $ssl_crt_file);
                           symlink($acme_cert_dir . '/privkey.pem', $ssl_key_file);
    
    Without the unlink command being run first, the symlink will fail and the older LE certs will be used instead of the latest and will cause security warning / access failure at least at ISPConfig UI / control panel page; and since other services rely on the LE certs inside ISPConfig SSL folder, that is via symlink to them, they will most probably fail too.

    Thus wise, when one want to create LE certs for one's server or fix it, one should use ISPConfig development package or fix that file in ISPConfig 3.2.7p1 extracted package before running php -q update.php as ISPConfig 3.2.7p1 doesn't include this fix.

    The known error is mentioned in this post: https://www.howtoforge.com/community/threads/certificat-problems-yet-again.88143/#post-430329
     
    Last edited: Feb 12, 2022

Share This Page