ISPConfig 3 + update SSL cert via StartSSL

Discussion in 'Installation/Configuration' started by timontomi, Jan 22, 2017.

  1. timontomi

    timontomi New Member

    I tried to input a new SSL cert.
    The problem is that after the update I can receive emails, but sending:
    - via PC (e.g. Thunderbird) asks to confirm an exception (when I press "download cert" it is not possible),
    - via iOS - is not possible via port 587 with STARTTLS.
    Errors in log:
    TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown: SSL alert number 46
    hosting postfix/smtpd[21163]: timeout after STARTTLS from host
    What could I have done wrong? Before, it worked with the old certs.
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Apple has removed StartSSL from the list of valid SSL authorities, so you can not use StartSSL certs on Apple devices anymore. Other web browsers removed it as well as far as I know, so using StartSSL is not an option anymore. Better use Let's Encrypt if you want to use a free SSL cert.
  3. timontomi

    timontomi New Member

    It's clear that I should start with letsencrypt.
    But the problem is that with letsencrypt everything works for added domains:
    certbot auth --text --agree-tos --standalone --email postmaster@`hostname -d` -d `hostname -f` -d mail.`hostname -f`
    but it doesn't work when adding the SSL cert to postfix from ispconfig.
    - ispconfig is located on
    - when I add a new website, e.g., and add certbot <- the SSL is integrated OK and works,
    - postfix (e.g. for Thunderbird) gives an error, even if I add further subdomains into certbot,
    - www for ispconfig is without an SSL cert.
    Do you have some tutorial or samples on how to do this correctly?
  4. timontomi

    timontomi New Member

    OK, problem solved, on Ubuntu 16.10:
    cd /tmp/
    letsencrypt auth --text --agree-tos --authenticator webroot --server --rsa-key-size 4096 --email postmaster@`hostname -d` --domains `hostname -f` --webroot-path /usr/local/ispconfig/interface/acme
    dt=`date '+%Y%m%d%H%M%S'`
    cd /usr/local/ispconfig/interface/ssl/
    for ext in csr key crt; do if [ -f ispserver.$ext ]; then mv ispserver.$ext ispserver.$ext.old.$dt; fi; done
    ln -s /etc/letsencrypt/live/`hostname -f`/privkey.pem ispserver.key
    ln -s /etc/letsencrypt/live/`hostname -f`/fullchain.pem ispserver.crt
    service apache2 restart
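The steps in the post above (back up the old ispserver.* files with a timestamp, symlink the Let's Encrypt key and full chain in their place, restart the service) can be wrapped in a reusable POSIX shell function. The script below is an added example, not timontomi's script or part of ISPConfig; it assumes the same paths as the thread (/usr/local/ispconfig/interface/ssl and /etc/letsencrypt/live/HOSTNAME) but takes them as parameters so it can be exercised against a scratch directory. It also adds a check the thread lacks: before anything is restarted, it confirms that the public key inside ispserver.crt really belongs to ispserver.key, which catches a symlink pointing at the wrong live directory, a very common cause of a "certificate unknown" alert from clients after a cert rotation.

```shell
#!/bin/sh
# Added example (not from the thread or from ISPConfig): install a Let's Encrypt
# live certificate into ISPConfig's ssl directory with timestamped backups and
# verify key/certificate consistency before services are restarted.

# rotate_ispserver_cert SSL_DIR LIVE_DIR
#   SSL_DIR : directory holding ispserver.{csr,key,crt}
#   LIVE_DIR: Let's Encrypt live directory containing privkey.pem and fullchain.pem
# Regular files are renamed to NAME.old.TIMESTAMP (as in the thread); existing
# symlinks are simply repointed, so the function is safe to run repeatedly.
rotate_ispserver_cert() {
  ssl_dir=$1
  live_dir=$2
  if [ ! -f "$live_dir/privkey.pem" ] || [ ! -f "$live_dir/fullchain.pem" ]; then
    echo "rotate_ispserver_cert: privkey.pem or fullchain.pem missing in $live_dir" >&2
    return 1
  fi
  dt=$(date '+%Y%m%d%H%M%S')
  for ext in csr key crt; do
    f="$ssl_dir/ispserver.$ext"
    # back up real files only; a symlink from an earlier run is replaced below
    if [ -e "$f" ] && [ ! -L "$f" ]; then
      mv "$f" "$f.old.$dt" || return 1
    fi
  done
  ln -sfn "$live_dir/privkey.pem"   "$ssl_dir/ispserver.key" || return 1
  ln -sfn "$live_dir/fullchain.pem" "$ssl_dir/ispserver.crt" || return 1
  return 0
}

# key_matches_cert KEY_FILE CERT_FILE
#   Returns 0 when the certificate's public key equals the public key derived
#   from the private key, 1 on mismatch, 2 if either file cannot be parsed.
#   Works for RSA and EC keys because it compares SubjectPublicKeyInfo PEM.
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  crt_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 2
  [ "$key_pub" = "$crt_pub" ]
}

# Stand-alone use:  sh rotate_cert.sh SSL_DIR LIVE_DIR
# (paths are assumptions; adjust to your ISPConfig and certbot layout)
if [ "$#" -eq 2 ]; then
  rotate_ispserver_cert "$1" "$2" || exit 1
  if key_matches_cert "$1/ispserver.key" "$1/ispserver.crt"; then
    echo "key and certificate match; restart the services that read $1/ispserver.*"
  else
    echo "key/certificate mismatch in $1, not restarting anything" >&2
    exit 1
  fi
fi
```

The thread restarts only apache2, but any daemon that was pointed at these files (Postfix and Dovecot in a typical ISPConfig mail setup) reads the certificate at startup and must also be reloaded, otherwise mail clients keep seeing the old chain after the web interface already presents the new one.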
