ISPConfig Dovecot

Discussion in 'Server Operation' started by 30uke, Oct 3, 2019.

  1. 30uke

    30uke New Member

    Hello,
    I am running into an issue with Dovecot. I think this has to do with the dh.pem file. But I am unable to find the problem at the moment. I am hoping some can help. Thanks.
    Error:
    Code:
    Oct  3 16:41:29 s1 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=77.248.76.56, lip=136.144.206.44, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<OhO3lAKUqWFN+Ew4>
    Oct  3 16:41:29 s1 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=77.248.76.56, lip=136.144.206.44, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<0SS5lAKUWdNN+Ew4>
    Config [/etc/dovecot/dovecot.conf]:
    Code:
    listen = *,[::]
    protocols = imap pop3
    auth_mechanisms = plain login
    disable_plaintext_auth = no
    log_timestamp = "%Y-%m-%d %H:%M:%S "
    mail_privileged_group = vmail
    ssl_cert = </etc/postfix/smtpd.cert
    ssl_key = </etc/postfix/smtpd.key
    #test 2019-10-03
    #ssl_protocols = !SSLv3
    #added 2019-09-08
    ssl_dh =</usr/share/dovecot/dh.pem
    ssl_min_protocol = TLSv1.2
    #
    mail_max_userip_connections = 100
    mail_plugins = $mail_plugins zlib
    passdb {
      args = /etc/dovecot/dovecot-sql.conf
      driver = sql
    }
    userdb {
      driver = prefetch
    }
    userdb {
      args = /etc/dovecot/dovecot-sql.conf
      driver = sql
    }
    plugin {
      quota = dict:user::file:/var/vmail/%d/%n/.quotausage
      sieve=/var/vmail/%d/%n/.sieve
      sieve_max_redirects = 25
      zlib_save_level = 9 # 1..9; default is 6
      zlib_save = gz # or bz2, xz or lz4
    }
    service auth {
      unix_listener /var/spool/postfix/private/auth {
      unix_listener /var/spool/postfix/private/auth {
        group = postfix
        mode = 0660
        user = postfix
      }
      unix_listener auth-userdb {
        group = vmail
        mode = 0600
        user = vmail
      }
      user = root
    }
    service lmtp {
      unix_listener /var/spool/postfix/private/dovecot-lmtp {
       group = postfix
       mode = 0600
       user = postfix
       # For higher volume sites, it may be desirable to increase the number of active listener processes.
       # A range of 5 to 20 is probably good for most sites
    #   process_min_avail = 5
      }
    }
    service imap-login {
      client_limit = 1000
      process_limit = 512
    }
    protocol imap {
      mail_plugins = quota imap_quota zlib
    }
    protocol pop3 {
      pop3_uidl_format = %08Xu%08Xv
      mail_plugins = quota
    }
    protocol lda {
    postmaster_address = [email protected]
      mail_plugins = sieve quota zlib
    }
    protocol lmtp {
    postmaster_address = [email protected]
      mail_plugins = quota sieve
    }
    
    service stats {
        unix_listener stats-reader {
            user = vmail
            group = vmail
            mode = 0660
        }
    
        unix_listener stats-writer {
            user = vmail
            group = vmail
            mode = 0660
        }
    }
    
     
  2. 30uke

    30uke New Member

    Update: I think this has to do with Let's encrypt not working after the ISPConfig some time ago.
     
  3. 30uke

    30uke New Member

    Unable to rerun the update per https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/
    Code:
    Please choose the update method. For production systems select 'stable'.
    WARNING: The update from GIT is only for development systems and may break your current setup. Do not use the GIT version on servers that host any live websites!
    Note: Update all slave server, before you update master server.
    
    Select update method (stable,git-stable,git-master) [stable]:
    
    There are no updates available for ISPConfig 3.1.15
    [email protected]:/#
    
    Unable to re-install Let's Encrypt per https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/
    Code:
    [email protected]:/opt/certbot# ./certbot-auto --install-only
    Error: couldn't get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt:
    Traceback (most recent call last):
      File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
        from certbot.main import main
      File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 5, in <module>
        import logging.handlers
      File "/usr/lib/python2.7/logging/__init__.py", line 26, in <module>
        import sys, os, time, cStringIO, traceback, warnings, weakref, collections
      File "/usr/lib/python2.7/weakref.py", line 14, in <module>
        from _weakref import (
    ImportError: cannot import name _remove_dead_weakref
    [email protected]:/opt/certbot#
    Help. I am stuck.
     
  4. 30uke

    30uke New Member

    Moved "venv" folder in /opt/eff.org/certbot/ to a backup directory and re-ran ./certbot-auto --install-only which results in re-install of Let's Encrypt.
    Just removed a certificate and got a new one. I see the last working cert. That seems to work.
    The problem with Dovecot is still there.
     
    Last edited: Oct 3, 2019
  5. 30uke

    30uke New Member

    I did look a bit further. I did notice the files "ispserver.crt" and "ispserver.key" are containing expired certificates.
    When I navigate to https://s1.gigabitjes.nl it will use a valid cert. But when I navigate to https://s1.gigabitjes.nl:8080 the certificate has been expired today.
    Guess what: the certs used by Dovecot are the same:
    Code:
    [email protected]:/etc/dovecot# ls -lah /etc/postfix/smtpd.cert
    lrwxrwxrwx 1 root root 48 Oct  3 16:04 /etc/postfix/smtpd.cert -> /usr/local/ispconfig/interface/ssl/ispserver.crt
    [email protected]:/etc/dovecot# ls -lah /etc/postfix/smtpd.key
    lrwxrwxrwx 1 root root 48 Oct  3 16:04 /etc/postfix/smtpd.key -> /usr/local/ispconfig/interface/ssl/ispserver.key
    
    So, for some reason the certs for ISPConfig itself aren't being updated? Isn't that odd? What am I doing wrong?
     
  6. 30uke

    30uke New Member

    After updating and manually executing LE4ISPC the certificates in /usr/local/ispconfig/interface/ssl were overwritten.
    But the certificate still seems expired. There must be something odd going on. So, removed the certificate for s1.gigabitjes.nl through ISPConfig. Next unticked Let's Encrypt. Ticked Let's encrypt again. Created new certificate - note: changed the state from "Friesland" to "Fryslan". Checked Let's encrypt log...

    Code:
    [email protected]:/usr/local/ispconfig/interface/ssl# cat /var/log/letsencrypt/letsencrypt.log
    2019-10-03 20:52:18,960:DEBUG:certbot.main:certbot version: 0.39.0
    2019-10-03 20:52:18,960:DEBUG:certbot.main:Arguments: ['--domains', 's1.gigabitjes.nl']
    2019-10-03 20:52:18,960:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2019-10-03 20:52:18,970:WARNING:certbot.cli:You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. The letsencrypt client has also been renamed to Certbot. We recommend upgrading to the latest certbot-auto script, or using native OS packages.
    2019-10-03 20:52:18,970:DEBUG:certbot.cli:Deprecation warning circumstances: /opt/eff.org/certbot/venv/bin/certbot / {'LANG': 'en_US.UTF-8', 'SHELL': '/bin/sh', 'LANGUAGE': 'en_US:en', 'SHLVL': '1', 'OLDPWD': '/root', 'PWD': '/usr/local/ispconfig/server', 'LOGNAME': 'root', 'PATH': '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', 'HOME': '/root', '_': '/opt/eff.org/certbot/venv/bin/certbot'}
    2019-10-03 20:52:18,984:DEBUG:certbot.log:Root logging level set at 20
    2019-10-03 20:52:18,985:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2019-10-03 20:52:19,006:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): ocsp.int-x3.letsencrypt.org:80
    2019-10-03 20:52:19,155:DEBUG:urllib3.connectionpool:http://ocsp.int-x3.letsencrypt.org:80 "POST / HTTP/1.1" 200 527
    2019-10-03 20:52:19,157:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/live/s1.gigabitjes.nl/cert.pem is signed by the certificate's issuer.
    2019-10-03 20:52:19,164:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/live/s1.gigabitjes.nl/cert.pem is: OCSPCertStatus.GOOD
     
  7. 30uke

    30uke New Member

    Problem solved. Looks like expired certificate are a real pain.
     
  8. Taleman

    Taleman Well-Known Member HowtoForge Supporter

Share This Page