Lets encrypt is activated on domains and works on websites but not email

Discussion in 'ISPConfig 3 Priority Support' started by Paul Hill, Aug 2, 2018.

  1. Paul Hill

    Paul Hill Member HowtoForge Supporter

    Hi There
    As the title sayes , we have enabled ssl with lets encrypt using built in ispconfig 3.1 ability and it works with https websites hosted , but the email clients do not work . The mail client reports that the cert is from internet widgets .

    Is there a seperate place to enable ssl for email services ?
    thanks

    Paul
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  3. Paul Hill

    Paul Hill Member HowtoForge Supporter

    Thanks Taleman but that refers to ispconfig 3.0 using nginx , ispconfig 3.1 has the setup integrated into it so im looking for a more specific reason or guide to get it working .
    I don't want to experiment as it is a live server and I'm not particulary conversant with Linux ...it does run on a vm so ill create a bookmark before I do it so that if I totally screw it up can revert it back .
     
  4. Paul Hill

    Paul Hill Member HowtoForge Supporter

    Just wondering if Till or Falko have any words of wisdom here ?
    THanks
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    The thread that @Taleman posted the link to installs an LE cert for the ISPConfig UI (Apache and Nginx), for SMTP, POP3, IMAP, and FTP. So that's the right guide to activate LE for email.
     
  6. Paul Hill

    Paul Hill Member HowtoForge Supporter

    SO if my hunch is correct , the utility in the ISPCF3.1 has probably setup the LE cert for web only as it seems to work for websites . HTTPS sites work well for each domain hosted .
    I'm also going to assume at this stage that ISPCF3.1 auto renews these certs with lets encrypt when they expire ?
    So if I follow the guide to copy the certs to postfix etc for email will that automatically renew still ? also , do I have to copy the certs for each individual domain ?
    Thanks ..
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    The email system does not use the certs of the individual sites, it just uses the cert of the site that matches the server hostname, see linked post. the simple reason is that Postfix does not support SNI, so you can not have name based ssl certs on the mail system, but this is not a problem at all as mail clients should connect to your server hostname anyway and not use the client domain.

    And yes, LE certs get auto renewed.
     
  8. Paul Hill

    Paul Hill Member HowtoForge Supporter

    SO if I have clients use their own domain name as their mail server address ( mail.individualcompanydomain.com) as opposed to (mail.ourserverdomain.com ) it will create problems ?
    Thanks ..
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, they will get an SSL error. Using their own domain name would only work if each client has it's own IP address.
     
  10. Paul Hill

    Paul Hill Member HowtoForge Supporter

    Hi Guys
    I have followed the guide for creating the links to the certs for postfix and dovecot etc .
    when I test this using outlook on a clients machine I get this warning ..

    The server you are connecting to is using a security certificate that connot be verified.

    The target principle name is incorrect …

    How do I correct this ? is it an issue with the way the servers SSL cert from lets encrypt is viewed ? or is it an issue with the config of the mail client .
    the outgoing smtp port used is 465 with ssl .

    we don't use 25 (only 465 and 587) because we have a Proxmox spam device filtering all incoming mail to the server on 25 ..

    Thanks
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Did you use the server hostname in the smtp and pop3/imap server settings in outlook?
     
  12. Paul Hill

    Paul Hill Member HowtoForge Supporter

    Hi Till
    when I analyze the domain for SSL ability I get this from digicert.com test :-
    DNS resolves ibcbrantford.com to 72.139.27.78
    HTTP Server Header: Apache/2.4.18 (Ubuntu)

    SSL certificate
    Common Name = www.ibcbrantford.com

    Subject Alternative Names = ibcbrantford.com, www.ibcbrantford.com

    Issuer = Let's Encrypt Authority X3

    Serial Number = 032A585EC508F8E91CB5A1FD908DA43B468F

    SHA1 Thumbprint = 8376672FBA839EA63F4427291902E92742BDBE17

    Key Length = 4096

    Signature algorithm = SHA256 + RSA (excellent)

    Secure Renegotiation: Supported

    SSL Certificate has not been revoked
    OCSP Staple: Good
    OCSP Origin: Good
    CRL Status: Not Enabled

    SSL Certificate expiration
    The certificate expires October 24, 2018 (81 days from today)

    Certificate Name matches ibcbrantford.com
    [​IMG]
    Subject www.ibcbrantford.com
    Valid from 26/Jul/2018 to 24/Oct/2018
    Issuer Let's Encrypt Authority X3
    [​IMG]
    [​IMG]
    Subject Let's Encrypt Authority X3
    Valid from 17/Mar/2016 to 17/Mar/2021
    Issuer DST Root CA X3
    SSL Certificate is correctly installed

    website works with https with no problems other than some insecure items which I know about …

    if I look at the cert that outlook now complains about it says the issuer is "my email address" , my domain
    valid from may 07 2018 to may 04 , 2028

    Cert information: This CA root certificate is not trusted. To enable trust install this certificate in the trusted root certification authorities store

    When I setup the LE cert I then executed the following code as per the instructions further back in this thread :-
    Code:-
    cd /etc/postfix/
    mv smtpd.cert smtpd.cert-$(date +"%y%m%d%H%M%S").bak
    mv smtpd.key smtpd.key-$(date +"%y%m%d%H%M%S").bak
    ln -s /usr/local/ispconfig/interface/ssl/ispserver.crt smtpd.cert
    ln -s /usr/local/ispconfig/interface/ssl/ispserver.key smtpd.key
    service postfix restart
    service dovecot restart
    --------------------------------------------------------------------------------------------------------------------------------------------------------------------
    update certs for dovecot :
    Check if it is set to use the postfix SSL files (see below) via "nano /etc/dovecot/dovecot.conf".
    [...]
    ssl_cert = </etc/postfix/smtpd.cert
    ssl_key = </etc/postfix/smtpd.key
    [...]
    Leave it, if it is rightly set. Otherwise, fix it. In any event, running "service dovecot restart" is already covered earlier.
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------
    I didn't execute the code for the ISPconfig interface as I didn't want to lock myself out if I messed it up .
     
  13. Paul Hill

    Paul Hill Member HowtoForge Supporter

    I just realized that it copies the certs to the interface folder , then it creates links to those certs for postfix .
    So essentially my postfix links aren't working because I didn't complete the interface part .
    I just ran the code to copy the certs for the interface , this part didn't work properly
    if [ -f "ispserver.pem" ]; then
    mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
    fi
    ln -s /etc/letsencrypt/live/$(hostname -f)/fullchain.pem ispserver.crt
    ln -s /etc/letsencrypt/live/$(hostname -f)/privkey.pem ispserver.key
    cat ispserver.{key,crt} > ispserver.pem
    chmod 600 ispserver.pem

    probably because I don't have a .PEM file in the interface folder .
    it copied the .crt and .key files across which show up as red in nano now .
    restarting the server ends in a error not able to start dovecot because there is an issue with smtp.cert
     
  14. Paul Hill

    Paul Hill Member HowtoForge Supporter

    So what would you recommend to get Links to the cert files into my mail folder so that the mail clients can access the SSL files properly ( Sorry for my complete ignorance :( )
     
  15. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    It looks to me dovecot is not using the LE certificate you made.
    I use the script @ahrasis made to see what file goes where when setting up Dovecot certificate. It is in the long post by ahrasis about setting up LE for ISPConfig panel.
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    No, it does not copies the certs, it replaces th certs withs ymlinks to the files in the interface ssl folder which are the LE certs at that time if you followed the guide from @ahrarsis. And the .pem file is created by the commands from the guide, so if it's not there, then you must have ledft a step out from the tutorial.

    Just follow the guide from @ahrasis from the beginning to the end and do not leave something out. I used the steps on many servers and it always worked.
     
  17. Paul Hill

    Paul Hill Member HowtoForge Supporter

    so I am running
    (Ubuntu 16.04.4 LTS (Xenial Xerus)) ISPConfig 3.1.11
    SSL is already functioning for secure website .. HTTPS works .

    So as per Taleman's referral above I should execute the following changes logged in a root ?

    to get SSL working for the ispconfig interface :

    cd /usr/local/ispconfig/interface/ssl/
    mv ispserver.crt ispserver.crt-$(date +"%y%m%d%H%M%S").bak
    mv ispserver.key ispserver.key-$(date +"%y%m%d%H%M%S").bak
    if [ -f "ispserver.pem" ]; then
    mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
    fi
    ln -s /etc/letsencrypt/live/$(hostname -f)/fullchain.pem ispserver.crt
    ln -s /etc/letsencrypt/live/$(hostname -f)/privkey.pem ispserver.key
    cat ispserver.{key,crt} > ispserver.pem
    chmod 600 ispserver.pem


    followed by :-

    to get SSL working for the email services :

    cd /etc/postfix/
    mv smtpd.cert smtpd.cert-$(date +"%y%m%d%H%M%S").bak
    mv smtpd.key smtpd.key-$(date +"%y%m%d%H%M%S").bak
    ln -s /usr/local/ispconfig/interface/ssl/ispserver.crt smtpd.cert
    ln -s /usr/local/ispconfig/interface/ssl/ispserver.key smtpd.key
    service postfix restart
    service dovecot restart

    I don't care about the other modules for SSL at the moment I just want SSL for HTTPS and mail …
    If I'm missing something please let me know ..
    I'm trying to clarify "EXACTLY" what I need to execute to get it to work. I don't have a good working knowledge of Linux so anything vague tends to throw me and mistakes happen very easily because of my ignorance . ( although I am slowly picking things up over time ).
     
  18. Paul Hill

    Paul Hill Member HowtoForge Supporter

    OK so i disabled the ssl and sessl check boxes for about 10 other domains , removed their ssl keys from the ssl tab
    Ran this :-
    cd /usr/local/ispconfig/interface/ssl/
    mv ispserver.crt ispserver.crt-$(date +"%y%m%d%H%M%S").bak
    mv ispserver.key ispserver.key-$(date +"%y%m%d%H%M%S").bak
    mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
    ln -s /etc/letsencrypt/live/$(hostname -f)/fullchain.pem ispserver.crt
    ln -s /etc/letsencrypt/live/$(hostname -f)/privkey.pem ispserver.key
    cat ispserver.{key,crt} > ispserver.pem <------------------ fails at this line
    chmod 600 ispserver.pem
    it displays this message:
    cat: ispserver.key: no such file or directory
    cat: ispserver.crt: no such file or directory
    see below
    ---------------------------------------------------------------------------------------------------------------------------------------------
    [email protected]:/usr/local/ispconfig/interface/ssl# cat ispserver.{key,crt} > ispserver.pem
    cat: ispserver.key: No such file or directory
    cat: ispserver.crt: No such file or directory
    [email protected]:/usr/local/ispconfig/interface/ssl# ls -l
    total 20
    -rwxr-x--- 1 root root 45 May 8 02:50 empty.dir
    lrwxrwxrwx 1 root root 58 Aug 4 23:06 ispserver.crt -> /etc/letsencrypt/live/Mars2.ibcb rantford.com/fullchain.pem
    -rwxr-x--- 1 root root 2114 May 8 02:50 ispserver.crt-180804230554.bak
    -rwxr-x--- 1 root root 1813 May 8 02:50 ispserver.csr
    lrwxrwxrwx 1 root root 56 Aug 4 23:06 ispserver.key -> /etc/letsencrypt/live/Mars2.ibcb rantford.com/privkey.pem
    -rwxr-x--- 1 root root 3247 May 8 02:50 ispserver.key-180804230603.bak
    -rwxr-x--- 1 root root 3311 May 8 02:50 ispserver.key.secure
    -rw-r--r-- 1 root root 0 Aug 4 23:06 ispserver.pem
    [email protected]:/usr/local/ispconfig/interface/ssl#
    ---------------------------------------------------------------------------------------------------------------------------------------------

    So to me it looks like its failing at the part where it creates the ispserver.PEM file ?
    Where do I go from here ?

    Thanks for your patience guys
     
  19. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    The previous two lines fail. They create the .crt and .key files. Or should create. Is there error message from those? What does show
    Code:
    ls -lh ispserver.*
    Are the files these links point to missing?
    Is there a space character in the middle of the file name?
    I wish for code tags when listings are shown. Makes reading easier.
     
    Last edited: Aug 5, 2018
    till likes this.
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    Hmm, if you did not changed the ls output from above, then there must be something wrong in the hostname setup of your server or there must have another kind of mistake that put a whitespace into the hostname:

    lrwxrwxrwx 1 root root 58 Aug 4 23:06 ispserver.crt -> /etc/letsencrypt/live/Mars2.ibcb rantford.com/fullchain.pem

    so the current hostname off your server seems to be 'Mars2.ibcb rantford.com' but a domain name can not contain a whitespace, so this SSL cert and hostname cannot exist.

    Check the server hostname with the commands:

    hostname

    and

    hostname -f

    hostname should return something like 'example1', the short version of the hostname. It may return the fqdn 'server1.example.com' as well, so don't worry if you get the full name.

    and the command 'hostname -f' must return the fully qualified domain name (long hostname) like 'server1.example.com'. This long hostname must exist in DNS, so when you enter 'server1.example.com' e.g. in a browser, you must end up at your server.
     

Share This Page