postfix cert not created

Discussion in 'Installation/Configuration' started by kmchen, Oct 11, 2018.

  1. kmchen

    kmchen Member

    Really can't get nothing workin on my fresh debian9/ispconfig install. Until when I try to access the webmail (roudcube), dovecot throwing :
    I did a completely fresh install Debain9/ispconfig3.0 then ispconfig update to 3.1.13:
    Code:
    cd /tmp
    wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
    tar xvfz ISPConfig-3-stable.tar.gz
    cd ispconfig3_install/install
    php -q update.php
    Reconfigured all services.
    At whitch step should have that cert created ?
     
  2. ahrasis

    ahrasis Active Member

    I think this is normally handled during your ISPConfig installation where it will create the required self-signed certs for postfix.

    You can also create that manually if you want to use the self-signed certs but if you want to use Let's Encrypt, you can use LE4ISPC script or follow its thread in here.
     
    Last edited: Oct 13, 2018
  3. kmchen

    kmchen Member

    I had followed that tutorial but your script worked. Thanks a lot.

    Now my webmail seems to work but I still get "Your connection is not secure" messages on both ispconfig website myserver:8080 and when I try to connect on imap mail account.
     
    Last edited: Oct 11, 2018
  4. Taleman

    Taleman Active Member HowtoForge Supporter

    The web browser can show which certificate the website uses, check that. Is it the self signed or the LE cert?
     
  5. ahrasis

    ahrasis Active Member

    I followed the link in your signature which gives me your domain name and when I try viewing https://yourdomain.tld:8080 it shows the error that you mentioned.

    The certs clearly belong to your subdomain ns1.yourdomain.tld and not yourdomain.tld, but you must have setup it wrongly because you may view https://yourdomain.tld:8080 with error but totally cannot view https://ns1.yourdomain.tld:8080.

    Either you secure your ISPConfig control panel manually or using the LE4ISPC script, you must use your server hostname FQDN which the subdomain and definitely not the main domain.

    So, retrack and redo where it went wrong, then fix it so that you may access your ISPConfig control panel and its service(s) without any unnecessary warning.
     
  6. kmchen

    kmchen Member

    Thanks a lot for your helps.
    I think I have a real problem with names.
    Originaly that server's FQDN is ks392200.kimsufi.com
    At server's re-install I was asked to give a personalized name. I gave "ns1" thinking it's FQDN would be ns1.webologix.com.
    But at DNS definitions time the domain name webologix.com was not defined anymore so I used ks392200.kimsufi.com to define everything and at certificates generation time I used ns1.webologix.com...

    So. Now, as I prefer to not touch to DNS anymore, could I redefine that server's FQDN with something like:
    and generate certificates based on that name ?
    I would access ispconfig as ks392200.kimsufi.com:8080 instead of ns1.webologix.com:8080
    That way, would everything come in order, certificates, mail helo and others I probably missed ?

    Or is there another name strategy to solve all the problems I encountered with that re-install ?
     
    Last edited: Oct 11, 2018
  7. kmchen

    kmchen Member

    Well, without answer to my preceding post I assume the question was silly and DNS definitions are OK as is with the ks392200 name. So I retry the tutorial from start.
    I created a server website ns1.webologix.com with ispconfig. OK. But when I click SSL and Let's Encrypt check buttons and save, apache logs shows this:
    Code:
    ...
    [Fri Oct 12 11:39:16.154129 2018] [:error] [pid 813] python_init: Python version mismatch, expected '2.7.5+', found '2.7.13'.
    [Fri Oct 12 11:39:16.154489 2018] [:error] [pid 813] python_init: Python executable found '/usr/bin/python'.
    [Fri Oct 12 11:39:16.154536 2018] [:error] [pid 813] python_init: Python path being used '/usr/lib/python2.7:/usr/lib/python2.7/plat-x86_64-linux-gnu:/usr/lib/python2.7/lib-tk:/usr/lib/python2.7/lib-old:/usr/lib/python2.7/lib-dynload'.
    [Fri Oct 12 11:39:16.154628 2018] [:notice] [pid 813] mod_python: Creating 8 session mutexes based on 150 max processes and 0 max threads.
    [Fri Oct 12 11:39:16.154659 2018] [:notice] [pid 813] mod_python: using mutex_directory /tmp
    [Fri Oct 12 11:39:16.200082 2018] [ssl:warn] [pid 813] AH01906: ns1.webologix.com:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Fri Oct 12 11:39:16.207230 2018] [ssl:warn] [pid 813] AH01906: ns1.webologix.com:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Fri Oct 12 11:39:16.207306 2018] [ssl:warn] [pid 813] AH01909: ns1.webologix.com:8080:0 server certificate does NOT include an ID which matches the server name
    
    ...
    
    And the SSL and Let's Encrypt check buttons are unchecked back
    Whitch files should have been created exactly that I could vertify ?
     
    Last edited: Oct 12, 2018
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Take a look into the letsencrypt.log file to see why let's encrypt was not able to issue that cert. You might also see let's encrypt FAQ here at howtoforge for more details.

    And a server name like ks392200.kimsufi.com will probably not work as LE will not issue a cert for that name as probably too many le certs have been issued for kimsufi.com subdomains already. That's why it's wise to use a subdomain of your own domain name as server hostname instead of using the default one from your hosting provider.
     
  9. kmchen

    kmchen Member

    Thanks for your reply.

    Absolutely nothing in letsencrypt logs!; have to enable it somewhere perhaps ?
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Try to disable the letsencrypt check in ispconfig under system > server config > web and then enable let's encrypt again for the website. If the checkbox gets unchecked again, then take a look into the letsencrypt log again.
     
  11. kmchen

    kmchen Member

    Thanks for replying. Absolutely nothing new in /var/log/letsencrypt/letsencrypt.log when I save
    .
    I suspect something nasty with my DNS. I can access ns1.webologix.com but don't see it in ispconfig dns A definitions (I probably removed it earlier). So I add it and when I save configuration I get this in syslog:
    I uncheck DNSSEC to see if related and I get this:
    But the file exists:
    Code:
    [email protected]:~# locate Kwebologix.com.+007+13847.key
    /etc/bind/Kwebologix.com.+007+13847.key
    
    and serial still unchanged and not the one shown in log report !:
     
  12. Taleman

    Taleman Active Member HowtoForge Supporter

  13. kmchen

    kmchen Member

    You're right, zone doesn't load properly:

    What is that file Kwebologix.com.+007+30810.key and how to make ispconfig generate it properly ?
     
    Last edited: Oct 12, 2018
  14. kmchen

    kmchen Member

    checked Skip Lets Encrypt Check in ispconfig under system > server config > web and the checkbox gets unchecked again and still nothing in letsencrypt logs.
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

  16. kmchen

    kmchen Member

    Logs appear in debug mode:
     
  17. ahrasis

    ahrasis Active Member

    I believe since you used LE4ISPC script, it might have created a standalone Let's Encrypt SSL certificates for your ns1.domain.tld on your first trial, thus the certificates may still exist (and valid) therefore causing the error.

    The script no longer require you to setup a website for your server so you can delete the website and continue to secure your server control panel and services by running the script.

    You do not have to follow the tutorial if you are using the script.
     
  18. kmchen

    kmchen Member

    Now I deleted the ns1 and use the script:
    Code:
    [email protected]:/etc/ssl# ./le4ispc.sh
    Enter passphrase for SSL/TLS keys for ns1.webologix.com:8080 (RSA): ***********
    Job for apache2.service failed because the control process exited with error code.
    See "systemctl status apache2.service" and "journalctl -xe" for details.
    
    Seems I need to remove encryption from the apache private key file but don't even know where it is !
    A headake
    Now I launched an ispconfig update to recover apache and no more passphrase asked. But the problem is still there
     
    Last edited: Oct 13, 2018
  19. kmchen

    kmchen Member

    Tried to remove passphrase like that:
    Code:
    [email protected]:/etc/letsencrypt/archive/ns1.webologix.com# umask 077
    [email protected]:/etc/letsencrypt/archive/ns1.webologix.com# mv privkey1.pem privkey1.pem.old
    [email protected]:/etc/letsencrypt/archive/ns1.webologix.com# openssl rsa -in privkey1.pem.old -o privkey1.pem
    rsa: Unknown cipher o
    rsa: Use -help for summary.
    [email protected]:/etc/letsencrypt/archive/ns1.webologix.com# openssl rsa -in privkey1.pem.old -out privkey1.pem
    Enter pass phrase for privkey1.pem.old:
    140003398714624:error:28069065:UI routines:UI_set_result:result too small:../crypto/ui/ui_lib.c:778:You must type in 4 to 1023 characters
    Enter pass phrase for privkey1.pem.old:
    140003398714624:error:2807106B:UI routines:UI_process:processing error:../crypto/ui/ui_lib.c:493:while reading strings
    
    Don't know what to do
     
  20. ahrasis

    ahrasis Active Member

    Simply run "rm -rf /etc/letsencrypt/*/ns1.webologix.com*" to delete all ssl and renewal files. Then choose either you want to follow the tutorial or use the LE4ISPC script. Do not use both unless you understand what you are doing.
     

Share This Page