renew mail certificate?

Discussion in 'Installation/Configuration' started by willoriker, Mar 18, 2021.

  1. willoriker

    willoriker Member

    I updated ISPConfig 3.2.2 w/o problems 3 months ago, but today all mail clients say invalid certificate (expired). Why? How can I renew? Tx in advance.
    The certificates of the control panel (8080) and the mail server have different dates, how is it possible?
     


    Last edited: Mar 18, 2021
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Did you set up the certificate through the installer?
    Have you tried restarting dovecot and postfix?
     
  3. willoriker

    willoriker Member

    Sorry for the delay. Yes, I did it twice (cert through installer, first with update, second force), and I restarted several times. I did the update 2 months ago! Why is there a difference? Are there any trustworthy tools to check the condition of the mail server's certificate? I use SSL checker, but it shows me the certificate for the domain, not for the email server.
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Yes.
    Find them using Internet Search Engines with
    Code:
    ssl testing mail server
     
    Last edited: Mar 25, 2021
  5. willoriker

    willoriker Member

    confirmed for mail server
    Certificates
    First seen at: 2021-01-21
    CN=mxxxr.dxxxxxxxa.es
    Certificate chain
    • mxxxxxxr.dixxxa.es
      • -23 days remaining
      • 4096 bit
      • sha256WithRSAEncryption
      • R3
        • 188 days remaining
        • 2048 bit
        • sha256WithRSAEncryption
        • DST Root CA X3 (Certificate is self-signed.)
          • 189 days remaining
          • 2048 bit
          • sha1WithRSAEncryption
    Subject
    Common Name (CN)
    • mxxxr.dxxxxxxa.es
    Alternative Names
    • mxxxxr.dxxxxxxa.es


    And for the control panel (same server name) on 8080:
    from Sun, 31 Jan 2021 06:45:08 GMT
    To Sat, 01 May 2021 06:45:08 GMT
    How is it possible?
     
  6. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Because you decide which cert to use in the configuration of your mail/web server. So the webserver on port 8080 can use a whole different certificate than the mailserver.

    Did you let the installer symlink the certificate for postfix?
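
Added example, not part of the thread and not ISPConfig code: since each service can be configured with its own certificate, the check has to ask each port what it actually serves. The script assumes `openssl` and GNU `date`; port 8080 comes from the thread, while ports 25, 993 and 21 and the host name in the usage line are assumptions.

```sh
#!/bin/sh
# Added example, not ISPConfig code. Assumes openssl and GNU date.

# Print the "notAfter=..." line of the leaf certificate served on
# host:port. $3 is an optional STARTTLS protocol (smtp, imap, pop3, ftp)
# for ports that begin in plaintext.
served_enddate() {
    host=$1; port=$2; starttls=${3:-}
    set -- -connect "$host:$port" -servername "$host"
    if [ -n "$starttls" ]; then set -- "$@" -starttls "$starttls"; fi
    openssl s_client "$@" </dev/null 2>/dev/null |
        openssl x509 -noout -enddate 2>/dev/null
}

# Whole days (truncated toward zero) between epoch $2 (default: now)
# and a "notAfter=May  1 06:45:08 2021 GMT" line; negative = expired.
days_left() {
    enddate=${1#notAfter=}; now=${2:-$(date +%s)}
    end=$(date -u -d "$enddate" +%s) || return 1
    echo $(( (end - now) / 86400 ))
}

# Probe the panel port named in the thread plus the usual mail/FTP
# ports (25, 993 and 21 are assumptions; adjust to your setup).
report() {
    host=$1
    for svc in "panel 8080" "smtp 25 smtp" "imaps 993" "ftp 21 ftp"; do
        set -- $svc
        if line=$(served_enddate "$host" "$2" "${3:-}") && [ -n "$line" ]; then
            echo "$1 (port $2): $line ($(days_left "$line") days left)"
        else
            echo "$1 (port $2): no certificate retrieved"
        fi
    done
}

# Usage: sh certcheck.sh mail.example.org   (hypothetical host name)
if [ "$#" -gt 0 ]; then report "$1"; fi
```

Differing `notAfter` values between port 8080 and the mail ports mean the services are not reading the same certificate file.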
     
  7. willoriker

    willoriker Member

    No, I use automatic generation of the LE cert for the control panel, mail server and FTP server from the ISPConfig 3.2 update.
     
  8. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Yes, and when doing so, you need to answer "y" for symlinking it.
     
  9. willoriker

    willoriker Member

    Because I did it several months ago, I'm not sure, but I think yes. Anyway, I am going to do it again (/force).
     
  10. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Yes, let it generate a new cert and make sure you answer "y" (maybe the default?) when the installer asks whether to symlink it for Postfix (this will include Dovecot) and Pure-ftpd or not.
    You can do a force update to the stable release with
    Code:
    ispconfig_update.sh --force
     
  11. willoriker

    willoriker Member

    You are right. I don't use a DNS server, and in the middle the script asks a question about ...; if I press no, the script didn't complete the LE sequence.
    I never noticed this detail. Now it completes the sequence and everything is OK. Tx again.
     
  12. willoriker

    willoriker Member

    Hi again, I updated another server from 3.1.4 (I think) to 3.2.4 w/o problems, but in the middle of the script it says:
    "Could not issue letsencrypt certificate, falling back to self-signed."

    the complete echo from script was:
    Operating System: Ubuntu 18.04.5 LTS (Bionic Beaver)

    This application will update ISPConfig 3 on your server.

    Shall the script create a ISPConfig backup in /var/backup/ now? (yes,no) [yes]: no

    Checking ISPConfig database .. OK
    Starting incremental database update.
    Loading SQL patch file: /tmp/update_runner.sh.qCsJy7SAr5/install/sql/incremental/upd_dev_collection.sql
    Reconfigure Permissions in master database? (yes,no) [no]:

    Service 'dns_server' has been detected (currently disabled) do you want to enable and configure it? (yes,no) [no]:

    Reconfigure Services? (yes,no,selected) [yes]:

    Configuring Postfix
    Configuring Dovecot
    Configuring Mailman
    Configuring Spamassassin
    Configuring Amavisd
    Configuring Getmail
    Configuring Pureftpd
    Configuring Apache
    Configuring vlogger
    Configuring Apps vhost
    Configuring Jailkit
    Configuring Ubuntu Firewall
    Configuring Database
    Updating ISPConfig
    ISPConfig Port [8080]:

    Create new ISPConfig SSL certificate (yes,no) [no]: yes

    Checking / creating certificate for server.tallerdelaamistad.org
    Using certificate path /etc/letsencrypt/live/server.tXXXXXXXXXXad.org
    Server's public ip(s) (xx.xx.xx.x0, xx.xx.xx0) not found in A/AAAA records for server.tallerdelaamistad.org: 127.0.0.1
    Ignore DNS check and continue to request certificate? (y,n) [n]:

    Could not issue letsencrypt certificate, falling back to self-signed.
    Generating RSA private key, 4096 bit long modulus (2 primes)
    .......................++++
    ............................++++
    e is 65537 (0x010001)
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:SP
    State or Province Name (full name) [Some-State]:Málaga
    Locality Name (eg, city) []:NErja
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:TallxxxXXXXd
    Organizational Unit Name (eg, section) []:TDLA
    Common Name (e.g. server FQDN or YOUR name) []:server.tXXXXXXXXXd.org
    Email Address []:dXXXXXXXXXil.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    writing RSA key
    Symlink ISPConfig SSL certs to Postfix? (y,n) [y]:

    Symlink ISPConfig SSL certs to Pure-FTPd? Creating dhparam file may take some time. (y,n) [y]:

    Reconfigure Crontab? (yes,no) [yes]:

    Updating Crontab
    Restarting services ...
    Update finished.

    But LE is working properly (I am creating sites with SSL and LE w/o problems).
    What's up? I did it 3 times (with --force), no difference.
    Before the last try, I created a site with the server name and LE, with success, but nothing changed in the script.
    Tx for helping me.
     
  13. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Please put such output in code tags (In the editor: insert -> code)
    You have set up your /etc/hosts file incorrectly, or your DNS record was incorrect. Answer "y" when asked "Ignore DNS check and continue to request certificate?" and see what happens when running a force update.
     
  14. willoriker

    willoriker Member

    ok, i receive this output

    HTML:
    Operating System: Ubuntu 18.04.5 LTS (Bionic Beaver)
    
    This application will update ISPConfig 3 on your server.
    
    Shall the script create a ISPConfig backup in /var/backup/ now? (yes,no) [yes]: no
    
    Checking ISPConfig database .. OK
    Starting incremental database update.
    Loading SQL patch file: /tmp/update_runner.sh.DFyGz04vud/install/sql/incremental/upd_dev_collection.sql
    Reconfigure Permissions in master database? (yes,no) [no]:
    
    Service 'dns_server' has been detected (currently disabled) do you want to enable and configure it?  (yes,no) [no]:
    
    Reconfigure Services? (yes,no,selected) [yes]:
    
    Configuring Postfix
    Configuring Dovecot
    Configuring Mailman
    Configuring Spamassassin
    Configuring Amavisd
    Configuring Getmail
    Configuring Pureftpd
    Configuring Apache
    Configuring vlogger
    Configuring Apps vhost
    Configuring Jailkit
    Configuring Ubuntu Firewall
    Configuring Database
    Updating ISPConfig
    ISPConfig Port [8080]:
    
    Create new ISPConfig SSL certificate (yes,no) [no]: yes
    
    Checking / creating certificate for server.tallerdelaamistad.org
    Using certificate path /etc/letsencrypt/live/server.tallerdelaamistad.org
    Server's public ip(s) (80.59.7.130, 80.59.7.130) not found in A/AAAA records for server.tallerdelaamistad.org: 127.0.0.1
    Ignore DNS check and continue to request certificate? (y,n) [n]: y
    
    Using apache for certificate validation
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Cert not yet due for renewal
    Keeping the existing certificate
    Issuing certificate seems to have succeeded but /etc/letsencrypt/live/server.tallerdelaamistad.org/cert.pem seems to be missing. Falling back to self-signed.
    genrsa: Can't open "/usr/local/ispconfig/interface/ssl/ispserver.key" for writing, No such file or directory
    Can't open /usr/local/ispconfig/interface/ssl/ispserver.key for reading, No such file or directory
    140391026889152:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:72:fopen('/usr/local/ispconfig/interface/ssl/ispserver.key','r')
    140391026889152:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:79:
    unable to load Private Key
    Can't open /usr/local/ispconfig/interface/ssl/ispserver.key for reading, No such file or directory
    140503651062208:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:72:fopen('/usr/local/ispconfig/interface/ssl/ispserver.key','r')
    140503651062208:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:79:
    unable to load Private Key
    Can't open /usr/local/ispconfig/interface/ssl/ispserver.key for reading, No such file or directory
    140139771433408:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:72:fopen('/usr/local/ispconfig/interface/ssl/ispserver.key','r')
    140139771433408:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:79:
    unable to load Private Key
    PHP Warning:  rename(/usr/local/ispconfig/interface/ssl/ispserver.key.insecure,/usr/local/ispconfig/interface/ssl/ispserver.key): No such file or directory in /tmp/update_runner.sh.DFyGz04vud/install/lib/installer_base.lib.php on line 3152
    Reconfigure Crontab? (yes,no) [yes]: no
    
    Restarting services ...
    Job for apache2.service failed because the control process exited with error code.
    See "systemctl status apache2.service" and "journalctl -xe" for details.
    Update finished.
    can you guide me?
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    Check the /etc/hosts file on your server as @Th0m mentioned above, seems as if you have server.tallerdelaamistad.org in there with a wrong IP.
    IP 127.0.0.1 is localhost only, don't use it for your server name.
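
Added example, not part of the thread and not ISPConfig code: the installer message quoted earlier shows the address the server name resolves to next to the server's public IPs. This sketch lists what a hosts file maps a name to and flags entries that differ from the public IP; the host name, addresses and sample file are constructed, and it looks at the hosts file only, not at DNS.

```sh
#!/bin/sh
# Added example, not ISPConfig code. Host name and addresses are constructed.

# Print every address that hosts-format file $1 maps to name $2.
hosts_addrs() {
    awk -v name="$2" '
        { sub(/#.*/, "") }    # drop comments
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == tolower(name)) print $1 }
    ' "$1"
}

# Classify an address as loopback, private (RFC 1918) or public.
addr_class() {
    case $1 in
        127.*|::1) echo loopback ;;
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo private ;;
        *) echo public ;;
    esac
}

# check_hosts FILE NAME PUBLIC_IP...
# Returns 1 if any mapping for NAME is not one of the public IPs.
check_hosts() {
    file=$1; name=$2; shift 2
    rc=0
    for addr in $(hosts_addrs "$file" "$name"); do
        match=no
        for ip in "$@"; do
            if [ "$addr" = "$ip" ]; then match=yes; fi
        done
        echo "$name -> $addr ($(addr_class "$addr")), public IP match: $match"
        if [ "$match" = no ]; then rc=1; fi
    done
    return "$rc"
}

# Constructed sample: the name is pinned to loopback, as in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
127.0.0.1    localhost
127.0.0.1    server.example.org server   # wrong: loopback
EOF
check_hosts "$sample" server.example.org 203.0.113.10 || echo "fix hosts entry"
rm -f "$sample"
```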
     
  16. willoriker

    willoriker Member

    Yes, Till, you are right, the hosts file was incorrect. I fixed it (I have 3 servers, and I used a healthy server for reference with the right IP), but I still receive errors.

    HTML:
     server.tallerdelaamistad.org: 192.168.0.8
    Ignore DNS check and continue to request certificate? (y,n) [n]: y
    
    Using apache for certificate validation
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Cert not yet due for renewal
    Keeping the existing certificate
    Issuing certificate seems to have succeeded but /etc/letsencrypt/live/server.tallerdelaamistad.org/cert.pem seems to be missing. Falling back to self-signed.
    genrsa: Can't open "/usr/local/ispconfig/interface/ssl/ispserver.key" for writing, No such file or directory
    Can't open /usr/local/ispconfig/interface/ssl/ispserver.key for reading, No such file or directory
    140522793349568:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:72:fopen('/usr/local/ispconfig/interface/ssl/ispserver.key','r')
    140522793349568:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:79:
    unable to load Private Key
    Can't open /usr/local/ispconfig/interface/ssl/ispserver.key for reading, No such file or directory
    140310734647744:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:72:fopen('/usr/local/ispconfig/interface/ssl/ispserver.key','r')
    140310734647744:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:79:
    unable to load Private Key
    Can't open /usr/local/ispconfig/interface/ssl/ispserver.key for reading, No such file or directory
    140120376701376:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:72:fopen('/usr/local/ispconfig/interface/ssl/ispserver.key','r')
    140120376701376:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:79:
    unable to load Private Key
    PHP Warning:  rename(/usr/local/ispconfig/interface/ssl/ispserver.key.insecure,/usr/local/ispconfig/interface/ssl/ispserver.key): No such file or directory in /tmp/update_runner.sh.Y20Cz9Yx0O/install/lib/installer_base.lib.php on line 3152
    Reconfigure Crontab? (yes,no) [yes]: no
    
    Restarting services ...
    
     
  17. willoriker

    willoriker Member

    Some files from the cert seem to be missing. Can I delete/restore/reset/remove this certificate to start over?
     
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    Use:

    Code:
    certbot delete --cert-name server.tallerdelaamistad.org
     
  19. willoriker

    willoriker Member

    Did it, but
    HTML:
    [email protected]:/etc/letsencrypt/live# certbot delete --cert-name server.tallerdelaamistad.org
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    No certificate found with name server.tallerdelaamistad.org (expected /etc/letsencrypt/renewal/server.tallerdelaamistad.org.conf).
     
  20. willoriker

    willoriker Member

    What happens if I delete
    /usr/local/ispconfig/interface/ssl/ispserver.*?
     
