Self Signed Cert problem

Discussion in 'Installation/Configuration' started by Bradley Hamilton, Nov 10, 2016.

  1. Bradley Hamilton

    Bradley Hamilton New Member HowtoForge Supporter

    I love ispconfig so far and most things I have had problems with are problems I created. For instance.
    In my apache error.log I get this:

    [ssl:warn] [pid 9721] AH01906: mail.linuxnuts.com:6969:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Thu Nov 10 05:21:14.566338 2016] [ssl:warn] [pid 9721] AH01909: mail.linuxnuts.com:6969:0 server certificate does NOT include an ID which matches the server name
    [Thu Nov 10 05:21:14.566428 2016] [ssl:error] [pid 9721] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=Bradley Hamilton,OU=IS,O=Linux Nuts,ST=CA,C=US / issuer: CN=Bradley Hamilton,OU=IS,O=Linux Nuts,ST=CA,C=US / serial: 92890BD0F712179A / notbefore: Nov 9 10:59:43 2016 GMT / notafter: Nov 7 10:59:43 2026 GMT]
    [Thu Nov 10 05:21:14.566434 2016] [ssl:error] [pid 9721] AH02604: Unable to configure certificate mail.linuxnuts.com:6969:0 for stapling

    And it is a result of blowing through this section of the install script:

    Configure Mail (y,n) [y]: <-- Hit Enter Configuring Postgrey Configuring Postfix Generating a 4096 bit RSA private key ........................................................................++ ....................++ writing new private key to 'smtpd.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]: <-- Enter 2 letter country code State or Province Name (full name) [Some-State]: <-- Enter the name of the state Locality Name (eg, city) []: <-- Enter your city Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter company name or press enter Organizational Unit Name (eg, section) []: <-- Hit Enter Common Name (e.g. server FQDN or YOUR name) []: <-- Enter the server hostname, in my case: server2.example.com Email Address []:

    What will blow up in my face if I rerun creation of a self signed cert? Is there a snippet of code in the install.php I can run to create and recopy the cert to the email configuration?
     
  2. sjau

    sjau Local Meanie Moderator

    if you use ISPConfig 3.1, you can get real SSL certs for free by checking a checkbox.
     
  3. Bradley Hamilton

    Bradley Hamilton New Member HowtoForge Supporter

    Doesn't work for postfix. Never been supported never will be according to the developers. Web sites are throwing this as I have reached my limit for the week at lets encrypt so I don't have them yet. This error is from postfix. I have roundcube installed.
     
    Last edited: Nov 10, 2016
  4. Jesse Norell

    Jesse Norell Active Member

    If you are using a self-signed certificate for the ISPConfig control panel interface now, you'll have no problem re-generating it by answering yes to that question during install/update. All it will do is generate a new certificate/key; your browser will then prompt you for a warning about that, you accept it (just like you did the old one), and are on your way.

    However, unless my memory is off (certainly possible), I don't think there is any certificate creation or configuration for postfix as part of the ISPConfig installation. You can manually point postfix to the control panel certificates, or symlink the one to the other (see https://www.howtoforge.com/securing...ss1-ssl-certificate-from-startssl-p2#-postfix), but nothing is done out of the box. If you do have postfix pointing to the control panel certificates, then regenerating them will affect postfix as well, of course, and with about the same effects as the control panel, ie. mail clients might now warn about your new certificate, which you will need to accept.

    Once your letsencrypt certificate request limits allow: https://www.howtoforge.com/community/threads/letsencrypt-on-mail-server.73695/
     
  5. sjau

    sjau Local Meanie Moderator

    or you could use Let's Encrypt (official client or other) to get a SAN cert (containing your ISPC hostname and vanity smtp/pop/imap server hostnames) and use that. I do that using acme.sh.
     
  6. Bradley Hamilton

    Bradley Hamilton New Member HowtoForge Supporter

    That's exactly what I was trying to do over there with the let's encrypt guys to no avail. Can you elaborate?
    Brad
     
  7. Bradley Hamilton

    Bradley Hamilton New Member HowtoForge Supporter

    Brilliant Link Exactly what I needed. Thank you very much. Can I ping you with a question or two when I get to doing this? After a week of dealing with virtualmin and let's encrypt folks I am up and mailing from all domains and migrated most of my sites to the new vps. I need to go jump in the ocean and get some sun!
     
  8. sjau

    sjau Local Meanie Moderator

  9. Bradley Hamilton

    Bradley Hamilton New Member HowtoForge Supporter

    Love your repo builder .........
     
  10. sjau

    sjau Local Meanie Moderator

    Thx :)
     

Share This Page