ssl cert not working

Discussion in 'ISPConfig 3 Priority Support' started by Tom John, Jan 10, 2021.

  1. Tom John

    Tom John Member HowtoForge Supporter

    Hi guys,
    i use ubuntu 20.04 and ISPConfig 3.2
    i used the ISPConfig migration tool to migrate all accounts to another server as a backup.
    Can it be possible, that the SSL certificates not renovate automatic after the migration?
    I have a domain and in ISPConfig i can see the SSL certificate is working.
    Under domain SSL and letsencript the box is checked and under SSL i can see the certificate, so i wonder why it does not work.
    How i can check if the certificate is working for that domain?
    thanks a lot for your kind help.
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Yes, this is true. The easy fix is to disable LE manually and re-enable it when the cert expires within 30 days. The renewal only works on the server that your DNS record points to.

    When there is also a cert shown in the SSL tab, this can conflict with the SSL cert. Disable LE, go to the SSL tab, select "Delete certificate" as SSL action and then save. When this is done, re-enable LE.
     
    ahrasis likes this.
  3. Tom John

    Tom John Member HowtoForge Supporter

    thanks a lot it is working.
    may i ask another question, i have SSL cert on the domain and it works well but on the email when i want to send i get a not secure warning, the domain and the server have a valid ssl certificate.
    do you have any idea where i can look to make email work without a secure warning?
    thanks a lot for your help
     
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    For email, you check what certificates you have in use (postfix and dovecot), ensure those are correct, then have the client use a hostname that is in the certificate.
    Code:
    # postconf smtpd_tls_cert_file smtpd_tls_key_file
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    
    # grep -E '^ssl_(cert|key)' /etc/dovecot/dovecot.conf                                                                                     
    ssl_cert = </etc/postfix/smtpd.cert
    ssl_key = </etc/postfix/smtpd.key
    
    # ls -l /etc/postfix/smtpd.{cert,key}
    lrwxrwxrwx 1 root root 48 Sep 22 14:59 /etc/postfix/smtpd.cert -> /usr/local/ispconfig/interface/ssl/ispserver.crt
    lrwxrwxrwx 1 root root 48 Sep 22 14:59 /etc/postfix/smtpd.key -> /usr/local/ispconfig/interface/ssl/ispserver.key
    
    # ls -l /usr/local/ispconfig/interface/ssl/ispserver.{crt,key}
    lrwxrwxrwx 1 root root 49 Jan  5 08:20 /usr/local/ispconfig/interface/ssl/ispserver.crt -> /root/.acme.sh/server.hostname.fqdn/fullchain.cer
    lrwxrwxrwx 1 root root 52 Jan  5 08:19 /usr/local/ispconfig/interface/ssl/ispserver.key -> /root/.acme.sh/server.hostname.fqdn/server.hostname.fqdn.key
    
    In my example, using the server's name "server.hostname.fqdn" should work without error, whereas using "mail.clientdomain.tld" would give a certificate error.
     

Share This Page