SSL Problems after install

Discussion in 'Installation/Configuration' started by Jaym, Sep 27, 2020.

  1. Jaym

    Jaym New Member

    Hello,
    I followed the directions located at: https://www.howtoforge.com/tutorial...l-pureftpd-bind-postfix-doveot-and-ispconfig/

    Everything seems to work except when I send email. In Thunderbird I get the error "The certificate is not trusted because it is self-signed." I try in webmail and I get SMTP ERROR (250): Authentication Failed.

    I am seeing a lot of these messages in /var/log/mail.log: Sep 27 18:28:28 localhost postfix/submission/smtpd[7656]: warning: TLS library problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1543:SSL alert number 42:

    I cannot seem to figure it out. Can someone please give me some advice?

    I should note that this is on Ubuntu 20.04 LTS

    Thank you in advance.
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Which hostname are you using? Are you sure it's correct? And that you use the correct credentials?
     
  3. Jaym

    Jaym New Member

    I used srv1.jayhosts.ca whenever asked during the install process.
    When I type hostname -f it outputs srv1.hostname.ca
     
  4. Jaym

    Jaym New Member

    I have done a complete re-install and I am still getting similar issues.

    I am still using srv1.jayhosts.ca as the hostname. I have added 1 client, 1 website and 1 email address.

    This is the output of the last bunch of lines from letsencrypt.log
    Code:
    Domain: attackofthegamer.com
    Type:   dns
    Detail: During secondary validation: DNS problem: query timed out looking up A for attackofthegamer.com
    
    Domain: www.attackofthegamer.com
    Type:   dns
    Detail: During secondary validation: DNS problem: query timed out looking up CAA for attackofthegamer.com
    2020-09-28 01:05:44,192:DEBUG:certbot.error_handler:Encountered exception:
    Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
        self._poll_authorizations(authzrs, max_retries, best_effort)
      File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
        raise errors.AuthorizationError('Some challenges have failed.')
    certbot.errors.AuthorizationError: Some challenges have failed.
    
    2020-09-28 01:05:44,193:DEBUG:certbot.error_handler:Calling registered functions
    2020-09-28 01:05:44,193:INFO:certbot.auth_handler:Cleaning up challenges
    2020-09-28 01:05:44,193:DEBUG:certbot.plugins.webroot:Removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/TTJIrTO32ZWnWDp1FoGizkHwhgZQv5Ki8UjmIxpzyHw
    2020-09-28 01:05:44,193:DEBUG:certbot.plugins.webroot:Removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/0LD4azOEa3GllQKRmKARmt6gtZ4tN4yEYiIK0nmga0g
    2020-09-28 01:05:44,193:DEBUG:certbot.plugins.webroot:All challenges cleaned up
    2020-09-28 01:05:44,193:DEBUG:certbot.log:Exiting abnormally:
    Traceback (most recent call last):
      File "/bin/letsencrypt", line 11, in <module>
        load_entry_point('certbot==0.40.0', 'console_scripts', 'certbot')()
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 1382, in main
        return config.func(config, plugins)
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 1265, in certonly
        lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
        lineage = le_client.obtain_and_enroll_certificate(domains, certname)
      File "/usr/lib/python3/dist-packages/certbot/client.py", line 417, in obtain_and_enroll_certificate
        cert, chain, key, _ = self.obtain_certificate(domains)
      File "/usr/lib/python3/dist-packages/certbot/client.py", line 348, in obtain_certificate
        orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
      File "/usr/lib/python3/dist-packages/certbot/client.py", line 396, in _get_order_and_authorizations
        authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
      File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
        self._poll_authorizations(authzrs, max_retries, best_effort)
      File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
        raise errors.AuthorizationError('Some challenges have failed.')
    certbot.errors.AuthorizationError: Some challenges have failed.
    2020-09-28 01:05:44,669:DEBUG:certbot.main:certbot version: 0.40.0
    2020-09-28 01:05:44,670:DEBUG:certbot.main:Arguments: ['--domains', 'attackofthegamer.com', '--domains', 'www.attackofthegamer.com']
    2020-09-28 01:05:44,670:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2020-09-28 01:05:44,680:DEBUG:certbot.log:Root logging level set at 20
    2020-09-28 01:05:44,680:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    
     
    Last edited: Sep 28, 2020
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Seems as if the DNS server that is authoritative for this domain is not working and therefore Let's Encrypt failed to issue the SSL cert. So you don't have a problem with your server setup or ISPConfig; the actual problem is the DNS setup of that domain.
     
  6. Jaym

    Jaym New Member

    I am not hosting my own DNS. I am using my hosting provider (linode) to manage my DNS. Is this a problem?
    I have re-installed everything multiple times. I finally changed distributions and moved to Debian. It's been a couple of years since I have installed / used ISPConfig. This has me baffled. I've followed the perfect server guides for both Ubuntu (when installing on Ubuntu) and now Debian.

    Is there a way to make this work using my setup or should I investigate a new avenue of doing what I want?
     
  7. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    No, but the information in name service must be correct.
    That one error at least seems to be fixed now:
    Code:
    $ dig attackofthegamer.com -t A
    
    ; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> attackofthegamer.com -t A
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62105
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 11
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;attackofthegamer.com.        IN    A
    
    ;; ANSWER SECTION:
    attackofthegamer.com.    86292    IN    A    172.105.4.208
    . . .
    
     
  8. Jaym

    Jaym New Member

    Is the problem I am experiencing the untrusted issuer listed below? How do I fix this?

    Is it worth noting that I am not having problems when I go to the https version of any of my URLs? I don't get any errors, and when I click the lock beside the URL it says the certificate is valid and issued by Let's Encrypt Authority X3.

    Code:
    [email protected]:/var/log# posttls-finger mail.attackofthegamer.com
    posttls-finger: Connected to mail.attackofthegamer.com[172.105.4.208]:25
    posttls-finger: < 220 srv1.jayhosts.ca ESMTP Postfix (Debian/GNU)
    posttls-finger: > EHLO srv1.jayhosts.ca
    posttls-finger: < 250-srv1.jayhosts.ca
    posttls-finger: < 250-PIPELINING
    posttls-finger: < 250-SIZE 10240000
    posttls-finger: < 250-VRFY
    posttls-finger: < 250-ETRN
    posttls-finger: < 250-STARTTLS
    posttls-finger: < 250-AUTH PLAIN LOGIN
    posttls-finger: < 250-AUTH=PLAIN LOGIN
    posttls-finger: < 250-ENHANCEDSTATUSCODES
    posttls-finger: < 250-8BITMIME
    posttls-finger: < 250-DSN
    posttls-finger: < 250-SMTPUTF8
    posttls-finger: < 250 CHUNKING
    posttls-finger: > STARTTLS
    posttls-finger: < 220 2.0.0 Ready to start TLS
    posttls-finger: mail.attackofthegamer.com[172.105.4.208]:25: subjectAltName: srv1.jayhosts.ca
    posttls-finger: mail.attackofthegamer.com[172.105.4.208]:25 CommonName srv1.jayhosts.ca
    posttls-finger: certificate verification failed for mail.attackofthegamer.com[172.105.4.208]:25: untrusted issuer /O=Digital Signature Trust Co./CN=DST Root CA X3
    posttls-finger: mail.attackofthegamer.com[172.105.4.208]:25: subject_CN=srv1.jayhosts.ca, issuer_CN=Let's Encrypt Authority X3, fingerprint=03:85:98:38:15:BC:4C:38:63:D6:A4:5B:83:5C:BF:20:F3:A3:79:77, pkey_fingerprint=55:F1:5F:28:78:4B:0B:F6:70:AD:82:17:09:86:E4:7A:09:2E:F4:20
    posttls-finger: Untrusted TLS connection established to mail.attackofthegamer.com[172.105.4.208]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
    posttls-finger: > EHLO srv1.jayhosts.ca
    posttls-finger: < 250-srv1.jayhosts.ca
    posttls-finger: < 250-PIPELINING
    posttls-finger: < 250-SIZE 10240000
    posttls-finger: < 250-VRFY
    posttls-finger: < 250-ETRN
    posttls-finger: < 250-AUTH PLAIN LOGIN
    posttls-finger: < 250-AUTH=PLAIN LOGIN
    posttls-finger: < 250-ENHANCEDSTATUSCODES
    posttls-finger: < 250-8BITMIME
    posttls-finger: < 250-DSN
    posttls-finger: < 250-SMTPUTF8
    posttls-finger: < 250 CHUNKING
    posttls-finger: > QUIT
    posttls-finger: < 221 2.0.0 Bye
    
    I really appreciate the answers so far. Thank you very much.
     
  9. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    You cannot test the certificate Postfix and Dovecot use by clicking the address bar in the browser. The browser shows the certificate the website uses, which is not necessarily the same one Postfix and Dovecot use.
    My signature has links to DNS setup; it includes instructions on how to test that name service is working properly. The signature also has a link to e-mail setup, which shows how to test that e-mail is set up properly.
    Tutorial by @ahrasis shows how to setup certificates for applications.
     
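The check Taleman describes, written out as an added example that is not part of the thread and not ISPConfig's or Postfix's own code: a Python script that fetches the leaf certificate the browser sees on 443 and the ones a mail client sees on 587 (after SMTP STARTTLS) and 993 (implicit TLS), prints each fingerprint and its DNS subjectAltNames, and reports whether each certificate is valid for the name the client was configured with. The posttls-finger output above already contains the relevant detail: the certificate's only SAN is srv1.jayhosts.ca, while the client connected to mail.attackofthegamer.com, and any client that checks names will reject that combination regardless of who issued the certificate. The hostnames are taken from the thread, the SAMPLE dict is constructed from that posttls-finger output (its chain_trusted value is an assumption, since posttls-finger was run without a CA bundle), and the live probe assumes the system CA store trusts Let's Encrypt.

```python
"""Added example (not from the thread): compare the certificate the browser
sees with the ones the mail client sees, and check each against the name
the client actually uses."""
import hashlib
import smtplib
import socket
import ssl
import sys
from typing import Dict, List, Optional

# Names taken from the thread: the certificate names srv1.jayhosts.ca,
# while the mail client was pointed at mail.attackofthegamer.com.
SERVER_NAME = "srv1.jayhosts.ca"
CLIENT_NAME = "mail.attackofthegamer.com"

# Constructed from the posttls-finger output in the thread so the offline
# part of the script has input. chain_trusted=True is an assumption.
SAMPLE = {
    "smtp:25": {
        "chain_trusted": True,
        "issuer": "Let's Encrypt Authority X3",
        "sans": ["srv1.jayhosts.ca"],
        "fingerprint": "03:85:98:38:15:BC:4C:38:63:D6:A4:5B:83:5C:BF:20:F3:A3:79:77",
    },
}


def fingerprint(der: bytes) -> str:
    """SHA-1 of the DER certificate, colon-separated like posttls-finger prints it."""
    hexdigest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def san_matches(sans: List[str], hostname: str) -> bool:
    """True if hostname is covered by a DNS SAN: exact match or a one-label wildcard."""
    host = hostname.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in sans):
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def _peer_info(sock: ssl.SSLSocket) -> Dict[str, object]:
    cert = sock.getpeercert()  # dict form is empty unless the chain was verified
    issuer_rdn = dict(pair[0] for pair in cert.get("issuer", ()))
    return {
        "fingerprint": fingerprint(sock.getpeercert(binary_form=True)),
        "sans": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "issuer": issuer_rdn.get("commonName"),
    }


def fetch_cert(host: str, port: int, starttls: Optional[str] = None) -> Dict[str, object]:
    """Negotiate TLS with host:port (directly, or after SMTP STARTTLS) and return
    fingerprint, DNS SANs and whether the chain verified against the system CA
    store. Retries unverified so the fingerprint is still shown for an untrusted chain."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # name matching is done explicitly by san_matches()
    for verify in (True, False):
        ctx.verify_mode = ssl.CERT_REQUIRED if verify else ssl.CERT_NONE
        try:
            if starttls == "smtp":
                smtp = smtplib.SMTP(host, port, timeout=10)
                try:
                    smtp.ehlo()
                    smtp.starttls(context=ctx)
                    info = _peer_info(smtp.sock)
                    smtp.quit()
                finally:
                    smtp.close()
            else:
                with socket.create_connection((host, port), timeout=10) as raw:
                    with ctx.wrap_socket(raw, server_hostname=host) as tls:
                        info = _peer_info(tls)
        except ssl.SSLCertVerificationError:
            continue  # chain not trusted: try again without verification
        info["chain_trusted"] = verify
        return info
    raise RuntimeError(f"{host}:{port}: handshake failed even without verification")


def report(client_name: str, results: Dict[str, Dict[str, object]]) -> Dict[str, str]:
    """Per service: 'ok', 'name-mismatch' or 'untrusted-chain' as a client using client_name sees it."""
    verdicts = {}
    for service, info in results.items():
        if not info["chain_trusted"]:
            verdicts[service] = "untrusted-chain"
        elif not san_matches(info["sans"], client_name):
            verdicts[service] = "name-mismatch"
        else:
            verdicts[service] = "ok"
    return verdicts


if __name__ == "__main__":
    if "--live" in sys.argv:  # real probe; needs network access to SERVER_NAME
        services = {"https:443": (443, None), "submission:587": (587, "smtp"), "imaps:993": (993, None)}
        results = {n: fetch_cert(SERVER_NAME, p, s) for n, (p, s) in services.items()}
    else:
        results = SAMPLE
    for service, info in results.items():
        print(service, info["fingerprint"], info["sans"], info["issuer"])
    print("as", CLIENT_NAME, report(CLIENT_NAME, results))
    print("as", SERVER_NAME, report(SERVER_NAME, results))
```

Run it without arguments to evaluate the constructed sample (it reports name-mismatch for mail.attackofthegamer.com and ok for srv1.jayhosts.ca), or with --live against the real server. Two caveats when reading the posttls-finger output: it only reports "Verified" when pointed at a CA bundle with -F CAfile or -P CApath, so "untrusted issuer" on its own does not mean the chain is bad; and whichever fingerprint 587 and 993 return is the one that matters to Thunderbird, which must be configured with a server name that appears in that certificate's SANs.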
