Suddenly get from gmail: Server returned error: "SSL error: Leaf certificate is expired"

Discussion in 'General' started by markelino, Nov 8, 2020.

Tags:
  1. markelino

    markelino Member

    Hey folks,

    Anyone seen this recently "Server returned error: "SSL error: Leaf certificate is expired" (from nov 5th) from gmail, when POPing an email address hosted on ispconfig 3.1.15 apache? (not updated anything on server yet nor ispconfig)

    This was working fine, on 995
    SSL has not expired on host server e.g. ispconfig.server.com nor on server.com which I also checked against ssllabs.com too.

    Appreciate any feedback on this.

    Thanks.
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  3. markelino

    markelino Member

    Thanks Taleman for your reply.

    from browser no issues, and SSL: Expires: Monday, January 4, 2021
    ssllabs says no issues (nothing expired and gives a score of B) and could not check port 995 for ssl, so I tried: https://www.immuniweb.com/ssl/
    and indeed what I see is the following with a score of F:
    Valid ToNovember 5th 2020, 05:15 CET
    Root CADST Root CA X3 > Expires in326 days
    Intermediate CALet's Encrypt Authority X3 > Expires in129 days
    Server certificate Expired 3 days ago

    Guess I need to renew server certificate if I can recall how this was done, but was sure I had set cron upon installing Perfect server and some steps to have it renew SSL on its own.

    Can you explain this to me, why browser, and ssllabs will say not expired and immuniweb check would say expired?

    Thanks
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Dovecot is not using the same certificate as http server.
    The tutorial by @ahrasis explains how to make all services use the same certificate, so when LE renews it all services start using the same certificate. If you have created the symbolic links to all services use the same files, then maybe you have not restarted dovecot so it would read in the renewed certificate files?
    https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/
     
  5. markelino

    markelino Member

    Mate, well tipped :)
    /etc/init.d/dovecot restart
    fixed the issue.

    So wonder what is best to implement now so this does not happen next time for dovecot to know when cert renewed since cert does auto-renew? Some cron for dovecot maybe or other way suggested?
     
  6. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    If you followed https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/, you created a renewal script. Make sure that the restart of dovecot and postfix is included in that script.
     
  7. markelino

    markelino Member

    Interesting, that I do not see a
    /etc/init.d/le_ispc_pem.sh
    nor the alt option file: /etc/ssl/le4ispc.sh
    so wondering if there was another option to renew ssl since it did auto renew so to find where to add the dovecot restart option,
    but baffled how it renewed when there is no cron AFAIK for SSL to renew
    Code:
    # crontab -l  (as root)
    * * * * * /usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done
    * * * * * /usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done
    and /var/spool/cron/crontabs only has besides root only getmail
     
  8. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Can you share your incrontab?
    Code:
    incrontab -e
     
  9. markelino

    markelino Member

    found this though:

    Code:
    grep -r certbot /etc/cron*
    /etc/cron.d/certbot:# /etc/cron.d/certbot: crontab entries for the certbot package
    /etc/cron.d/certbot:0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
    and for incrontab -e
    Command 'incrontab' not found
     
  10. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Then you have not followed the before mentioned tutorial (completely). Can you share your dovecot config?
     
  11. markelino

    markelino Member

    I am sure either this was an OVA image, or Perfect server

    I see this too if it helps:

    Code:
    # pwd
    /etc/dovecot/private
    # ls -lqa
    lrwxrwxrwx 1 root root   38 Apr 26  2018 dovecot.key -> /etc/ssl/private/ssl-cert-snakeoil.key
    lrwxrwxrwx 1 root root   36 Apr 26  2018 dovecot.pem -> /etc/ssl/certs/ssl-cert-snakeoil.pem
    and for /etc/dovecot/dovevot.conf

    Code:
    :/etc/dovecot# cat dovecot.conf
    listen = *,[::]
    protocols = imap pop3
    auth_mechanisms = plain login
    disable_plaintext_auth = no
    log_timestamp = "%Y-%m-%d %H:%M:%S "
    mail_privileged_group = vmail
    postmaster_address = [email protected]
    ssl_cert = </etc/postfix/smtpd.cert
    ssl_key = </etc/postfix/smtpd.key
    ssl_protocols =  !SSLv3
    mail_max_userip_connections = 100
    passdb {
      args = /etc/dovecot/dovecot-sql.conf
      driver = sql
    }
    userdb {
      driver = prefetch
    }
    userdb {
      args = /etc/dovecot/dovecot-sql.conf
      driver = sql
    }
    plugin {
      quota = dict:user::file:/var/vmail/%d/%n/.quotausage
      sieve=/var/vmail/%d/%n/.sieve
      sieve_max_redirects = 25
    }
    service auth {
      unix_listener /var/spool/postfix/private/auth {
        group = postfix
        mode = 0660
        user = postfix
      }
      unix_listener auth-userdb {
        group = vmail
        mode = 0600
        user = vmail
      }
      user = root
    }
    service lmtp {
      unix_listener /var/spool/postfix/private/dovecot-lmtp {
       group = postfix
       mode = 0600
       user = postfix
      }
    }
    service imap-login {
      client_limit = 1000
      process_limit = 512
    }
    protocol imap {
      mail_plugins = quota imap_quota
    }
    protocol pop3 {
      pop3_uidl_format = %08Xu%08Xv
      mail_plugins = quota
    }
    protocol lda {
    postmaster_address = [email protected]
      mail_plugins = sieve quota
    }
    protocol lmtp {
    postmaster_address = [email protected]
      mail_plugins = quota sieve
    }
    
    mail_plugins = $mail_plugins quota
    
    #2.3+ service stats {
    #2.3+     unix_listener stats-reader {
    #2.3+         user = vmail
    #2.3+         group = vmail
    #2.3+         mode = 0660
    #2.3+     }
    #2.3+
    #2.3+     unix_listener stats-writer {
    #2.3+         user = vmail
    #2.3+         group = vmail
    #2.3+         mode = 0660
    #2.3+     }
    #2.3+ }
    Wish I could tip you with some gold ;)
     
  12. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Can you recall how you set this up? There are different approaches but the one I earlier mentioned is the most common one. Because the certificate is replaced and the only thing remaining is to restart dovecot, there must be a script that handles this.
     
  13. markelino

    markelino Member

    Pretty sure the guide was and not an OVA on this one:
    https://www.howtoforge.com/tutorial...l-pureftpd-bind-postfix-doveot-and-ispconfig/

    and I recall I had to create an exact website for the server host so to issue an LE for it and then map/symlink various files to it so to secure my https://s1.ispconfig.com:8080 server.

    Found this too for that website if it provide some insight.

    Code:
    [email protected]:/etc/letsencrypt/renewal# cat s1.edited.com.conf
    # renew_before_expiry = 30 days
    version = 0.23.0
    archive_dir = /etc/letsencrypt/archive/s1.edited.com
    cert = /etc/letsencrypt/live/s1.edited.com/cert.pem
    privkey = /etc/letsencrypt/live/s1.edited.com/privkey.pem
    chain = /etc/letsencrypt/live/s1.edited.com/chain.pem
    fullchain = /etc/letsencrypt/live/s1.edited.com/fullchain.pem
    
    # Options used in the renewal process
    [renewalparams]
    account = ***********8b3***
    rsa_key_size = 4096
    server = https://acme-v02.api.letsencrypt.org/directory
    authenticator = webroot
    installer = None
    post_hook = echo '1' > /usr/local/ispconfig/server/le.restart
    [[webroot_map]]
    s1.edited.com = /usr/local/ispconfig/interface/acme
    [email protected]:/etc/letsencrypt/renewal# 
    Thank you sir for your help on this.
     
  14. markelino

    markelino Member

    Seems this does the renewal, right?
    if so, I guess it wont be right to add a restart of dovecot here, so it would need to belong elsewhere.

    Code:
    [email protected]:/etc/cron.d# cat certbot
    # /etc/cron.d/certbot: crontab entries for the certbot package
    #
    # Upstream recommends attempting renewal twice a day
    #
    # Eventually, this will be an opportunity to validate certificates
    # haven't been revoked, etc.  Renewal will only occur if expiration
    # is within 30 days.
    SHELL=/bin/sh
    PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
    
    0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
     
  15. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    That cron entry runs twice daily, and once in 60 days it renews the certificate. So you would restart dovecot twice daily just for fun.
    Why not do it like the tutorial by @ahrasis tells you to do? Link to that has been given to you in messages #4 and #6.
     
  16. markelino

    markelino Member

    Maybe back then this tutorial was not the one to follow. Obviously I followed one (maybe the one from the manual, or somewhere else published on here) to get the renewal of SSL since it works. Surely I did not do it on my own. And its obsurd why this was set to run twice a day, when especially not needed for checking SSL renewal.

    So what you recommend, is now move from this method with this cron and follow @ahrasis way? or simply implement @ahrasis method as is?

    Is this planned to be part of core for a future version of ISPc maybe - as i think it maybe a good idea?
     
  17. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Let's Encrypt project recommends running the check twice daily. It checks if any certificates are due for renewal, and if not nothing is done.
    If you do not understand how your system is set up, I suggest following the instructions in that very good tutorial. Then you have a known setup.
    I have not any ISPConfig 3.2 hosts running, but remember reading there Let's Encrypt setup is different. So it may be better?
     
  18. ahrasis

    ahrasis Well-Known Member

    So far that I know this is already part of 3.2 stable release but a little bit different method i.e. using hook method, instead of the old incron method.

    Notably, the old way(s) is still useful though, but restart of postfix and docexot is not actually done by the "cron job" but by the "incron job" which is supposedly run via the created script on the renewal of the server LE SSL certs.

    The cron job mentioned by @Taleman is for all LE SSL certs, which is inclusive for the server website, if any was set, and is done by ISPConfig but you have to do nothing for it as it is automatic for all ISPConfig server.

    I did read and follow this thread and intend to help however I cannot focus as I have some recently arising real life problems to solve with regards of my children with different abilities care centre, so I hope the above explanation with enlighten you a bit about the way it works.

    Do note to remove previously followed tutorial in securing your ISPConfig server(s) before updating to 3.2, if you choose to do so, since they may be conflicting with the one with ISPConfig 3.2.
     

Share This Page