weird issue certs/postfix/php/jailkit/cron???

Discussion in 'General' started by nhybgtvfr, Feb 28, 2019.

  1. nhybgtvfr

    nhybgtvfr Active Member

    ispconfig 3.1.13 multi-server on ubuntu 18.04
    sorry, this is going to be a long one...

    having a very strange issue with some cron jobs set up in ispconfig, not sure whether the problem is in the configuration of postfix, jailkit, php, or something else, not sure if this is even the right place for the question, but it seems the most likely place to find others using all the software involved.

    basically, i have a multi-server ispconfig setup. a single postfix server for all the mailboxes, outbound mail etc. postfix is configured on the all the webservers as well, but it's blocked from sending anything externally, instead everything is sent to the main postfix server, which acts as a smarthost for the webservers.

    the issue is with sending mail from a jailkit ssh or cron user, running a php script which apparently tries to send mail using phpmailer, and should be using isSMTP to send through the main mailserver, not using a local sendmail (which was removed as per perfect server tutorials)

    everything points to the problem being something to do with TLS or certificate verification. (it's a geotrust wildcard cert. same cert is used on the ispconfig panel, every postfix config, and the vhosts i'm trying to run the crons on.)

    everything seems to be fine with the mailserver config, testing from checktls.com:

    but a posttls-finger to the server fails certificate verification:

    watching the mail logs on the main mailserver, when running the php script, manually as root, it all works fine, the script runs without problems, and the email gets sent ok.

    running the script, as a jailkit ssh user, or as jailkit ispconfig cron, i believe everything in the php script is running fine apart from the email sending.
    i get this in the main mailserver's mail log:

    everything i've seen so far suggests that the jailkit ssh user can't verify the certificate. but i've run update-ca-certificates, and double checked, as the ssh user, it does have access to /etc/ssl/certs/ca-certificates.crt
    and i've checked in that file, the Digicert-Global_Root_CA is in that file.
    the only other suggestion i've seen is to change the phpmailer settings to not verify the peer. but it's all third party code downloaded into the vhost and is ioncube protected, i don't see any way to do that.

    i have no idea where to even start on resolving this issue now. any suggestions, hints, correct answers ;) would be greatly appreciated

    thanks
    lee.
     
  2. Jesse Norell

    Jesse Norell Well-Known Member

    Do you have a php.ini for cli interface inside your jail? Try specifying openssl.cafile in it, pointing to your ca-certificates.crt.
     
  3. nhybgtvfr

    nhybgtvfr Active Member

    Brilliant. thanks Jesse.
    was the openssl.cafile setting, it always ends up being something simple.
    would think, with everything in standard ubuntu locations, with standard ubuntu versions of the software, it'll automatically check/apply default settings like that, :rolleyes: It had me going around in circles for days. :confused:
    the ssh user / cron jobs now send emails fine.
    still get the can't verify issuer certificate from posttls-finger but I've only changed the php.ini file for cli on one php version on one server so far, so I think that'll be fixed when I get all the other php.ini files done.
     
  4. nhybgtvfr

    nhybgtvfr Active Member

    ok, guess I was wrong on the last part. still get untrusted issuer on the certificate with posttls-finger

    posttls-finger: < 220 2.0.0 Ready to start TLS
    posttls-finger: email.scl.co.uk[18.202.128.131]:25: Matched subjectAltName: *.scl.co.uk
    posttls-finger: email.scl.co.uk[18.202.128.131]:25: subjectAltName: scl.co.uk
    posttls-finger: email.scl.co.uk[18.202.128.131]:25 CommonName *.scl.co.uk
    posttls-finger: certificate verification failed for email.scl.co.uk[18.202.128.131]:25: untrusted issuer /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
    posttls-finger: email.scl.co.uk[18.202.128.131]:25: subject_CN=*.scl.co.uk, issuer_CN=RapidSSL RSA CA 2018, fingerprint=A3:9D:ED:EE:01:58:80:A1:B4:B4:EA:E0:75:18:80:F8:58:07:B1:10, pkey_fingerprint=20:3A:F2:D7:E0:96:C6:A8:2C:4F:15:1A:13:C0:EB:C7:AA:05:2B:72
    posttls-finger: Untrusted TLS connection established to email.scl.co.uk[18.202.128.131]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)

    no idea why, the certs are there, the openssl.cafile=/etc/ssl/certs/ca-certificates.crt is set in every php.ini file.
    I've tried smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt and = /var/spool/postfix/etc/ssl/certs/ca-certificates.crt in /etc/postfix/main.cf
    it's not a case of something needing restarting to pick up changes, the server's been rebooted. still get the same response.
     
  5. nhybgtvfr

    nhybgtvfr Active Member

    damn, i'm an idiot, just thought of the obvious: postfix is fine, posttls-finger doesn't know about the root certs file. :oops:
    just looked at the options for it, and there's one (-F) for specifying the path/name of the root certs file. gave it that and everything came out ok:

    posttls-finger -F /etc/ssl/certs/ca-certificates.crt email.scl.co.uk
    posttls-finger: Connected to email.scl.co.uk[18.202.128.131]:25
    posttls-finger: < 220 email.scl.co.uk ESMTP Postfix (Ubuntu)
    posttls-finger: > EHLO smtp.scl.co.uk
    posttls-finger: < 250-email.scl.co.uk
    posttls-finger: < 250-PIPELINING
    posttls-finger: < 250-SIZE
    posttls-finger: < 250-VRFY
    posttls-finger: < 250-ETRN
    posttls-finger: < 250-STARTTLS
    posttls-finger: < 250-AUTH PLAIN LOGIN
    posttls-finger: < 250-AUTH=PLAIN LOGIN
    posttls-finger: < 250-ENHANCEDSTATUSCODES
    posttls-finger: < 250-8BITMIME
    posttls-finger: < 250-DSN
    posttls-finger: < 250 SMTPUTF8
    posttls-finger: > STARTTLS
    posttls-finger: < 220 2.0.0 Ready to start TLS
    posttls-finger: email.scl.co.uk[18.202.128.131]:25: Matched subjectAltName: *.scl.co.uk
    posttls-finger: email.scl.co.uk[18.202.128.131]:25: subjectAltName: scl.co.uk
    posttls-finger: email.scl.co.uk[18.202.128.131]:25 CommonName *.scl.co.uk
    posttls-finger: email.scl.co.uk[18.202.128.131]:25: subject_CN=*.scl.co.uk, issuer_CN=RapidSSL RSA CA 2018, fingerprint=A3:9D:ED:EE:01:58:80:A1:B4:B4:EA:E0:75:18:80:F8:58:07:B1:10, pkey_fingerprint=20:3A:F2:D7:E0:96:C6:A8:2C:4F:15:1A:13:C0:EB:C7:AA:05:2B:72
    posttls-finger: Verified TLS connection established to email.scl.co.uk[18.202.128.131]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
    posttls-finger: > EHLO smtp.scl.co.uk
    posttls-finger: < 250-email.scl.co.uk
    posttls-finger: < 250-PIPELINING
    posttls-finger: < 250-SIZE
    posttls-finger: < 250-VRFY
    posttls-finger: < 250-ETRN
    posttls-finger: < 250-AUTH PLAIN LOGIN
    posttls-finger: < 250-AUTH=PLAIN LOGIN
    posttls-finger: < 250-ENHANCEDSTATUSCODES
    posttls-finger: < 250-8BITMIME
    posttls-finger: < 250-DSN
    posttls-finger: < 250 SMTPUTF8
    posttls-finger: > QUIT
    posttls-finger: < 221 2.0.0 Bye
     
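A small diagnostic to run as the jailkit user, added here as an example and not code from the thread or from PHPMailer: it reports which trust store the CLI SAPI is actually using, then walks the same EHLO/STARTTLS exchange posttls-finger shows above with peer verification on and no explicit cafile, so it fails in the same place PHPMailer's isSMTP() path does when openssl.cafile is unset or the file is not reachable inside the jail. The host name and EHLO name are constructed placeholders.

```php
<?php
// Usage (inside the jail): php smtp_tls_check.php email.example.com 25
$host = $argv[1] ?? 'email.example.com';   // assumption: your smarthost
$port = (int)($argv[2] ?? 25);

// 1. What the CLI php.ini / OpenSSL defaults say the trust store is.
//    Inside a jail the file must exist *inside the jail*, otherwise
//    verification fails even though the host's store is fine.
$loc    = openssl_get_cert_locations();
$cafile = ini_get('openssl.cafile') ?: $loc['default_cert_file'];
printf("openssl.cafile=%s readable=%s\n", $cafile, is_readable($cafile) ? 'yes' : 'NO');

// 2. Plain SMTP up to STARTTLS, mirroring the posttls-finger output.
//    No 'cafile' is passed: like PHPMailer, we rely on openssl.cafile.
$ctx = stream_context_create(['ssl' => [
    'verify_peer'      => true,
    'verify_peer_name' => true,
    'peer_name'        => $host,
]]);
$fp = stream_socket_client("tcp://$host:$port", $errno, $errstr, 10,
                           STREAM_CLIENT_CONNECT, $ctx);
if (!$fp) { fwrite(STDERR, "connect failed: $errstr\n"); exit(1); }

// Send a command (null = just read the greeting) and expect a reply code,
// skipping the "250-..." continuation lines of a multiline reply.
function smtp_cmd($fp, $cmd, $want) {
    if ($cmd !== null) { fwrite($fp, "$cmd\r\n"); }
    do { $line = fgets($fp, 512); } while ($line !== false && ($line[3] ?? ' ') === '-');
    if ($line === false || substr($line, 0, 3) !== $want) {
        fwrite(STDERR, "unexpected reply to " . ($cmd ?? 'greeting') . ": $line");
        exit(1);
    }
}
smtp_cmd($fp, null, '220');
smtp_cmd($fp, 'EHLO jailcheck.example', '250');
smtp_cmd($fp, 'STARTTLS', '220');

// 3. The step that fails with "certificate verify failed" when the CA file
//    is unset or not present inside the jail.
$ok = stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
echo $ok ? "Verified TLS connection established\n" : "TLS verification FAILED\n";
fwrite($fp, "QUIT\r\n");
fclose($fp);
exit($ok ? 0 : 2);
```

If the first line prints readable=NO, fix the jail's CLI php.ini (or copy the CA bundle into the jail) before looking anywhere else; the failure at step 3 is then a consequence, not a postfix problem.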
