Apache2 mod_md / sendmail

My domain is: https://majiksunshine.com

I ran this command: N/A

It produced this output: N/A

My web server is (include version): apache2 v2.4.46

The operating system my web server runs on is (include version): Linux server 2.6.32-042stabl28.2

My hosting provider, if applicable, is: A2 Hosting unmanaged VPS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): No Certbot installed

In: sendmail.mc
define(`confCACERT_PATH', `<path?>')dnl
define(`confCACERT', `<file?>')dnl

I have no /etc/letsencrypt/ directory since I have not installed Certbot.
I can find no chain.pem file anywhere in the (in my case) /usr/local/apache2/md directory.

Is there a solution ?

Hello @riorick17
Welcome to the community forum.

If you did not install certbot, which client did you use to obtain your certificate?
How did you obtain your certificate?

Your webserver knows where the certificates are because they work. hint

https://crt.sh/?q=majiksunshine.com

I can see a certificate for majiksunshine.com and www.majiksunshine.com
But not for mail.majiksunshine.com... although the host is configured. (without a cert to match)

It would be helpful to know these answers before helping you find a cert that won't work for (Guessing is not a good thing) your intended purpose.

I hope my reply isn't confusing... maybe it's just me that is confused. :thinking:

I bet @riorick17 is using mod_md for that :wink: See the thread title :grin:

Although, I'm beginning to doubt that now: the certificate with the mail subdomain isn't used by Apache at all! Instead, it uses a certificate with just the apex domain and www subdomain.

So I'm interested to know if the cert with the mail subdomain is actually generated by mod_md if Apache isn't even using it?

Hmm, it seems you can easily add hostnames to a certificate with mod_md using the MDomains directive. (Or MDomainSet.)

Yeah I noticed that.

So apparently the mail vhost was either configured after mod_md was set up or it was left out of the configuration altogether? (am I getting closer?)

I'm not sure if /usr/local/apache2/ is the correct directory to search for the md directory. If I read the documentation correctly, the default for the MDStoreDir directive is indeed md, but the text says it's absolute or relative to the server root. When I look at my own Apache (without mod_md, but not relevant in this case), I see that my ServerRoot is /usr/lib64/apache/:

server ~ # apache2ctl -S | grep -i serverroot
ServerRoot: "/usr/lib64/apache2"
server ~ # 

So maybe you can check where your ServerRoot is with the above command and check for the existence of the md directory and hopefully the certificate(s)?


I do not use a "client", mod_md is an Apache2 server module that handles the certs for me.
You do ask a good question though, since 'mail.majiksunshine.com' is listed as a ServerAlias in the VirtualHost setup for the site right next to 'www.majiksunshine.com' and the MDomain directive is still in its default state of "auto" (scratches head).
And, in looking at the documentation I've come across:
md/domains/your_domain.com
+- pubcert.pem # the certificate, plus the 'chain', e.g. all intermediate ones
...so does "pubcert.pem" double as both the server cert and CA cert ( chain) files ?


Well, actually, mod_md is the ACME client. Or at least it contains one. mod_md is obviously more than just an ACME client, but it does have one integrated and therefore you could say mod_md is also your ACME client.


I probably could but then I might get comments like this (from another post):
O CACertPath=/etc/letsencrypt/live/example.com
O CACertFile=/etc/letsencrypt/live/example.com/chain.pem
O ServerCertFile=/etc/letsencrypt/live/example.com/cert.pem
O ServerKeyFile=/etc/letsencrypt/live/example.com/privatekey.pem
...and I would be confused because I do not have anything in those directories.

And since I have no "chain.pem" I don't know how to modify it to my needs... unless:

  • CACertPath=${APACHE_RUN_DIR}/md/domains/majiksunshine.com
  • CACertFile=${APACHE_RUN_DIR}/md/domains/majiksunshine.com/cert.pem
  • ServerCertFile=${APACHE_RUN_DIR}/md/domains/majiksunshine.com/cert.pem
  • ServerKeyFile=${APACHE_RUN_DIR}/md/domains/majiksunshine.com/privatekey.pem
    ...works.

I don't know if it actually works, but at least sendmail is not complaining about the missing definition.

What's the contents of your {APACHE_RUN_DIR}/md/domains/majiksunshine.com dir?

Hm, seems to be documented on the mod_md README.md on Github:

job.json
md.json
privkey.pem
pubcert.pem

From the above documentation:

+- pubcert.pem # the certificate, plus the 'chain', e.g. all intermediate ones

And reading better in retrospect you already found and pasted that one :blush: I didn't realise where that piece of your post was coming from, my apologies!

Sooo, it all comes down to sendmail I guess: does sendmail require a separate file for the intermediate? Or does it accept, like most TLS implementations nowadays do, the concatenated cert.pem?

Sometimes trial & error is also a good method :wink: If I were you, I would try it first with just ServerCertFile and ServerKeyFile and check with openssl s_client -connect mail.majiksunshine.com:25 -starttls smtp if the chain is correct.

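As an added example (not code from the thread, mod_md or sendmail): a small script that splits mod_md's pubcert.pem into the separate leaf and chain files that sendmail's ServerCertFile / CACertFile settings refer to, and prints the matching sendmail.mc defines. It assumes the layout the mod_md README documents (server cert first, then the intermediates) and the sendmail.mc macro names confSERVER_CERT and confSERVER_KEY for ServerCertFile and ServerKeyFile; the sample bundle is constructed, not a real certificate.

```python
"""Split a mod_md pubcert.pem (server cert, then its chain) into the
cert.pem / chain.pem pair a sendmail config may want.  Added example,
not mod_md or sendmail code."""
import re
from pathlib import Path

# One PEM certificate block; DOTALL lets '.' span the base64 lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed stand-in for pubcert.pem: leaf first, then one intermediate
# (the bodies are placeholders, not real certificates).
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIBleafCONSTRUCTEDleaf\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIBintermediateCONSTRUCTED\n"
    "-----END CERTIFICATE-----\n"
)

def split_bundle(pem_text):
    """Return (cert_pem, chain_pem): the first block in file order is the
    server cert (mod_md writes the leaf first), the rest are the chain."""
    certs = [m.group(0) for m in PEM_RE.finditer(pem_text)]
    if not certs:
        raise ValueError("no PEM certificates found in bundle")
    return certs[0] + "\n", "".join(c + "\n" for c in certs[1:])

def split_md_store(domain_dir):
    """Write cert.pem and chain.pem next to <domain_dir>/pubcert.pem
    without touching mod_md's own files; returns the chain length."""
    domain_dir = Path(domain_dir)
    cert, chain = split_bundle((domain_dir / "pubcert.pem").read_text())
    (domain_dir / "cert.pem").write_text(cert)
    (domain_dir / "chain.pem").write_text(chain)
    return chain.count("-----BEGIN CERTIFICATE-----")

def sendmail_mc_lines(domain_dir):
    """sendmail.mc defines for the four settings quoted in the thread,
    pointing at the split files and mod_md's privkey.pem."""
    d = str(domain_dir).rstrip("/")
    return [
        f"define(`confCACERT_PATH', `{d}')dnl",
        f"define(`confCACERT', `{d}/chain.pem')dnl",
        f"define(`confSERVER_CERT', `{d}/cert.pem')dnl",
        f"define(`confSERVER_KEY', `{d}/privkey.pem')dnl",
    ]
```

Run split_md_store on the real store directory (for example /usr/local/apache2/md/domains/majiksunshine.com); the split copies go stale whenever mod_md renews, so rerun it after each renewal, and confirm the result with the openssl s_client -starttls smtp check above.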

From what I am learning:

The verification works via OpenSSL library without Sendmail's help

man s_server

Irrelevant content removed by Rip

So -CAfile is used for client authentication. Nothing we need here.
