Installing Let's Encrypt Certificates on Ubuntu 16.4/Nginx and iRedMail


#1

I am having trouble with the site mailtest.example.com: Ubuntu 16.4 installed fresh, in hosts the hostname is set to mailtest.example.cm, iRedMail installed with nginx, DNS pointed to the IP address, and it kind of works, but with self-signed certs. Certbot will not install them automatically. When I try manually by removing the comments in /etc/nginx/templates/ssl.tmpl, which goes like this:

ssl on;
ssl_protocols TLSv1.2;

# Fix 'The Logjam Attack'.
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/dh2048_param.pem;

# To use your own ssl cert (e.g. LetsEncrypt), please create symbol link to
# ssl cert/key used below, so that we can manage this config file with Ansible.
#
# For example:
#
# rm -f /etc/ssl/private/iRedMail.key
# rm -f /etc/ssl/certs/iRedMail.crt
# ln -s /etc/letsencrypt/live/mailtest.arcanet.com.mt/privkey.pem /etc/ssl/private/iRedMail.key
# ln -s /etc/letsencrypt/live/mailtest.arcanet.com.mt/fullchain.pem /etc/ssl/certs/iRedMail.crt
#
ssl_certificate /etc/ssl/certs/iRedMail.crt;
ssl_certificate_key /etc/ssl/private/iRedMail.key;

the certificates start to work; however, nginx crashes and I am presented with the index page that I have set up in nginx instead of the mail client. Putting the #'s back on solves the crash but goes back to self-signed certificates. If anyone could help, please do. Thank you in advance.


#2

Hi @Rohirrimus,

Are you saying that you are removing the #? These ones?

# rm -f /etc/ssl/private/iRedMail.key
# rm -f /etc/ssl/certs/iRedMail.crt
# ln -s /etc/letsencrypt/live/mailtest.arcanet.com.mt/privkey.pem /etc/ssl/private/iRedMail.key
# ln -s /etc/letsencrypt/live/mailtest.arcanet.com.mt/fullchain.pem /etc/ssl/certs/iRedMail.crt 

If the answer is yes, then don't do that: those are the commands you should run as root to link the LE certificates into the right place so iRedMail can read them, but you should NOT remove the # in that file.

Cheers,
sahsanu


#3

Yes, that is what I was saying. But even when I run them as root it does not help; I still have a self-signed key.
I also tried to edit the sites-available
00-default-ssl file and to add
ssl_certificate /etc/letsencrypt/live/mailtest.arcanet.com.mt/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mailtest.arcanet.com.mt/privkey.pem;
but I had no luck as well.


#4

What seems to be the problem when that is done is that the original files and the ones copied into iRedMail.crt and key are the same, but still it's visible as a self-signed key.
Is there maybe a way you could help me with that? Thank you


#5

Could you please run these commands again as root, or with your own user but preceding them with sudo, and paste the output here?

rm -f /etc/ssl/private/iRedMail.key
rm -f /etc/ssl/certs/iRedMail.crt
ln -s /etc/letsencrypt/live/mailtest.arcanet.com.mt/privkey.pem /etc/ssl/private/iRedMail.key
ln -s /etc/letsencrypt/live/mailtest.arcanet.com.mt/fullchain.pem /etc/ssl/certs/iRedMail.crt
ls -l /etc/ssl/private/iRedMail.key /etc/ssl/certs/iRedMail.crt
openssl x509 -in /etc/ssl/certs/iRedMail.crt -noout -text

#6

Hello, the output is as follows:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10016252805842969476 (0x8b00e0dbc8c7a384)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=GuangDong, L=ShenZhen, O=mailtest.arcanet.com.mt, OU=IT, CN=mailtest.arcanet.com.mt/emailAddress=root@mailtest.arcanet.com.mt
        Validity
            Not Before: Jul  5 21:16:36 2018 GMT
            Not After : Jul  2 21:16:36 2028 GMT
        Subject: C=CN, ST=GuangDong, L=ShenZhen, O=mailtest.arcanet.com.mt, OU=IT, CN=mailtest.arcanet.com.mt/emailAddress=root@mailtest.arcanet.com.mt
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                24:AB:12:50:8C:62:60:F3:AE:78:92:CA:35:67:E1:15:8B:C3:6B:1B
            X509v3 Authority Key Identifier:
                keyid:24:AB:12:50:8C:62:60:F3:AE:78:92:CA:35:67:E1:15:8B:C3:6B:1B

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption

#8

Hi @Rohirrimus,

The certificate is a self-signed one, so either the commands issued to link it to your LE certificate didn't work as expected or iRedMail is recreating the self-signed cert again and again.

Could you please show the output of these commands (all of them):

ls -l /etc/ssl/private/iRedMail.key /etc/ssl/certs/iRedMail.crt

openssl x509 -in /etc/letsencrypt/live/mailtest.arcanet.com.mt/fullchain.pem -noout -text | grep -Ei '(Before:|Issuer:|DNS:)' | sed "s/^[ \t]*//"

Cheers,
sahsanu
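An added check, not from this thread or from iRedMail, that automates what the commands above look for: it follows the iRedMail.crt symlink, confirms the target holds a PEM certificate block (the condition behind openssl's "no start line" error), and compares issuer with subject so a self-signed certificate is flagged. The mail.example.test name and the directory layout in the demo helper are constructed for illustration.

```shell
#!/bin/sh
# Added check (not from the thread or iRedMail): does the iRedMail cert path
# really hold a CA-issued certificate? Exit status:
#   0 = PEM parses and issuer differs from subject (issued by a CA)
#   1 = missing/dangling link, or no PEM block ("PEM_read_bio:no start line")
#   2 = PEM parses but issuer equals subject (self-signed, as in the thread)
check_cert_link() {
    path="$1"
    if [ -L "$path" ]; then
        echo "link: $path -> $(readlink "$path")"
    fi
    if [ ! -r "$path" ]; then
        echo "ERROR: $path is missing or unreadable (dangling symlink?)"
        return 1
    fi
    # openssl's "no start line" error means exactly this header is absent
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$path"; then
        echo "ERROR: $path contains no PEM certificate block"
        return 1
    fi
    # strip the "issuer=" / "subject=" prefix so old and new openssl output compare alike
    issuer=$(openssl x509 -in "$path" -noout -issuer | sed 's/^[^=]*=[ ]*//')
    subject=$(openssl x509 -in "$path" -noout -subject | sed 's/^[^=]*=[ ]*//')
    echo "issuer:  $issuer"
    echo "subject: $subject"
    if [ "$issuer" = "$subject" ]; then
        echo "RESULT: self-signed certificate (issuer equals subject)"
        return 2
    fi
    echo "RESULT: certificate issued by a separate CA"
    return 0
}

# make_selfsigned_demo DIR: builds a constructed, throwaway self-signed cert under
# DIR/live/mail.example.test and symlinks it as DIR/certs/iRedMail.crt (iRedMail's layout).
make_selfsigned_demo() {
    dir="$1"
    mkdir -p "$dir/live/mail.example.test" "$dir/certs"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=mail.example.test' \
        -keyout "$dir/live/mail.example.test/privkey.pem" \
        -out "$dir/live/mail.example.test/fullchain.pem" >/dev/null 2>&1
    ln -sf "$dir/live/mail.example.test/fullchain.pem" "$dir/certs/iRedMail.crt"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); make_selfsigned_demo "$d"
    rc=0; check_cert_link "$d/certs/iRedMail.crt" || rc=$?
    echo "exit status: $rc"; rm -rf "$d"
fi
```

Run it as `sh check.sh --demo` to see the self-signed case, or call `check_cert_link /etc/ssl/certs/iRedMail.crt` on the real server.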


#9

Sure, thank you for the reply,

 ls -l /etc/ssl/private/iRedMail.key /etc/ssl/certs/iRedMail.crt
lrwxrwxrwx 1 root root 59 Jul  9 11:13 /etc/ssl/certs/iRedMail.crt -> /etc/letsencrypt/live/mailtest.arcanet.com.mt/fullchain.pem
lrwxrwxrwx 1 root root 57 Jul  9 11:13 /etc/ssl/private/iRedMail.key -> /etc/letsencrypt/live/mailtest.arcanet.com.mt/privkey.pem

and the 2nd one is:

root@mailtest ~ # openssl x509 -in /etc/letsencrypt/live/mailtest.arcanet.com.mt/fullchain.pem -noout -text | grep -Ei '(Before:|Issuer:|DNS:)' | sed "s/^[ \t]*//"
unable to load certificate
140583000004248:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE

Thank you in advance for all your help


#10

That is strange; it seems you don't have a certificate for your domain. Are you sure you issued one for mailtest.arcanet.com.mt?

Let's see what is in that path. Show the output of these two commands:

namei -mo /etc/letsencrypt/live/mailtest.arcanet.com.mt/fullchain.pem

ls -l /etc/letsencrypt/live/ /etc/letsencrypt/archive/


#11
root@mailtest ~ # namei -mo /etc/letsencrypt/live/mailtest.arcanet.com.mt/fullchain.pem
f: /etc/letsencrypt/live/mailtest.arcanet.com.mt/fullchain.pem
 drwxr-xr-x root root /
 drwxr-xr-x root root etc
 drwxr-xr-x root root letsencrypt
 drwxr-xr-x root root live
 drwxr-xr-x root root mailtest.arcanet.com.mt
 -rw-r--r-- root root fullchain.pem

That would be the output of the 1st one, and regarding the 2nd, it's:

root@mailtest ~ # ls -l /etc/letsencrypt/live/ /etc/letsencrypt/archive/
ls: cannot access '/etc/letsencrypt/archive/': No such file or directory
/etc/letsencrypt/live/:
total 4

Thank you for all the help, hope this will help you help me resolve my issue. Thanks


#12

@Rohirrimus, it seems you have copied the self-signed certificate into /etc/letsencrypt/live/mailtest.arcanet.com.mt/ and it is clear that you have removed the dir /etc/letsencrypt/archive/, and I don't know whether you removed or changed something else… so it seems you messed it up just a bit ;). You have already issued a valid certificate for your domain, so I'm wondering what you did…

Also, you didn't show the entire output of this command:

ls -l /etc/letsencrypt/live/ /etc/letsencrypt/archive/

My advice: read the iRedMail installation guide carefully and start over, following it step by step to configure it.


#13

The problem is that since I rebuilt the server a few times trying to fix problems with certs, Let's Encrypt didn't want to issue me any more certs, so I got a copy of the ones from before, but they are the same, same domain.


#14

@Rohirrimus

Correct, you have reached the 5 duplicated certificates per 7 days limit:

CRT ID     CERT TYPE  DOMAIN (CN)              VALID FROM             VALID TO               EXPIRES IN  SANs
576752899  Pre cert   mailtest.arcanet.com.mt  2018-Jul-05 12:21 UTC  2018-Oct-03 12:21 UTC  85 days     mailtest.arcanet.com.mt
576561692  Pre cert   mailtest.arcanet.com.mt  2018-Jul-05 12:17 UTC  2018-Oct-03 12:17 UTC  85 days     mailtest.arcanet.com.mt
576487019  Pre cert   mailtest.arcanet.com.mt  2018-Jul-05 11:17 UTC  2018-Oct-03 11:17 UTC  85 days     mailtest.arcanet.com.mt
575007716  Pre cert   mailtest.arcanet.com.mt  2018-Jul-04 11:29 UTC  2018-Oct-02 11:29 UTC  84 days     mailtest.arcanet.com.mt
574921867  Pre cert   mailtest.arcanet.com.mt  2018-Jul-04 09:25 UTC  2018-Oct-02 09:25 UTC  84 days     mailtest.arcanet.com.mt

You could issue a new certificate for mailtest.arcanet.com.mt on 2018-Jul-11 10:25 UTC, so you can wait 2 days, or you could override that limit by adding a new domain: if you issue a certificate covering mailtest.arcanet.com.mt and, for example, mailtest2.arcanet.com.mt, you could issue a new cert right now.

It seems you didn't copy the right ones, because you are using the self-signed certificate instead of the one issued by Let's Encrypt.

