Let's Encrypt is not working in PHP for SMTP mail in Webuzo Panel


#1

Hi,
By searching on the forum I found this related topic closed without a link to a FAQ:

In those days I moved my VPS to a new one and … decided to try to configure the server to use a Let’s Encrypt certificate… but if you know how VPS and dedicated servers work… to have a valid SMTP or secure email, also for client email, you need a valid certificate.

I am using Comodo Positive SSL, which is good for web and also for email … but it is very expensive.
Why can’t Let’s Encrypt issue a certificate like Comodo’s Positive SSL that works for secure web and email?

Also, email security should be considered. I am not in the web business, so for me paying for a server is already a stress… I cannot spend a lot of money also on a certificate. Now I have a solution, but in the future if the price grows I will be unable to have my own mail.

Please consider … implementing support for email… so that control panels for VPS and servers can also find a solution to let users use mail in a secure way easily.

A certificate for email is useful to be able to send email by SMTP from a web application, and also to receive and configure email in Thunderbird, for example … without using a self-signed certificate… but I tried to configure Let’s Encrypt also for this and it doesn’t work. Only Comodo Positive SSL allows me to protect both the web side and the email side connections.

I hope Let’s Encrypt can introduce support for this, because for whoever has a private server this is a big and important issue: configuring email!


#2

What kind of e-mail encryption certificate do you require exactly?

Because you can perfectly use a Let’s Encrypt certificate to secure an e-mail server, SMTP or IMAP/POP3.

Let’s Encrypt certificates can be used for encrypted TLS (formerly known as SSL) connections between the client and server, for sending and receiving. Clients can connect to e.g. smtp.example.com through port 25 and secure the connection with STARTTLS, where the SMTP server will present a Let’s Encrypt certificate for smtp.example.com. The client will verify this certificate and will establish a secure connection to the SMTP server.
The same goes for reading e-mails through IMAP or POP3. A mail client can connect to e.g. imap.example.com through port 143 and use STARTTLS to secure the connection. The IMAP server can provide a Let’s Encrypt certificate for imap.example.com, which is verified by the client and a secure connection is established.

So you see, Let’s Encrypt can perfectly be used for e-mail in the way described above.

What you can’t do with Let’s Encrypt, is verify and get a certificate for an email address. But you’d only need that for things like PGP/GPG and/or S/MIME. Not for regular e-mailing.


#3

I have domain.ext; on the server I installed Let’s Encrypt to protect the website over HTTPS. I tried to configure Exim and Dovecot to use that certificate for email, not with STARTTLS but with SSL on ports 993 (IMAP) and 465, and Let’s Encrypt seems not to be working. I can do that only with Comodo Positive SSL.


#4

Why doesn’t it work? What error message do you get?

Technically, there’s no difference between domain validated certificates for a specific domain from different CAs…


#5

You are simply unable to use SMTP and client email. I tried this on two servers and I solved it by using the Positive SSL certificate, so the issue is with Let’s Encrypt.


#6

Hi @PeopleInside,

I personally use a Let’s Encrypt certificate for SMTP so I don’t think you’re correct to say that it can’t work!

If you can give more technical information, maybe we can figure out why you’re having trouble with it.

This was previously discussed a bit at


#7

OK well, I was able to see Let’s Encrypt work with Thunderbird, but using the SMTP plugin for WordPress I was unable to send email.
I have configured PHP 5.6 or PHP 5.7 with the patch to the CA bundle… all server settings that work with Comodo’s Positive SSL, so… with PHP set correctly … it was not working with Let’s Encrypt…

So you are right, sorry: Let’s Encrypt allows you to use Thunderbird, for example, but all my web applications were unable to send email by SMTP: WordPress, OsTicket, Live Helper Chat.

I just removed the Let’s Encrypt certificate, put in Comodo Positive SSL and all works fine… so the issue seems to be in the PHP SMTP application.

PHP + Apache + SuPHP.

Shortly I will move to the new Apache with FastCGI; I am waiting for some bugs on my panel to be fixed.


#8

Perhaps the server using the Let’s Encrypt certificate wasn’t correctly configured, such as missing the intermediate certificate. That wouldn’t be anything directly caused by the Let’s Encrypt certificate itself, but caused by the server administrator not configuring the server correctly.

As I said before: Let’s Encrypt certificates are valid DV certificates, just like any other DV certificate, and technically there is no reason at all for Let’s Encrypt certs not to work while other CAs’ did, besides of course misconfigurations. (Or root store issues, but that’s rather unlikely.)


#9

PHP + Apache + SuPHP.

Shortly I will move to the new Apache with FastCGI; I am waiting for some bugs on my panel to be fixed.

As requested several times, can you paste the actual errors and the startup logs for your email applications?

Otherwise I suggest the thread gets closed, as you are asking for help but not really providing the relevant information for people to assist.

Saying one thing works while another doesn’t isn’t a good troubleshooting strategy, especially when asking others to help you.

As a basic example:

Let’s Encrypt seems not to be working. I can do that only with Comodo Positive SSL.

  • Have you actually compared the two certificates?

  • Is it possible that your Let’s Encrypt certificate is issued from a staging domain?

  • Do you have a domain name for your email so others can check?

  • Is it possible that the Let’s Encrypt certificate has expired?

For example, a screenshot of a certificate is below; if you can provide that information about your certificate, or the domain name, we can check the status of the certificate.

Andrei


#10

Well, I installed a new server and issued a new Let’s Encrypt certificate some days ago, so the certificate is not expired.
I was able to configure Thunderbird with no issue; the Let’s Encrypt certificate works, SO I set up Exim and Dovecot all correctly, BUT if I try to configure the mail to use SMTP in WordPress or in another web app, then it is not working: wrong certificate.
stream_socket_client(): Failed to enable crypto

Now I am missing the other part of the log where certificate verification seems to fail. Sorry, I have no VPS available for testing. I am not a business and I worked a lot in those days to set up my VPS.

The issue seems to be when you are trying to use authenticated SMTP with Let’s Encrypt … again, in my case it is sufficient to remove the Let’s Encrypt certificate and put in the Comodo one and everything starts to work. The Let’s Encrypt certificate was issued at that moment and was for domain.ext, used also as the mail hostname.

ahaw021, I prefer you do not join this discussion if this is your tone. Please… you can participate in other topics. Thanks.
I am just trying to make a feature support request. Maybe this is transforming into an issue… I am reporting something that seems not to be working with Let’s Encrypt.


#11

Well, I am testing this in the Webuzo panel.
Maybe I will report to the Webuzo team to be sure there are no errors in… the installation process of Let’s Encrypt, if you say that it should work also with PHP.

The issue seems to be related to PHP and Let’s Encrypt.
In php.ini I put the lines
[openssl]
openssl.cafile= /etc/ssl/cert/domain.ext-cabundle.crt

Then when I configure SMTP I use domain.ext as the email host, and with Let’s Encrypt it seems not to work.


#12

So… is anyone using Let’s Encrypt for Exim and also to send authenticated SMTP email from PHP, for example WordPress or OsTicket?

It seems Let’s Encrypt works well in Thunderbird: no certificate errors are shown and I can send and receive email, but if I try to configure email to use Let’s Encrypt to send SMTP email from a PHP application like WordPress or OsTicket, it cannot send SMTP emails because the certificate is not recognized.

Everything is solved if I remove Let’s Encrypt and put in Comodo Positive SSL.
Is this an issue with Let’s Encrypt, or can it be an issue related to my panel, Webuzo?

I do not have a server to test on. Maybe a solution could be to try a Let’s Encrypt certificate generated from an external site and not generated by Webuzo, to see if the issue still persists.


#13

If you can, paste the results of the tests here:

Both with your LetsEncrypt and your Comodo SSL certificates.

This is what I was asking you to do before (compare the two certificates).

https://help.directadmin.com/item.php?id=598

My suspicion is that your Comodo certificate has the intermediate included so that’s the first thing to check.

Andrei


#14

Thank you for your useful reply;
maybe the error shown when trying to send email by SMTP from PHP was:

Warning: stream_socket_enable_crypto(): SSL operation failed with code 1.
OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

At the moment I will have issues testing this again because I already set up my server… maybe I will see if I can remove Comodo and reinstall Let’s Encrypt, then test again; if I can, I will post the results here.

Thanks


#15

So, what if the issue is the intermediate certificate? Hmm…


#16

I tried the command
openssl s_client -starttls smtp -crlf -connect smtp.gmail.com:587
and I can see only CONNECTED … I should test SSL on port 465, not STARTTLS on port 587, but IF I replace -starttls with -ssl the option is not recognized.


#17

Then use this instead:

openssl s_client -connect smtp.gmail.com:465


#18

OK, this is the test of the Comodo Positive SSL:

 openssl s_client -connect domain.ext:465
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = domain.ext
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = domain.ext
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = domain.ext
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=domain.ext
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[... content removed ...]
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=domain.ext
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Server Temp Key: DH, 2048 bits
---
SSL handshake has read 3233 bytes and written 565 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: [... content removed ...]
    Session-ID-ctx:
    Master-Key: [... content removed ...]
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 200 (seconds)
    TLS session ticket:
[... content removed ...]

    Start Time: 1494170160
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

#19

This is Let’s Encrypt test:

openssl s_client -connect domain.ext:465
CONNECTED(00000003)
depth=0 CN = domain.ext
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = domain.ext
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = domain.ext
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=domain.ext
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
Server certificate
-----BEGIN CERTIFICATE-----
[... removed ...]
-----END CERTIFICATE-----
subject=/CN=domain.ext
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Server Temp Key: DH, 2048 bits
---
SSL handshake has read 2663 bytes and written 565 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: [... removed ...]
    Session-ID-ctx:
    Master-Key: [... removed ...]
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 200 (seconds)
    TLS session ticket:
[... removed ...]

    Start Time: 1494171165
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

And as soon as I install Let’s Encrypt, the WordPress SMTP mailer is unable to send email:

Thanks for your support.


#20

Apparently, the chain isn’t installed for the mailserver.
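Both openssl s_client captures above (#18 and #19) list a single entry under "Certificate chain" and end with "Verify return code: 21 (unable to verify the first certificate)": the mail server is sending only the leaf certificate, which is what #20 concludes. The script below is an added example, not code from this thread or from Webuzo, Exim, Dovecot or PHP. It parses the chain section and the verify code of saved s_client output and reports whether the intermediate is missing. The two captures embedded in it are constructed, trimmed to the relevant lines of the outputs above; the complete-chain sample assumes the Let's Encrypt Authority X3 intermediate cross-signed by DST Root CA X3, as it was in 2017.

```python
"""Spot a missing intermediate from `openssl s_client` output.

Added example, not code from the forum thread or from Webuzo, Exim, Dovecot
or PHP. It reads the "Certificate chain" section and the "Verify return
code" line that `openssl s_client -connect host:465` prints and reports
whether the server sent only its leaf certificate.
"""
import re
import sys

# Constructed sample, trimmed to the relevant lines of the Let's Encrypt
# capture in the thread: one chain entry, verify return code 21.
LEAF_ONLY = """\
CONNECTED(00000003)
depth=0 CN = domain.ext
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:/CN=domain.ext
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
Server certificate
    Verify return code: 21 (unable to verify the first certificate)
"""

# Constructed sample of what the same server prints once it serves the
# full chain; the issuer of Let's Encrypt Authority X3 is assumed to be the
# DST Root CA X3 cross-sign that was current in 2017.
WITH_INTERMEDIATE = """\
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
---
Certificate chain
 0 s:/CN=domain.ext
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
    Verify return code: 0 (ok)
"""

# Each chain entry is two lines: " N s:<subject>" followed by "   i:<issuer>".
CHAIN_ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)
VERIFY_CODE = re.compile(r"Verify return code: (\d+) \((.*)\)")


def chain_section(output):
    """Return the text between 'Certificate chain' and the next '---'."""
    start = output.find("Certificate chain")
    if start < 0:
        return ""
    end = output.find("---", start)
    return output[start:end] if end >= 0 else output[start:]


def parse_chain(output):
    """List of (subject, issuer) tuples in the order the server sent them."""
    return [(m.group(2).strip(), m.group(3).strip())
            for m in CHAIN_ENTRY.finditer(chain_section(output))]


def verify_code(output):
    """(code, description) from the 'Verify return code' line, or (None, '')."""
    m = VERIFY_CODE.search(output)
    return (int(m.group(1)), m.group(2)) if m else (None, "")


def diagnose(output):
    """Classify a capture: complete chain, leaf only, or other failure."""
    chain = parse_chain(output)
    if not chain:
        raise ValueError("no 'Certificate chain' section in the output")
    code, desc = verify_code(output)
    leaf_subject, leaf_issuer = chain[0]
    tail_subject, tail_issuer = chain[-1]
    result = {"certs_sent": len(chain), "leaf_subject": leaf_subject,
              "leaf_issuer": leaf_issuer, "verify_code": code,
              "missing_intermediate": False}
    if code == 0:
        result["verdict"] = "chain verified (%d certificate(s) sent)" % len(chain)
    elif len(chain) == 1 and leaf_subject != leaf_issuer:
        # Only the end-entity cert arrived and it is not self-signed. A strict
        # client (openssl s_client, PHP's stream wrapper) does not go and fetch
        # the issuer, so verification stops at depth 0 with code 21.
        result["missing_intermediate"] = True
        result["verdict"] = ("server sent only the leaf; the intermediate '%s' "
                             "must be served too (full chain file)" % leaf_issuer)
    elif tail_subject != tail_issuer and code in (20, 21):
        result["verdict"] = ("no issuer found for the last certificate sent "
                             "('%s'): another intermediate is missing or the "
                             "root is not in the local trust store" % tail_subject)
    else:
        result["verdict"] = "verification failed: code %s (%s)" % (code, desc)
    return result


if __name__ == "__main__":
    # Pass a file holding saved s_client output, or run on the built-in samples.
    if len(sys.argv) > 1:
        samples = {sys.argv[1]: open(sys.argv[1]).read()}
    else:
        samples = {"leaf only": LEAF_ONLY, "with intermediate": WITH_INTERMEDIATE}
    for name, text in samples.items():
        print("%s: %s" % (name, diagnose(text)["verdict"]))
```

To run it against a live server, save a capture with `openssl s_client -connect domain.ext:465 -showcerts </dev/null > capture.txt` and pass the file as the first argument. The server-side fix is to serve the chain rather than the bare leaf: assuming a certbot-style directory layout, point Exim's tls_certificate and Dovecot's ssl_cert at fullchain.pem instead of cert.pem, restart both, and re-run s_client; a fixed server shows two entries under "Certificate chain" and "Verify return code: 0 (ok)". Note that the Comodo capture in #18 is equally chain-less; the thread does not settle why PHP accepted it anyway, but if the cabundle file named in openssl.cafile in #11 contains Comodo's intermediate, OpenSSL can complete that chain from the local file, which does nothing for a Let's Encrypt leaf.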