Let's Encrypt is not working in PHP for SMTP mail in Webuzo Panel

Well, I am testing this in the Webuzo panel.
Maybe I will report to the Webuzo team to be sure there are no errors in the installation process of Let's Encrypt, if you say it should also work with PHP.

The issue seems to be related to PHP and Let's Encrypt.
In php.ini I put the lines
[openssl]
openssl.cafile= /etc/ssl/cert/domain.ext-cabundle.crt

then when I configure SMTP I use domain.ext as the email host, and with Let's Encrypt it seems not to work.

So… is anyone using Let's Encrypt for Exim and also to send authenticated SMTP email from PHP, for example Wordpress or OsTicket?

Let's Encrypt seems to work well in Thunderbird: no certificate error is shown and I can send and receive email. But if I try to configure email to use Let's Encrypt to send SMTP email from a PHP application like Wordpress or OsTicket, it cannot send SMTP emails because the certificate is not recognized.

Everything is solved if I remove Let's Encrypt and put in a Comodo Positive SSL.
Is this an issue with Let's Encrypt, or could it be an issue related to my panel, Webuzo?

I do not have a server to test on. Maybe a solution could be to try a Let's Encrypt certificate generated from an external site, not from Webuzo, to see if the issue still persists.

If you can, paste the results of the tests here:

Both with your LetsEncrypt and your Comodo SSL certificates.

This is what I was asking you to do before (compare the two certificates):

https://help.directadmin.com/item.php?id=598

My suspicion is that your Comodo certificate has the intermediate included so that’s the first thing to check.

Andrei

1 Like

Thank you for your useful reply,
maybe the error shown when trying to send email via SMTP from PHP was:

Warning: stream_socket_enable_crypto(): SSL operation failed with code 1.
OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

At the moment I will have issues testing this again because I have already set up my server… maybe I will see if I can remove Comodo and reinstall Let's Encrypt, then test again; if I can, I will post the results here.

Thanks

So, is the issue the intermediate certificate? Umh…

I tried the command
openssl s_client -starttls smtp -crlf -connect smtp.gmail.com:587
and I can see only CONNECTED … I should test SSL on port 465, not STARTTLS on port 587, but if I replace -starttls with -ssl the command is not recognized.

Then use this instead:

openssl s_client -connect smtp.gmail.com:465

1 Like

OK, this is the test of the Comodo Positive SSL:

openssl s_client -connect domain.ext:465
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = domain.ext
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = domain.ext
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = domain.ext
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=domain.ext
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[... content removed ...]
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=domain.ext
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Server Temp Key: DH, 2048 bits
---
SSL handshake has read 3233 bytes and written 565 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: [... content removed ...]
    Session-ID-ctx:
    Master-Key: [... content removed ...]
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 200 (seconds)
    TLS session ticket:
[... content removed ...]

    Start Time: 1494170160
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

This is Let’s Encrypt test:

openssl s_client -connect domain.ext:465
CONNECTED(00000003)
depth=0 CN = domain.ext
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = domain.ext
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = domain.ext
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=domain.ext
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
Server certificate
-----BEGIN CERTIFICATE-----
[... removed ...]
-----END CERTIFICATE-----
subject=/CN=domain.ext
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Server Temp Key: DH, 2048 bits
---
SSL handshake has read 2663 bytes and written 565 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: [... removed ...]
    Session-ID-ctx:
    Master-Key: [... removed ...]
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 200 (seconds)
    TLS session ticket:
[... removed ...]

    Start Time: 1494171165
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

And as soon as I install Let's Encrypt, the Wordpress SMTP mailer is unable to send email:

Thanks for your support.
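To make the difference between the two transcripts above mechanical, here is an added example (not from this thread, Webuzo or Let's Encrypt) that parses the "Certificate chain" section of openssl s_client output and reports whether the server sent only the leaf certificate. The embedded transcript is a constructed excerpt modelled on the Let's Encrypt test above.

```python
import re

# Constructed excerpt modelled on the "openssl s_client -connect domain.ext:465"
# transcript for the Let's Encrypt certificate above: only depth 0 is sent and
# openssl finishes with verify return code 21.
SAMPLE_LEAF_ONLY = """CONNECTED(00000003)
depth=0 CN = domain.ext
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:/CN=domain.ext
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
    Verify return code: 21 (unable to verify the first certificate)
"""

# One chain entry as s_client prints it: depth, subject line, issuer line.
CHAIN_ENTRY = re.compile(r"^ *(\d+) s:(.*)\n *i:(.*)$", re.MULTILINE)
VERIFY_CODE = re.compile(r"Verify return code: (\d+) \(")


def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server presented them."""
    return [(m.group(2).strip(), m.group(3).strip())
            for m in CHAIN_ENTRY.finditer(output)]


def diagnose(output):
    """Classify an s_client transcript by what the server actually sent."""
    chain = parse_chain(output)
    m = VERIFY_CODE.search(output)
    code = int(m.group(1)) if m else None
    # Each certificate's issuer must be the subject of the next one sent.
    linked = all(chain[i][1] == chain[i + 1][0] for i in range(len(chain) - 1))
    if not chain:
        verdict = "no_chain"
    elif code == 0:
        verdict = "verified"
    elif len(chain) == 1 and chain[0][0] != chain[0][1]:
        # Only a non-self-signed leaf was sent: the intermediate is missing from
        # the mail server's configuration (install fullchain, not cert alone).
        verdict = "missing_intermediate"
    elif not linked:
        verdict = "broken_chain"
    else:
        verdict = "untrusted_chain"  # complete chain, root not in client trust store
    return {"chain_length": len(chain), "verify_code": code, "verdict": verdict}
```

A correctly configured mail server shows a depth 1 entry whose subject equals the depth 0 issuer, and verify return code 0 when the root is in the local trust store.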

Apparently, the chain isn’t installed for the mailserver.

1 Like

So with Comodo Positive SSL I am able to send email with SMTP Mailer in Wordpress; if, as I did today, I remove Positive SSL and install Let's Encrypt, as you can see from the screenshot, I receive an error.
I do not know why or where the issue is. I was thinking it was a Let's Encrypt issue…

So I went immediately back to Positive SSL, because if the certificate creates mail issues I start having issues with Wordpress, OsTicket, etc.

For now I have more than one year of validity on the Positive SSL, but in the future when this certificate expires I will be able to move to the Let's Encrypt certificate so I can reduce costs… as I am not in business and have no income, it is expensive to pay for a VPS, a panel and also SSL :slight_smile: Also, if this issue is solved many users can benefit from it… I am asking where the issue can be, whether it is my VPS control panel Webuzo, which has integrated Let's Encrypt, or somewhere else :smiley: Thanks

I believe @Osiris was right to suggest (several times) that the intermediate certificate is missing from the chain. If you used Certbot to obtain your certificate, please be sure to use fullchain.pem, not cert.pem, when configuring servers.

If you used something other than Certbot to obtain the certificate, please be sure that you have configured the intermediate certificate.

This is not a problem with the certificates, but a problem with using the wrong files when configuring the server.

1 Like

Thank you,
I will forward this to Softaculous, the Webuzo team, as the Let's Encrypt certificate is installed by the panel.
This will help all users of that panel to solve the issue with Let's Encrypt. I am just a user of the panel.

Cool, I hope they succeed in fixing it for everybody!

1 Like

I am also facing the same issue regarding LE certs used for email…

The LE certs that I am using for email are issued via Webuzo. The certs are working fine on my domain, but the issue persists for emails.

This is the folder where the files downloaded by the ACME script corresponding to the domain are stored, as mentioned by Webuzo support:


As mentioned by @schoen in the previous reply, I copied the contents of fullchain.cer and pasted them into the 110.compilor.com-cabundle.crt file which is present in the /etc/ssl/cert folder.

Before replacing the content I checked, and it seems that 110.compilor.com-cabundle.crt was using the contents of ca.cer.

Can anybody comment on what is going wrong here?

1 Like

Hi @luffy56 @PeopleInside

The official client is Certbot. Other companies such as Softaculous write their own plugins. The plugins they write are under their control.

For example looking at the webuzo site there is a support email: https://www.softaculous.com/support/

Also, looking at the wiki, the plugin Webuzo have written only associates certificates with websites, not mail (from what I can gather): http://www.webuzo.com/wiki/Install_SSL_Certificate. You can clarify this with them.

Having a look at their wiki http://www.webuzo.com/wiki/Main_Page there doesn't seem to be anything about how to use an intermediate with the email server. I would contact them and ask for clarification.

Andrei

Hi,
thank you for your reply. Webuzo is not a plug-in but a control panel for VPS / dedicated servers.

Webuzo are currently looking into this issue, but at the moment they seem unable to find where the issue with email is. It seems it is possible to send email via SSH and Thunderbird, but not via PHP (Wordpress, OsTicket, Live Helper Chat).

Install SSL Certificate is for non-Let's Encrypt certificates; for Let's Encrypt there is a dedicated section: http://www.webuzo.com/wiki/Lets_Encrypt

They are working on the issue and asked me to also ask here for help to fix it.

1 Like

Hi @PeopleInside

Webuzo is a control panel but the letsencrypt component can be considered a plugin (this is semantics and not worth discussing really)

Can you ask them what mail server they use, as this can help with the configuration questions.

Andrei

Hi

@ahaw021 I have clarified with the Webuzo team and it seems that they are able to send emails via telnet with Exim … but the issue arises when mail is sent using PHP mail libraries and domain verification is on.

So it seems that the problem is narrowed down to PHP, but they are still unable to determine how PHP certificate verification is failing, which throws the error mentioned by @PeopleInside.

Because if the certificates were not configured correctly, they shouldn't work for the websites either.

@luffy56

Websites and Mail Servers are run by separate processes. So configuration for a web server in terms of ssl has no impact on the mail server.

Also, did you read up on the links above? The problem is defined pretty clearly.

Andrei

1 Like