New iRedMail Installation: Failed authorization procedure


#1

full domain of my site: freeholdcomputertech.com
command run: sudo letsencrypt certonly --webroot --agree-tos --email postmaster@freeholdcomputertech.com -d freeholdcomputertech.com -w /var/www/html/
output of command: Failed authorization procedure. freeholdcomputertech.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to freeholdcomputertech.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: freeholdcomputertech.com
    Type: connection
    Detail: Could not connect to freeholdcomputertech.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

name / version of OS: Ubuntu 16.04 Desktop
web server: Apache/2.4.18 (Ubuntu)
hosting provider: Optimum business w/5 static IPs


#2

Do you have a webserver running on freeholdcomputertech.com ? I couldn’t connect on port 80. Or do you have a firewall blocking access ?


#3

I have a webserver setup on a different public IP than my iRedmail mail server. And the web server is offline.


#4

The method you were using ( webroot ) requires a working web server.

You may be better using the DNS-01 challenge if you only want it for the mail server, as that doesn’t require ports 80 or 443 and can just be done by adding a confirmation token to your DNS records.


#5

Can you provide a URL with instructions for using the DNS-01 challenge method?

Check That, Please: Can you provide instructions for me to use your DNS-01 challenge method, given my network configuration of 1- iRedmail mail server with 1- static public IP, and 1- separate Apache2 web server on a different static public IP?

Thank you for your help with this matter. I greatly appreciate it.


#6

It depends what you mean by “your method”. I personally don’t use certbot for the DNS challenge (because I started using the DNS challenge before it was available in certbot). I use a bash script. Either certbot or any of the bash scripts should work.

You use GoDaddy for your DNS records, don’t you? In which case probably acme.sh may be easiest, as that already has the script to connect directly to the GoDaddy API and update the DNS records as needed. The only bit it won’t do is automatically upload the certs to your mail server and check it’s installed correctly. I use GetSSL (which I wrote, so am biased) because that will automatically upload the certs for you, and check they have been uploaded correctly on renewals. GetSSL has a range of DNS providers (16) that it currently supports, but GoDaddy isn’t one of them. It should be relatively easy to script that part though if needed.
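Posts #4 and #6 describe the DNS-01 challenge as “adding a confirmation token to your DNS records”. The token itself is not what gets published: the client hashes the key authorization (challenge token plus the account key’s JWK thumbprint) and publishes the base64url digest in a TXT record. The script below is an added illustration of that derivation, not code from this thread or from certbot/acme.sh/GetSSL; it assumes openssl is installed, and the token and thumbprint values are constructed placeholders.

```shell
#!/bin/sh
# Derive the DNS-01 proof for a domain from the two values an ACME client holds
# during the challenge (RFC 8555 section 8.4):
#   token      - the challenge token issued by the CA
#   thumbprint - base64url JWK thumbprint of the ACME account key
# The client publishes:  _acme-challenge.<domain>  IN TXT  base64url(SHA-256("<token>.<thumbprint>"))
# Assumes openssl is available (it is on Ubuntu). Sample values are constructed.

# base64url without padding, as ACME requires (binary input on stdin)
b64url() {
    openssl enc -base64 -A | tr '+/' '-_' | tr -d '='
}

# Key authorization string: "<token>.<thumbprint>"
key_authorization() {
    printf '%s.%s' "$1" "$2"
}

# Value to place in the TXT record (43 base64url characters for SHA-256)
dns01_txt_value() {
    key_authorization "$1" "$2" | openssl dgst -sha256 -binary | b64url
}

# Owner name of the TXT record; a wildcard name uses its base domain
dns01_record_name() {
    printf '_acme-challenge.%s' "${1#"*."}"
}

# Demo with constructed placeholders (not a real token or account key)
token='constructed-token-0123456789abcdef'
thumbprint='constructed-thumbprint-fedcba9876543210'
echo "$(dns01_record_name freeholdcomputertech.com) IN TXT \"$(dns01_txt_value "$token" "$thumbprint")\""
```

Once the record is published, the CA resolves `_acme-challenge.<domain>` itself, which is why this challenge needs no open port 80 or 443 on the mail server.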


#7

First, let me thank you for your willingness to help, serverco.

I got my DNS and port forwarding on my router completely straightened out, did a fresh/clean VM Workstation 12 build of Ubuntu 16.04 Desktop, then installed iRedMail again - and then I was able to successfully obtain a free SSL certificate from Let’s Encrypt using the webroot method via the command:

sudo letsencrypt certonly --webroot --agree-tos --email postmaster@freeholdcomputertech.com -d freeholdcomputertech.com -w /var/www/html/

The problem now: apache2 service won’t start. This happened after I followed the instructions for “Installing the Certificate” on this URL:

Up until this point above, everything went through without a problem.

When I check apache2.service status: systemctl status apache2.service
I get the following results:

apache2.service - LSB: Apache2 web server
Loaded: loaded (/etc/init.d/apache2; bad; vendor preset: enabled)
Drop-In: /lib/systemd/system/apache2.service.d
└─apache2-systemd.conf
Active: failed (Result: exit-code) since Tue 2017-01-31 16:16:40 EST; 1min 24s ago
Docs: man:systemd-sysv-generator(8)
Process: 7928 ExecStart=/etc/init.d/apache2 start (code=exited, status=1/FAILURE)

Jan 31 16:16:40 mail apache2[7928]: * The apache2 configtest failed.
Jan 31 16:16:40 mail apache2[7928]: Output of config test was:
Jan 31 16:16:40 mail apache2[7928]: AH00526: Syntax error on line 29 of /etc/apache2/sites-enabled/000-
Jan 31 16:16:40 mail apache2[7928]: Invalid command ‘RewriteEngine’, perhaps misspelled or defined by a
Jan 31 16:16:40 mail apache2[7928]: Action ‘configtest’ failed.
Jan 31 16:16:40 mail apache2[7928]: The Apache error log may have more information.
Jan 31 16:16:40 mail systemd[1]: apache2.service: Control process exited, code=exited status=1
Jan 31 16:16:40 mail systemd[1]: Failed to start LSB: Apache2 web server.
Jan 31 16:16:40 mail systemd[1]: apache2.service: Unit entered failed state.
Jan 31 16:16:40 mail systemd[1]: apache2.service: Failed with result 'exit-code

Any suggestions would be most welcome.


#8

The key part is

Jan 31 16:16:40 mail apache2[7928]: AH00526: Syntax error on line 29 of /etc/apache2/sites-enabled/000-
Jan 31 16:16:40 mail apache2[7928]: Invalid command ‘RewriteEngine’, perhaps misspelled or defined by a
Jan 31 16:16:40 mail apache2[7928]: Action ‘configtest’ failed.

Can you check the file there (I can’t see the whole file name from what you pasted) and check for the error around RewriteEngine?


#9

Ran: sudo nano /etc/apache2/sites-enabled/000-default.conf and found the following:

RewriteEngine on
RewriteCond %{SERVER_NAME} =mail.freeholdcomputertech.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]


#10

Can you comment that out (for now) and run

apachectl -t

to test the config, to see if it still gives errors.


#11

comment out all 3 lines?

RewriteEngine on
RewriteCond %{SERVER_NAME} =mail.freeholdcomputertech.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
and then run

apachectl -t

yes?


#12

Commented out those 3 lines, then ran apachectl -t; results are:

AH00526: Syntax error on line 34 of /etc/apache2/sites-enabled/default-ssl.conf:
SSLCertificateFile: file ‘/etc/letsencrypt/live/mail.freeholdcomputertech.com/fullchain.pem’ does not exist or is empty
Action ‘-t’ failed.


#13

OK - so where are the files in /etc/letsencrypt/live/ … ?


#14

sudo ls /etc/letsencrypt/live/mail.freeholdcomputertech.com/
cert.pem chain.pem fullchain.pem privkey.pem

Just running ls for the path above would not work - permission denied.


#15

I can’t see a typo there … have the files got contents in them (certificates - but don’t paste the contents of the private key here - the others are safe to paste if you are unsure)?


#16

/etc/letsencrypt/live/mail.freeholdcomputertech.com/fullchain.pem does have content - certificates


#17

Is there any typo in the link …
SSLCertificateFile: file ‘/etc/letsencrypt/live/mail.freeholdcomputertech.com/fullchain.pem’ does not exist or is empty

Alternatively, it could be permissions, so that apache can’t read the file.


#18

There are no typos in that link … I was thinking, I had to sudo in order to ls the contents of /etc/letsencrypt/live/mail.freeholdcomputertech.com/ … could it be that apache doesn’t have the permissions needed to read that file?


#19

That could be the case, yes - not knowing what your permissions and ownership are on the files, I can’t be certain. You should ensure that apache has read permissions on those files.


#20

Please pardon my newbie ignorance…can you tell me how to ensure that apache has read permissions on those files?
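Post #19 suggests checking that apache can read the certificate files, and #20 asks how. A read check has to cover every directory on the way to the file, and because Let’s Encrypt’s live/ entries are symlinks into archive/, the target path as well. The script below is an added example (not from this thread or from certbot); it assumes GNU coreutils as shipped with Ubuntu, and it reports the components that a user who is neither owner nor group member (such as www-data) could not pass, which is the usual cause of “does not exist or is empty” when the file visibly exists.

```shell
#!/bin/sh
# check_cert_path FILE
# Walks FILE and every directory above it, then does the same for the resolved
# symlink target, and prints "BLOCKED <mode> <path>" for each component that a
# user outside the owner/group cannot pass: a directory without 'x' (or 't') for
# "other", or the final file without 'r' for "other". Returns 0 when nothing is
# blocked, 1 when something is, 2 when FILE cannot be resolved.
# Run it with sudo so every component can be inspected. Assumes GNU readlink -f.
check_cert_path() {
    blocked=0
    seen=
    real=$(readlink -f "$1") || return 2
    for leaf in "$1" "$real"; do
        p=$leaf
        while [ -n "$p" ] && [ "$p" != "/" ] && [ "$p" != "." ]; do
            case " $seen " in
                *" $p "*) p=$(dirname "$p"); continue ;;   # already checked
            esac
            seen="$seen $p"
            mode=$(ls -ld "$p" | cut -c1-10)      # e.g. drwx------ or lrwxrwxrwx
            case $mode in
                d*) bit=$(printf '%s' "$mode" | cut -c10); ok=xt ;;  # other-execute
                *)  bit=$(printf '%s' "$mode" | cut -c8);  ok=r  ;;  # other-read
            esac
            case $ok in
                *"$bit"*) ;;
                *) echo "BLOCKED $mode $p"; blocked=1 ;;
            esac
            p=$(dirname "$p")
        done
    done
    return $blocked
}

# Usage (the thread's path):
# sudo sh -c '. ./check.sh; check_cert_path /etc/letsencrypt/live/mail.freeholdcomputertech.com/fullchain.pem'
```

Any directory it flags needs execute permission for the web server’s user to reach the file; the private key should stay unreadable to others, so only fullchain.pem/cert.pem/chain.pem and the directories need opening up, not privkey.pem.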