TLS-SNI-01 validation is reaching end-of-life zimbramail server


#1

I have a Zimbra mail server. I updated certbot to HTTP-01, and after that I ran the command to test:
sudo certbot renew --dry-run
The output is: The server could not connect to the client to verify the domain :: Fetching http://zimbramail.salus.al/.well-known/acme-challenge/3foqwyJnizGgS1GAk53p5vUVgdwWLCzVULARI7zUFys: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/zimbramail.salus.al/fullchain.pem (failure)
My question is: how can I resolve this problem? Because if I try to change the Zimbra port from 443 to 80 it doesn't work.


#2

It does seem like a firewall is blocking port 80 (HTTP).
Can you confirm port 80 is allowed and reaching your server?


#3

wget http://zimbramail.salus.al/.well-known/acme-challenge/3foqwyJnizGgS1GAk53p5vUVgdwWLCzVULARI7zUFys
--2019-01-19 07:53:49-- http://zimbramail.salus.al/.well-known/acme-challenge/3foqwyJnizGgS1GAk53p5vUVgdwWLCzVULARI7zUFys
Resolving zimbramail.salus.al (zimbramail.salus.al)... 80.91.118.35
Connecting to zimbramail.salus.al (zimbramail.salus.al)|80.91.118.35|:80... failed: Connection timed out.
Retrying.


#4

Can you show the full output of the renew command you ran?


#5

You need to allow both 80 & 443
80 is now required for the certificate authentication
443 is for your secure email


#6

Host zimbramail.salus.al
Stopping zmconfigd…Done.
Stopping zimlet webapp…Done.
Stopping zimbraAdmin webapp…Done.
Stopping zimbra webapp…Done.
Stopping service webapp…Done.
Stopping stats…Done.
Stopping mta…Done.
Stopping spell…Done.
Stopping snmp…Done.
Stopping cbpolicyd…Done.
Stopping archiving…Done.
Stopping opendkim…Done.
Stopping amavis…Done.
Stopping antivirus…Done.
Stopping antispam…Done.
Stopping proxy…Done.
Stopping memcached…Done.
Stopping mailbox…Done.
Stopping logger…Done.
Stopping dnscache…Done.
Stopping ldap…Done.
zimbra@zimbramail:~$ exit
logout
root@zimbramail:~# sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/zimbramail.salus.al.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for zimbramail.salus.al
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (zimbramail.salus.al) from /etc/letsencrypt/renewal/zimbramail.salus.al.conf produced an unexpected error: Failed authorization procedure. zimbramail.salus.al (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://zimbramail.salus.al/.well-known/acme-challenge/3foqwyJnizGgS1GAk53p5vUVgdwWLCzVULARI7zUFys: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/zimbramail.salus.al/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/zimbramail.salus.al/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: zimbramail.salus.al
    Type: connection
    Detail: Fetching
    http://zimbramail.salus.al/.well-known/acme-challenge/3foqwyJnizGgS1GAk53p5vUVgdwWLCzVULARI7zUFys:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.


#7

It looks like Certbot is working, but there’s a firewall blocking port 80.


#8

nginx is installed on top of Zimbra; if I change the port it doesn't work. Port 80 isn't blocked by the firewall, because I have a web server in the same network and I can reach it from outside on port 80.
When Zimbra is running the listening ports are
root@zimbramail:~# sudo netstat -plnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:7110 0.0.0.0:* LISTEN 3705/java
tcp 0 0 0.0.0.0:7143 0.0.0.0:* LISTEN 3705/java
tcp 0 0 127.0.0.1:10663 0.0.0.0:* LISTEN 3627/zmlogger: zmrr
tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN 4014/amavisd (maste
tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 5052/master
tcp 0 0 127.0.0.1:10026 0.0.0.0:* LISTEN 4014/amavisd (maste
tcp 0 0 127.0.0.1:7306 0.0.0.0:* LISTEN 3615/mysqld
tcp 0 0 127.0.0.1:10027 0.0.0.0:* LISTEN 5052/master
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 5052/master
tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN 3938/memcached
tcp 0 0 127.0.0.1:10028 0.0.0.0:* LISTEN 5052/master
tcp 0 0 127.0.0.1:10029 0.0.0.0:* LISTEN 5052/master
tcp 0 0 127.0.0.1:10030 0.0.0.0:* LISTEN 5052/master
tcp 0 0 127.0.0.1:3310 0.0.0.0:* LISTEN 4807/clamd
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 3959/nginx.conf
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 3959/nginx.conf
tcp 0 0 127.0.0.1:10032 0.0.0.0:* LISTEN 4014/amavisd (maste
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 3705/java
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 5052/master
tcp 0 0 127.0.0.1:8465 0.0.0.0:* LISTEN 4825/opendkim
tcp 0 0 0.0.0.0:7025 0.0.0.0:* LISTEN 3705/java
tcp 0 0 192.168.152.7:53 0.0.0.0:* LISTEN 1008/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1008/named
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1035/sshd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 5052/master
tcp 0 0 0.0.0.0:7993 0.0.0.0:* LISTEN 3705/java
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 1008/named
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 3959/nginx.conf
tcp 0 0 0.0.0.0:7995 0.0.0.0:* LISTEN 3705/java
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 3705/java
tcp 0 0 0.0.0.0:7071 0.0.0.0:* LISTEN 3705/java
tcp 0 0 127.0.0.1:23232 0.0.0.0:* LISTEN 3984/perl
tcp 0 0 0.0.0.0:7072 0.0.0.0:* LISTEN 3705/java
tcp 0 0 127.0.0.1:23233 0.0.0.0:* LISTEN 3986/perl
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 3959/nginx.conf
tcp 0 0 0.0.0.0:7073 0.0.0.0:* LISTEN 3705/java
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 3959/nginx.conf
tcp 0 0 127.0.0.1:7171 0.0.0.0:* LISTEN 2205/java
tcp 0 0 192.168.152.7:389 0.0.0.0:* LISTEN 2185/slapd
tcp6 0 0 ::1:10024 :::* LISTEN 4014/amavisd (maste
tcp6 0 0 ::1:10026 :::* LISTEN 4014/amavisd (maste
tcp6 0 0 :::11211 :::* LISTEN 3938/memcached
tcp6 0 0 ::1:3310 :::* LISTEN 4807/clamd
tcp6 0 0 ::1:10032 :::* LISTEN 4014/amavisd (maste
tcp6 0 0 :::53 :::* LISTEN 1008/named
tcp6 0 0 :::22 :::* LISTEN 1035/sshd
tcp6 0 0 ::1:953 :::* LISTEN 1008/named
tcp6 0 0 :::7780 :::* LISTEN 4852/httpd
and when Zimbra is stopped the listening ports are
root@zimbramail:~# sudo netstat -plnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.152.7:53 0.0.0.0:* LISTEN 1008/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1008/named
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1035/sshd
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 1008/named
tcp6 0 0 :::53 :::* LISTEN 1008/named
tcp6 0 0 :::22 :::* LISTEN 1035/sshd
tcp6 0 0 ::1:953 :::* LISTEN 1008/named


#9

As mentioned already, nobody else can reach port 80 from the outside.

Nmap scan report for 80.91.118.35
Host is up (0.33s latency).
PORT   STATE    SERVICE
80/tcp filtered http

#10

This is another server in the same network that you can reach on port 80: http://referti.salus.al/


#11

Yes, it is allowed. http://referti.salus.al/ is another site in the same network that you can check.


#12

Right, which demonstrates that your ISP is not blocking the port.

The suggestion here is that you probably have iptables blocking port 80, on 80.91.118.35 specifically.

iptables -L -n | grep -E ":(80|443)"

#13

When I ran this command as root on the server it doesn't show anything.


#14

Do you have any other kind of firewall in front of 80.91.118.35? Perhaps in your web hosting control panel?

What’s the output of this by itself?

iptables -L -n

It’s pretty clear that the server is using a default-deny firewall policy with an exception being made for port 443 (and some others). You need to add an exception for 80.


#15

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


#16

Okay, thanks. So we know it is not on the server itself.

If you are able to submit a support request to whoever is providing your hosting service to you, they should be able to assist you in identifying how to add port 80 as an exception.

For the record, I can access the following ports on your server only: 25, 443, 465, 993.


#17

The server is local; I use NAT to access it. I have created from the domain salus.al a subdomain that goes to my public IP, and in my firewall I have created NAT exceptions. Thanks, I resolved it.