LE not able to add to certificate for mail server

Discussion in 'ISPConfig 3 Priority Support' started by NeonTigerUK, Apr 18, 2018.

  1. NeonTigerUK

    NeonTigerUK Member

    Hi All

    I've followed the guide as previously made available, for adding LE to mail servers, and until today its worked properly

    running the below from /opt/certbot
    Code:
    /certbot-auto auth --text --agree-tos --standalone --email postmaster@`hostname -d` -d `hostname -f` -d mail.domain1.co.uk -d mail.domain2.co.uk etc -d mail.newdomain.co.uk
    
    I've tried to add a domain to the list, by adding the domain on to the end, as has worked plenty of times before

    Now when I run the command I get
    Code:
    tls-sni-01 challenge for mail1.domain.tld
    tls-sni-01 challenge for mail.domain1.co.uk
    tls-sni-01 challenge for mail.domain2.co.uk
    http-01 challenge for mail.newdomain.co.uk
    Cleaning up challenges
    Problem binding to port 80: Could not bind to IPv4 or IPv6.
    
    I can see that its doing a http-01 challenge for it, so I'm wondering if there is something im missing when the others are tls-sni-01

    Any advice please?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Are you running an http daemon on this server? To me, it looks as if it can not verify the cert because there is already a service running on port 80, so certbot cannot bind itself to that port.
     
  3. NeonTigerUK

    NeonTigerUK Member

    Hi @till I dont believe I am running any http services on this server - it is mail only
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Please check with:

    netstat -tap | grep http
     
  5. NeonTigerUK

    NeonTigerUK Member

    tcp6 0 0 [::]:http [::]:* LISTEN 774/apache2
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, so you're running apache there. maybe for a webmail client or so? What you can do is to stop apache, use certbot, then start apache again. Or stop and disable apache completely, if you don't need it.
     
  7. NeonTigerUK

    NeonTigerUK Member

    ran service apache2 stop

    re ran the code, it's completed correctly, however, it is still doing http-01 challenge for the new domain, rather than the tls-sni-01 of the pre-existing domains
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess that's ok. Certbot changed some challenge types recently due to security issues.
     
  9. NeonTigerUK

    NeonTigerUK Member

    @till oh ok, but it's still doing the tls-sni-01 for the existing domains

    I've just run the mail domain though SSL-Tools and it can't see the new certificate ... its actually showing some that are not (shouldn't be) on the certificate anymore
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Did you restart postfix and dovecot after you created the new ssl cert? And did you check that the new ssl cert has the same name, certbot tends to add 0001, 0002 etc. on the cert name which means that you might have to adjust the symlinks in /etc/postfix directory to point them to the correct cert.
     

Share This Page