Hello, I followed the directions located at: https://www.howtoforge.com/tutorial...l-pureftpd-bind-postfix-doveot-and-ispconfig/ Everything seems to work except when I send email. In Thunderbird I get the error "The certificate is not trusted because it is self-signed." I try in webmail and I get SMTP ERROR (250): Authentication Failed. I am seeing a lot of these messages in /var/log/mail.log:

Sep 27 18:28:28 localhost postfix/submission/smtpd[7656]: warning: TLS library problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1543:SSL alert number 42:

I cannot seem to figure it out. Can someone please give me some advice? I should note that this is on Ubuntu 20.04 LTS. Thank you in advance.
I used srv1.jayhosts.ca whenever asked during the install process. When I type hostname -f it outputs srv1.hostname.ca
I have done a complete re-install and I am still getting similar issues. I am still using srv1.jayhosts.ca as the hostname. I have added 1 client, 1 website and 1 email address. This is the output of the last bunch of lines from letsencrypt.log:

Code:
Domain: attackofthegamer.com
Type: dns
Detail: During secondary validation: DNS problem: query timed out looking up A for attackofthegamer.com

Domain: www.attackofthegamer.com
Type: dns
Detail: During secondary validation: DNS problem: query timed out looking up CAA for attackofthegamer.com

2020-09-28 01:05:44,192:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2020-09-28 01:05:44,193:DEBUG:certbot.error_handler:Calling registered functions
2020-09-28 01:05:44,193:INFO:certbot.auth_handler:Cleaning up challenges
2020-09-28 01:05:44,193:DEBUG:certbot.plugins.webroot:Removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/TTJIrTO32ZWnWDp1FoGizkHwhgZQv5Ki8UjmIxpzyHw
2020-09-28 01:05:44,193:DEBUG:certbot.plugins.webroot:Removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/0LD4azOEa3GllQKRmKARmt6gtZ4tN4yEYiIK0nmga0g
2020-09-28 01:05:44,193:DEBUG:certbot.plugins.webroot:All challenges cleaned up
2020-09-28 01:05:44,193:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/bin/letsencrypt", line 11, in <module>
    load_entry_point('certbot==0.40.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1382, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1265, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 417, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 348, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 396, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2020-09-28 01:05:44,669:DEBUG:certbot.main:certbot version: 0.40.0
2020-09-28 01:05:44,670:DEBUG:certbot.main:Arguments: ['--domains', 'attackofthegamer.com', '--domains', 'www.attackofthegamer.com']
2020-09-28 01:05:44,670:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-09-28 01:05:44,680:DEBUG:certbot.log:Root logging level set at 20
2020-09-28 01:05:44,680:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
Seems as if the DNS server that is authoritative for this domain is not working and therefore Let's Encrypt failed to issue the SSL cert. So you don't have a problem with your server setup or ISPConfig; the actual problem is the DNS setup of that domain.
I am not hosting my own DNS. I am using my hosting provider (Linode) to manage my DNS. Is this a problem? I have re-installed everything multiple times. I finally changed distributions and moved to Debian. It's been a couple of years since I have installed / used ISPConfig. This has me baffled. I've followed the perfect server guides for both Ubuntu (when installing on Ubuntu) and now Debian. Is there a way to make this work using my setup or should I investigate a new avenue of doing what I want?
No, but the information in name service must be correct. That one error at least seems to be fixed now:

Code:
$ dig attackofthegamer.com -t A

; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> attackofthegamer.com -t A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62105
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 11

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;attackofthegamer.com.          IN      A

;; ANSWER SECTION:
attackofthegamer.com.   86292   IN      A       172.105.4.208
. . .
Is the problem I am experiencing the untrusted issuer listed below? How do I fix this? Is it worth noting that I am not having problems when I go to the https version of any of my URLs? I don't get any errors, and when I click the lock beside the URL it says the certificate is valid and issued by Let's Encrypt Authority X3.

Code:
root@srv1:/var/log# posttls-finger mail.attackofthegamer.com
posttls-finger: Connected to mail.attackofthegamer.com[172.105.4.208]:25
posttls-finger: < 220 srv1.jayhosts.ca ESMTP Postfix (Debian/GNU)
posttls-finger: > EHLO srv1.jayhosts.ca
posttls-finger: < 250-srv1.jayhosts.ca
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 10240000
posttls-finger: < 250-VRFY
posttls-finger: < 250-ETRN
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-AUTH PLAIN LOGIN
posttls-finger: < 250-AUTH=PLAIN LOGIN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250-SMTPUTF8
posttls-finger: < 250 CHUNKING
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: mail.attackofthegamer.com[172.105.4.208]:25: subjectAltName: srv1.jayhosts.ca
posttls-finger: mail.attackofthegamer.com[172.105.4.208]:25 CommonName srv1.jayhosts.ca
posttls-finger: certificate verification failed for mail.attackofthegamer.com[172.105.4.208]:25: untrusted issuer /O=Digital Signature Trust Co./CN=DST Root CA X3
posttls-finger: mail.attackofthegamer.com[172.105.4.208]:25: subject_CN=srv1.jayhosts.ca, issuer_CN=Let's Encrypt Authority X3, fingerprint=03:85:98:38:15:BC:4C:38:63:D6:A4:5B:83:5C:BF:20:F3:A3:79:77, pkey_fingerprint=55:F1:5F:28:78:4B:0B:F6:70:AD:82:17:09:86:E4:7A:09:2E:F4:20
posttls-finger: Untrusted TLS connection established to mail.attackofthegamer.com[172.105.4.208]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
posttls-finger: > EHLO srv1.jayhosts.ca
posttls-finger: < 250-srv1.jayhosts.ca
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 10240000
posttls-finger: < 250-VRFY
posttls-finger: < 250-ETRN
posttls-finger: < 250-AUTH PLAIN LOGIN
posttls-finger: < 250-AUTH=PLAIN LOGIN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250-SMTPUTF8
posttls-finger: < 250 CHUNKING
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye

I really appreciate the answers so far. Thank you very much.
You cannot test the certificate Postfix and Dovecot use by clicking the address bar in a browser. The browser shows the certificate the website uses, which is not necessarily the same as the one Postfix and Dovecot use. My signature has links to DNS setup, which include instructions on how to test that name service is working properly. The signature also has a link to e-mail setup, which shows how to test that e-mail is set up properly. The tutorial by @ahrasis shows how to set up certificates for applications.
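One way to do the check the reply above recommends, testing the certificate the mail server itself presents after STARTTLS rather than the website's, as an added example that is not code from this thread, Postfix or ISPConfig. It assumes the submission port 587 and the system CA store; the "SSL alert number 42" (bad_certificate) in the first post's mail.log is the client telling Postfix it rejected the certificate, and the posttls-finger output above shows why: the SAN is srv1.jayhosts.ca while clients connect to mail.attackofthegamer.com.

```python
"""Report whether an SMTP server's STARTTLS certificate is trusted and
names the host clients connect to. Added example, not from the thread;
the names in the test mirror it (cert for srv1.jayhosts.ca, clients
connecting to mail.attackofthegamer.com)."""
import smtplib
import ssl
import sys
from typing import Iterable, Optional


def hostname_matches(hostname: str, san_dns_names: Iterable[str]) -> bool:
    """RFC 6125-style match of hostname against the cert's dNSName SANs.
    A wildcard counts only as the whole leftmost label and matches exactly
    one label, which is how mail clients and Postfix treat it."""
    host = hostname.rstrip(".").lower()
    for name in san_dns_names:
        name = name.rstrip(".").lower()
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False


def diagnose(hostname: str, san_dns_names: Iterable[str]) -> Optional[str]:
    """None when the cert covers hostname, else a one-line fix suggestion."""
    names = list(san_dns_names)
    if hostname_matches(hostname, names):
        return None
    return (f"certificate names {', '.join(names)} do not cover {hostname}; "
            f"either add {hostname} as a SAN or point clients at {names[0]}")


def check_smtp_cert(hostname: str, port: int = 587) -> Optional[str]:
    """Connect, STARTTLS, and return None only if chain AND name are good."""
    ctx = ssl.create_default_context()   # system CA store, chain is verified
    ctx.check_hostname = False           # the name check is done by diagnose()
    try:
        with smtplib.SMTP(hostname, port, timeout=10) as smtp:
            smtp.starttls(context=ctx)
            cert = smtp.sock.getpeercert()   # populated only when chain verified
    except ssl.SSLCertVerificationError as exc:
        return f"chain not trusted (self-signed or missing intermediate): {exc}"
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return diagnose(hostname, sans)


if __name__ == "__main__":
    print(check_smtp_cert(sys.argv[1]) or "certificate OK")
```

Run it against the name your mail clients are configured with (the MX or mail.example host), not the server's own hostname, since that is the name clients compare against the SAN.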