It's a little bit confusing for me how ISPConfig certificates are linked and used. Can someone explain which services link to which certificates and where the certificates are stored? As I see, newly issued Letsencrypt certificates are put to /etc/letsencrypt/archiv/FQDN/*.pem. To this folder there are soft-links from /etc/letsencrypt/archiv/FQDN and /usr/local/ispconfig/interface/ssl/ispconfig:
- ispserver.crt -> fullchain.pem (pointing to "live" which is pointing to "archiv")
- ispserver.key -> privkey.pem
Where, in which folders, are the links for postfix, dovecot and pureftp and other services using these certificates, and where do they point to?
The above is correct if you are using certbot as LE client. The certs in the live folder are symbolically linked to the latest ones in the archive folder. The certs in the ISPConfig ssl folder are symbolically linked to that live folder, though the pem cert is a merge of the two main certs, which is done during the cert creation and renewal thereafter. The other services that rely on the LE certs, including the created pem cert, are symbolically linked to the ISPConfig ssl folder.
Found links for postfix in my config, which are:
"/etc/postfix/smtpd.cert" -> "/usr/local/ispconfig/interface/ssl/ispserver.crt"
"/etc/postfix/smtpd.key" -> "/usr/local/ispconfig/interface/ssl/ispserver.key"
Are they right/ok? But dovecot uses its own keys on my system. Should I set a link as postfix does, and if so, how to handle "pem"? What I currently have is:
"/etc/dovecot/private/dovecot.key" -> "/etc/ssl/private/ssl-cert-snakeoil.key"
"/etc/dovecot/private/dovecot.pem" -> "/etc/ssl/private/ssl-cert-snakeoil.pem"
In the destination there is only one file "/etc/ssl/private/ssl-cert-snakeoil.key" but no "ssl-cert-snakeoil.pem". Should it look like this, as postfix does?
"/etc/dovecot/private/dovecot.pem" -> "/usr/local/ispconfig/interface/ssl/ispserver.crt"
"/etc/dovecot/private/dovecot.key" -> "/usr/local/ispconfig/interface/ssl/ispserver.key"
It's really easy, as all services use the central SSL cert files in the /usr/local/ispconfig/interface/ssl/ folder, which themselves can be symlinks to certbot files if certbot is used. The mail system also uses the files in the /usr/local/ispconfig/interface/ssl/ folder. Yes, they are ok. Dovecot uses the same cert and key as Postfix. You looked into the wrong file. You must only check the dovecot.conf file, no other file matters. But as mentioned above, dovecot is also using the cert from the /usr/local/ispconfig/interface/ssl/ folder, so no need to look into any further config files.
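A small check for the chain described above, added here as an example and not part of ISPConfig's own tooling: it walks a service's cert symlink hop by hop and tells whether two service files (e.g. postfix and dovecot) end at the same real certificate. All paths are built in a constructed temp directory that mimics the layout from the thread, not the real /etc.

```shell
#!/bin/sh
# Walk a symlink chain (service file -> ispconfig ssl -> letsencrypt live
# -> letsencrypt archive) and compare where two service files end up.

# Print every hop of a symlink chain, one path per line, ending at the real file.
resolve_chain() {
    p=$1
    while [ -L "$p" ]; do
        printf '%s\n' "$p"
        t=$(readlink "$p")
        case "$t" in
            /*) p=$t ;;
            *)  p=$(dirname "$p")/$t ;;   # relative link: resolve from the link's dir
        esac
    done
    printf '%s\n' "$p"
}

# Return 0 when both paths resolve to the same real file (same certificate).
same_cert() {
    [ "$(readlink -f "$1")" = "$(readlink -f "$2")" ]
}

# Constructed demo tree (hypothetical hostname, nothing from a real server).
make_demo() {
    ROOT=$(mktemp -d)
    mkdir -p "$ROOT/letsencrypt/archive/mail.example.test" \
             "$ROOT/letsencrypt/live/mail.example.test" \
             "$ROOT/ispconfig/ssl" "$ROOT/postfix" "$ROOT/dovecot/private" "$ROOT/ssl"
    echo "LE fullchain (constructed)" > "$ROOT/letsencrypt/archive/mail.example.test/fullchain1.pem"
    echo "snakeoil (constructed)"     > "$ROOT/ssl/ssl-cert-snakeoil.pem"
    ln -s ../../archive/mail.example.test/fullchain1.pem "$ROOT/letsencrypt/live/mail.example.test/fullchain.pem"
    ln -s "$ROOT/letsencrypt/live/mail.example.test/fullchain.pem" "$ROOT/ispconfig/ssl/ispserver.crt"
    ln -s "$ROOT/ispconfig/ssl/ispserver.crt" "$ROOT/postfix/smtpd.cert"
    # dovecot still pointing at the snakeoil cert, the situation asked about above
    ln -s "$ROOT/ssl/ssl-cert-snakeoil.pem" "$ROOT/dovecot/private/dovecot.pem"
    echo "$ROOT"
}

ROOT=$(make_demo)
resolve_chain "$ROOT/postfix/smtpd.cert"
resolve_chain "$ROOT/dovecot/private/dovecot.pem"
if same_cert "$ROOT/postfix/smtpd.cert" "$ROOT/dovecot/private/dovecot.pem"; then
    echo "postfix and dovecot serve the same certificate"
else
    echo "MISMATCH: dovecot does not serve the ISPConfig/LE certificate"
fi
```

On a real server, run resolve_chain against /etc/postfix/smtpd.cert and the ssl_cert path from dovecot.conf instead of the demo paths.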
Thank you, got it. In my config, entries in "dovecot.config" point to "/etc/postfix/smtp.[crt][pem]", and these point to "/usr/local/ispconfig/interface/ssl/ispserver.[crt][pem]", and these point to the Letsencrypt folder "/etc/letsencrypt/live/FQDN", which finally points to "/etc/letsencrypt/archive/FQDNxx" (xx version number).
To use Roundcube I had to create a website "FQDN" with LE certificate. Updating the LE cert for ISPConfig and the Roundcube website LE cert, are these different certs/things?
This is related so I thought I'd put the question here so it is easier to find. I have all the certificates set as expected for both web and mail. My web clients are all reporting the certificate to be trusted and valid. My mail clients are getting a not-trusted message when connecting to their mail accounts. Postfix is pointing to the ispconfig keys (smtpd.key -> /usr/local/ispconfig/interface/ssl/ispserver.key) Thoughts?
Mail clients connect to dovecot. So it seems dovecot is using an outdated certificate, or a self-signed certificate. Have you restarted dovecot after the certificate was renewed? @till explained above how to see what certificate files dovecot is using.
My guess is your mail clients likely use the wrong domain to connect. They must use the hostname of your system and not a subdomain of one of their own domains. See email guide: https://www.howtoforge.com/ispconfig-email-account/
I believe you are correct Till. However, now a different error has popped up after I ran the ISPConfig update. I'll make another thread.
Check SSL folder of the site to see where the symlink points to. Then check the symlink in ISPConfig SSL folder. If both point to the same cert in /etc/letsencrypt/...... then they use the same SSL cert.
Yes, thank you, pointing to the LE certs as follows:
/var/www/clients/client1/webxx/ssl/FQDN-le.bundle -> /etc/letsencrypt/live/FQDN/chain.pem
/var/www/clients/client1/webxx/ssl/FQDN-le.crt -> /etc/letsencrypt/live/FQDN/fullchain.pem
/var/www/clients/client1/webxx/ssl/FQDN-le.key -> /etc/letsencrypt/live/FQDN/privkey.pem