Incorrect validation certificate for TLS-SNI-01 challenge

Discussion in 'Installation/Configuration' started by raspdroid, Feb 19, 2017.

  1. raspdroid

    raspdroid Member

    Hello,

    I use ISPConfig 3.1.2 + LetsEncrypt and I want to install a certificate for mail1 server (ISPConfig Multiserver installation) from mail.domian1.com server I run this command from this post:

    Code:
    certbot auth --text --agree-tos --standalone --email postmaster@`hostname -d` -d `hostname -f` -d mail.`hostname -f`
    
    I get this error:
    Is it possible to add mail1.domain1.com if I am already using a certificate on the web1 server for websites and for the ISPConfig interface?

    I have this records to mail1.domain1.com
    A mail1 150.70.50.185
    CNAME mail mail1.domain1.com
    MX @ mail1.domain1.com (Priority: 10)
    TXT @ "v=spf1 mx ip4:150.70.50.185 mx:mail1.domain1.com -all"

    Best regards
     
  2. raspdroid

    raspdroid Member

    On mail server I have not open 80 or 443 ports aslo I have not webserver, only Postfix and Dovecot.
    Should I do it from the web server (web1) and then use it on the mail server?
     
  3. sjau

    sjau Local Meanie Moderator

    Please provide real domain.
     
    raspdroid likes this.
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    raspdroid likes this.
  5. raspdroid

    raspdroid Member

  6. sjau

    sjau Local Meanie Moderator

    what does hostname -f return?
     
  7. raspdroid

    raspdroid Member

    mail1.grancaweb.com

    and short (-s)
    mail1

    and domain (-d)
    grancaweb.com
     
  8. sjau

    sjau Local Meanie Moderator

    so,

    Code:
    -d mail.`hostname -f`
    
    would be
    Code:
    -d mail.mail1.grancaweb.com
    
     
    raspdroid likes this.
  9. raspdroid

    raspdroid Member

    Yes, I guess. But I don't that. I want something like this mail1.grancaweb.com. In the last attempt I have deleted -d mail.`hostname -f`
     
  10. sjau

    sjau Local Meanie Moderator

    the please post according command you've used and the log.
     
    raspdroid likes this.
  11. raspdroid

    raspdroid Member

    Code:
    ./certbot-auto auth --text --agree-tos --standalone --email [email protected] -d mail1.grancaweb.com 
     
  12. raspdroid

    raspdroid Member

    From mail server with dns-api not works to me. with Godaddy production key.


     
    Last edited: Feb 20, 2017
  13. sjau

    sjau Local Meanie Moderator

    do you host the DNS with GoDaddy or do you host it on your ISPConfig installation?

    It seems your authentication with GoDaddy isn't right:
    Code:
    [Mon 20 Feb 12:07:38 UTC 2017] {"code":"UNABLE_TO_AUTHENTICATE","message":"Unable to authenticate","name":"ApiError"}
    
     
    raspdroid likes this.
  14. sjau

    sjau Local Meanie Moderator

    also, don't know why certbot fails :(
     
    raspdroid likes this.
  15. raspdroid

    raspdroid Member

    Still with Godaddy because I have not yet been able to configure my DNS with ISPConfig
     
  16. sjau

    sjau Local Meanie Moderator

    raspdroid likes this.
  17. raspdroid

    raspdroid Member

    Yes. I have checked with echo $GD_Key and $GD_Secret

    I am doing it from the mail server, which has no http or https port enabled. In case it can be for that.

    I now create another Godaddy production key for the web server. And I'll try from the web server. I think it will be better to start from scrtatch. But now using the acme client with the dns-plugin or dns-api-plugin. And creating different certificates for the ISPConfig web interface and for websites.
     
    Last edited: Feb 20, 2017
  18. raspdroid

    raspdroid Member

    From the web server all is success.

    ./acme.sh --issue --dns dns_gd -d grancaweb.com -d www.grancaweb.com -d mail1.grancaweb.com --debug

    In the GoDaddy panel I can see three TXT records.
    _acme-challenge
    _acme-challenge.mail1
    _acme-challenge.www

    dns-api-plugin work like a charm.

    By the way, although not specified here , works fine con ARM hard float (Raspbian Jessie/Stretch).
     
    Last edited: Feb 20, 2017
  19. sjau

    sjau Local Meanie Moderator

    Raspian is basically Debian :)

    You also know about the
    Code:
    acme.sh --installcert -d grancaweb.com --certpath /path/to/cert --keypath /path/to/key --fullchainpath /path/to/fullchain --reloadcmd "systemctl systemctl restart dovecot; systemctl reload postfix"
    
    command?

    If you have adjusted your postfix/dovecot configs to use the certs that were directly download then you can omit the keypath, certpath and fulchainpath options and just use the reloadcmd one to restart/reload the services.

    And DNS-01 auth is really nice because it allows easily to get certs alsof for machines that are behind NAT and stuff.
     
    raspdroid likes this.
  20. raspdroid

    raspdroid Member

    No i do not know him. Thanks.

    At this point I'm lost.

    Now the certificate is on web server in /home/user/.acme/
    To use it on the mail server (which is separate), do I copy the folder containing the certificate to the mail server?

    Something like that?

    Code:
    scp -r -Port /home/user/.acme-sh/grancaweb.com/ [email protected]:/home/user/.acme-sh/
    And then install it with acme.sh --installcert from mail server?

    This are TLS parameter to Postifx:
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_use_tls = yes

    Dovecot:
    /etc/dovecot/dovecot.conf
    listen = *,[::]
    protocols = imap pop3
    ssl_cert = </etc/postfix/smtpd.cert
    ssl_key = </etc/postfix/smtpd.key
    ssl_protocols = !SSLv2 !SSLv3


    /etc/dovecot/conf.d/10-ssl.conf
    ##
    ## SSL settings
    ##
    ssl = no
    #ssl_cert = </etc/dovecot/dovecot.pem
    #ssl_key = </etc/dovecot/private/dovecot.pem
     
    Last edited: Feb 20, 2017

Share This Page