Incorrect validation certificate for TLS-SNI-01 challenge

This seems to work.

On web server:

Code:

./acme.sh --issue --dns dns_gd -d grancaweb.com -d www.grancaweb.com -d mail1.grancaweb.com -d smtp.grancaweb.com  -d imap.grancaweb.com -d pop3.grancaweb.com --debug

[Mon 20 Feb 23:57:02 UTC 2017] _on_issue_success

$ scp -r grancaweb.com/ to mail server.

On mail server:

Code:

acme.sh --installcert -d grancaweb.com --certpath /etc/postfix/smtpd.cert --keypath /etc/postfix/smtpd.key --reloadcmd "systemctl restart dovecot; systemctl reload postfix"
[Tue 21 Feb 00:12:28 UTC 2017] Installing cert to:/etc/postfix/smtpd.cert
[Tue 21 Feb 00:12:28 UTC 2017] Installing key to:/etc/postfix/smtpd.key
[Tue 21 Feb 00:12:28 UTC 2017] Run reload cmd: systemctl restart dovecot; systemctl reload postfix
[Tue 21 Feb 00:12:29 UTC 2017] Reload success

Then in Mozilla Thundebird:
File --> New --> Existing e-mail account:
Your name --> HowToForge
E-mail --> [email protected]
Password --> howtoforge
Click on Continue button.
Wait a little.
And magic !. Everything is set up alone.
Click on Done button and ready.

 

I added the DKIM record to DNS zone generated from ISPConfig3 and everything works fine. It is possible to sent and and receive, and the mails arrive in the inbox of Gmail, not in Spam folder.

Thanks for your help guys.

Best regards.

 

now you have to wait 60 days to see if auto-renewal works. Best mark april 25 or so as a date in your calender to recheck the certs if all is fine

 

I doubt very much that the certificate is renewed because it did not add anything to cron, neither in the web server nor the mail server . I do not know how to do it either. It is a bit lousy to have to issue the certificate from the web server to then copy it to the mail server and install it from there and also have to renew it,I guess the procedure is to renew it on the web server and then copy and install it on the mail server.

All this would be great if it did ISPConfig3.

Best Regards

 

What you could do is run this reloadcmd:

Code:

cat "/home/user/.acme-sh/grancaweb.com/grancaweb.com.key" "/home/user/.acme.sh/grancaweb.com/fullchain.cer" > /tmp/smtpd.cert"; scp "/tmp/smtpd.cert" "[email protected]:/etc/postfix/smtpd.cert"; scp "/home/user/.acme.sh/grancaweb.com/grancaweb.com.key" "[email protected]:/etc/postfix/smtpd.key"; ssh "[email protected]" "systemctl restart postfix; systemctl restart dovecot"

Basically this will concatenate the cert and the full chain into one file,
then copy that over to your mail server
also copy over the key to your mail server
tell mailserver through ssh to restart postfix and dovecot

You should be able to put that into the reload command. You can edit the /home/user/.acme-sh/grancaweb.com.conf file and add it there. Very likely you'll have to replace the double quotes (") with single quotes (')


but why don't you run the acme.sh script on the mailserver?

 

Hello!,
I had problems with the renovation and the services stopped working. I deleted all the certificates and requested them again.

Code:

acme.sh --issue --dns dns_gd -d domain.com -d www.domain.com -d mail1.domain.com -d smtp.domain.com  -d imap.domain.com -d pop3.domain.com --debug

In /var/www/domain.com/ssl I deleted all files and copy the fullcachin.cer the .crt and .key files so:

Code:

systemctl restart apache2.service

But not works to me:

Line 227:
IncludeOptional sites-enabled/

Any idea how to solve this?

Regards

 

I have no idea what you did.... but there's an install cert routine for acme.sh. You should use that. acme.sh has two main routeins: (a) obtaining a cert [and storing it in the ~/.acme.sh/ path if not indicated otherwise]; and (b) installing the cert to its actual location on the system.

E.g. I use this:

Code:

domain="domain.tld";
acme.sh --installcert -d ${domain} --ecc --certpath /var/www/${domain}/ssl/${domain}.crt --keypath /var/www/${domain}/ssl/${domain}.key --fullchainpath /var/www/${domain}/ssl/${domain}.bundle --reloadcmd "systemctl reload apache2"

Omit the --ecc option if you don't use an eliptic curve though. Maybe I should make an interactive script out of it that will do both... first get cert and then install it.

 

Hello!,
I have not been able to resolve this yet for a while. I'm going to try it now. Did you finally create a script?
Best regards

 

not sure what you mean... DNS-01 plugin for ISPC has been integrated into acme.sh for a long time now. It works fine. No idea what you mean by script.

 

to this:
Omit the --ecc option if you don't use an eliptic curve though. Maybe I should make an interactive script out of it that will do both... first get cert and then install it.

 

never written the script... haven't seen a need... you have all the necessary info already...

 

Ok, thank you!

 

btw, did you get it to run?

 

I got "Incorrect validation certificate for tls-sni-01 challenge" while trying to renew certificates for my sites (all sharing the same ip). Running Centos 7.2 + apache. Here's how I corrected this:
1. installed the updated certbot (yum install python2-certbot-apache)
2. stopped apache and called certbot, like this:
apachectl stop
certbot renew --standalone
Turns out certbot starts apache after a successful renew, so I had to "apachectl stop ; certbot renew --standalone" over and over again until all certificates were renewed.
Then started apache:
apachectl start
Hope this helps, Tech::LevOr

 

Manual job for renewing is bad. There is hook for certbot of which you can set when you were requesting LE certs. That hook will be kept inside its renewal file conf and called automatically during the renewal process so you don't to do it manually.

So you either edit the renewal conf file; or delete your current certs and request the new ones with hooks.