Invalid Certificate warning for all services except web...

Discussion in 'Server Operation' started by WATYF, Dec 5, 2020.

  1. WATYF

    WATYF New Member

    I've got a VPS running CentOS 7.9.2009 and Pure-FTPd 1.0.47. I've got all of the basic stuff up and running (web, FTP, email, etc), but I'm new to SSL so I'm having a lot of trouble getting it to work with my various services. I purchased a PositiveSSL cert, thinking it would work with all of the services, but apparently that's not the case. I have it working for web (which is the one thing I *don't* need it for), but can't get it working properly for the ISPConfig control panel, FTP or Email. I setup the cert in ISPConfig3 for my domain in the Sites panel, but nothing changed except the web aspect. For ISPConfig, FTP, and Email, I get an invalid certificate warning telling me to store an exception if I want to connect to the server. I thought purchasing a cert would make that go away, but apparently not. Obviously I can still connect, but why am I getting this warning for everything except web? Is there something else I need to do to get this cert to function properly for all of the other services?
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  3. WATYF

    WATYF New Member

    Are you saying I should put the .crt file they sent me in the "web" folder and then reference it in the steps mentioned in that tutorial? What about .key and .pem files? They didn't send me those.

    Would I be better off scrapping this cert and just using Let's Encrypt?
     
  4. WATYF

    WATYF New Member

    I should mention that I also have a Let's Encrypt cert. I had a lot of trouble figuring out how to get FTP to work with SSL and one of the steps I tried was this script, which created the cert: https:// github.com/ahrasis/LE4ISPC
     
  5. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You can install the cert in the SSL tab of your domain.

    I personally use Let’s Encrypt and it works fine. Haven’t used the built-in script nor LE4ISPC, but with the tutorial I send you and https://www.howtoforge.com/securing...server-with-a-valid-lets-encrypt-certificate/

    But if you replace the Let’s Encrypt paths you can use your own cert.

    PositiveSSL has a knowledge base with articles like https://support.sectigo.com/PS_KnowledgeDetailPage?Id=kA03l00000117PV that can help you.
     
  6. WATYF

    WATYF New Member

    Well, I got SSL working for ISPConfig, but not FTP or Email. I copied my cert/key into to the appropriate location (which I found here: https://www.getpagespeed.com/server-setup/ssl-directory) and then I ran the commands for ISPConfig, rebooted the server, and it worked. No invalid cert warning.

    But I ran the commands for Postfix/Dovecot/Pure-FTPd, which reference the same crt/key files I used for ISPConfig, but there was no change. I still get the invalid cert warning for FTP cons or when checking email or sending email via SMTP. Is there something else I need to do?
     
  7. WATYF

    WATYF New Member

    Just for kicks, I tried removing the cert I purchased and using Let's Encrypt for my Site. I ran all of the commands from that link (which were the same for the most part, since I'm now using Let's Encrypt), and I got the same result: Web and ISPConfig are secured and working fine with no warning, Email and FTP still give an invalid cert warning.

    One thing to note: in the instructions, it tells you to use $(hostname -f) to reference the letsencrypt folder, but that returns the FQDN of the server. Let's Encrypt is setup on the Site (i.e. mydomain.com). I used mydomain.com instead of $(hostname -f). I don't know if that could have anything to do with this.

    Also worth noting is that I discovered that if I remove the "mail." from mail.mydomain.com in my email client, it was able to successfully check for and return email via IMAP. The same trick didn't work for sending mail (SMTP), and another app I use to check for new messages also failed to work even without the mail subdomain.
     
  8. WATYF

    WATYF New Member

    I tried a .NET client I have the source code for, and this is what it says when I try to connect. It appears that a self-signed cert is being returned. So why? I have the correct cert installed and setup for pure-ftpd. Why would it be referencing this invalid cert?

    upload_2020-12-5_20-37-49.png
     
  9. WATYF

    WATYF New Member

    Well, I figured this out, for the most part. It was that Thumbprint (in the screenshot above) that helped. I did a search of every crt and pem file on my server and ran them through OpenSSL to see what their fingerprint was. It ends up that the pem file being used by pure-ftpd was not in /etc/ssl/private/ (like the tutorial says), it was in /etc/pki/pure-ftpd. It was similarly different for dovecot.
     
    ahrasis and Th0m like this.
  10. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Yes, the paths can differ in CentOS.
     
  11. ahrasis

    ahrasis Well-Known Member

    I remember mkdir -p and symlink server LE SSL certs create to /etc/ssl/private, so it is almost not possible you are missing the folder if you use ISPConfig 3.2+ (install or update) to obtain LE SSL certs for the server and its services.
     

Share This Page