Hello, I am running into an issue with Dovecot. I think this has to do with the dh.pem file. But I am unable to find the problem at the moment. I am hoping someone can help. Thanks.

Error:
Code:
Oct 3 16:41:29 s1 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=77.248.76.56, lip=136.144.206.44, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<OhO3lAKUqWFN+Ew4>
Oct 3 16:41:29 s1 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=77.248.76.56, lip=136.144.206.44, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<0SS5lAKUWdNN+Ew4>

Config [/etc/dovecot/dovecot.conf]:
Code:
listen = *,[::]
protocols = imap pop3
auth_mechanisms = plain login
disable_plaintext_auth = no
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_privileged_group = vmail
ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key
#test 2019-10-03
#ssl_protocols = !SSLv3
#added 2019-09-08
ssl_dh =</usr/share/dovecot/dh.pem
ssl_min_protocol = TLSv1.2
# mail_max_userip_connections = 100
mail_plugins = $mail_plugins zlib
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
userdb {
  driver = prefetch
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
plugin {
  quota = dict:user::file:/var/vmail/%d/%n/.quotausage
  sieve=/var/vmail/%d/%n/.sieve
  sieve_max_redirects = 25
  zlib_save_level = 9 # 1..9; default is 6
  zlib_save = gz # or bz2, xz or lz4
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0600
    user = vmail
  }
  user = root
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
    # For higher volume sites, it may be desirable to increase
    # the number of active listener processes.
    # A range of 5 to 20 is probably good for most sites
    # process_min_avail = 5
  }
}
service imap-login {
  client_limit = 1000
  process_limit = 512
}
protocol imap {
  mail_plugins = quota imap_quota zlib
}
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
  mail_plugins = quota
}
protocol lda {
  postmaster_address = [email protected]
  mail_plugins = sieve quota zlib
}
protocol lmtp {
  postmaster_address = [email protected]
  mail_plugins = quota sieve
}
service stats {
  unix_listener stats-reader {
    user = vmail
    group = vmail
    mode = 0660
  }
  unix_listener stats-writer {
    user = vmail
    group = vmail
    mode = 0660
  }
}
Unable to rerun the update per https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/
Code:
Please choose the update method. For production systems select 'stable'.
WARNING: The update from GIT is only for development systems and may break your current setup. Do not use the GIT version on servers that host any live websites!
Note: Update all slave server, before you update master server.
Select update method (stable,git-stable,git-master) [stable]:
There are no updates available for ISPConfig 3.1.15
root@s1:/#

Unable to re-install Let's Encrypt per https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/
Code:
root@s1:/opt/certbot# ./certbot-auto --install-only
Error: couldn't get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
    from certbot.main import main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 5, in <module>
    import logging.handlers
  File "/usr/lib/python2.7/logging/__init__.py", line 26, in <module>
    import sys, os, time, cStringIO, traceback, warnings, weakref, collections
  File "/usr/lib/python2.7/weakref.py", line 14, in <module>
    from _weakref import (
ImportError: cannot import name _remove_dead_weakref
root@s1:/opt/certbot#

Help. I am stuck.
Moved the "venv" folder in /opt/eff.org/certbot/ to a backup directory and re-ran ./certbot-auto --install-only, which results in a re-install of Let's Encrypt. Just removed a certificate and got a new one. I see the last working cert. That seems to work. The problem with Dovecot is still there.
I did look a bit further. I did notice the files "ispserver.crt" and "ispserver.key" contain expired certificates. When I navigate to https://s1.gigabitjes.nl it will use a valid cert. But when I navigate to https://s1.gigabitjes.nl:8080 the certificate expired today. Guess what: the certs used by Dovecot are the same:
Code:
root@s1:/etc/dovecot# ls -lah /etc/postfix/smtpd.cert
lrwxrwxrwx 1 root root 48 Oct 3 16:04 /etc/postfix/smtpd.cert -> /usr/local/ispconfig/interface/ssl/ispserver.crt
root@s1:/etc/dovecot# ls -lah /etc/postfix/smtpd.key
lrwxrwxrwx 1 root root 48 Oct 3 16:04 /etc/postfix/smtpd.key -> /usr/local/ispconfig/interface/ssl/ispserver.key

So, for some reason the certs for ISPConfig itself aren't being updated? Isn't that odd? What am I doing wrong?
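The symlink chain above (ssl_cert -> smtpd.cert -> ispserver.crt) is exactly what an expiry check has to follow, so here is an added example, not code from this thread or from Dovecot/ISPConfig: a standard-library Python check that reads the active ssl_cert setting from dovecot.conf, resolves the symlinks, parses the certificate's validity window with a minimal DER walker and reports whether it has expired. The demo() fixture is constructed for this example (an unsigned placeholder certificate in a temp directory laid out like the page's smtpd.cert -> ispserver.crt); nothing in it comes from the poster's server.

```python
import os, re, ssl, tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path
def _tlv(buf, pos):                          # minimal DER walker: (tag, value, next position)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _asn1_time(tag, raw):
    s = raw.decode("ascii")
    if tag == 0x17:                          # UTCTime: per RFC 5280, YY >= 50 means 19YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_validity(der):                      # (notBefore, notAfter) of a DER X.509 certificate
    _, cert, _ = _tlv(der, 0)                # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                # tbsCertificate ::= SEQUENCE
    tag, _, pos = _tlv(tbs, 0)               # version [0] EXPLICIT (absent in v1 certs)
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)           # serialNumber
    _, _, pos = _tlv(tbs, pos)               # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)               # issuer Name
    _, validity, _ = _tlv(tbs, pos)          # validity ::= SEQUENCE { notBefore, notAfter }
    t1, nb, pos = _tlv(validity, 0)
    t2, na, _ = _tlv(validity, pos)
    return _asn1_time(t1, nb), _asn1_time(t2, na)

def check_dovecot_cert(conf_path):           # follow the active ssl_cert setting through symlinks
    m = re.search(r"^\s*ssl_cert\s*=\s*<(\S+)", Path(conf_path).read_text(), re.MULTILINE)
    real = os.path.realpath(m.group(1))      # e.g. smtpd.cert -> ispserver.crt, as on this page
    nb, na = cert_validity(ssl.PEM_cert_to_DER_cert(Path(real).read_text()))
    now = datetime.now(timezone.utc)
    status = "expired" if now > na else "not yet valid" if now < nb else "valid"
    return {"configured": m.group(1), "real": real, "not_after": na, "status": status}

_der = lambda tag, body: bytes([tag, len(body)]) + body   # DER TLV encoder, short-form length only
def demo(days_left):
    """Constructed fixture (not from the page): unsigned minimal cert expiring in days_left days."""
    now = datetime.now(timezone.utc)
    utc = lambda t: _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    validity = _der(0x30, utc(now - timedelta(days=1)) + utc(now + timedelta(days=days_left)))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") * 2 + validity)
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))   # empty sigAlg, dummy signature
    d = Path(tempfile.mkdtemp())             # mirror the page's layout: smtpd.cert -> ispserver.crt
    (d / "ispserver.crt").write_text(ssl.DER_cert_to_PEM_cert(cert))
    os.symlink(d / "ispserver.crt", d / "smtpd.cert")
    (d / "dovecot.conf").write_text(f"#ssl_cert = </old.crt\nssl_cert = <{d}/smtpd.cert\n")
    return check_dovecot_cert(d / "dovecot.conf")
```

On a real host, call check_dovecot_cert("/etc/dovecot/dovecot.conf"): a result of "expired" with "real" pointing into /usr/local/ispconfig/interface/ssl is the situation this thread describes.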
After updating and manually executing LE4ISPC the certificates in /usr/local/ispconfig/interface/ssl were overwritten. But the certificate still seems expired. There must be something odd going on. So, removed the certificate for s1.gigabitjes.nl through ISPConfig. Next unticked Let's Encrypt. Ticked Let's Encrypt again. Created a new certificate - note: changed the state from "Friesland" to "Fryslan". Checked the Let's Encrypt log...
Code:
root@s1:/usr/local/ispconfig/interface/ssl# cat /var/log/letsencrypt/letsencrypt.log
2019-10-03 20:52:18,960:DEBUG:certbot.main:certbot version: 0.39.0
2019-10-03 20:52:18,960:DEBUG:certbot.main:Arguments: ['--domains', 's1.gigabitjes.nl']
2019-10-03 20:52:18,960:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-10-03 20:52:18,970:WARNING:certbot.cli:You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. The letsencrypt client has also been renamed to Certbot. We recommend upgrading to the latest certbot-auto script, or using native OS packages.
2019-10-03 20:52:18,970:DEBUG:certbot.cli:Deprecation warning circumstances: /opt/eff.org/certbot/venv/bin/certbot / {'LANG': 'en_US.UTF-8', 'SHELL': '/bin/sh', 'LANGUAGE': 'en_US:en', 'SHLVL': '1', 'OLDPWD': '/root', 'PWD': '/usr/local/ispconfig/server', 'LOGNAME': 'root', 'PATH': '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', 'HOME': '/root', '_': '/opt/eff.org/certbot/venv/bin/certbot'}
2019-10-03 20:52:18,984:DEBUG:certbot.log:Root logging level set at 20
2019-10-03 20:52:18,985:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-10-03 20:52:19,006:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): ocsp.int-x3.letsencrypt.org:80
2019-10-03 20:52:19,155:DEBUG:urllib3.connectionpool:http://ocsp.int-x3.letsencrypt.org:80 "POST / HTTP/1.1" 200 527
2019-10-03 20:52:19,157:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/live/s1.gigabitjes.nl/cert.pem is signed by the certificate's issuer.
2019-10-03 20:52:19,164:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/live/s1.gigabitjes.nl/cert.pem is: OCSPCertStatus.GOOD
You posted in the Linux forum, but it looks to me that the host is running ISPConfig. Then you should let ISPConfig handle Let's Encrypt. Running LE commands on the command line breaks the certificate setup made by ISPConfig. I have set up Dovecot to use the same certificate as Postfix using this: https://www.howtoforge.com/tutorial...ote-this-shouldnt-exist-together-with-courier