Lets encrypt is activated on domains and works on websites but not email

Hi There
As the title sayes , we have enabled ssl with lets encrypt using built in ispconfig 3.1 ability and it works with https websites hosted , but the email clients do not work . The mail client reports that the cert is from internet widgets .

Is there a seperate place to enable ssl for email services ?
thanks

Paul

 

You must set up your mail server to use the LE certificate. See for example this very long thread:
https://www.howtoforge.com/communit...l-port-8080-with-lets-encrypt-free-ssl.75554/

 

Thanks Taleman but that refers to ispconfig 3.0 using nginx , ispconfig 3.1 has the setup integrated into it so im looking for a more specific reason or guide to get it working .
I don't want to experiment as it is a live server and I'm not particulary conversant with Linux ...it does run on a vm so ill create a bookmark before I do it so that if I totally screw it up can revert it back .

 

Just wondering if Till or Falko have any words of wisdom here ?
THanks

 

SO if my hunch is correct , the utility in the ISPCF3.1 has probably setup the LE cert for web only as it seems to work for websites . HTTPS sites work well for each domain hosted .
I'm also going to assume at this stage that ISPCF3.1 auto renews these certs with lets encrypt when they expire ?
So if I follow the guide to copy the certs to postfix etc for email will that automatically renew still ? also , do I have to copy the certs for each individual domain ?
Thanks ..

 

SO if I have clients use their own domain name as their mail server address ( mail.individualcompanydomain.com) as opposed to (mail.ourserverdomain.com ) it will create problems ?
Thanks ..

 

Hi Guys
I have followed the guide for creating the links to the certs for postfix and dovecot etc .
when I test this using outlook on a clients machine I get this warning ..

The server you are connecting to is using a security certificate that connot be verified.

The target principle name is incorrect …

How do I correct this ? is it an issue with the way the servers SSL cert from lets encrypt is viewed ? or is it an issue with the config of the mail client .
the outgoing smtp port used is 465 with ssl .

we don't use 25 (only 465 and 587) because we have a Proxmox spam device filtering all incoming mail to the server on 25 ..

Thanks

 

Hi Till
when I analyze the domain for SSL ability I get this from digicert.com test :-
DNS resolves ibcbrantford.com to 72.139.27.78
HTTP Server Header: Apache/2.4.18 (Ubuntu)

SSL certificate
Common Name = www.ibcbrantford.com

Subject Alternative Names = ibcbrantford.com, www.ibcbrantford.com

Issuer = Let's Encrypt Authority X3

Serial Number = 032A585EC508F8E91CB5A1FD908DA43B468F

SHA1 Thumbprint = 8376672FBA839EA63F4427291902E92742BDBE17

Key Length = 4096

Signature algorithm = SHA256 + RSA (excellent)

Secure Renegotiation: Supported

SSL Certificate has not been revoked
OCSP Staple: Good
OCSP Origin: Good
CRL Status: Not Enabled

SSL Certificate expiration
The certificate expires October 24, 2018 (81 days from today)

Certificate Name matches ibcbrantford.com

Subject www.ibcbrantford.com
Valid from 26/Jul/2018 to 24/Oct/2018
Issuer Let's Encrypt Authority X3


Subject Let's Encrypt Authority X3
Valid from 17/Mar/2016 to 17/Mar/2021
Issuer DST Root CA X3
SSL Certificate is correctly installed

website works with https with no problems other than some insecure items which I know about …

if I look at the cert that outlook now complains about it says the issuer is "my email address" , my domain
valid from may 07 2018 to may 04 , 2028

Cert information: This CA root certificate is not trusted. To enable trust install this certificate in the trusted root certification authorities store

When I setup the LE cert I then executed the following code as per the instructions further back in this thread :-
Code:-
cd /etc/postfix/
mv smtpd.cert smtpd.cert-$(date +"%y%m%d%H%M%S").bak
mv smtpd.key smtpd.key-$(date +"%y%m%d%H%M%S").bak
ln -s /usr/local/ispconfig/interface/ssl/ispserver.crt smtpd.cert
ln -s /usr/local/ispconfig/interface/ssl/ispserver.key smtpd.key
service postfix restart
service dovecot restart
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
update certs for dovecot :
Check if it is set to use the postfix SSL files (see below) via "nano /etc/dovecot/dovecot.conf".
[...]
ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key
[...]
Leave it, if it is rightly set. Otherwise, fix it. In any event, running "service dovecot restart" is already covered earlier.
----------------------------------------------------------------------------------------------------------------------------------------------------------------------
I didn't execute the code for the ISPconfig interface as I didn't want to lock myself out if I messed it up .

 

I just realized that it copies the certs to the interface folder , then it creates links to those certs for postfix .
So essentially my postfix links aren't working because I didn't complete the interface part .
I just ran the code to copy the certs for the interface , this part didn't work properly
if [ -f "ispserver.pem" ]; then
mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
fi
ln -s /etc/letsencrypt/live/$(hostname -f)/fullchain.pem ispserver.crt
ln -s /etc/letsencrypt/live/$(hostname -f)/privkey.pem ispserver.key
cat ispserver.{key,crt} > ispserver.pem
chmod 600 ispserver.pem

probably because I don't have a .PEM file in the interface folder .
it copied the .crt and .key files across which show up as red in nano now .
restarting the server ends in a error not able to start dovecot because there is an issue with smtp.cert

 

So what would you recommend to get Links to the cert files into my mail folder so that the mail clients can access the SSL files properly ( Sorry for my complete ignorance )

 

It looks to me dovecot is not using the LE certificate you made.
I use the script @ahrasis made to see what file goes where when setting up Dovecot certificate. It is in the long post by ahrasis about setting up LE for ISPConfig panel.

 

so I am running
(Ubuntu 16.04.4 LTS (Xenial Xerus)) ISPConfig 3.1.11
SSL is already functioning for secure website .. HTTPS works .

So as per Taleman's referral above I should execute the following changes logged in a root ?

to get SSL working for the ispconfig interface :

cd /usr/local/ispconfig/interface/ssl/
mv ispserver.crt ispserver.crt-$(date +"%y%m%d%H%M%S").bak
mv ispserver.key ispserver.key-$(date +"%y%m%d%H%M%S").bak
if [ -f "ispserver.pem" ]; then
mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
fi
ln -s /etc/letsencrypt/live/$(hostname -f)/fullchain.pem ispserver.crt
ln -s /etc/letsencrypt/live/$(hostname -f)/privkey.pem ispserver.key
cat ispserver.{key,crt} > ispserver.pem
chmod 600 ispserver.pem


followed by :-

to get SSL working for the email services :

cd /etc/postfix/
mv smtpd.cert smtpd.cert-$(date +"%y%m%d%H%M%S").bak
mv smtpd.key smtpd.key-$(date +"%y%m%d%H%M%S").bak
ln -s /usr/local/ispconfig/interface/ssl/ispserver.crt smtpd.cert
ln -s /usr/local/ispconfig/interface/ssl/ispserver.key smtpd.key
service postfix restart
service dovecot restart

I don't care about the other modules for SSL at the moment I just want SSL for HTTPS and mail …
If I'm missing something please let me know ..
I'm trying to clarify "EXACTLY" what I need to execute to get it to work. I don't have a good working knowledge of Linux so anything vague tends to throw me and mistakes happen very easily because of my ignorance . ( although I am slowly picking things up over time ).

 

OK so i disabled the ssl and sessl check boxes for about 10 other domains , removed their ssl keys from the ssl tab
Ran this :-
cd /usr/local/ispconfig/interface/ssl/
mv ispserver.crt ispserver.crt-$(date +"%y%m%d%H%M%S").bak
mv ispserver.key ispserver.key-$(date +"%y%m%d%H%M%S").bak
mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
ln -s /etc/letsencrypt/live/$(hostname -f)/fullchain.pem ispserver.crt
ln -s /etc/letsencrypt/live/$(hostname -f)/privkey.pem ispserver.key
cat ispserver.{key,crt} > ispserver.pem <------------------ fails at this line
chmod 600 ispserver.pem
it displays this message:
cat: ispserver.key: no such file or directory
cat: ispserver.crt: no such file or directory
see below
---------------------------------------------------------------------------------------------------------------------------------------------
root@mars2:/usr/local/ispconfig/interface/ssl# cat ispserver.{key,crt} > ispserver.pem
cat: ispserver.key: No such file or directory
cat: ispserver.crt: No such file or directory
root@mars2:/usr/local/ispconfig/interface/ssl# ls -l
total 20
-rwxr-x--- 1 root root 45 May 8 02:50 empty.dir
lrwxrwxrwx 1 root root 58 Aug 4 23:06 ispserver.crt -> /etc/letsencrypt/live/Mars2.ibcb rantford.com/fullchain.pem
-rwxr-x--- 1 root root 2114 May 8 02:50 ispserver.crt-180804230554.bak
-rwxr-x--- 1 root root 1813 May 8 02:50 ispserver.csr
lrwxrwxrwx 1 root root 56 Aug 4 23:06 ispserver.key -> /etc/letsencrypt/live/Mars2.ibcb rantford.com/privkey.pem
-rwxr-x--- 1 root root 3247 May 8 02:50 ispserver.key-180804230603.bak
-rwxr-x--- 1 root root 3311 May 8 02:50 ispserver.key.secure
-rw-r--r-- 1 root root 0 Aug 4 23:06 ispserver.pem
root@mars2:/usr/local/ispconfig/interface/ssl#
---------------------------------------------------------------------------------------------------------------------------------------------
So to me it looks like its failing at the part where it creates the ispserver.PEM file ?
Where do I go from here ?

Thanks for your patience guys

 

The previous two lines fail. They create the .crt and .key files. Or should create. Is there error message from those? What does show

Code:

ls -lh ispserver.*

Are the files these links point to missing?
Is there a space character in the middle of the file name?
I wish for code tags when listings are shown. Makes reading easier.