Hi, I upgraded successfully from Debian 9 with ISPConfig 3.2.8p2 to Debian 10. The upgrade went well, but it is no longer possible to access the mail using an external client (Thunderbird, Outlook...). If I use webmail, the mail works perfectly. Where should I verify the missing configuration? Thank you! Christian
Yes, I ran an ispconfig update --force (because I already had the newest version) with a reconfigure service yes. Probably I made a mistake answering YES at "Create new ISPConfig SSL certificate". The default was NO but I chose YES.
dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load DH parameters: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small
dovecot: imap-login: Disconnected: TLS initialization failed. (no auth attempts in 1 secs): user=<>
Seems as if the old dh params file from Debian 9 is using a key that is too small for the dovecot version that you use now. Try this:
Code:
curl https://ssl-config.mozilla.org/ffdhe4096.txt > /etc/dovecot/dh.pem
service dovecot restart
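A check that could be run on the contents of /etc/dovecot/dh.pem before restarting Dovecot, as an added example that is not part of the original thread: it parses the PEM DH parameters, reports the size of the prime, and also catches an empty file left behind by a failed download. The 2048-bit floor, the function names and the sample parameters (constructed stand-ins of the right size, not real DH groups) are assumptions.

```python
import base64

MIN_DH_BITS = 2048  # assumed floor; the log above only says the old key is "too small"

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def dh_prime_bits(pem_text):
    """Bit length of p in a PEM DH PARAMETERS block: SEQUENCE { INTEGER p, INTEGER g }."""
    begin, end = "-----BEGIN DH PARAMETERS-----", "-----END DH PARAMETERS-----"
    if begin not in pem_text or end not in pem_text:
        raise ValueError("no DH PARAMETERS block (empty file or failed download?)")
    body = pem_text.split(begin, 1)[1].split(end, 1)[0]
    der = base64.b64decode("".join(body.split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, p_bytes, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("first element is not an INTEGER")
    return int.from_bytes(p_bytes, "big").bit_length()

def dh_ok(pem_text, min_bits=MIN_DH_BITS):
    """True when the parameters parse and the prime meets the assumed floor."""
    return dh_prime_bits(pem_text) >= min_bits

# Constructed sample input: p is only a number of the right size, not a real DH prime.
def _der(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + value

def make_sample_pem(bits):
    p = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00 keeps it positive
    der = _der(0x30, _der(0x02, p) + _der(0x02, b"\x02"))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{body}\n-----END DH PARAMETERS-----\n"
```

On a server, pass the text of the real file, for example `dh_ok(open("/etc/dovecot/dh.pem").read())`.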
It works perfectly, but obviously the certificate is not trusted because it is auto-generated. Could I follow this tutorial to use Let's Encrypt to have a signed certificate? https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/
My server has been upgraded from 3.1 and probably the auto creation and configuration of a Let's Encrypt certificate didn't work correctly for some reason. Could I follow that guide anyway to verify where the problem could be?
No, that's an outdated guide. ISPConfig creates SSL certs by itself. Run: ispconfig_update.sh --force and choose to create a new SSL cert during update when the updater asks. But before you do that, ensure that the hostname of the server (which you get with the command 'hostname -f') really points to your server in DNS, as Let's Encrypt will try to reach your system on this hostname from the internet via http to verify the SSL cert.
I ran the ispconfig_update --force answering yes to create a new SSL certificate. My hostname -f points to the IP of the server, but the certificate created is not emitted by Let's Encrypt and is not a trusted certificate.
Ok, in this case, LE is probably unable to access your server. See the Let's Encrypt error FAQ for the steps to find out why LE fails to issue the cert: https://forum.howtoforge.com/threads/lets-encrypt-error-faq.74179/ The FAQ is mainly targeted at failing website certs, but the first steps also apply to LE cert issuing at the install stage.
I read the document, but I notice something strange. There are no logs in the file /var/log/letsencrypt at the time I ran ispconfig_update.sh --force.
Please run the following two commands and post the result:
ls -la /root/.acme.sh/
ls -la /etc/letsencrypt/
ls -la /root/.acme.sh/
ls: impossibile accedere a '/root/.acme.sh/': File o directory non esistente (File or directory not exists)
ls -la /etc/letsencrypt/
totale 84
drwxr-xr-x 9 root root 4096 ott 27 03:00 .
drwxr-xr-x 130 root root 12288 ott 31 23:19 ..
drwx------ 3 root root 4096 mag 3 2020 accounts
drwx------ 19 root root 4096 ott 22 00:14 archive
drwxr-xr-x 2 root root 20480 ott 26 03:04 csr
drwx------ 2 root root 20480 ott 26 03:04 keys
drwx------ 19 root root 4096 ott 22 00:14 live
-rw-r--r-- 1 root root 952 lug 19 2020 options-ssl-apache.conf
drwxr-xr-x 2 root root 4096 ott 26 03:04 renewal
drwxr-xr-x 5 root root 4096 mag 2 2020 renewal-hooks
-rw-r--r-- 1 root root 64 lug 19 2020 .updated-options-ssl-apache-conf-digest.txt
Ok, but I still don't understand why my ISPConfig installation does not have a valid certificate to use for https and server connections on ftp and mail. I have already forced the ISPConfig installation and nothing is written in the letsencrypt log during the install process, as I wrote a few posts ago. Is it correct?
Yes, that can be perfectly ok. Run the ISPConfig update again with ispconfig_update.sh --force and choose reconfigure services during update plus choose to create a new SSL cert during update and post the whole output you got from update on the screen.