ssl cert not working

Discussion in 'ISPConfig 3 Priority Support' started by Tom John, Jan 10, 2021.

  1. Tom John

    Tom John Active Member HowtoForge Supporter

    Hi guys,
    i use ubuntu 20.04 and ISPConfig 3.2
    i used the ISPConfig migration tool to migrate all accounts to another server as a backup.
    Can it be possible, that the SSL certificates not renovate automatic after the migration?
    I have a domain and in ISPConfig i can see the SSL certificate is working.
    Under domain SSL and letsencript the box is checked and under SSL i can see the certificate, so i wonder why it does not work.
    How i can check if the certificate is working for that domain?
    thanks a lot for your kind help.
     
    Tom John, Jan 10, 2021
    #1
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Yes, this is true. The easy fix is to disable LE manually and re-enable it when the cert expires within 30 days. The renewal only works on the server that your DNS record points to.

    When there is also a cert shown in the SSL tab, this can conflict with the SSL cert. Disable LE, go to the SSL tab, select "Delete certificate" as SSL action and then save. When this is done, re-enable LE.
     
    Th0m, Jan 10, 2021
    #2
    ahrasis likes this.
  3. Tom John

    Tom John Active Member HowtoForge Supporter

    thanks a lot it is working.
    may i ask another question, i have SSL cert on the domain and it works well but on the email when i want to send i get a not secure warning, the domain and the server have a valid ssl certificate.
    do you have any idea where i can look to make email work without a secure warning?
    thanks a lot for your help
     
    Tom John, Jan 12, 2021
    #3
  4. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    For email, you check what certificates you have in use (postfix and dovecot), ensure those are correct, then have the client use a hostname that is in the certificate.
    Code:
    # postconf smtpd_tls_cert_file smtpd_tls_key_file
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key

# grep -E '^ssl_(cert|key)' /etc/dovecot/dovecot.conf                                                                                     
ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key

# ls -l /etc/postfix/smtpd.{cert,key}
lrwxrwxrwx 1 root root 48 Sep 22 14:59 /etc/postfix/smtpd.cert -> /usr/local/ispconfig/interface/ssl/ispserver.crt
lrwxrwxrwx 1 root root 48 Sep 22 14:59 /etc/postfix/smtpd.key -> /usr/local/ispconfig/interface/ssl/ispserver.key

# ls -l /usr/local/ispconfig/interface/ssl/ispserver.{crt,key}
lrwxrwxrwx 1 root root 49 Jan  5 08:20 /usr/local/ispconfig/interface/ssl/ispserver.crt -> /root/.acme.sh/server.hostname.fqdn/fullchain.cer
lrwxrwxrwx 1 root root 52 Jan  5 08:19 /usr/local/ispconfig/interface/ssl/ispserver.key -> /root/.acme.sh/server.hostname.fqdn/server.hostname.fqdn.key
    In my example, using the server's name "server.hostname.fqdn" should work without error, whereas using "mail.clientdomain.tld" would give a certificate error.
     
    Jesse Norell, Jan 12, 2021
    #4

Share This Page