Suddenly get from gmail: Server returned error: "SSL error: Leaf certificate is expired"

Discussion in 'General' started by markelino, Nov 8, 2020.

  1. markelino

    markelino Member

    Hey folks,

    Anyone seen this recently "Server returned error: "SSL error: Leaf certificate is expired" (from nov 5th) from gmail, when POPing an email address hosted on ispconfig 3.1.15 apache? (not updated anything on server yet nor ispconfig)

    This was working fine, on 995
    SSL has not expired on host server e.g. ispconfig.server.com nor on server.com which I also checked against ssllabs.com too.

    Appreciate any feedback on this.

    Thanks.
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  3. markelino

    markelino Member

    Thanks Taleman for your reply.

    from browser no issues, and SSL: Expires: Monday, January 4, 2021
    ssllabs says no issues (nothing expired and gives a score of B) and could not check port 995 for ssl, so I tried: https://www.immuniweb.com/ssl/
    and indeed what I see is the following with a score of F:
    Valid To: November 5th 2020, 05:15 CET
    Root CA: DST Root CA X3 > Expires in 326 days
    Intermediate CA: Let's Encrypt Authority X3 > Expires in 129 days
    Server certificate: Expired 3 days ago

    Guess I need to renew server certificate if I can recall how this was done, but was sure I had set cron upon installing Perfect server and some steps to have it renew SSL on its own.

    Can you explain this to me, why browser, and ssllabs will say not expired and immuniweb check would say expired?

    Thanks
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Dovecot is not using the same certificate as http server.
    The tutorial by @ahrasis explains how to make all services use the same certificate, so when LE renews it all services start using the same certificate. If you have created the symbolic links to all services use the same files, then maybe you have not restarted dovecot so it would read in the renewed certificate files?
    https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/
     
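    The browser and ssllabs.com test port 443, where Apache serves the renewed certificate; immuniweb tested port 995, where Dovecot was still serving the certificate it loaded at startup. The quickest way to settle this is to compare the certificate a service actually serves with the one on disk. The script below is an added example for this thread, not code from the posts or from ISPConfig; it assumes openssl(1) is installed and takes the host, port and (optionally) the on-disk PEM file as arguments, e.g. `sh tls-cert-check.sh ispconfig.server.com 995 /etc/letsencrypt/live/<name>/fullchain.pem`.

```shell
#!/bin/sh
# tls-cert-check.sh: compare the certificate a TLS service actually serves with
# the one on disk, to catch "renewed on disk, service never reloaded".
# Added example for this thread; needs openssl(1) for the live checks.
# Usage: tls-cert-check.sh HOST PORT [/path/to/cert.pem]

# Normalise "SHA256 Fingerprint=AB:CD:..." (older and newer openssl differ in
# case) to lowercase hex without colons so values compare reliably.
normalize_fingerprint() {
    sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# SHA-256 fingerprint of the first PEM certificate read on stdin
# (for a fullchain.pem that is the leaf, which is what we want).
pem_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 | normalize_fingerprint
}

# Fetch the leaf certificate served on host:port. 993/995/443 are implicit TLS;
# 25/587/110/143 need STARTTLS before the handshake.
served_cert() {
    host=$1; port=$2
    case $port in
        25|587) starttls="-starttls smtp" ;;
        110)    starttls="-starttls pop3" ;;
        143)    starttls="-starttls imap" ;;
        *)      starttls="" ;;
    esac
    # </dev/null closes stdin so s_client exits right after the handshake
    openssl s_client -connect "$host:$port" -servername "$host" $starttls </dev/null 2>/dev/null \
        | openssl x509
}

# Pure string comparison, kept separate so it can be exercised without a
# network: prints "match" or "stale".
compare_fingerprints() {
    if [ "$1" = "$2" ]; then echo match; else echo stale; fi
}

main() {
    host=$1; port=$2; diskcert=${3:-}
    cert=$(served_cert "$host" "$port") || { echo "no certificate from $host:$port" >&2; return 2; }
    # subject and notAfter of what the service really hands out
    echo "$cert" | openssl x509 -noout -subject -enddate
    live_fp=$(echo "$cert" | pem_fingerprint)
    echo "served:  $live_fp"
    if [ -n "$diskcert" ]; then
        disk_fp=$(pem_fingerprint <"$diskcert")
        echo "on disk: $disk_fp"
        case $(compare_fingerprints "$live_fp" "$disk_fp") in
            match) echo "OK: $host:$port serves the certificate in $diskcert" ;;
            stale) echo "STALE: $host:$port is not serving $diskcert (service not reloaded?)"; return 1 ;;
        esac
    fi
}

# Only run when invoked with arguments; sourcing the file just defines the functions.
if [ $# -ge 2 ]; then main "$@"; fi
```

    Run it once against 443 and once against 995 with the same on-disk file: if 443 reports OK and 995 reports STALE, the certificate was renewed but the mail daemon is still holding the old one in memory, which is exactly the symptom Gmail reported.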
  5. markelino

    markelino Member

    Mate, well tipped :)
    /etc/init.d/dovecot restart
    fixed the issue.

    So I wonder what is best to implement now so this does not happen next time, for dovecot to know when the cert is renewed, since the cert does auto-renew? Some cron for dovecot maybe, or another way you would suggest?
     
  6. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    If you followed https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/, you created a renewal script. Make sure that the restart of dovecot and postfix is included in that script.
     
  7. markelino

    markelino Member

    Interesting, I do not see a
    /etc/init.d/le_ispc_pem.sh
    nor the alternative option file /etc/ssl/le4ispc.sh,
    so I am wondering if there was another option to renew SSL, since it did auto-renew, so I can find where to add the dovecot restart option,
    but I am baffled how it renewed when there is no cron, AFAIK, for SSL to renew.
    Code:
    # crontab -l  (as root)
    * * * * * /usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done
    * * * * * /usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done
    and /var/spool/cron/crontabs only has besides root only getmail
     
  8. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Can you share your incrontab?
    Code:
    incrontab -e
     
  9. markelino

    markelino Member

    found this though:

    Code:
    grep -r certbot /etc/cron*
    /etc/cron.d/certbot:# /etc/cron.d/certbot: crontab entries for the certbot package
    /etc/cron.d/certbot:0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
    and for incrontab -e
    Command 'incrontab' not found
     
  10. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Then you have not followed the before mentioned tutorial (completely). Can you share your dovecot config?
     
  11. markelino

    markelino Member

    I am sure either this was an OVA image, or Perfect server

    I see this too if it helps:

    Code:
    # pwd
    /etc/dovecot/private
    # ls -lqa
    lrwxrwxrwx 1 root root   38 Apr 26  2018 dovecot.key -> /etc/ssl/private/ssl-cert-snakeoil.key
    lrwxrwxrwx 1 root root   36 Apr 26  2018 dovecot.pem -> /etc/ssl/certs/ssl-cert-snakeoil.pem
    and for /etc/dovecot/dovecot.conf

    Code:
    :/etc/dovecot# cat dovecot.conf
    listen = *,[::]
    protocols = imap pop3
    auth_mechanisms = plain login
    disable_plaintext_auth = no
    log_timestamp = "%Y-%m-%d %H:%M:%S "
    mail_privileged_group = vmail
    postmaster_address = [email protected]
    ssl_cert = </etc/postfix/smtpd.cert
    ssl_key = </etc/postfix/smtpd.key
    ssl_protocols =  !SSLv3
    mail_max_userip_connections = 100
    passdb {
      args = /etc/dovecot/dovecot-sql.conf
      driver = sql
    }
    userdb {
      driver = prefetch
    }
    userdb {
      args = /etc/dovecot/dovecot-sql.conf
      driver = sql
    }
    plugin {
      quota = dict:user::file:/var/vmail/%d/%n/.quotausage
      sieve=/var/vmail/%d/%n/.sieve
      sieve_max_redirects = 25
    }
    service auth {
      unix_listener /var/spool/postfix/private/auth {
        group = postfix
        mode = 0660
        user = postfix
      }
      unix_listener auth-userdb {
        group = vmail
        mode = 0600
        user = vmail
      }
      user = root
    }
    service lmtp {
      unix_listener /var/spool/postfix/private/dovecot-lmtp {
       group = postfix
       mode = 0600
       user = postfix
      }
    }
    service imap-login {
      client_limit = 1000
      process_limit = 512
    }
    protocol imap {
      mail_plugins = quota imap_quota
    }
    protocol pop3 {
      pop3_uidl_format = %08Xu%08Xv
      mail_plugins = quota
    }
    protocol lda {
    postmaster_address = [email protected]
      mail_plugins = sieve quota
    }
    protocol lmtp {
    postmaster_address = [email protected]
      mail_plugins = quota sieve
    }
    
    mail_plugins = $mail_plugins quota
    
    #2.3+ service stats {
    #2.3+     unix_listener stats-reader {
    #2.3+         user = vmail
    #2.3+         group = vmail
    #2.3+         mode = 0660
    #2.3+     }
    #2.3+
    #2.3+     unix_listener stats-writer {
    #2.3+         user = vmail
    #2.3+         group = vmail
    #2.3+         mode = 0660
    #2.3+     }
    #2.3+ }
    Wish I could tip you with some gold ;)
     
  12. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Can you recall how you set this up? There are different approaches but the one I earlier mentioned is the most common one. Because the certificate is replaced and the only thing remaining is to restart dovecot, there must be a script that handles this.
     
  13. markelino

    markelino Member

    Pretty sure the guide was and not an OVA on this one:
    https://www.howtoforge.com/tutorial...l-pureftpd-bind-postfix-doveot-and-ispconfig/

    and I recall I had to create an exact website for the server host so to issue an LE for it and then map/symlink various files to it so to secure my https://s1.ispconfig.com:8080 server.

    Found this too for that website, if it provides some insight.

    Code:
    root@s1:/etc/letsencrypt/renewal# cat s1.edited.com.conf
    # renew_before_expiry = 30 days
    version = 0.23.0
    archive_dir = /etc/letsencrypt/archive/s1.edited.com
    cert = /etc/letsencrypt/live/s1.edited.com/cert.pem
    privkey = /etc/letsencrypt/live/s1.edited.com/privkey.pem
    chain = /etc/letsencrypt/live/s1.edited.com/chain.pem
    fullchain = /etc/letsencrypt/live/s1.edited.com/fullchain.pem
    
    # Options used in the renewal process
    [renewalparams]
    account = ***********8b3***
    rsa_key_size = 4096
    server = https://acme-v02.api.letsencrypt.org/directory
    authenticator = webroot
    installer = None
    post_hook = echo '1' > /usr/local/ispconfig/server/le.restart
    [[webroot_map]]
    s1.edited.com = /usr/local/ispconfig/interface/acme
    root@s1:/etc/letsencrypt/renewal# 
    Thank you sir for your help on this.
     
  14. markelino

    markelino Member

    Seems this does the renewal, right?
    If so, I guess it won't be right to add a restart of dovecot here, so it would need to belong elsewhere.

    Code:
    root@s1:/etc/cron.d# cat certbot
    # /etc/cron.d/certbot: crontab entries for the certbot package
    #
    # Upstream recommends attempting renewal twice a day
    #
    # Eventually, this will be an opportunity to validate certificates
    # haven't been revoked, etc.  Renewal will only occur if expiration
    # is within 30 days.
    SHELL=/bin/sh
    PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
    
    0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
     
  15. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    That cron entry runs twice daily, and once in 60 days it renews the certificate. So you would restart dovecot twice daily just for fun.
    Why not do it like the tutorial by @ahrasis tells you to do? Link to that has been given to you in messages #4 and #6.
     
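    The place for a service restart is a certbot deploy hook, which certbot runs only after a certificate was actually issued or renewed, not on every `certbot renew` attempt. Scripts dropped in /etc/letsencrypt/renewal-hooks/deploy/ are picked up automatically by the certbot version shown in the renewal conf above; the hook fires whether renew is started by the cron.d entry or, on a systemd host, by certbot.timer (the `! -d /run/systemd/system` test in that cron line makes it a no-op under systemd so the timer does the work instead). The script below is an added example for this thread, not the tutorial's script or ISPConfig code. It assumes the server's lineage directory (/etc/letsencrypt/live/s1.edited.com, as redacted on the page), that dovecot and postfix read /etc/postfix/smtpd.cert and smtpd.key as the posted dovecot.conf shows, and systemd service names postfix and dovecot; leave the existing `post_hook` line in place, since ISPConfig's own cron reads that flag file.

```shell
#!/bin/sh
# /etc/letsencrypt/renewal-hooks/deploy/ispconfig-mail.sh  (chmod 0755)
# Deploy hook: certbot runs this only after a successful renewal, with
# RENEWED_LINEAGE (the live/<name> directory) and RENEWED_DOMAINS exported.
# Copies the new files to the paths the mail services read and reloads them.
# Added example for this thread; paths and service names are assumptions.
set -eu

SERVER_LINEAGE=${SERVER_LINEAGE:-/etc/letsencrypt/live/s1.edited.com}
CERT_DST=${CERT_DST:-/etc/postfix/smtpd.cert}
KEY_DST=${KEY_DST:-/etc/postfix/smtpd.key}

# True only when the renewed lineage is the server's own, so renewals of
# customer websites on the same box do not bounce the mail daemons.
is_server_lineage() {
    renewed=$1; wanted=$2
    # tolerate a trailing slash on either side
    [ "${renewed%/}" = "${wanted%/}" ]
}

# Install a file atomically: create it with a private umask next to the target,
# set the requested mode, then rename, so no reader ever sees a half-written
# key or a world-readable temporary copy of it.
install_atomic() {
    src=$1; dst=$2; mode=$3
    tmp="$dst.tmp.$$"
    (umask 077; cp "$src" "$tmp")
    chmod "$mode" "$tmp"
    mv -f "$tmp" "$dst"
}

# Reload where possible: postfix and dovecot both pick up new certificate files
# on reload for new connections; fall back to restart if reload is refused.
reload_mail_services() {
    systemctl reload postfix || systemctl restart postfix
    systemctl reload dovecot || systemctl restart dovecot
}

main() {
    if ! is_server_lineage "${RENEWED_LINEAGE:-}" "$SERVER_LINEAGE"; then
        # some other site's certificate was renewed; nothing to do for mail
        return 0
    fi
    install_atomic "$SERVER_LINEAGE/fullchain.pem" "$CERT_DST" 0644
    install_atomic "$SERVER_LINEAGE/privkey.pem"   "$KEY_DST"  0600
    reload_mail_services
    logger -t le-deploy "installed renewed certificate for ${RENEWED_DOMAINS:-?}; reloaded postfix and dovecot"
}

# Act only when certbot invoked us (RENEWED_LINEAGE set); sourcing the file
# elsewhere just defines the functions and touches nothing on the system.
if [ -n "${RENEWED_LINEAGE:-}" ]; then main; fi
```

    To exercise it without waiting 60 days, run `certbot renew --dry-run`, which does not trigger deploy hooks, and then invoke the hook by hand as certbot would: `RENEWED_LINEAGE=/etc/letsencrypt/live/s1.edited.com RENEWED_DOMAINS=s1.edited.com sh /etc/letsencrypt/renewal-hooks/deploy/ispconfig-mail.sh`, followed by a look at what port 995 now serves.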
  16. markelino

    markelino Member

    Maybe back then this tutorial was not the one to follow. Obviously I followed one (maybe the one from the manual, or somewhere else published on here) to get the renewal of SSL, since it works. Surely I did not do it on my own. And it's absurd why this was set to run twice a day, especially when not needed for checking SSL renewal.

    So what you recommend, is now move from this method with this cron and follow @ahrasis way? or simply implement @ahrasis method as is?

    Is this planned to be part of core for a future version of ISPc maybe - as i think it maybe a good idea?
     
  17. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Let's Encrypt project recommends running the check twice daily. It checks if any certificates are due for renewal, and if not nothing is done.
    If you do not understand how your system is set up, I suggest following the instructions in that very good tutorial. Then you have a known setup.
    I do not have any ISPConfig 3.2 hosts running, but I remember reading there that the Let's Encrypt setup is different. So it may be better?
     
  18. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    So far that I know this is already part of 3.2 stable release but a little bit different method i.e. using hook method, instead of the old incron method.

    Notably, the old way(s) are still useful though, but the restart of postfix and dovecot is not actually done by the "cron job" but by the "incron job", which is supposedly run via the created script on the renewal of the server LE SSL certs.

    The cron job mentioned by @Taleman is for all LE SSL certs, which is inclusive for the server website, if any was set, and is done by ISPConfig but you have to do nothing for it as it is automatic for all ISPConfig server.

    I did read and follow this thread and intend to help, however I cannot focus as I have some recently arising real life problems to solve with regard to my children with different abilities care centre, so I hope the above explanation will enlighten you a bit about the way it works.

    Do note to remove previously followed tutorial in securing your ISPConfig server(s) before updating to 3.2, if you choose to do so, since they may be conflicting with the one with ISPConfig 3.2.
     
