Thread: Letsencrypt..., still getting localhost cert

  1. #1
    Join Date
    Aug 2008
    Posts
    9

    Letsencrypt..., still getting localhost cert

    Hello,

    I have enabled Let's Encrypt on a domain, but it doesn't really do what I expect it to do....

    The server, web01.domain.com, runs the domain under the admin user. I have enabled Let's Encrypt. Going to www.domain.com I get a valid cert. Going to smtp.domain.com (which should be included according to the Let's Encrypt query) I get a localhost cert.

    Using Outlook to request mail via smtp.domain.com I get the same localhost domain.

    How do I replace that localhost thing without breaking the Let's Encrypt autorenewal?


    Hope you guys can help me,

    Thanks

    oehTie

  2. #2
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,216

  3. #3
    Join Date
    Aug 2008
    Posts
    9
    Yes, mail_sni=1 is present in directadmin.conf.

  4. #4
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,216
    Though the presence of mail_sni in directadmin.conf is obligatory, it is not sufficient. Exim's config and Dovecot's config should be updated, and OpenSSL 1.x+ should be installed.

  5. #5
    Join Date
    Aug 2008
    Posts
    9
    I now get:

    Key is for a different cert than ssl_cert


    in my maillog.... I use the DirectAdmin function to request the certs at Let's Encrypt.... Configs have been updated by CustomBuild 2.0.

    OpenSSL is installed:
    # openssl
    OpenSSL> version
    OpenSSL 1.0.1e-fips 11 Feb 2013
    OpenSSL>

    Is this version too old, maybe?

  6. #6
    Join Date
    Aug 2008
    Posts
    9
    The key I see in the Dovecot conf matches the key I see in the DirectAdmin GUI...

  7. #7
    Join Date
    Aug 2008
    Posts
    9
    The key I see in the Dovecot config matches what I see in the DirectAdmin GUI.

  8. #8
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,216
    OpenSSL 1.0 is OK. Make sure to

    1. read
    2. follow

    what is written there: https://www.directadmin.com/features.php?id=2019

    Double check you did everything which was written in the guide.

    If the issue still persists provide a real domain name so that we could test it on our side.

  9. #9
    Join Date
    Aug 2008
    Posts
    9
    Hi zEitEr,

    First of all, thanks for your time.

    I have walked through the document again; I have everything. The domain is, for example, www.interops.nl (which works), but if I go to smtp.interops.nl I get a localhost cert. When I try to log in at www.interops.nl/squirrelmail or smtp.interops.nl/squirrelmail I get the localhost cert, the IMAP connection error, and in the maillog the error message that the key mismatches.... But I can't find where to set the correct key, because it all seems correct....

  10. #10
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,216
    I see a cert from Kerio Connect Appliance. Does it make any sense to you?

  11. #11
    Join Date
    Aug 2008
    Posts
    9
    Ehm, nope.... I have Kerio appliances running, but on different IPs. You should get 185.165.69.92. When I try pinging the domains, I get the right IP...

    The MX record points to a Kerio appliance now. I have a customer that uses mail.interops.nl and smtp.interops.nl, which still point to the webserver. He doesn't use the MX.

  12. #12
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,216
    When I connect to your main IP, I get the error:

    Code:
    CONNECTED(00000003)
    140510348514984:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:782:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 270 bytes and written 327 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1514968687
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    When I connect to your MX host mx1.interops.nl I get the Kerio cert:

    Code:
    CONNECTED(00000003)
    depth=0 CN = kerio-connect-appliance, C = US
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 CN = kerio-connect-appliance, C = US
    verify error:num=10:certificate has expired
    notAfter=Oct  4 12:18:36 2015 GMT
    verify return:1
    depth=0 CN = kerio-connect-appliance, C = US
    notAfter=Oct  4 12:18:36 2015 GMT
    verify return:1
    ---
    Certificate chain
     0 s:/CN=kerio-connect-appliance/C=US
       i:/CN=kerio-connect-appliance/C=US
    ---
    ...
    ...

    So I'd rather have access to your server in order to investigate it further and suggest a fix (usually I charge for it).
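An added example, not from the thread or from DirectAdmin: a small POSIX shell script with two checks a reader of this thread would want. The first tells whether a private key really belongs to a certificate (the mismatch behind the "Key is for a different cert than ssl_cert" maillog line in #5); the second fetches the certificate a mail host actually presents for a given SNI name, using STARTTLS where the port needs it (the "unknown protocol" error in the first s_client output above is what s_client reports when it is pointed at a port that starts in plaintext). The file paths and hostnames in the comments are placeholders, and the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl command-line tool.

# Print the public key embedded in a certificate / derived from a private key,
# both in PEM form, so the two can be compared textually. Dovecot logs
# "Key is for a different cert than ssl_cert" when ssl_key does not belong
# to ssl_cert, which is exactly what this comparison detects.
cert_pubkey() { openssl x509 -noout -pubkey -in "$1"; }
key_pubkey()  { openssl pkey -pubout -in "$1"; }

# Return 0 when the private key in $2 matches the certificate in $1, else 1.
key_matches_cert() {
    [ "$(cert_pubkey "$1")" = "$(key_pubkey "$2")" ]
}

# Print the subject of the certificate a mail server presents for the SNI
# name $1 on port $2. Ports that begin in plaintext (25/587 for SMTP,
# 143 for IMAP, 110 for POP3) need "-starttls <proto>" as $3; without it
# s_client sees a plaintext banner and reports "unknown protocol".
# Implicit-TLS ports (465, 993, 995) take no third argument.
served_cert_subject() {  # usage: served_cert_subject host port [smtp|imap|pop3]
    host=$1; port=$2; proto=${3:-}
    if [ -n "$proto" ]; then
        set -- -starttls "$proto"
    else
        set --
    fi
    openssl s_client -servername "$host" -connect "$host:$port" "$@" \
        </dev/null 2>/dev/null | openssl x509 -noout -subject
}

# Typical use on the server (placeholder paths/hosts, adjust to your setup):
#   key_matches_cert /path/to/domain.cert /path/to/domain.key && echo "key ok"
#   served_cert_subject smtp.example.com 587 smtp
#   served_cert_subject smtp.example.com 465
```

If served_cert_subject shows a different subject for the mail hostname than for the web hostname, the mail daemons are not serving the Let's Encrypt certificate for that SNI name, regardless of what the control panel displays.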
