
Thread: Letsencrypt..., still getting localhost cert

  1. #1
    Join Date
    Aug 2008
    Posts
    9

    Letsencrypt..., still getting localhost cert

    Hello,

    I have enabled Let's Encrypt on a domain, but it doesn't really do what I expect it to do...

    The server, web01.domain.com, runs the domain under the admin user. I have enabled Let's Encrypt. Going to www.domain.com, I get a valid cert. Going to smtp.domain.com (should be included according to the Let's Encrypt query), I get a localhost cert.

    Using Outlook to request mail via smtp.domain.com, I get the same localhost domain.

    How do I replace that localhost thing without breaking the Let's Encrypt autorenewal?


    Hope you guys can help me,

    Thanks

    oehTie

  2. #2
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,542
    With regards, Alex.

    Professional Server Management for web hosting companies and individuals
    Hourly Support, Disaster Recovery, Server Hardening, Monthly Subscription
    Directadmin installation and optimization

    Click here if you need a Linux Admin

  3. #3
    Join Date
    Aug 2008
    Posts
    9
    Yes, mail_sni=1 is present in directadmin.conf.

  4. #4
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,542
    Though the presence of mail_sni in directadmin.conf is obligatory, it is not sufficient. Exim's config and dovecot's config should be updated, and OpenSSL 1.x+ should be installed.
    With regards, Alex.


  5. #5
    Join Date
    Aug 2008
    Posts
    9
    I now get:

    Key is for a different cert than ssl_cert


    in my maillog... I use the DirectAdmin function to request the certs at Let's Encrypt... Configs have been updated by CustomBuild 2.0.

    openssl is installed:
    # openssl
    OpenSSL> version
    OpenSSL 1.0.1e-fips 11 Feb 2013
    OpenSSL>

    Is this version too old maybe?

  6. #6
    Join Date
    Aug 2008
    Posts
    9
    The key I see in the dovecot conf matches the key I see in the DirectAdmin GUI...

  7. #7
    Join Date
    Aug 2008
    Posts
    9
    The key I see in the dovecot config matches what I see in the DirectAdmin GUI.

  8. #8
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,542
    OpenSSL 1.0 is OK. Make sure to

    1. read
    2. follow

    what is written there https://www.directadmin.com/features.php?id=2019

    Double check you did everything which was written in the guide.

    If the issue still persists, provide a real domain name so that we could test it on our side.
    With regards, Alex.


  9. #9
    Join Date
    Aug 2008
    Posts
    9
    Hi zEitEr,

    First of all, thanks for your time.

    I have walked through the document again, I have everything. Domain is for example www.interops.nl (which works), but if I go to smtp.interops.nl I get a localhost cert. When I try to log in at www.interops.nl/squirrelmail or smtp.interops.nl/squirrelmail I get the localhost cert, the IMAP connection error, and in the maillog the error message that the key mismatches... But I can't find where to set the correct key because it all seems correct...

  10. #10
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,542
    I see a cert from Kerio Connect Appliance. Does it make any sense to you?
    With regards, Alex.


  11. #11
    Join Date
    Aug 2008
    Posts
    9
    Ehm, nope... I have Kerio appliances running, but on different IPs. You should get 185.165.69.92. When I try pinging the domains, I get the right IP...

    The MX record points to a Kerio appliance now. I have a customer that uses mail.interops.nl and smtp.interops.nl, which still point to the webserver. He doesn't use the MX.

  12. #12
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,542
    When I connect to your main IP, I get the error:

    Code:
    CONNECTED(00000003)
    140510348514984:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:782:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 270 bytes and written 327 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1514968687
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    When I connect to your MX host mx1.interops.nl, I get the Kerio cert:

    Code:
    CONNECTED(00000003)
    depth=0 CN = kerio-connect-appliance, C = US
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 CN = kerio-connect-appliance, C = US
    verify error:num=10:certificate has expired
    notAfter=Oct  4 12:18:36 2015 GMT
    verify return:1
    depth=0 CN = kerio-connect-appliance, C = US
    notAfter=Oct  4 12:18:36 2015 GMT
    verify return:1
    ---
    Certificate chain
     0 s:/CN=kerio-connect-appliance/C=US
       i:/CN=kerio-connect-appliance/C=US
    ---
    ...
    ...

    So I'd rather have access to your server in order to investigate it further and suggest a fix (usually I charge for it).
    With regards, Alex.
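
Added example, not part of the thread and not DirectAdmin's own tooling: a shell check for the condition behind the maillog message quoted in post #5 ("Key is for a different cert than ssl_cert"), comparing the public key inside a certificate with the public half of a private key. The file names, the CN smtp.example.test and the throwaway keys are constructed for the demo; on a real server you would pass the certificate and key paths from your own dovecot or exim configuration to `key_matches_cert`.

```shell
#!/bin/sh
# Added example (not from the thread): does this private key belong to this cert?

# Print the public key embedded in a PEM certificate.
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Print the public half of a PEM private key (RSA or EC).
pubkey_of_key() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# key_matches_cert CERT KEY -> 0 match, 1 mismatch, 2 file unreadable/unparsable
key_matches_cert() {
    cert_pub=$(pubkey_of_cert "$1") || return 2
    key_pub=$(pubkey_of_key "$2") || return 2
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Build constructed demo material in directory $1: a self-signed cert with its
# own key (good.key) plus an unrelated key (other.key). Nothing here is real.
make_demo_files() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=smtp.example.test" \
        -keyout "$1/good.key" -out "$1/cert.pem" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

# Run the check against both constructed keys and report the outcome.
demo() {
    demo_dir=$(mktemp -d) || return 2
    make_demo_files "$demo_dir" || { rm -rf "$demo_dir"; return 2; }
    for f in good.key other.key; do
        if key_matches_cert "$demo_dir/cert.pem" "$demo_dir/$f"; then
            echo "$f: key matches cert.pem"
        else
            echo "$f: key does NOT match cert.pem"
        fi
    done
    rm -rf "$demo_dir"
}

demo
```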

