DA no longer updates server cert and exim cert (hostname)

Sempiterna

Verified User
Joined
Jun 21, 2014
Messages
21
Location
The Netherlands
I found out today that I can no longer send e-mail using exim:

TLS error on connection from aa.bbb.com (bb.cc.com) [111.111.111.111] (SSL_accept): error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired

After a while I found out that the hostname/exim cert expired on september 21st. I don't know when DA usually renews LetsEncrypt certificates, but something went wrong there. I tried to renew the certificate using the GUI, but eventhough it renewed the certificate, it did not update the certificates in the /etc/httpd/conf/ssl.crt directory, nor the exim certificate in the /etc directory.

I then manually copied the certificates, chain and key to the directories and restarted exim and httpd. That worked for httpd, but exim now shows:

TLS error on connection from aa.bbb.com (bb.cc.com) [111.111.111.111] (SSL_accept): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca

What CA is this error talking about? I copied everything (cert and chain). And how can I force DA to do what it usually does after renewing a hostname/exim certificate?
 
And how can I force DA to do what it usually does after renewing a hostname/exim certificate?
You can do it as root via SSH.
/usr/local/directadmin/scripts/letsencrypt.sh server_cert

As for the other question, I'm not sure. SSL3_read sometimes points to old stuff. Just to be sure check this setting in custombuild.
ssl_configuration=intermediate

DA does normally automatically update the server certificate.
 
That first command is what I used initially after changing the DA skin to evolution. My old default DA skin didn't have an option (or I couldn't find it) to renew the cert. However, it did not copy the generated certificate. I already have the intermediate setting in the options.conf.
 
However, it did not copy the generated certificate.
That's why I never use the GUI but use console because then I can see better what is happening or not.

If you run the latest DA version it should all not be a problem. So it's best to monitor it and see what's happening.
 
That's why I never use the GUI but use console because then I can see better what is happening or not.

If you run the latest DA version it should all not be a problem. So it's best to monitor it and see what's happening.
Actually the regular CLI functions don't show what's happening either, and they do not copy the certificate either. However, I think I have an idea what's happening here. DA updated to a newer version sometime (or multiple times) after the last LetsEncrypt certificate renewal. And in one of these updates the action which copies the hostname certificate was moved from the letsencrypt.sh script to "da build sync_server_cert". And if something goes wrong there during an automated process, it just goes wrong and breaks things without notifying the administrator. Which will leave an administrator (like me) with hours of work trying to find out what's going wrong.

So, manually running "da build sync_server_cert" brings up that there's a problem in the options.conf ("phpMyAdmin requires PHP 7.2 or newer as main PHP version, please change 'php1_relase' or 'phpmyadmin' line in options.conf")... which I think should not be a fatal error on this certificate copy option at all, because it has nothing to do with PHP. I'm beyond frustrated by this process, because I cannot fix this options.conf problem without significant downtime and testing (which is impossible because DA doesn't provide a testing license) due to this unnecessary PHP update and possible other problems.

Maybe someone here knows exactly which steps "da build sync_server_cert" actually takes in order to move the hostname certificate to the services relying on this certificate?
 
@Sempiterna, an update in the current release channel is released to make sure da build sync_server_cert will work even with problems in options.conf.

This action copies DA certificate to exim, dovecot, apache, nginx, openlitespeed, pureftpd and proftpd and reloads/restarts the affected services. Because CustomBuild knows which web or FTP service is used it syncs the new cert only for services that are actually used.

You can see what this action does by adding a --debug flag and running it with da build --debug sync_server_cert.
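A check script for the situation described in this thread, added here as an example (it is not DirectAdmin's own code): it verifies that the copies sync_server_cert is supposed to write are identical to DA's certificate, that the certificate is not about to expire, and that each copy validates against the chain file, which is the "unknown ca" failure mode above. The DA, exim and httpd paths are assumptions (the thread only names /etc/httpd/conf/ssl.crt and /etc) and openssl must be installed.

```shell
#!/bin/sh
# Added example, not DirectAdmin code. Detects a failed or stale
# sync_server_cert run before exim/httpd start rejecting TLS connections.

# Return 0 if every cert file passed has the same SHA-256 fingerprint as the first.
certs_in_sync() {
    ref=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 2
    shift
    for f in "$@"; do
        fp=$(openssl x509 -in "$f" -noout -fingerprint -sha256) || return 2
        if [ "$fp" != "$ref" ]; then
            echo "MISMATCH: $f differs from the DA certificate" >&2
            return 1
        fi
    done
    return 0
}

# Return 0 if the cert is still valid for at least $2 seconds (default 14 days).
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "${2:-1209600}" >/dev/null
}

# Return 0 if the cert validates against the chain file $2 (plus the system
# trust store, which openssl verify consults as well); a wrong or stale chain
# is what exim reports as "tlsv1 alert unknown ca".
cert_chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run all checks against DA's default locations (assumed paths).
check_da_server_cert() {
    da=/usr/local/directadmin/conf/cacert.pem
    chain=/usr/local/directadmin/conf/carootcert.pem
    exim=/etc/exim.cert
    httpd=/etc/httpd/conf/ssl.crt/server.crt
    rc=0
    cert_not_expiring "$da" || { echo "DA cert expires within 14 days" >&2; rc=1; }
    certs_in_sync "$da" "$exim" "$httpd" || { echo "run: da build sync_server_cert" >&2; rc=1; }
    for c in "$exim" "$httpd"; do
        cert_chains_to "$c" "$chain" || { echo "$c does not chain to $chain" >&2; rc=1; }
    done
    return $rc
}

# Invoke as "sh check_da_cert.sh run" (e.g. from cron); non-zero exit = action needed.
if [ "${1:-}" = run ]; then
    check_da_server_cert
fi
```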
 