Exim has no access to letsencrypt SSL cert

[Mattie]

So, my letsencrypt cert got renewed any now I cannot send email.

Why you might ask?

2016-10-21 13:09:12 TLS error on connection from xx-xx-xx-85.ftth.glasoperator.nl [xx.xx.xx.230] (SSL_CTX_use_certificate_chain_file file=/etc/exim.cert): error:0200100D:system library:fopenermission denied

The exim.cert seems to be a symlink to the actual certificate

lrwxrwxrwx 1 root root 79 Aug 22 09:48 exim.cert -> /usr/local/directadmin/data/users/admin/domains/xxx-xxx.nl.cert.combined

The cert:

-rw------- 1 diradmin diradmin 3924 Oct 21 00:13 /usr/local/directadmin/data/users/admin/domains/xxx-xxx.nl.cert.combined

So yes, ONLY the diradmin user may read this file, the "mail" user is already in the "diradmin" group but group reads are disabled.

So, did I do something strange? Should the renew script copy/paste the certificate with the correct permission (should I set that up myself with a post renew script if that exists)?

 

[SeLLeRoNe]

You can change the symlink owner using:
chown -h diradmin:diradmin FILENAME

Not sure if exim will follow the symlink, you may also consider to add the mailserver host you want in the server-host certificate: /usr/local/directadmin/conf/ca.san_config

Try this approach and let us know.

Best regards

 

[ditto]

But why was @Mattie /etc/exim.cert being a symlink? It is not on my servers. Is there a recent change in DirectAdmin that will change it to be a symlink when host names cert by lets encrypt is renewed by DirectAdmin?

 

[SeLLeRoNe]

I don't know, i just tought he created that

Best regards

 

[Mattie]

You can change the symlink owner using:
chown -h diradmin:diradmin FILENAME

Not sure if exim will follow the symlink, you may also consider to add the mailserver host you want in the server-host certificate: /usr/local/directadmin/conf/ca.san_config

Try this approach and let us know.

Best regards

Yes exim does follow the symlink so I'll need to change the permissions there.
My san-config already has this:

[ req_attributes ]
[ SAN ]
subjectAltName=DNS:mail.xx-xx.nl, xx-xx.nl, DNS:www.xx-xx.nl

So that should be ok right?

But why was @Mattie /etc/exim.cert being a symlink? It is not on my servers. Is there a recent change in DirectAdmin that will change it to be a symlink when host names cert by lets encrypt is renewed by DirectAdmin?

Hm that is strange, perhaps I did this in the past (I cannot remember) I know I had some real trouble before with certificates vanishing when the renew again used "mail.vps.xx.xx.nl" instead of "mail.xx.xx.nl". So how is it configured at you?

I don't know, i just tought he created that

Best regards

See above

 

[ditto]

[..cut..]
Hm that is strange, perhaps I did this in the past (I cannot remember) I know I had some real trouble before with certificates vanishing when the renew again used "mail.vps.xx.xx.nl" instead of "mail.xx.xx.nl". So how is it configured at you?

I have always manually added my certificate to /etc/exim.cert and my private key to /etc/exim.key - however this was when I still bought my certificate, I have recently started using let's encrypt for my server hostname (wich I also use for email), and installed it with DirectAdmin command:

cd /usr/local/directadmin/scripts
./letsencrypt.sh request myserver.hostname.com 4096

When I run that command, DirectAdmin automatically added the certificate and key to /etc/exim.cert and /etc/exim.key - It is not old enough to be renewed yet, but I hope DirectAdmin will do the same when it is renewed and automatically update the certificate and key in /etc/exim.cert and /etc/exim.key

When reading your post, I was worried that DirectAdmin might have done some changes and suddenly created a symlink, I would not want that.

 

[Mattie]

I have always manually added my certificate to /etc/exim.cert and my private key to /etc/exim.key - however this was when I still bought my certificate, I have recently started using let's encrypt for my server hostname (wich I also use for email), and installed it with DirectAdmin command:

cd /usr/local/directadmin/scripts
./letsencrypt.sh request myserver.hostname.com 4096

When I run that command, DirectAdmin automatically added the certificate and key to /etc/exim.cert and /etc/exim.key - It is not old enough to be renewed yet, but I hope DirectAdmin will do the same when it is renewed and automatically update the certificate and key in /etc/exim.cert and /etc/exim.key

When reading your post, I was worried that DirectAdmin might have done some changes and suddenly created a symlink, I would not want that.

Well yes, I think that happed now that I've re-ready my old post (http://forum.directadmin.com/showthread.php?t=52935)

If I'm correct the problem was:

server hostname: vps.xx.nl
DNS I use for email: mail.xx.nl
DNS used by DA for certificate: mail.vps.xx.nl

So perhaps that's the reason I've created a symlink. However now that the certificate is renewed again why didn't it overwrite my certificate.... If that's what it's supposed to do.

Starting to think if it might be better to reinstall the VPS and configure it all from start.

 

[Mattie]

And just to let you know:

I just did this again
https://help.directadmin.com/item.php?id=629

root@vps:/usr/local/directadmin/scripts# ./letsencrypt.sh request vps.xx-xx.nl 4096
Setting up certificate for a hostname: vps.xx-xx.nl
vps.xx-xx.nl mail.xx-xx.nl
Getting challenge for vps.xx-xx.nl from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for mail.xx-xx.nl from acme-server...
Waiting for domain verification...
Challenge is valid.
Generating 4096 bit RSA key for vps.xx-xx.nl...

But nope it did not create a new exim.key....

------------- edit

Perhaps I fixed it now, in my opinion one of these options work
1) domain SSL certificate through DA
2) server SSL certificate through CLI
But when I wanted to do both -> brrrr doesn't work

So now I simply added the "xxx.nl and www.xxx.nl" to the server san config and let that generated. Set DA to use server certificate and so far so good

Hopefully this will also auto-renew correctly

 

[SeLLeRoNe]

Maybe is a silly question, but, do you have sni=1 in your directadmin.conf file?

Best regards

 

[Mattie]

Maybe is a silly question, but, do you have sni=1 in your directadmin.conf file?

Best regards

I assume you are pointing to the flag "enable_ssl_sni"? That is set to 1 only "sni" is not in my config.

 

[SeLLeRoNe]

Yep, i just went by memory

 

[Mattie]

Allright np just making sure

Well I guess that if you don't hear from me after 90 days (certificate expires) this worked great !