I'm a complete SSL noob and I've been trying to get letsencrypt working and it seems I've made a huge mess. I'm unable to send from my client to this server.
I ran the server in debug mode and captured this:
Code:
09:03:34 32696 SMTP<< STARTTLS
09:03:34 32696 openssl option, adding from 1100000: 1000000 (no_sslv2 +no_sslv3)
09:03:34 32696 openssl option, adding from 1100000: 2000000 (no_sslv3)
09:03:34 32696 setting SSL CTX options: 0x3100000
09:03:34 32696 Diffie-Hellman initialized from default with 2048-bit prime
09:03:34 32696 ECDH: curve 'prime256v1'
09:03:34 32696 ECDH: enabled 'prime256v1' curve
09:03:34 32696 tls_certificate file /etc/exim.cert
09:03:34 32696 tls_privatekey file /etc/exim.key
09:03:34 32696 Initialized TLS
09:03:34 32696 required ciphers: ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
09:03:34 32696 host in tls_verify_hosts? no (option unset)
09:03:34 32696 host in tls_try_verify_hosts? no (option unset)
09:03:34 32696 SMTP>> 220 TLS go ahead
09:03:34 32696 Calling SSL_accept
09:03:34 32696 SSL info: before/accept initialization
09:03:34 32696 SSL info: before/accept initialization
09:03:34 32696 Received TLS SNI "mail.ariohosts.ca" (unused for certificate selection)
09:03:34 32696 SSL info: unknown state
09:03:34 32696 SSL info: unknown state
09:03:34 32696 SSL info: unknown state
09:03:34 32696 SSL info: unknown state
09:03:34 32696 SSL info: unknown state
09:03:34 32696 SSL info: unknown state
09:03:34 32696 SSL info: unknown state
09:03:34 32696 LOG: MAIN
09:03:34 32696 TLS error on connection from ([10.0.1.4]) [66.207.220.190] (SSL_accept): error:00000000:lib(0):func(0):reason(0)
09:03:34 32696 LOG: MAIN
09:03:34 32696 TLS client disconnected cleanly (rejected our certificate?)
09:03:34 32696 TLS failed to start
09:03:34 32696 LOG: smtp_connection MAIN
09:03:34 32696 SMTP connection from ([10.0.1.4]) [66.207.220.190] closed by EOF
09:03:34 32696 search_tidyup called
09:03:34 32631 child 32696 ended: status=0x0
09:03:34 32631 normal exit, 0
09:03:34 32631 0 SMTP accept processes now running
09:03:34 32631 Listening...
09:03:34 32631 Connection request from 66.207.220.190 port 47011
09:03:34 32631 interface address=158.85.85.179 port=465
09:03:34 32631 search_tidyup called
09:03:34 32631 1 SMTP accept process running
09:03:34 32631 Listening...
09:03:34 32697 expanding: /etc/virtual/helo_data
09:03:34 32697 result: /etc/virtual/helo_data
09:03:34 32697 condition: exists{/etc/virtual/helo_data}
09:03:34 32697 result: false
09:03:34 32697 expanding: $interface_address
09:03:34 32697 result:
09:03:34 32697 skipping: result is not used
09:03:34 32697 expanding: /etc/virtual/helo_data
09:03:34 32697 result: /etc/virtual/helo_data
09:03:34 32697 skipping: result is not used
09:03:34 32697 expanding: $value
09:03:34 32697 result:
09:03:34 32697 skipping: result is not used
09:03:34 32697 expanding: $primary_hostname
09:03:34 32697 result:
09:03:34 32697 skipping: result is not used
09:03:34 32697 expanding: ${lookup{$interface_address}iplsearch{/etc/virtual/helo_data}{$value}{$primary_hostname}}
09:03:34 32697 result:
09:03:34 32697 skipping: result is not used
09:03:34 32697 expanding: $primary_hostname
09:03:34 32697 result: hosting1.tor1.ariohosts.ca
09:03:34 32697 expanding: ${if exists{/etc/virtual/helo_data}{${lookup{$interface_address}iplsearch{/etc/virtual/helo_data}{$value}{$primary_hostname}}}{$primary_hostname}}
09:03:34 32697 result: hosting1.tor1.ariohosts.ca
09:03:34 32697 sender_fullhost = [66.207.220.190]
09:03:34 32697 sender_rcvhost = [66.207.220.190]
09:03:34 32697 Process 32697 is handling incoming connection from [66.207.220.190]
09:03:34 32697 host in host_lookup? yes (matched "*")
09:03:34 32697 looking up host name for 66.207.220.190
09:03:34 32697 DNS lookup of 190.220.207.66.in-addr.arpa (PTR) succeeded
09:03:34 32697 Reverse DNS security status: unverified
09:03:34 32697 IP address lookup yielded "66-207-220-190.beanfield.net"
09:03:34 32697 DNS lookup of 66-207-220-190.beanfield.net (A) gave HOST_NOT_FOUND
09:03:34 32697 returning DNS_NOMATCH
09:03:34 32697 no IP addresses found for 66-207-220-190.beanfield.net
09:03:34 32697 66.207.220.190 does not match any IP address for 66-207-220-190.beanfield.net
09:03:34 32697 sender_fullhost = [66.207.220.190]
09:03:34 32697 sender_rcvhost = [66.207.220.190]
09:03:34 32697 set_process_info: 32697 handling incoming connection from [66.207.220.190]
09:03:34 32697 openssl option, adding from 1100000: 1000000 (no_sslv2 +no_sslv3)
09:03:34 32697 openssl option, adding from 1100000: 2000000 (no_sslv3)
09:03:34 32697 setting SSL CTX options: 0x3100000
09:03:34 32697 Diffie-Hellman initialized from default with 2048-bit prime
09:03:34 32697 ECDH: curve 'prime256v1'
09:03:34 32697 ECDH: enabled 'prime256v1' curve
09:03:34 32697 tls_certificate file /etc/exim.cert
09:03:34 32697 tls_privatekey file /etc/exim.key
09:03:34 32697 Initialized TLS
09:03:34 32697 required ciphers: ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
09:03:34 32697 host in tls_verify_hosts? no (option unset)
09:03:34 32697 host in tls_try_verify_hosts? no (option unset)
09:03:34 32697 Calling SSL_accept
09:03:34 32697 SSL info: before/accept initialization
09:03:34 32697 SSL info: before/accept initialization
09:03:34 32697 Received TLS SNI "mail.ariohosts.ca" (unused for certificate selection)
09:03:34 32697 SSL info: unknown state
09:03:34 32697 SSL info: unknown state
09:03:34 32697 SSL info: unknown state
09:03:35 32697 SSL info: unknown state
09:03:35 32697 SSL info: unknown state
09:03:35 32697 SSL info: unknown state
09:03:35 32697 SSL info: unknown state
09:03:35 32697 LOG: MAIN
09:03:35 32697 TLS error on connection from [66.207.220.190] (SSL_accept): error:00000000:lib(0):func(0):reason(0)
09:03:35 32697 LOG: MAIN
09:03:35 32697 TLS client disconnected cleanly (rejected our certificate?)
09:03:35 32697 search_tidyup called
09:03:35 32631 child 32697 ended: status=0x0
09:03:35 32631 normal exit, 0
09:03:35 32631 0 SMTP accept processes now running
09:03:35 32631 Listening...
I believe the issue is related to the "SSL info: unknown state" line, but I really don't know.
I tried to revoke and re-request the certificate (mainly to make sure exim was using the correct ones from letsencrypt.sh), but now I'm getting these errors, so I don't even know where to begin :|
Code:
root@hosting1:/usr/local/directadmin/scripts# ./letsencrypt.sh renew hosting1.tor1.ariohosts.ca 4096
Setting up certificate for a hostname: hosting1.tor1.ariohosts.ca
Getting challenge for hosting1.tor1.ariohosts.ca from acme-server...
Waiting for domain verification...
Challenge is valid.
Generating 4096 bit RSA key for hosting1.tor1.ariohosts.ca...
openssl genrsa 4096 > "/usr/local/directadmin/conf/cakey.pem.new"
Generating RSA private key, 4096 bit long modulus
.................................................................++
..............++
e is 65537 (0x10001)
Size of certificate response is smaller than 500 characters, it means something went wrong. Printing response...
root@hosting1:/usr/local/directadmin/scripts# ./letsencrypt.sh revoke hosting1.tor1.ariohosts.ca 4096
Setting up certificate for a hostname: hosting1.tor1.ariohosts.ca
Certificate has been successfully revoked.
root@hosting1:/usr/local/directadmin/scripts# ./letsencrypt.sh revoke ariohosts.ca 4096
Certificate revocation error. Response: HTTP/1.1 100 Continue
Expires: Sun, 05 Jun 2016 13:20:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
HTTP/1.1 409 Conflict
Server: nginx
Content-Type: application/problem+json
Content-Length: 100
Replay-Nonce: UlpHejfoRhrcx-DlG1Nn8-lK2i0G-fbgwTwDdS7gUwE
Expires: Sun, 05 Jun 2016 13:20:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 05 Jun 2016 13:20:44 GMT
Connection: close
{
"type": "urn:acme:error:malformed",
"detail": "Certificate already revoked",
"status": 409
}.
root@hosting1:/usr/local/directadmin/scripts# ./letsencrypt.sh request hosting1.tor1.ariohosts.ca 4096
Setting up certificate for a hostname: hosting1.tor1.ariohosts.ca
Getting challenge for hosting1.tor1.ariohosts.ca from acme-server...
Waiting for domain verification...
Challenge is valid.
Generating 4096 bit RSA key for hosting1.tor1.ariohosts.ca...
openssl genrsa 4096 > "/usr/local/directadmin/conf/cakey.pem.new"
Generating RSA private key, 4096 bit long modulus
.............................++
..................................++
e is 65537 (0x10001)
Size of certificate response is smaller than 500 characters, it means something went wrong. Printing response...
hosting1:/usr/local/directadmin/scripts# ./letsencrypt.sh request ariohosts.ca 4096
Getting challenge for ariohosts.ca from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for www.ariohosts.ca from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for mail.ariohosts.ca from acme-server...
Waiting for domain verification...
Challenge is valid.
Generating 4096 bit RSA key for ariohosts.ca...
openssl genrsa 4096 > "/usr/local/directadmin/data/users/admin/domains/ariohosts.ca.key.new"
Generating RSA private key, 4096 bit long modulus
.................................................++
...............................................................................................................................................................++
e is 65537 (0x10001)
Size of certificate response is smaller than 500 characters, it means something went wrong. Printing response...
root@hosting1:/usr/local/directadmin/scripts#
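The exim debug output above already contains the two facts that matter for this kind of failure: the client sent SNI "mail.ariohosts.ca" but exim logged it as "(unused for certificate selection)", so it served whatever is in /etc/exim.cert regardless, and SSL_accept then failed with error:00000000, which is OpenSSL saying it has no error of its own, i.e. the peer closed the connection in the middle of the handshake (exim's own hint: "rejected our certificate?"). The following triage script is an added example, not code from the poster or from the exim or DirectAdmin projects. It groups exim -d lines by child pid, extracts the certificate/key paths, the SNI name, the SSL_accept error and the disconnect notice, and separates "client hung up on our certificate" from a genuine OpenSSL error. The sample log is constructed: pid 32697 is the session from the post, pid 40001 is made up to show a real OpenSSL error code (a plaintext client talking to port 465).

```python
import re
from typing import Dict

# Constructed sample input: the TLS-relevant lines of one exim child from the
# debug output in the post (pid 32697), plus a made-up second session (pid 40001)
# that fails with a real OpenSSL error instead of a clean client disconnect.
SAMPLE_LOG = """\
09:03:34 32697 tls_certificate file /etc/exim.cert
09:03:34 32697 tls_privatekey file /etc/exim.key
09:03:34 32697 Calling SSL_accept
09:03:34 32697 Received TLS SNI "mail.ariohosts.ca" (unused for certificate selection)
09:03:34 32697 SSL info: unknown state
09:03:35 32697 TLS error on connection from [66.207.220.190] (SSL_accept): error:00000000:lib(0):func(0):reason(0)
09:03:35 32697 TLS client disconnected cleanly (rejected our certificate?)
09:05:01 40001 tls_certificate file /etc/exim.cert
09:05:01 40001 tls_privatekey file /etc/exim.key
09:05:01 40001 Calling SSL_accept
09:05:01 40001 TLS error on connection from [192.0.2.10] (SSL_accept): error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
"""

# exim -d line shape: "HH:MM:SS <pid> <message>"
LINE_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d) (?P<pid>\d+) (?P<msg>.*)$")
SNI_RE = re.compile(r'^Received TLS SNI "(?P<sni>[^"]*)"(?P<unused> \(unused for certificate selection\))?')
ERR_RE = re.compile(r"^TLS error on connection from (?P<peer>.+?) \(SSL_accept\): "
                    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<text>.*)$")


def new_session() -> dict:
    return {"cert_file": None, "key_file": None, "sni": None,
            "sni_used_for_cert": None, "peer": None,
            "error_code": None, "error_text": None, "clean_disconnect": False}


def parse_tls_sessions(log: str) -> Dict[str, dict]:
    """Group exim -d lines by child pid and pull out the facts that explain a
    failed STARTTLS / SMTPS handshake."""
    sessions: Dict[str, dict] = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = sessions.setdefault(m["pid"], new_session())
        msg = m["msg"]
        sni = SNI_RE.match(msg)
        err = ERR_RE.match(msg)
        if msg.startswith("tls_certificate file "):
            s["cert_file"] = msg.split(" ", 2)[2]
        elif msg.startswith("tls_privatekey file "):
            s["key_file"] = msg.split(" ", 2)[2]
        elif sni:
            s["sni"] = sni["sni"]
            # exim only picks a certificate per SNI when tls_certificate is an
            # expansion that references $tls_in_sni; otherwise it says "unused".
            s["sni_used_for_cert"] = sni["unused"] is None
        elif err:
            s["peer"] = err["peer"]
            s["error_code"] = err["code"].lower()
            s["error_text"] = err["text"]
        elif msg.startswith("TLS client disconnected cleanly"):
            s["clean_disconnect"] = True
    return sessions


def triage(s: dict) -> str:
    """Classify one session. error:00000000 from SSL_accept means OpenSSL has no
    error to report: the peer closed the connection mid-handshake, which is what a
    client does after it has inspected and rejected the server certificate."""
    if s["error_code"] is None:
        return "no_tls_error"
    if s["error_code"] == "00000000":
        return "client_rejected_certificate" if s["clean_disconnect"] else "client_disconnected"
    return "openssl_error"


def report(log: str) -> Dict[str, str]:
    """One human-readable verdict per exim child, keyed by pid."""
    out: Dict[str, str] = {}
    for pid, s in parse_tls_sessions(log).items():
        verdict = triage(s)
        if s["sni"] and s["sni_used_for_cert"] is False:
            verdict += (f'; client asked for "{s["sni"]}" but exim served '
                        f'{s["cert_file"] or "?"} regardless of SNI')
        elif verdict == "openssl_error":
            verdict += f"; {s['error_text']}"
        out[pid] = verdict
    return out


if __name__ == "__main__":
    for pid, verdict in report(SAMPLE_LOG).items():
        print(pid, verdict)
```

The next check after this triage is to look at the certificate from the client's side, not the server's, for example `openssl s_client -connect 158.85.85.179:465 -servername mail.ariohosts.ca -showcerts`, and compare the subject and subjectAltName of the certificate shown there with the hostname the mail client is configured to connect to; with SNI unused, that will be the contents of /etc/exim.cert whatever name the client asks for.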