Scripts for Exim SNI with a (Let's Encrypt) user certificate

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,792
Location
A Coruña, Spain
No worries :)

In my opinion, you didn't recreate the configuration using CB after you'd set mail_sni to 1 (and restarted DA); that is the only explanation I can see. The configs were generated when SNI was not enabled, so the restarts didn't matter; they would never have changed unless forced to :)

Glad you found and fixed the last problem :)

Best regards
 

whitehat

Verified User
Joined
Jan 20, 2005
Messages
26
Location
Pennsylvania, U.S.
Updating Certs broke a working dovecot

:mad: Frustration galore revisited.

I updated several Let'sEncrypt certificates (first by command line and then later by using the DA control panel). Now dovecot is defaulting back to using the server certificate for mail for all domains.

Yes, I rebuilt dovecot configs via the command line:
Code:
echo "action=rewrite&value=mail_sni" >> /usr/local/directadmin/data/task.queue
Yes, I restarted dovecot and exim.
Yes, the dovecot conf sni files exist.
Yes, the /etc/virtual/* files are all in place.

I am wondering why a simple update of the certificate(s) would break the functionality of what was a perfectly fine working system. The only thing I did was update the certificates.

I fail to understand why I may have to rebuild everything (which I resent having to do when all I did was update some certs).

Any ideas anyone? Is anyone else experiencing this issue?

Mike Brown

(fwiw: DA version is 1.55.0)
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,792
Location
A Coruña, Spain
Does the file for that domain exist in /etc/dovecot/conf/sni/?
Do the certificates you created include the host you're using in the mail client (e.g. mail.domain.tld)?

Can you provide the domain name?
Have you tried to rewrite all the configs? /usr/local/directadmin/custombuild/build rewrite_confs
Is mail_sni=1 in your directadmin.conf file?
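
The checklist above is about files and settings; the question a practitioner wants answered is whether the running dovecot/exim actually hand out the per-domain certificate when a client sends that hostname via SNI, or whether they fall back to the server-wide certificate. The script below is an added example for this thread, not DirectAdmin or CustomBuild code. It connects to the implicit-TLS ports (993 for dovecot, 465 for exim, both assumed defaults) twice, once with SNI and once without, and compares the served leaf certificates against the certificate file you pass in (on DirectAdmin that is typically the user's DOMAIN.cert.combined file; the exact path is your own). The three result labels are this script's own naming.

```python
#!/usr/bin/env python3
"""Check whether a mail server serves the per-domain certificate for an SNI name.

Added example for this forum thread, not DirectAdmin/CustomBuild tooling.
Assumptions: implicit TLS on 993/465, the expected cert is the first block of
the PEM file given on the command line, result labels are this script's own.
"""
import hashlib
import re
import socket
import ssl
import sys
from typing import Dict, Optional, Tuple

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def first_cert_der(pem_text: str) -> bytes:
    """DER bytes of the first CERTIFICATE block; in a leaf+chain bundle that is the leaf."""
    m = PEM_BLOCK.search(pem_text)
    if m is None:
        raise ValueError("no CERTIFICATE block in input")
    return ssl.PEM_cert_to_DER_cert(m.group(0))


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER, i.e. what `openssl x509 -fingerprint -sha256` shows (no colons)."""
    return hashlib.sha256(der).hexdigest()


def fetch_served_der(host: str, port: int, sni: Optional[str], timeout: float = 5.0) -> bytes:
    """Open a TLS session and return the leaf certificate the server presents.

    Verification is deliberately disabled: the point is to see what is served
    even when it is the wrong (or self-signed server) certificate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)


def classify(with_sni: str, without_sni: str, expected: str) -> str:
    """Interpret three fingerprints (labels are this script's own):
    ok       - the SNI name gets the expected per-domain cert
    fallback - the SNI name gets the same cert a client with no SNI gets, i.e. the
               server default: no SNI block is active for this host
    stale    - a per-domain cert is selected but it is not the file on disk
               (service not reloaded after renewal, or config points at an old file)
    """
    if with_sni == expected:
        return "ok"
    if with_sni == without_sni:
        return "fallback"
    return "stale"


def check(host: str, cert_path: str, ports: Tuple[int, ...] = (993, 465)) -> Dict[int, str]:
    """Run the comparison on every port; returns {port: label or error text}."""
    with open(cert_path, encoding="ascii") as f:
        expected = fingerprint(first_cert_der(f.read()))
    results: Dict[int, str] = {}
    for port in ports:
        try:
            with_sni = fingerprint(fetch_served_der(host, port, host))
            without_sni = fingerprint(fetch_served_der(host, port, None))
        except (OSError, ssl.SSLError) as e:
            results[port] = f"error: {e}"
            continue
        results[port] = classify(with_sni, without_sni, expected)
    return results


# Constructed sample, NOT a real certificate: PEM_cert_to_DER_cert only base64-decodes
# the block, so short stand-in bytes are enough to exercise the logic offline.
SAMPLE_COMBINED = (
    "-----BEGIN CERTIFICATE-----\nbGVhZg==\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nY2hhaW4=\n-----END CERTIFICATE-----\n"
)


def self_check() -> Dict[str, str]:
    """Offline run of the comparison logic on constructed fingerprints (no network)."""
    leaf = fingerprint(first_cert_der(SAMPLE_COMBINED))
    default = fingerprint(b"server-default-cert")  # stands in for the server-wide cert
    return {
        "renewed and reloaded": classify(leaf, default, leaf),
        "config lost SNI include": classify(default, default, leaf),
        "old file still loaded": classify(fingerprint(b"old-leaf"), default, leaf),
    }


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print(f"usage: {sys.argv[0]} mail.domain.tld /path/to/domain.cert.combined [port ...]")
        sys.exit(2)
    port_list = tuple(int(p) for p in sys.argv[3:]) or (993, 465)
    for port, verdict in check(sys.argv[1], sys.argv[2], port_list).items():
        print(f"{sys.argv[1]}:{port}  {verdict}")
```

A "fallback" on 993 but "ok" on 465 points at the dovecot side only (SNI config not included or not regenerated); "stale" after a renewal means the config is right but the service still holds the old file and needs a restart. STARTTLS ports (143, 587) need the protocol-level STARTTLS exchange first and are not covered here; `openssl s_client -starttls imap -servername mail.domain.tld` does that by hand.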
 

whitehat

Verified User
Joined
Jan 20, 2005
Messages
26
Location
Pennsylvania, U.S.
Does the file for that domain exist in /etc/dovecot/conf/sni/?
Yes

Do the certificates you created include the host you're using in the mail client (e.g. mail.domain.tld)?
Yes

Can you provide the domain name?
One example - refs.org

Have you tried to rewrite all the configs? /usr/local/directadmin/custombuild/build rewrite_confs
No - why should I have to? I updated via DA control panel as a user, not as an admin. This process shouldn't be that difficult.

Is mail_sni=1 in your directadmin.conf file?
Yes - as it has been all along.

Everything was working fine until I updated the certs.

As a side note and probably better posted in a separate post, but here goes....Frankly, I hesitated to post, but DA's documentation sucks. In my not so humble opinion, John and everyone else who may be working on updates should stop right now and spend however long it takes to update the OFFICIAL help/documentation site.

My understanding is that the forum here is supposed to be for users helping users, with some occasional official DA announcements scattered, but it has become the quasi-official support site because the official DA help site, help.directadmin.com is nothing more than a lazily made patchwork of documents.

I am a metaphor person - The official DA help site is the owners manual for a 2004 Volvo for people owning a 2019 Volvo, with loose leaf sheets of old and updated information and other scraps of 'paper' scattered everywhere, and the user can't always discern what is still current and what is outdated. Some are copyrighted 2003, some 2018, and all sorts of combos in between. Some 2003 pages are still valid today. Some 2017 pages are now outdated. What a total complete mess.

I do LOVE DirectAdmin because of all the user friendly configurable options ... but the OFFICIAL help site is a clusterF* . Shame on DA.

The last time a list was made for the various DA.conf variables is now 10 years old. That's totally inexcusable. Why should anyone have to Google or hunt through this forum of 50,000+ posts to find what should be easily and readily available in a current document? Shame on DA.

CustomBuild by Marty is very well documented here in the forum - exceedingly well. Why is it not done as well on the OFFICIAL help site? Shame on DA.

Before John and the contributors put out a new update, they owe it to themselves and to admins, to resellers, and to users to UPDATE the OFFICIAL site. NOT everyone who uses DA is an admin. Lately, the feature updates are being written as if the end reader is supposed to have a full understanding of DA history and a level of technical knowledge as great as the writer's. (try dumbing it down for those not as savvy). A new user to DA or those who don't spend their entire lives on DA Forums can find the reading challenging and the documentation wanting.

If John and the team are going to make a 2019 model of DA - you owe it to have a 2019 owners' manual to go with it. Anything less is unacceptable.

My rant is because all I did was update my certificates on a perfectly working system and now mailsni is broken. I'm not the first to experience this issue. Where on the official help site can I find checklist of things to do ? It's not there.

End of rant.

I'll rebuild - and I shouldn't have to do that.

Mike Brown
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,774
Location
LT, EU
Hi Mike,

I totally agree with you on help.directadmin.com, I hope it could be re-done soon, that'll require a lot of work, but it's mandatory :)

Would you mind creating a ticket on this at tickets.directadmin.com ? My first guess would be dovecot configuration files having no include of SNI configs. Why - it'd be hard to say without access. Please try the following, if it does not help, I'd really recommend a ticket, to get it solved ASAP:
Code:
cd /usr/local/directadmin/custombuild
./build update
./build set dovecot_conf yes
./build dovecot_conf
Thank you for your opinion, it's really valuable!
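
The guess above (dovecot config files with no include of the SNI configs) can be confirmed from the effective configuration rather than by looking for files. The script below is an added example for this thread, not DirectAdmin or CustomBuild code: it parses the output of `doveconf -n`, lists every `local_name` block (dovecot's per-hostname SSL override syntax), checks that the cert and key files those blocks reference exist, and says whether a given hostname has a block at all. A host with no `local_name` block gets the global `ssl_cert`, which is exactly the "defaulting back to the server certificate" symptom. The sample configuration inside it is constructed; the paths in it are illustrative, not DirectAdmin's.

```python
#!/usr/bin/env python3
"""Audit `doveconf -n` output for per-hostname (SNI) certificate blocks.

Added example for this forum thread, not DirectAdmin/CustomBuild tooling.
Usage: doveconf -n | ./dovecot_sni_audit.py mail.domain.tld
"""
import os
import re
import sys
from typing import Callable, Dict, List, Tuple

# "local_name mail.example.org {"  or  "service imap-login {"  (block name(s) optional)
BLOCK_OPEN = re.compile(r"^\s*(\S+)((?:\s+\S+)*)\s*\{\s*$")
ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")


def parse_ssl_config(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Return (global ssl_* settings, {sni_hostname: {setting: value}}).

    Follows dovecot's block syntax; nesting is tracked with a stack so settings in
    unrelated blocks (service, inet_listener, ...) are not mistaken for SNI overrides.
    """
    global_ssl: Dict[str, str] = {}
    blocks: Dict[str, Dict[str, str]] = {}
    stack: List[Tuple[str, List[str]]] = []  # (block type, block names)
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = BLOCK_OPEN.match(line)
        if m:
            names = m.group(2).split()
            stack.append((m.group(1), names))
            if m.group(1) == "local_name":
                for name in names:  # dovecot allows several names on one local_name line
                    blocks.setdefault(name, {})
            continue
        if line.strip() == "}":
            if stack:
                stack.pop()
            continue
        m = ASSIGN.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if not stack and key.startswith("ssl_"):
            global_ssl[key] = value
        elif stack and stack[-1][0] == "local_name":
            for name in stack[-1][1]:
                blocks[name][key] = value
    return global_ssl, blocks


def audit(config_text: str, host: str, exists: Callable[[str], bool] = os.path.exists) -> dict:
    """Report for one hostname. `exists` is injectable so the constructed sample runs offline."""
    global_ssl, blocks = parse_ssl_config(config_text)
    report = {
        "host": host,
        "has_local_name": host in blocks,
        "global_ssl_cert": global_ssl.get("ssl_cert", ""),  # what the host gets if has_local_name is False
        "all_local_names": sorted(blocks),
        "missing_files": [],  # (local_name, setting, path) for dangling "<path" references
    }
    for name, settings in blocks.items():
        for key in ("ssl_cert", "ssl_key"):
            value = settings.get(key, "")
            if value.startswith("<") and not exists(value[1:]):
                report["missing_files"].append((name, key, value[1:]))
    return report


# Constructed sample in the shape of `doveconf -n` output; paths are illustrative only.
SAMPLE_DOVECONF = """\
# 2.3.x: /etc/dovecot/dovecot.conf   (constructed sample, not real output)
ssl = required
ssl_cert = </etc/exim.cert
ssl_key = </etc/exim.key
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
local_name mail.example.org {
  ssl_cert = </etc/dovecot/conf/sni/mail.example.org.cert
  ssl_key = </etc/dovecot/conf/sni/mail.example.org.key
}
"""


def self_check() -> Dict[str, dict]:
    """Offline run against the constructed sample, pretending only the cert file exists."""
    present = {"/etc/dovecot/conf/sni/mail.example.org.cert"}
    return {
        "known": audit(SAMPLE_DOVECONF, "mail.example.org", exists=present.__contains__),
        "unknown": audit(SAMPLE_DOVECONF, "mail.other.org", exists=present.__contains__),
    }


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"usage: doveconf -n | {sys.argv[0]} mail.domain.tld")
        sys.exit(2)
    r = audit(sys.stdin.read(), sys.argv[1])
    print(f"{r['host']}: local_name block present: {r['has_local_name']}")
    if not r["has_local_name"]:
        print(f"  -> will be served the global cert: {r['global_ssl_cert']}")
    for name, key, path in r["missing_files"]:
        print(f"  missing file: local_name {name}: {key} -> {path}")
```

Run it after `./build dovecot_conf` and again after restarting dovecot: if the hostname still has no `local_name` block, the SNI directory is not being included by the generated config; if the block is there but a file is reported missing, the certificate rewrite produced a config that points at a path the last update moved or removed.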
 

whitehat

Verified User
Joined
Jan 20, 2005
Messages
26
Location
Pennsylvania, U.S.
Andrea,

I DO appreciate your genuine offer of assistance to me. I can only hope you did not take my rant as a personal attack on you.

My rant was directed at DA and not at you.

For what it is worth (fwiw), nothing that I have done so far has succeeded in fixing the situation, so I will probably be taking some draconian measures to attempt to resolve this.

I still stand by my post and still feel that DA management has done a very, very poor woeful job of maintaining its help site.

fwiw, while this was happening on this one box I have, I have been in the process of setting up another DA box; I have had to forage through the forums like Hansel and Gretel, hunting and gathering and trying to remember all the steps necessary to accomplish some basic tasks that are not documented in the DA help files. grrrr..... That's irritating.

And as the new releases of DA continue to come out without a current "owner's manual", I will continue to believe that the support model for DA is a "poster child" prime example of anal-cranial inversion. (That should translate into almost any language).

Again, yes, I thank you for trying to help.

Mike Brown
 

whitehat

Verified User
Joined
Jan 20, 2005
Messages
26
Location
Pennsylvania, U.S.
Marty,

I have been there and done that (your code).

All the files appear to be where they are supposed to be. (dovecot.conf files, etc/virtual/*, et al.)

I have been checking permissions just in case there were errors there, but that doesn't appear to be the issue.

I am in the process of comparing the current situation to an rsync that I did 3 weeks ago, but that will be slow going. For the meantime, clients are advised to use the server cert for mail until I resolve this.

I'll update as I learn (or do not learn) more.

I'll go to tickets later.

Thanks for the offer to help.

Mike Brown
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,792
Location
A Coruña, Spain
Don't worry, I didn't take it personal.
I do agree it needs to be re-done and I find myself (even with 10+ years of experience on DA) having to open tickets from time to time just because I cannot remember all the possible options by heart (and the search tools don't help most of the time), so really, I get that :)

Back to your issue, it is quite an odd thing; I created a new certificate yesterday without causing any issue.

My biggest suggestion would be to check with Martynas (and possibly let him access your server) because if there is a bug in CB, he will find it and fix it right away, for the peace of mind of everyone using CB :)
 

faaramin

New member
Joined
Aug 3, 2019
Messages
4
Does anybody know when DirectAdmin will release this as a supported (non-beta) feature?
 

faaramin

New member
Joined
Aug 3, 2019
Messages
4
hello,
I followed the instructions in here https://www.directadmin.com/features.php?id=2019
But it still does not work for me.
The task `echo "action=rewrite&value=mail_sni" >> /usr/local/directadmin/data/task.queue` does not add anything to /etc/snidomains/ and/or to /etc/dovecot/conf/sni.

I don't know if it is related but when I generate a new Let's Encrypt certificate at the DA SSL page, at the end of the log I see this message:
Cannot find the dovecot_sni.conf template.
After initial certificate creation in DA SSL page the /etc/snidomains/ was updated with the domain but the /etc/dovecot/conf/sni folder is still empty. :(
 