Server TLS setup

hugovanmeijeren (Verified User, joined Feb 27, 2017, 10 messages)
Hello,

Since the recent Dovecot update, I'm having trouble sending mail with external mail programs. I've read the topics here on the forum and understand that plain text authentication is no longer supported. Fair enough, I can understand that and I would like to fix this the proper way (I was still using plain-text until now).

I thought that the first step is to set up a Server TLS Certificate. Currently this is a self-signed certificate, which is not trusted. I'd like to fix that, but I am not getting any further. If I request a new certificate, I get an error that 'automated certificate renewal' was not possible. I went through the steps to install/update ca in AlmaLinux, but these are already installed.

Anyone able to help? Do I need to complete any other steps after this in order to get secured authentication for SMTP to work?

(screenshot attached: da_tls.jpg)
 
Hello,

Run as root:

Code:
rm -f /usr/local/directadmin/conf/cacert.pem /usr/local/directadmin/conf/cakey.pem /usr/local/directadmin/conf/carootcert.pem
/usr/local/directadmin/scripts/letsencrypt.sh request $(hostname -f)
 
You can always still keep using plaintext if you want, but some other customisation needs to be done then. It's better to have SSL certificates for everything, it's free anyway.

The command from @zEitEr will give you a hostname SSL certificate, however, you might also be needing domain certificates if you don't have them yet and send mail via domain name.
 
Thank you for your replies. I do have domain SSL certificates (including mail), using Let's Encrypt.

I ran the command from @zEitEr and this removed the existing self-signed certificate:

(screenshot attached: da_tls2.jpg)

However, I am still unable to create a new certificate here: 'Error during automated certificate renewal for server.domain.nl'
 
You can always still keep using plaintext if you want, but some other customisation needs to be done then. It's better to have SSL certificates for everything, it's free anyway.
Yes, I'm aware of this, but I would definitely like to fix this the proper way. If all else fails, it could be an option to revert to plain text, but preferably not.
 
'Error during automated certificate renewal for server.domain.nl'
Normally it will also give a reason for the error.

Check if your hostname is set up correctly and that you can find it from home (or from another server/network) with the nslookup command.
If you have external DNS, you need to add the hostname also in the external DNS to prevent errors.

Also try this command. It should do the same, but one never knows; it's the modern command:
Code:
cd /usr/local/directadmin/scripts
./letsencrypt.sh server_cert

If you want you can also contact me by pm, then we can speak in Dutch, that might be easier.
 
Hi Richard,

The hostname appears to be set up correctly; this is an older setup that has worked for many years without issues. I do use external DNS.

Your command returns a 'No such file or directory'...

I've sent you a PM. If we figure it out, I'll post the answer in this topic.
 
The command to create a certificate for a hostname was and still is:
This also can be used, but fln changed this to a more modern command which should also take care of replacing the old certificates correctly.

But if this is an old installation, that one might not work (yet).
 
This also can be used, but fln changed this to a more modern command which should also take care of replacing the old certificates correctly.


Thanks. I did not find a line that would remove the existing certificate and key files. Probably it is not required, but still the certificate failed to issue for @hugovanmeijeren.

I checked the script, I will test it for sure:

Bash:
command_server_cert() {
        local domain_csv=$1
        local key_type=$2

        da config-set acme_server_cert_enabled "1"
        if [ -n "${domain_csv}" ]; then
                ADDITIONAL_DOMAINS="$(tr , '\n' <<< "${domain_csv}" | grep -Fvx "$(da config-get servername)" | paste -sd,)"
                da config-set acme_server_cert_additional_domains "${ADDITIONAL_DOMAINS}"
        fi
        if [ -n "${key_type}" ]; then
                da config-set acme_server_cert_key_type "$(lego_key_type "${key_type}")"
        fi
        if [ -s "${SERVER_CERT_DNSPROVIDER_ENV}" ]; then
                da config-set acme_server_cert_dns_provider_env_file "${SERVER_CERT_DNSPROVIDER_ENV}"
        fi

        if ! da taskq --run 'action=ssl&value=server_acme&force=true'; then
                echo "Failed to issue new certificate"
                exit 1
        fi

        echo "Server certificate with domains ${domain_csv} has been created successfully"

        da config-set ssl 1

        if systemctl --quiet is-active directadmin.service; then
                systemctl restart directadmin.service
        fi
}
 
I did not find a line that would remove existing certificate and key files.
Ah okay, then he might not have added that. When it needs to be removed, I always advise your removal method anyway.
I've only read that in the Changelog and since then I'm using that command.

The cause that Hugo could not get a certificate was that, for some reason, the letsencrypt.sh file was not present anymore, as we discovered in our PM conversation.
I gave him the command to fix that, but he's busy this weekend so he might report back Sunday or after the weekend.
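The checks discussed in this thread (does the hostname resolve, is letsencrypt.sh actually present, is the current hostname certificate still the self-signed one and is it about to expire) collected into one pre-flight script. This is an added example, not code from the thread or from DirectAdmin; the paths are the ones quoted above, and running as root on the DirectAdmin server is assumed.

```shell
#!/bin/sh
# Added example (not from the thread or DirectAdmin): pre-flight checks before
# requesting the hostname certificate. Paths are the ones quoted in the thread.
DA_LE_SCRIPT="${DA_LE_SCRIPT:-/usr/local/directadmin/scripts/letsencrypt.sh}"
DA_CACERT="${DA_CACERT:-/usr/local/directadmin/conf/cacert.pem}"

# 0 if the Let's Encrypt helper exists and is executable; a missing helper
# was the actual cause of the failed request in this thread.
da_script_present() {
    [ -x "${1:-$DA_LE_SCRIPT}" ]
}

# 0 if the name resolves through the server's own resolver (/etc/hosts or
# DNS). Repeat the lookup with nslookup from another network as advised above.
hostname_resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# Prints "self-signed" when issuer equals subject, "ca-signed" otherwise.
cert_issuer_kind() {
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    if [ "$issuer" = "$subject" ]; then echo self-signed; else echo ca-signed; fi
}

# 0 if the certificate is still valid for at least N more days (default 30).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

main() {
    host=$(hostname -f)
    if da_script_present; then echo "ok:   $DA_LE_SCRIPT present"
    else echo "FAIL: $DA_LE_SCRIPT missing, restore it before requesting"; fi
    if hostname_resolves "$host"; then echo "ok:   $host resolves"
    else echo "FAIL: $host does not resolve; fix DNS (external DNS too)"; fi
    if [ -s "$DA_CACERT" ]; then
        echo "info: $DA_CACERT is $(cert_issuer_kind "$DA_CACERT")"
        cert_valid_for_days "$DA_CACERT" 30 || echo "WARN: $DA_CACERT expires within 30 days"
    else
        echo "info: no hostname certificate installed yet"
    fi
}

# Run the checks only when invoked with --run, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sh da_tls_preflight.sh --run`; a "FAIL" on the script check matches the symptom in this thread, while a "self-signed" result on cacert.pem means the request has not replaced the original certificate yet.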
 