Server TLS setup

hugovanmeijeren

Hello,

Since the recent Dovecot update, I'm having trouble sending mail with external mail programs. I've read the topics here on the forum and understand that plain text authentication is no longer supported. Fair enough, I can understand that and I would like to fix this the proper way (I was still using plain-text until now).

I thought that the first step is to set up a Server TLS Certificate, currently this is a self-signed certificate, which is not trusted. I'd like to fix that, but I am not getting further. If I request a new certificate, I get an error that 'automated certificate renewal' was not possible. I went through the steps to install/update ca in AlmaLinux, but these are already installed.

Anyone able to help? Do I need to complete any other steps after this in order to get secured authentication for SMTP to work?

 
Hello,

Run as root:

Code:
rm -f  /usr/local/directadmin/conf/cacert.pem /usr/local/directadmin/conf/cakey.pem /usr/local/directadmin/conf/carootcert.pem
/usr/local/directadmin/scripts/letsencrypt.sh request $(hostname -f)
 
You can always still keep using plaintext if you want, but some other customisation needs to be done then. It's better to have SSL certificates for everything, it's free anyway.

The command from @zEitEr will give you a hostname SSL certificate; however, you might also need domain certificates if you don't have them yet and send mail via domain name.
 
Thank you for your replies. I do have domain SSL certificates (including mail), using Let's Encrypt.

I ran the command from @zEitEr and this removed the existing self-signed certificate:

da_tls2.jpg


However, I am still unable to create a new certificate here: 'Error during automated certificate renewal for server.domain.nl'
 
> You can always still keep using plaintext if you want, but some other customisation needs to be done then. It's better to have SSL certificates for everything, it's free anyway.

Yes, I'm aware of this, but I would definitely like to fix this the proper way. If all else fails, it could be an option to revert to plain text, but preferably not.
 
> 'Error during automated certificate renewal for server.domain.nl'

Normally it will also give an error reason why.

Check if your hostname is set up correctly and you can find it from home (or another server/network) with the nslookup command.
If you have external DNS, you need to add the hostname also in the external DNS to prevent errors.

Try this command also, should be the same but one never knows, it's the modern command:
Code:
cd /usr/local/directadmin/scripts
./letsencrypt.sh server_cert

If you want, you can also contact me by PM, then we can speak in Dutch, that might be easier.
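
The DNS check suggested in the post above, as an added example that is not part of the thread: it reads nslookup output from an outside resolver and reports whether the hostname has a public record and whether that record points at this server. The function names, the resolver 1.1.1.1, the hostname server.example.nl and the addresses in the samples are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): does the server hostname resolve
# publicly to an address that is configured on this machine?

# Pull answer addresses out of nslookup output. Lines before the first
# "Name:" belong to the resolver itself ("Server:" / "Address: x#53").
parse_nslookup_addrs() {
    awk '/^Name:/ { seen = 1; next }
         seen && /^Address:/ { print $2 }'
}

# $1 = nslookup output, $2 = space-separated local addresses.
# Prints NO_RECORD, "OK <addr>" or "MISMATCH <addrs...>".
check_hostname() {
    public=$(printf '%s\n' "$1" | parse_nslookup_addrs)
    if [ -z "$public" ]; then
        echo "NO_RECORD"
        return 0
    fi
    for p in $public; do
        for l in $2; do
            if [ "$p" = "$l" ]; then
                echo "OK $p"
                return 0
            fi
        done
    done
    echo "MISMATCH" $public
}

# Live use on the server: preflight [fqdn] [resolver]
# Assumptions: 1.1.1.1 as the outside resolver; `hostname -I` lists the
# server's addresses (behind NAT, pass the public IP to check_hostname instead).
preflight() {
    fqdn=${1:-$(hostname -f)}
    out=$(nslookup "$fqdn" "${2:-1.1.1.1}" 2>&1)
    check_hostname "$out" "$(hostname -I)"
}

# Constructed sample outputs (documentation addresses, placeholder hostname).
SAMPLE_OK="Server:  1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
Name:    server.example.nl
Address: 192.0.2.10"
SAMPLE_NX="Server:  1.1.1.1
Address: 1.1.1.1#53

** server can't find server.example.nl: NXDOMAIN"
```

NO_RECORD means the hostname is missing from the external DNS zone; MISMATCH means the record exists but points at an address this server does not hold.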
 
Hi Richard,

The hostname appears to be set up correctly, this is an older setup that has worked for many years without issues. I do use external DNS.

Your command returns a 'No such file or directory'...

I've sent you a PM, if we figure it out, I'll post the answer in this topic.
 