Server TLS setup

hugovanmeijeren

Hello,

Since the recent Dovecot update, I'm having trouble sending mail with external mail programs. I've read the topics here on the forum and understand that plain text authentication is no longer supported. Fair enough, I can understand that and I would like to fix this the proper way (I was still using plain-text until now).

I thought that the first step is to set up a Server TLS Certificate; currently this is a self-signed certificate, which is not trusted. I'd like to fix that, but I am not getting any further. If I request a new certificate, I get an error that 'automated certificate renewal' was not possible. I went through the steps to install/update ca in AlmaLinux, but these are already installed.

Anyone able to help? Do I need to complete any other steps after this in order to get secured authentication for SMTP to work?

[Attachment: da_tls.jpg]
 
Hello,

Run as root:

Code:
rm -f  /usr/local/directadmin/conf/cacert.pem /usr/local/directadmin/conf/cakey.pem /usr/local/directadmin/conf/carootcert.pem
/usr/local/directadmin/scripts/letsencrypt.sh request $(hostname -f)
 
You can always still keep using plaintext if you want, but some other customisation needs to be done then. It's better to have SSL certificates for everything, it's free anyway.

The command from @zEitEr will give you a hostname SSL certificate, however, you might also be needing domain certificates if you don't have them yet and send mail via domain name.
 
Thank you for your replies. I do have domain SSL certificates (including mail), using Let's Encrypt.

I ran the command from @zEitEr and this removed the existing self-signed certificate:

[Attachment: da_tls2.jpg]


However, I am still unable to create a new certificate here: 'Error during automated certificate renewal for server.domain.nl'
 
You can always still keep using plaintext if you want, but some other customisation needs to be done then. It's better to have SSL certificates for everything, it's free anyway.
Yes, I'm aware of this, but I would definitely like to fix this the proper way. If all else fails, it could be an option to revert to plain text, but preferably not.
 
'Error during automated certificate renewal for server.domain.nl'
Normally it also gives a reason for the error.

Check if your hostname is set up correctly and you can find it from home (or another server/network) with the nslookup command.
If you have external DNS, you need to add the hostname also in the external DNS to prevent errors.

Try this command as well; it should be the same, but one never knows. It's the modern command:
Code:
cd /usr/local/directadmin/scripts
./letsencrypt.sh server_cert

If you want you can also contact me by pm, then we can speak in Dutch, that might be easier.
 
Hi Richard,

The hostname appears to be set up correctly; this is an older setup that has worked for many years without issues. I do use external DNS.

Your command returns a 'No such file or directory'...

I've sent you a PM; if we figure it out, I'll post the answer in this topic.
 
The command to create a certificate for a hostname was and still is:
This also can be used, but fln changed this to a more modern command which should also take care of replacing the old certificates correctly.

But if this is an old installation, that one might not work (yet).
 
This also can be used, but fln changed this to a more modern command which should also take care of replacing the old certificates correctly.


Thanks. I did not find a line that would remove existing certificate and key files. Probably it is not required, but still the certificate failed to issue for @hugovanmeijeren.

I checked the script, I will test it for sure:

Bash:
command_server_cert() {
        local domain_csv=$1
        local key_type=$2

        # Enable ACME issuance for the server (hostname) certificate
        da config-set acme_server_cert_enabled "1"
        # Optional extra names: drop the servername itself, keep the rest as CSV
        if [ -n "${domain_csv}" ]; then
                ADDITIONAL_DOMAINS="$(tr , '\n' <<< "${domain_csv}" | grep -Fvx "$(da config-get servername)" | paste -sd,)"
                da config-set acme_server_cert_additional_domains "${ADDITIONAL_DOMAINS}"
        fi
        # Optional key type (rsa/ecdsa variants), translated to lego's naming
        if [ -n "${key_type}" ]; then
                da config-set acme_server_cert_key_type "$(lego_key_type "${key_type}")"
        fi
        # Optional DNS-provider credentials for DNS-01 validation
        if [ -s "${SERVER_CERT_DNSPROVIDER_ENV}" ]; then
                da config-set acme_server_cert_dns_provider_env_file "${SERVER_CERT_DNSPROVIDER_ENV}"
        fi

        # The actual request runs synchronously through the task queue; force=true
        # re-issues even if the current certificate is not yet due for renewal
        if ! da taskq --run 'action=ssl&value=server_acme&force=true'; then
                echo "Failed to issue new certificate"
                exit 1
        fi

        echo "Server certificate with domains ${domain_csv} has been created successfully"

        # Make sure DirectAdmin itself serves over SSL, then reload it
        da config-set ssl 1

        if systemctl --quiet is-active directadmin.service; then
                systemctl restart directadmin.service
        fi
}
 
I did not find a line that would remove existing certificate and key files.
Ah okay, then he might not have added that. When it needs to be removed I always advise your removal method anyway.
I've only read that in the Changelog and since then I'm using that command.

The reason Hugo could not get a certificate was that, for some reason, the letsencrypt.sh file was no longer present, as we discovered in our PM conversation.
I gave him the command to fix that, but he's busy this weekend so he might report back Sunday or after the weekend.
 
@zEitEr or anybody else. We fixed it partly by installing the letsencrypt.sh script again, which had disappeared, and also fixed a minor issue.

However, this is the current problem, which is still there when checking with the checktls.com site.

Cert Hostname DOES NOT VERIFY (mail.customerdomain.nl != server.hostingdomain.nl | DNS:server.hostingdomain.nl | DNS:customerdomain.nl)
(turning on Send SNI might fix this: Try It)
So email is encrypted, but the host is not verified.

In Directadmin the mail_sni=1 setting is present.
He's using external DNS. Mail-tester gives a 10/10 so it's only the mail SSL for smtp giving issues.

What are we missing here?
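The checktls line above is the hostname check a mail client performs after STARTTLS: it connected as mail.customerdomain.nl, but the server answered with the hostname certificate, whose SANs are server.hostingdomain.nl and customerdomain.nl. Whether Exim picks the domain certificate depends on the SNI name the client sends, which is why checktls offers "Send SNI" as a switch. The following added example (written for this thread, not DirectAdmin code and not posted by anyone above) reproduces both halves: a hostname-against-SAN matcher, and a probe that does EHLO/STARTTLS on 587 with or without SNI and returns the SANs actually presented. The host names are the placeholders from the quoted checktls output, and "probe.example" is an arbitrary EHLO name.

```python
"""Probe which certificate an SMTP server presents on STARTTLS, with or
without SNI, and check it against the name the mail client connects to.

Added example for this thread; not DirectAdmin code. The names
server.hostingdomain.nl, mail.customerdomain.nl and customerdomain.nl are
the placeholders from the quoted checktls output, "probe.example" is an
arbitrary EHLO name.
"""
import socket
import ssl
from typing import Iterable, List, Optional

# Constructed from the checktls line quoted in the thread: the SANs of the
# hostname certificate the server falls back to without a matching SNI name.
HOSTNAME_CERT_SANS = ("server.hostingdomain.nl", "customerdomain.nl")


def hostname_matches(hostname: str, san_dns_names: Iterable[str]) -> bool:
    """RFC 6125-style check of a client name against dNSName SANs.

    Case-insensitive, ignores a trailing dot, and accepts a wildcard only as
    the whole leftmost label (so *.example.nl matches mail.example.nl but
    neither example.nl nor a.b.example.nl). This is the test a mail client
    runs before trusting a STARTTLS connection.
    """
    host_labels = hostname.rstrip(".").lower().split(".")
    for name in san_dns_names:
        labels = name.rstrip(".").lower().split(".")
        if len(labels) != len(host_labels):
            continue
        if labels == host_labels:
            return True
        if labels[0] == "*" and len(labels) >= 3 and labels[1:] == host_labels[1:]:
            return True
    return False


def _read_reply(sock: socket.socket) -> str:
    """Read one (possibly multi-line) SMTP reply; the final line is 'NNN<space>...'."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("SMTP server closed the connection")
        data += chunk
        lines = data.split(b"\r\n")
        last = lines[-2] if len(lines) >= 2 else b""
        if len(last) >= 4 and last[3:4] == b" ":
            return data.decode("ascii", errors="replace")


def starttls_peer_sans(host: str, port: int = 587, sni: Optional[str] = None,
                       timeout: float = 10.0) -> List[str]:
    """Connect, EHLO, STARTTLS, then return the dNSName SANs presented.

    sni=None sends no SNI at all (checktls "Send SNI" off); sni="mail.x.nl"
    asks Exim for that domain's certificate (what a phone does on port 587).
    The chain is still verified against the system CA store, but the
    hostname check is disabled so a mismatched certificate is returned
    instead of raising. Needs network access; not exercised by the test.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        if not _read_reply(raw).startswith("220"):
            raise RuntimeError("unexpected SMTP banner")
        raw.sendall(b"EHLO probe.example\r\n")
        if "STARTTLS" not in _read_reply(raw).upper():
            raise RuntimeError("server does not advertise STARTTLS")
        raw.sendall(b"STARTTLS\r\n")
        if not _read_reply(raw).startswith("220"):
            raise RuntimeError("server refused STARTTLS")
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            cert = tls.getpeercert()
            tls.sendall(b"QUIT\r\n")
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def verdict(client_name: str, sans: Iterable[str]) -> str:
    """One-line summary in the style of the checktls output quoted above."""
    sans = list(sans)
    if hostname_matches(client_name, sans):
        return f"Cert Hostname VERIFIES ({client_name} in {sans})"
    return f"Cert Hostname DOES NOT VERIFY ({client_name} not in {sans})"


if __name__ == "__main__":
    import sys
    server, client_name = sys.argv[1], sys.argv[2]
    for sni in (None, client_name):
        print(f"SNI={sni!r}: {verdict(client_name, starttls_peer_sans(server, sni=sni))}")
```

Run it as `python3 probe.py server.hostingdomain.nl mail.customerdomain.nl`: if the second line (SNI sent) still reports the hostname certificate, Exim is not selecting the per-domain certificate for that name, which points at the Exim TLS configuration rather than at the certificate itself.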
 
However, this is the current problem, which is still there when checking with the checktls.com site.

I don't have anything to say about tests made by this site. I'm not familiar with the site, and have no idea how it tests the servers. When I visit the site, it does not look trustworthy (for me at least).
 
I don't have anything to say about tests made by this site. I'm not familiar with the site, and have no idea how it tests the servers. When I visit the site, it does not look trustworthy (for me at least).
Just to clarify a bit more: The server TLS certificate is now working properly, however I'm still having trouble sending mail with external mail programs (for example on my Android phone). When editing the settings for outgoing mail, I'm trying to set up STARTTLS on port 587; when Android mail tries to connect to the server, I'm getting an error: Invalid certificate - Certificate subject and host name mismatch.

The test by the website that Richard refers to seems to return this same error, the question now is how to solve this?
 
I'm getting an error: Invalid certificate - Certificate subject and host name mismatch.

If you have SNI enabled and a valid certificate installed for your domain, and still get the error, you are advised to:

1. open a ticket with Directadmin support (if you qualify for a free support)
2. hire somebody to fix it on your server (if you need a fast solution)
3. provide more details on your setup (if you need a free assistance)

There is no way to guess why it's not working in your case.
 
provide more details on your setup

there is no way to guess why it's not working in your case.
I absolutely understand that and I appreciate your help.

Here is some more info on my setup:

I'm on a VPS.
OS: AlmaLinux 8.10 (migrated from CentOS 7 last autumn)
DirectAdmin: v1.676
Domains: my main domain that I use for private mail and testing is vanmeijeren.nl
There are 12 other users in DirectAdmin.

SNI is enabled and there are valid certificates, including mail.domain.nl

Is there any other info you would like to have?
 
Is there any other info you would like to have?

Even though you claim SNI is enabled, it is still not working. It means you've got either a non-standard installation or customised or even outdated configs. The provided information does not clarify anything. If you've been using the server since CentOS 7, it increases the chances that there might be customised things. It would be more helpful to see the content of your custom settings for exim. Probably somebody (or even I) will have time to guide you further.

You've got two options here:

1. Either remove the existing Exim setup and install Exim from scratch
2. Or undo/fix customized settings. In order to identify what is customized, you might check this article https://docs.directadmin.com/other-hosting-services/exim/configuring-exim.html

Anyway, you will need to check the files or get someone to check them for you:

Bash:
ls -1 /etc/exim*.{conf,custom}

Backup the existing setup before doing anything.

It's your go now.
 
When I visit the site, it does not look trustworthy (for me at least).
I'm curious (as I also like safety) what gives you that impression. Maybe the simplicity of the setup?
It's a great place to test mail servers, but maybe the direct link gives a better impression. It's a great place to test SSL for mail without the need to give away too much info.

I advised rebuilding exim, exim.conf, dovecot and dovecot.conf again to see if that helps, if there are no customisations. Otherwise indeed somebody (maybe you) having a closer look might be a good idea indeed.
 
I do not have customised Exim configs, so I rebuilt all of them and this seems to fix the certificate issue. :D
No more mismatch.

However: I'm still unable to send mail from my phone. They get stuck in the outbox and are labelled 'Failed'. I would think that we're quite close to solving this now, but something is still stopping my e-mail from being sent...
 