Hi,
I recently set up a ClearOS 7.6 server and successfully obtained a Let's Encrypt certificate for it. I then went through your procedure:
https://www.clearos.com/resources/documentation/clearos/content:en_us:kb_howtos_using_letsencrypt_certificates_for_mail
Now when I open roundcube webmail and try to log in I get:
"Connection to IMAP server failed."
Likewise if I connect using MS Outlook when it does the test connection I get "unable to connect to server" error messages.
Could someone point me in the right direction as to what to check to find out why the connection is getting refused (i.e. where to look).
Siv
Responses (17)
-
Accepted Answer
I've done some testing and it looks like once you make a change to a key's permissions, it is copied through on all renewals so you don't need the bit in the event file.
What I'll probably do is change the instructions so that for the initial set up you do:
chown root:ssl-cert /etc/letsencrypt/live/privkey.pem -R
chmod g+r /etc/letsencrypt/live/privkey.pem -R
It should then work for posterity.
-
Accepted Answer
Yes. It is a bit brutal because it is generic so has to make the change recursively. Better would be to do:
chown root:ssl-cert /etc/letsencrypt/live/{your_certificate_name}/privkey.pem
chmod g+r /etc/letsencrypt/live/{your_certificate_name}/privkey.pem
But then it would not be a generic solution for everyone that they can copy and paste.
Even better would be to have a standalone job which did it once, as it is conceivable that you will have more than one events file - I have both postfix and cyrus-imapd but I don't know the order of the firing of the events. I am trying to do some tests.
-
Accepted Answer
Nick,
OK, so I have edited the /var/clearos/events/lets_encrypt/cyrus-imapd file so that it looks like this now:
#!/bin/sh
sleep 10
chown root:ssl-cert /etc/letsencrypt/live/privkey.pem -R
chmod g+r /etc/letsencrypt/live/privkey.pem -R
systemctl condrestart cyrus-imapd.service
Does this look like you were expecting?
Siv
-
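A least-privilege version of the events hook discussed in the posts above, as an added example and not the HowTo's own file: it resolves live/<name>/privkey.pem to the archive file certbot actually rotates and grants read access to the ssl-cert group on that one file (mode 0640), rather than a recursive chmod over the tree. LE_BASE, CERT_NAME and KEY_GROUP are assumed names used for illustration; the certificate name defaults to the one shown in the maillog further down, and a Linux stat(1) is assumed.

```shell
#!/bin/sh
# Added example, not the ClearOS HowTo's own hook. It assumes the Let's Encrypt
# layout the thread shows (live/<name>/privkey.pem is a symlink into archive/),
# that the IMAP service's user is in the ssl-cert group, and a Linux stat(1).
# LE_BASE, CERT_NAME and KEY_GROUP are hypothetical knobs so the functions can
# also be exercised against a scratch directory without root.
set -eu

# Grant group read on the real key file behind live/<name>/privkey.pem only,
# instead of a recursive chmod/chown over the whole tree. Others stay denied.
fix_privkey_perms() {
    base="$1"; name="$2"; group="$3"
    link="$base/live/$name/privkey.pem"
    [ -e "$link" ] || { echo "no such key: $link" >&2; return 1; }
    target=$(readlink -f "$link")   # e.g. .../archive/<name>/privkey2.pem after a renewal
    chgrp "$group" "$target"        # certbot already creates the key owned by root
    chmod 0640 "$target"            # root rw, ssl-cert r, nobody else
    echo "$target"
}

# Octal mode of the file a key symlink points at (expected "640" after the fix,
# "600" is the state that produced "unable to get private key" in the maillog).
privkey_mode() {
    stat -c '%a' "$(readlink -f "$1")"
}

# Hook body for /var/clearos/events/lets_encrypt/cyrus-imapd. It only runs when
# invoked with --hook, so sourcing this file for the checks above has no side effect.
if [ "${1:-}" = "--hook" ]; then
    sleep 10
    fix_privkey_perms "${LE_BASE:-/etc/letsencrypt}" \
        "${CERT_NAME:-remote.unityfp.co.uk}" "${KEY_GROUP:-ssl-cert}"
    systemctl condrestart cyrus-imapd.service
fi
```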
Accepted Answer
.... the one you created, cyrus-imapd. Put the lines before the restart.
It is looking like there has been a change somewhere along the line. I have set up some tests to see if new certs inherit the old permissions or if there is something else going on and there is a different set up between certificates. My newest are 0600 and older ones are 0644. I don't know if I changed my primary certificate, but I know I did not change my second or third which are 0644. The fourth is 0600. Once I get an idea, I'll amend the HowTo.
-
Accepted Answer
Nick,
Sorry for my delay getting back to you I have been busy finishing off everything else on the server and network at the client.
When you say add the lines to the events file, which file do you mean? I had a look in the /var/clearos/events/lets_encrypt/ folder and there are 3 files:
[root@unityserver lets_encrypt]# ls -l
total 12
-rwxr-xr-x 1 root root 64 Sep 13 18:37 cyrus-imapd
-rwxr-xr-x 1 root root 111 Apr 2 20:10 lets_encrypt
-rwxr-xr-x 1 root root 60 Sep 13 18:20 postfix
Should I edit one of those?
Siv
-
Accepted Answer
You could always stick those two lines in your events file before the restart.
What I'd like to establish somehow is if the new key inherits the old key's properties or not. I had two certificates renew on 1st Sept and they are 644, so it looks like they inherited the previous values. They won't update for 60 days (not 90 - renewal is attempted for 30 days up to the expiry) so I can't tell.
Note I have not tested yet if it works using groups but it should.
-
Accepted Answer
Nick,
Thanks as always for your help.
What should I do, just keep an eye on it when the cert renews in December, or is there something I can do to make sure that even if it does revert to 0600 I could have a script correct that?
It will be an issue as it stops email clients from connecting until it's fixed.
Siv
-
Accepted Answer
That is not good and I may have to revisit the subject. All my old keys are 0644, but a newly created one is 0600. It will be interesting to see if yours stays on 0644 or if privkey2.pem goes to 0600. If it does, I may need to add a step to the /var/clearos/events/lets_encrypt/* file which is either a blanket "chmod 0644 /etc/letsencrypt/archive/privkey*.pem -R" or tailor it to the individual certificate.
If doing that in the events file, it may be better for security reasons to do:
chown root:ssl-cert /etc/letsencrypt/archive/privkey*.pem -R
chmod g+r /etc/letsencrypt/archive/privkey*.pem -R
-
Accepted Answer
Nick,
I figured out what it was, when I went to the target of the symbolic link, I found that the LetsEncrypt files were there but the privkey1.pem had different permissions than the other files they were all listed as:
-rw-r--r-- cert1.pem
-rw-r--r-- chain1.pem
-rw-r--r-- fullchain1.pem
-rw------- privkey1.pem
So I changed privkey1.pem to be the same as the others and straight away the IMAP server came up and I could connect from the email clients again.
So you were right it looks like the permissions were set wrong on that one file?
Siv
-
Accepted Answer
I checked maillog (sorry, I was thinking it was called IMAP or Cyrus) and get this:
Sep 13 20:06:17 unityserver imaps[5806]: Fatal error: tls_init() failed
Sep 13 20:06:17 unityserver imaps[5807]: unable to get private key from '/etc/letsencrypt/live/remote.unityfp.co.uk/privkey.pem'
Sep 13 20:06:17 unityserver imaps[5807]: TLS server engine: cannot load cert/key data
Sep 13 20:06:17 unityserver imaps[5807]: error initializing TLS
Sep 13 20:06:17 unityserver imaps[5807]: Fatal error: tls_init() failed
Sep 13 20:06:17 unityserver imaps[5808]: unable to get private key from '/etc/letsencrypt/live/remote.unityfp.co.uk/privkey.pem'
Sep 13 20:06:17 unityserver imaps[5808]: TLS server engine: cannot load cert/key data
Sep 13 20:06:17 unityserver imaps[5808]: error initializing TLS
Sep 13 20:06:17 unityserver imaps[5808]: Fatal error: tls_init() failed
Sep 13 20:06:17 unityserver imaps[5809]: unable to get private key from '/etc/letsencrypt/live/remote.unityfp.co.uk/privkey.pem'
Sep 13 20:06:17 unityserver imaps[5809]: TLS server engine: cannot load cert/key data
Sep 13 20:06:17 unityserver imaps[5809]: error initializing TLS
Sep 13 20:06:17 unityserver imaps[5809]: Fatal error: tls_init() failed
Sep 13 20:06:28 unityserver imaps[5810]: unable to get private key from '/etc/letsencrypt/live/remote.unityfp.co.uk/privkey.pem'
Sep 13 20:06:28 unityserver imaps[5810]: TLS server engine: cannot load cert/key data
Sep 13 20:06:28 unityserver imaps[5810]: error initializing TLS
Sep 13 20:06:28 unityserver imaps[5810]: Fatal error: tls_init() failed
Sep 13 20:06:28 unityserver imaps[5811]: unable to get private key from '/etc/letsencrypt/live/remote.unityfp.co.uk/privkey.pem'
Sep 13 20:06:28 unityserver imaps[5811]: TLS server engine: cannot load cert/key data
Sep 13 20:06:28 unityserver imaps[5811]: error initializing TLS
Sep 13 20:06:28 unityserver imaps[5811]: Fatal error: tls_init() failed
Sep 13 20:06:28 unityserver imaps[5812]: unable to get private key from '/etc/letsencrypt/live/remote.unityfp.co.uk/privkey.pem'
I am pretty certain that privkey.pem is in the /etc/letsencrypt/live/remote.unityfp.co.uk/ folder?
Does this give you any clues?
Siv
-