
Hi,

I recently set up a ClearOS 7.6 server and successfully obtained a Let's Encrypt certificate for it. I then went through your procedure:

https://www.clearos.com/resources/documentation/clearos/content:en_us:kb_howtos_using_letsencrypt_certificates_for_mail

Now when I open roundcube webmail and try to log in I get:

"Connection to IMAP server failed."

Likewise if I connect using MS Outlook when it does the test connection I get "unable to connect to server" error messages.

Could someone point me in the right direction as to what to check to find out why the connection is getting refused (i.e. where to look).

Siv
Friday, September 13 2019, 10:55 PM
Responses (17)
  • Wednesday, September 18 2019, 04:00 PM
    Nick,

    Thanks for updating!

    Siv
  • Wednesday, September 18 2019, 03:30 PM
    HowTo updated.
  • Wednesday, September 18 2019, 11:23 AM
    I've done some testing and it looks like once you make a change to a key's permissions, it is copied through on all renewals so you don't need the bit in the event file.

    What I'll probably do is change the instructions so that for the initial set up you do:
    chown root:ssl-cert /etc/letsencrypt/live/privkey.pem -R
    chmod g+r /etc/letsencrypt/live/privkey.pem -R
    It should then work for posterity.
  • Wednesday, September 18 2019, 07:49 AM
    Yes. It is a bit brutal because it is generic so has to make the change recursively. Better would be to do:
    chown root:ssl-cert /etc/letsencrypt/live/{your_certificate_name}/privkey.pem
    chmod g+r /etc/letsencrypt/live/{your_certificate_name}/privkey.pem
    But then it would not be a generic solution for everyone that they can copy and paste.

    Even better would be to have a standalone job which did it once, as it is conceivable that you will have more than one events file - I have both postfix and cyrus-imapd but I don't know the order of the firing of the events. I am trying to do some tests.
  • Tuesday, September 17 2019, 09:58 PM
    Nick,

    OK, so I have edited the /var/clearos/events/lets_encrypt/cyrus-imapd file so that it looks like this now:

    #!/bin/sh

    sleep 10

    chown root:ssl-cert /etc/letsencrypt/live/privkey.pem -R
    chmod g+r /etc/letsencrypt/live/privkey.pem -R

    systemctl condrestart cyrus-imapd.service


    Does this look like you were expecting?

    Siv
  • Tuesday, September 17 2019, 09:54 PM
    Nick,

    Would you be able to ping me an email when you do that so I am aware you have updated it.
    I don't know why, but I don't seem to get any notifications when someone posts here like I used to?

    Which of the replies you gave do you want me to mark as the answer to my question here?

    Siv
  • Tuesday, September 17 2019, 09:21 PM
    .... the one you created, cyrus-imapd. Put the lines before the restart.

    It is looking like there has been a change somewhere along the line. I have set up some tests to see if new certs inherit the old permissions or if there is something else going on and there is a different set up between certificates. My newest are 0600 and older ones are 0644. I don't know if I changed my primary certificate, but I know I did not change my second or third which are 0644. The fourth is 0600. Once I get an idea, I'll amend the HowTo.
  • Tuesday, September 17 2019, 05:29 PM
    Nick,
    Sorry for my delay getting back to you; I have been busy finishing off everything else on the server and network at the client.
    When you say add the lines to the events file, which file do you mean? I had a look in the /var/clearos/events/lets_encrypt/ folder and there are 3 files:

    [root@unityserver lets_encrypt]# ls -l
    total 12
    -rwxr-xr-x 1 root root 64 Sep 13 18:37 cyrus-imapd
    -rwxr-xr-x 1 root root 111 Apr 2 20:10 lets_encrypt
    -rwxr-xr-x 1 root root 60 Sep 13 18:20 postfix


    Should I edit one of those?

    Siv
  • Saturday, September 14 2019, 07:34 PM
    You could always stick those two lines in your events file before the restart.

    What I'd like to establish somehow is if the new key inherits the old key's properties or not. I had two certificates renew on 1st Sept and they are 644, so it looks like they inherited the previous values. They won't update for 60 days (not 90 - renewal is attempted for 30 days up to the expiry) so I can't tell.

    Note I have not tested yet if it works using groups but it should.
  • Saturday, September 14 2019, 07:21 PM
    Nick,

    Thanks as always for your help.
    What should I do: just keep an eye on it when the cert renews in December, or is there something I can do to make sure that even if it does revert to 0600 I could have a script correct that?
    It will be an issue as it stops email clients from connecting until it's fixed.

    Siv
  • Saturday, September 14 2019, 05:46 PM
    It looks like you can do better than that. If you "change the permissions of the symlink" you actually change the symlinked files so you can do:
    chown root:ssl-cert /etc/letsencrypt/live/privkey.pem -R
    chmod g+r /etc/letsencrypt/live/privkey.pem -R
  • Saturday, September 14 2019, 05:05 PM
    That is not good and I may have to revisit the subject. All my old keys are 0644, but a newly created one is 0600. It will be interesting to see if yours stays on 0644 or if privkey2.pem goes to 0600. If it does, I may need to add a step to the /var/clearos/events/lets_encrypt/* file which is either a blanket "chmod 0644 /etc/letsencrypt/archive/privkey*.pem -R" or tailor it to the individual certificate.

    If doing that in the events file, it may be better for security reasons to do:
    chown root:ssl-cert /etc/letsencrypt/archive/privkey*.pem -R
    chmod g+r /etc/letsencrypt/archive/privkey*.pem -R
  • Saturday, September 14 2019, 02:17 PM
    Nick,

    I figured out what it was, when I went to the target of the symbolic link, I found that the LetsEncrypt files were there but the privkey1.pem had different permissions than the other files they were all listed as:

    -rw-r--r-- cert1.pem
    -rw-r--r-- chain1.pem
    -rw-r--r-- fullchain1.pem
    -rw------- privkey1.pem


    So I changed privkey1.pem to be the same as the others and straight away the IMAP server came up and I could connect from the email clients again.
    So you were right it looks like the permissions were set wrong on that one file?

    Siv
  • Saturday, September 14 2019, 02:00 PM
    Have you missed the steps to set the folder permissions on /etc/letsencrypt/live?
    ls -l /etc/letsencrypt


    Also what is the output from:
    id cyrus
  • Saturday, September 14 2019, 10:01 AM
    I checked maillog (sorry, I was thinking it was called IMAP or Cyrus) and get this:

    Sep 13 20:06:17 unityserver imaps[5806]: Fatal error: tls_init() failed
    Sep 13 20:06:17 unityserver imaps[5807]: unable to get private key from '/etc/letsencrypt/live/remote.unityfp.co.uk/privkey.pem'
    Sep 13 20:06:17 unityserver imaps[5807]: TLS server engine: cannot load cert/key data
    Sep 13 20:06:17 unityserver imaps[5807]: error initializing TLS
    Sep 13 20:06:17 unityserver imaps[5807]: Fatal error: tls_init() failed
    Sep 13 20:06:17 unityserver imaps[5808]: unable to get private key from '/etc/letsencrypt/live/remote.unityfp.co.uk/privkey.pem'
    Sep 13 20:06:17 unityserver imaps[5808]: TLS server engine: cannot load cert/key data
    Sep 13 20:06:17 unityserver imaps[5808]: error initializing TLS
    Sep 13 20:06:17 unityserver imaps[5808]: Fatal error: tls_init() failed
    Sep 13 20:06:17 unityserver imaps[5809]: unable to get private key from '/etc/letsencrypt/live/remote.unityfp.co.uk/privkey.pem'
    Sep 13 20:06:17 unityserver imaps[5809]: TLS server engine: cannot load cert/key data
    Sep 13 20:06:17 unityserver imaps[5809]: error initializing TLS
    Sep 13 20:06:17 unityserver imaps[5809]: Fatal error: tls_init() failed
    Sep 13 20:06:28 unityserver imaps[5810]: unable to get private key from '/etc/letsencrypt/live/remote.unityfp.co.uk/privkey.pem'
    Sep 13 20:06:28 unityserver imaps[5810]: TLS server engine: cannot load cert/key data
    Sep 13 20:06:28 unityserver imaps[5810]: error initializing TLS
    Sep 13 20:06:28 unityserver imaps[5810]: Fatal error: tls_init() failed
    Sep 13 20:06:28 unityserver imaps[5811]: unable to get private key from '/etc/letsencrypt/live/remote.unityfp.co.uk/privkey.pem'
    Sep 13 20:06:28 unityserver imaps[5811]: TLS server engine: cannot load cert/key data
    Sep 13 20:06:28 unityserver imaps[5811]: error initializing TLS
    Sep 13 20:06:28 unityserver imaps[5811]: Fatal error: tls_init() failed
    Sep 13 20:06:28 unityserver imaps[5812]: unable to get private key from '/etc/letsencrypt/live/remote.unityfp.co.uk/privkey.pem'


    I am pretty certain that privkey.pem is in the /etc/letsencrypt/live/remote.unityfp.co.uk/ folder?

    Does this give you any clues.

    Siv
  • Saturday, September 14 2019, 09:53 AM
    Nick,

    Which log should I be looking at? In the log viewer I can't see anything that sounds like IMAP?

    Siv
  • Saturday, September 14 2019, 07:59 AM
    It sounds like the imap server is failing. Please check the logs. The most likely issue is file ownership on the Let's Encrypt certificate or adding the cyrus user to the ssl-cert group.
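The thread above amounts to a two-step procedure: read maillog to find the key Cyrus cannot open, then make that key group-readable by a group the cyrus user belongs to, applying the change through the live/ symlink so it reaches the current archive/privkeyN.pem. The script below is an added example written for this page; it is not the ClearOS HowTo, not any poster's code, and it never touches /etc/letsencrypt. It rebuilds certbot's live/ -> archive/ layout in a temporary directory with a constructed certificate name (example.test), a constructed maillog excerpt and the caller's own group standing in for ssl-cert, so it can be run as an ordinary user. One caveat it builds in: the thread's chown uses -R, but GNU chown with -R does not follow a symlink named on the command line unless -H or -L is also given (it even refuses -R together with --dereference on its own), so the group change would land on the link rather than on the archive key; the script therefore runs chown without -R. chmod, by contrast, always acts on the file a command-line symlink points to, which is what the thread relies on.

```shell
#!/bin/sh
# Added example, not part of the ClearOS HowTo or this thread's posts.
# It rehearses the diagnosis and the fix in a throwaway copy of certbot's
# layout (live/<name>/privkey.pem -> ../../archive/<name>/privkey1.pem)
# so nothing here touches /etc/letsencrypt. The certificate name
# "example.test", the log lines and the group used are all constructed.
set -eu

# Constructed maillog excerpt in the shape seen in the thread.
SAMPLE_LOG='Sep 13 20:06:17 host imaps[5806]: Fatal error: tls_init() failed
Sep 13 20:06:17 host imaps[5807]: unable to get private key from '\''/etc/letsencrypt/live/example.test/privkey.pem'\''
Sep 13 20:06:17 host imaps[5807]: TLS server engine: cannot load cert/key data'

# Pull the key path Cyrus complained about out of a maillog excerpt (stdin).
key_path_from_log() {
    sed -n "s/.*unable to get private key from '\([^']*\)'.*/\1/p" | head -n 1
}

# Build the sandbox and print its root. The key is created 0600, the mode a
# freshly issued certbot key has in the thread; the certificates are 0644.
make_sandbox() {
    sb=$(mktemp -d)
    name=$1
    mkdir -p "$sb/archive/$name" "$sb/live/$name"
    for f in cert chain fullchain privkey; do
        : > "$sb/archive/$name/${f}1.pem"
        chmod 0644 "$sb/archive/$name/${f}1.pem"
        ln -s "../../archive/$name/${f}1.pem" "$sb/live/$name/$f.pem"
    done
    chmod 0600 "$sb/archive/$name/privkey1.pem"
    printf '%s\n' "$sb"
}

# Octal mode of the file a path finally points to (follows symlinks).
target_mode() {
    stat -L -c '%a' "$1"
}

# Does the key's target mode grant group read? (group digit is 4..7)
group_can_read() {
    case "$(target_mode "$1")" in
        *[4567][0-7]) return 0 ;;
        *) return 1 ;;
    esac
}

# Is user $1 a member of group $2? On the real box: user_in_group cyrus ssl-cert
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# The thread's fix, applied through every live/*/privkey.pem symlink so it
# lands on whichever archive/privkeyN.pem is current.
#   $1 = letsencrypt root (/etc/letsencrypt on a real server)
#   $2 = group the IMAP user belongs to (ssl-cert on ClearOS)
fix_key_perms() {
    le_root=$1
    grp=$2
    for key in "$le_root"/live/*/privkey.pem; do
        [ -e "$key" ] || continue
        # chmod changes the pointed-to file for a symlink named on the command
        # line, so the new mode lands on archive/privkeyN.pem.
        chmod g+r "$key"
        # GNU chown follows a command-line symlink only WITHOUT -R; with -R
        # (and no -H/-L) it changes the link itself. So no -R here.
        chown ":$grp" "$key"
    done
}

# Run "sh thisfile.sh demo" to see the before/after on a sandbox.
if [ "${1:-}" = demo ]; then
    sb=$(make_sandbox example.test)
    key=$sb/live/example.test/privkey.pem
    echo "log points at: $(printf '%s\n' "$SAMPLE_LOG" | key_path_from_log)"
    echo "before: $(target_mode "$key")"
    fix_key_perms "$sb" "$(id -gn)"
    echo "after:  $(target_mode "$key")"
    rm -rf "$sb"
fi
```

On a real server the same functions would be called as `fix_key_perms /etc/letsencrypt ssl-cert` (as root) and `user_in_group cyrus ssl-cert`; if the second returns false, g+r on the key changes nothing for Cyrus and the group membership is what needs fixing. The certificate files are left at 0644 and the key ends at 0640, so nothing outside root and the named group can read it, which is the point of preferring the group over a blanket 0644.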