[BUG] Renewing certificates with Let's Encrypt destroys Postfix/Dovecot configuration

SYSTEM INFORMATION
OS type and version Debian 12
Webmin version 2.303
Virtualmin version 7.30.8

Hi,

For a couple of weeks now, I've been getting a strange behavior:
Whenever there's an automated Let's Encrypt SSL renewal OR when I request it manually, the related SSL configuration in the config files of Postfix and Dovecot gets screwed.
Mainly:
/etc/dovecot/dovecot.conf
/etc/postfix/master.cf
/etc/postfix/sender_dependent_default_transport_maps
/etc/postfix/sni_map

I also try to use the “Copy SSL Certificate to Services” but nothing happens.
If I correct the configurations in the above files manually, adding the missing lines, then this button turns to "Remove SSL Certificate from Services" on its own.

I don’t get any relevant logs, so I’m wondering what’s happening behind the scenes. 'cause this breaks all the “mail chain” afterwards (and maybe other things I don’t realize).

Thanks !

I don’t know what “gets screwed” means. You’ve got to be specific. We need to see the actual error(s) and whatever config files are wrong.

Are you saying the old cert gets deleted and the new one isn’t added to these files?

Sorry if it’s not clear.

What I mean by "gets screwed" is that the certs apparently get renewed correctly, no errors reported, but then, in the files listed, it "removes" the lines for the corresponding domain (why? IDK).

So in the end, the configuration files are not updated properly, no matter if it's a new certificate or a renewal. I tried to check the Webmin action logs but there's no error reported.
What else can I check/monitor to better report the bug I'm facing?

Thanks.

That’s closer to the bug I’m facing yes!

Are the config lines completely removed from those files, or are they replaced with ones that have the other path?

They are completely removed.
Others are left untouched.

Can you provide a diff of how config files looked before and after?

What output do you get when you click this button?

Sure, here is an example on the 4 files I’m talking about:

in /etc/dovecot/dovecot.conf:
Before:

local_name mydomain.tld {
ssl_cert = </etc/ssl/virtualmin/DOMAIN-ID/ssl.combined
ssl_key = </etc/ssl/virtualmin/DOMAIN-ID/ssl.key
}
local_name *.mydomain.tld {
ssl_cert = </etc/ssl/virtualmin/DOMAIN-ID/ssl.combined
ssl_key = </etc/ssl/virtualmin/DOMAIN-ID/ssl.key
}

After: these lines are not present anymore.


in /etc/postfix/master.cf
Before:

smtp-DOMAIN-ID unix - - y - - smtp -o smtp_bind_address=IPV4 -o smtp_bind_address6=IPV6 -o smtp_helo_name=mail.MY-DOMAIN.TLD

After: these lines are not present anymore.


in /etc/postfix/sender_dependent_default_transport_maps
Before:

@MY-DOMAIN.TLD smtp-DOMAIN-ID

After: these lines are not present anymore.


in /etc/postfix/sni_map
Before:

MY-DOMAIN.TLD /etc/ssl/virtualmin/DOMAIN-ID/ssl.key,/etc/ssl/virtualmin/DOMAIN-ID/ssl.cert,/etc/ssl/virtualmin/DOMAIN-ID/ssl.ca
.MY-DOMAIN.TLD /etc/ssl/virtualmin/DOMAIN-ID/ssl.key,/etc/ssl/virtualmin/DOMAIN-ID/ssl.cert,/etc/ssl/virtualmin/DOMAIN-ID/ssl.ca

After: these lines are not present anymore.


I noticed I’m able to reproduce the bug whenever I click on the “Copy SSL Certificate to Services”. I get no errors. After the action, the button stays the same.
If I go to webmin actions log, I see the “peripcerts domain MY-DOMAIN.TLD” action.
But no errors in there.
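A small consistency check, written for this thread and not part of Virtualmin or of the post above, that tells you when exactly the lines quoted above have gone missing. It looks for the per-domain entries in the four files using the line formats shown in the diff (the domain, the domain id, the constructed fixture content and the helper names check_mail_ssl_config, make_fixture, strip_domain and run_demo are all assumptions of this example). Run after a renewal, or from cron, it exits 0 when the entries are intact and otherwise prints one MISSING line per entry and exits with the count, which is the "relevant log" that the renewal itself does not produce. The demo builds constructed copies of the files for a made-up domain, strips that domain the way the renewal in this thread does, and checks both states.

```shell
#!/bin/sh
# Added example, not code from the thread or from Virtualmin: verify that the
# per-domain Postfix/Dovecot entries are still present after a certificate renewal.
# Line formats follow the four files quoted in the thread; the domain name, the
# domain id and the fixture content below are constructed for the demo.

# check_mail_ssl_config DOMAIN DOMAIN_ID [DOVECOT_CONF] [MASTER_CF] [TRANSPORT_MAP] [SNI_MAP]
# Prints one "MISSING: ..." line per absent entry and returns the number missing,
# so it can serve as a post-renewal hook or a monitoring check (exit 0 = intact).
check_mail_ssl_config() {
    domain="$1"; id="$2"
    dovecot="${3:-/etc/dovecot/dovecot.conf}"
    master="${4:-/etc/postfix/master.cf}"
    transport="${5:-/etc/postfix/sender_dependent_default_transport_maps}"
    sni="${6:-/etc/postfix/sni_map}"
    d=$(printf '%s' "$domain" | sed 's/\./\\./g')   # literal dots for grep -E
    missing=0
    expect() {   # expect FILE ERE LABEL
        if ! grep -Eq -- "$2" "$1" 2>/dev/null; then
            echo "MISSING: $3 ($1)"
            missing=$((missing + 1))
        fi
    }
    expect "$dovecot"   "^local_name ${d} \{"       "local_name $domain block"
    expect "$dovecot"   "^local_name \*\.${d} \{"   "local_name *.$domain block"
    expect "$master"    "^smtp-${id}[[:space:]]"    "smtp-$id service"
    expect "$transport" "^@${d}[[:space:]]+smtp-${id}([[:space:]]|$)" "@$domain transport mapping"
    expect "$sni"       "^${d}[[:space:]]+/etc/ssl/virtualmin/${id}/"   "SNI map entry for $domain"
    expect "$sni"       "^\.${d}[[:space:]]+/etc/ssl/virtualmin/${id}/" "SNI map entry for .$domain"
    [ "$missing" -eq 0 ] && echo "OK: all entries for $domain (id $id) are present"
    return "$missing"
}

# make_fixture DIR DOMAIN DOMAIN_ID: write constructed copies of the four files,
# in the format shown in the thread, for one domain plus an unrelated second one.
make_fixture() {
    dir="$1"; dom="$2"; id="$3"
    {
        echo "ssl = required"
        for name in "$dom" "*.$dom"; do
            echo "local_name $name {"
            echo "ssl_cert = </etc/ssl/virtualmin/$id/ssl.combined"
            echo "ssl_key = </etc/ssl/virtualmin/$id/ssl.key"
            echo "}"
        done
    } > "$dir/dovecot.conf"
    {
        echo "smtp      inet  n       -       y       -       -       smtpd"
        echo "smtp-$id unix - - y - - smtp -o smtp_bind_address=192.0.2.10 -o smtp_helo_name=mail.$dom"
        echo "smtp-999999 unix - - y - - smtp -o smtp_bind_address=192.0.2.11 -o smtp_helo_name=mail.other.test"
    } > "$dir/master.cf"
    {
        echo "@$dom smtp-$id"
        echo "@other.test smtp-999999"
    } > "$dir/transport_maps"
    certs="/etc/ssl/virtualmin/$id/ssl.key,/etc/ssl/virtualmin/$id/ssl.cert,/etc/ssl/virtualmin/$id/ssl.ca"
    {
        echo "$dom $certs"
        echo ".$dom $certs"
        echo "other.test /etc/ssl/virtualmin/999999/ssl.key,/etc/ssl/virtualmin/999999/ssl.cert,/etc/ssl/virtualmin/999999/ssl.ca"
    } > "$dir/sni_map"
}

# strip_domain DIR DOMAIN DOMAIN_ID: reproduce the symptom from the thread by
# deleting only this domain's lines (and its Dovecot local_name blocks).
strip_domain() {
    dir="$1"; d=$(printf '%s' "$2" | sed 's/\./\\./g'); id="$3"
    sed "/^local_name \(\*\.\)\{0,1\}${d} {/,/^}/d" "$dir/dovecot.conf" > "$dir/dovecot.tmp"
    mv "$dir/dovecot.tmp" "$dir/dovecot.conf"
    for f in master.cf transport_maps sni_map; do
        grep -Ev -- "smtp-${id}([[:space:]]|$)|^\.?${d}[[:space:]]" "$dir/$f" > "$dir/$f.tmp"
        mv "$dir/$f.tmp" "$dir/$f"
    done
}

# run_demo: build the fixture, check it, strip the domain, check again.
# Returns the number of entries missing after the strip (6 when all are gone).
run_demo() {
    work=$(mktemp -d) || return 1
    make_fixture "$work" example.test 123456
    check_mail_ssl_config example.test 123456 "$work/dovecot.conf" "$work/master.cf" "$work/transport_maps" "$work/sni_map"
    before=$?
    strip_domain "$work" example.test 123456
    check_mail_ssl_config example.test 123456 "$work/dovecot.conf" "$work/master.cf" "$work/transport_maps" "$work/sni_map"
    after=$?
    rm -rf "$work"
    echo "missing before renewal: $before, after: $after"
    return "$after"
}

run_demo
```

Against a real server you would call check_mail_ssl_config with the domain and the id that appears in /etc/ssl/virtualmin/ and no file arguments, so the defaults point at the four live files; keeping a copy of the files (or their hashes) from just before a renewal, and running this right after, narrows the window in which the lines disappear far better than the action log does.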

@Xender I’m quite confused—I simply cannot reproduce this issue! What is the output of webmin --versions on your system?

@Jamie, do you remember fixing this issue or know what’s going on here?

I thought I’d fixed all cases of this kind of error, but I guess not!

When Dovecot and Postfix are configured correctly, what output do you get if you run virtualmin list-service-certs --domain yourdomain.com

Here is the output just now (correctly configured and working):

Service   Type     Domain or IP
webmin    Domain   MYDOMAIN.TLD
usermin   Domain   MYDOMAIN.TLD
dovecot   Domain   MYDOMAIN.TLD
postfix   Domain   MYDOMAIN.TLD

Here is the output of versions:

Webmin: 2.303 [/usr/share/webmin]
Themes:
Authentic Theme: 23.03 [authentic-theme]
Modules:
AWStats Reporting: 6.1 [virtualmin-awstats]
Jailkit Jail Manager: 1.1 [jailkit]
Ruby GEMS: 1.9 [ruby-gems]
Virtualmin Protected Directories: 3.5 [virtualmin-htpasswd]
Virtualmin Virtual Servers: 7.30.8.gpl-1 [virtual-server]
Usermin: 2.203 [/usr/share/usermin]
Themes:
Authentic Theme: 23.03 [authentic-theme]

Actually can you run virtualmin list-service-certs --domain yourdomain.com --multiline

Here it is:

webmin
Service type: domain
Cert file: /etc/ssl/virtualmin/DOMAIN_ID/ssl.cert
Key file: /etc/ssl/virtualmin/DOMAIN_ID/ssl.key
Domain name: DOMAIN_NAME.TLD
Service port: 10000
usermin
Service type: domain
Cert file: /etc/ssl/virtualmin/DOMAIN_ID/ssl.cert
Key file: /etc/ssl/virtualmin/DOMAIN_ID/ssl.key
Domain name: DOMAIN_NAME.TLD
Service port: 20000
dovecot
Service type: domain
Cert file: /etc/ssl/virtualmin/DOMAIN_ID/ssl.combined
Key file: /etc/ssl/virtualmin/DOMAIN_ID/ssl.key
Domain name: DOMAIN_NAME.TLD
Service port: 993
postfix
Service type: domain
Cert file: /etc/ssl/virtualmin/DOMAIN_ID/ssl.cert
Key file: /etc/ssl/virtualmin/DOMAIN_ID/ssl.key
CA file: /etc/ssl/virtualmin/DOMAIN_ID/ssl.ca
Domain name: DOMAIN_NAME.TLD
Service port: 587

Ok that looks fine, as it indicates that Virtualmin is finding the certificate config for Dovecot and Postfix as expected. And hence when renewing, it should just update those files.

What command or UI action did you use to request a new cert?

As simple as Manage Virtual Server > Setup SSL Certificate > SSL providers.
And from there “Request Certificate”.
Fact is that it also breaks on automated renewals, where there is no manual action… and that's annoying.

So I presume there's something wrong with the Let's Encrypt scripts that renew certificates and/or maybe subsequent calls to other scripts… but I have no clue on how to debug this.

Is there anything you recall changing aside from the defaults, particularly in the “Virtualmin Configuration / SSL Settings” or “System Settings ⇾ Server Templates / SSL website for domain” pages?

Additionally, is the “Send outgoing email for domain from IP” option in the “Mail Options ⇾ Email Settings” page set to default or a specific IP?

I’m asking because I cannot reproduce it with Webmin 2.303 and Virtualmin 7.30.8.

Where is this option located? I can't find it. Thanks!

I remember that at some point, saving the Postfix configuration (under Servers > Postfix Mail Server > General options) failed and I had to edit/save it manually.

Do you have an example maybe of a correct configuration in "/etc/postfix/main.cf" for multiple servers with multiple IPs hosted?
I also remember that when that happened, I also had to change "/etc/postfix/master.cf" to add these lines at the end (that were missing):

smtp-DOMAIN-ID unix - - y - - smtp -o smtp_bind_address=IPV4 -o smtp_bind_address6=IPV6 -o smtp_helo_name=mail.MY-DOMAIN.TLD

BTW, whenever I try to connect to Postfix using telnet, it uses the "main server" hostname, not the one related to the domain (like indicated above, "mail.MY-DOMAIN.TLD") with the EHLO command.

Thanks for your help !

Yes, sure! Here are the Postfix configs I have on my Debian 12 system—pretty close to the default—and they work just fine.

main.cf (2.0 KB)
master.cf (7.0 KB)

Note that you’ll need to replace host.debian12-pro.virtualmin.dev with your actual hostname.