My wonderful almost-new VirtualMin host just went through its first tough challenge… and something went seriously wrong.
- My original LetsEncrypt cert timed out because I didn’t have auto-renew, and also didn’t have port 80 properly connecting to the server from the outside world. Fixed that. Whew.
- The cert request then failed with an error saying there was a live cert for the server already in place. Not sure what the correct solution is… I renamed the /etc/letsencrypt/live/my.dom.ain folder, and then it succeeded, creating /etc/letsencrypt/live/my.dom.ain-0001 (not sure what the 0001 is about, but it worked!)
- I then set it to auto-renew, and told VirtualMin to copy the cert to Dovecot and Postfix.
- No errors… all seemed well… until I started getting complaints
After some testing and sleuthing, here’s what I found:
- All certs appear to be up to date and no complaints in the VirtualMin GUI
- All actual cert files are updated
- Yet neither Dovecot (pop3, imap) nor Postfix (STARTTLS incoming) is functioning properly.
- Incoming connections always fail
- Typical error is a complaint about SSL mismatch
- Several sets of cert-related files are created by the LetsEncrypt scripts in VirtualMin:
  - ServerName/ssl.(ca,cert,key,combined) # these come from LE files (chain,cert,privkey,fullchain).pem
  - ServerName.(ca,cert,key) # Same as ssl.(ca,cert,key) above
  - /etc/webmin/miniserv.(ca,cert,pem) # Should be same as (ca,cert,key) above
- (For those unfamiliar: CA is root Cert Authority, Cert is my cert, Key/PEM is
- Either the /home/ files or the /etc/webmin/miniserv.* files are referenced in the various Dovecot and Postfix config files.
- I don’t know why the following happens, but it did/does: miniserv.cert is NOT my cert. This causes both Postfix STARTTLS and Dovecot to fail. My immediate workaround: I pointed all such configs to /home/ServerName/.(cert,key,ca) as needed.
- On further examination, miniserv.cert is a copy of miniserv.ca – the Root CA. No wonder everything broke.
Is this a known issue? Hopefully we can get this fixed before my next auto-SSL-renew.
(I’m not in a position to shut down and do further testing for now… we’ve just been through 24+ hours with our primary email server producing a flood of errors, so my people aren’t ready for a shutdown at the moment :)… but happy to do so in a day or three… )
Operating system: Debian Linux 10
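The check that would have caught the problem described in the post, written here as an added example (it is not code from the original post or from Virtualmin): it reports when a "server certificate" file is actually the CA certificate, and when a certificate does not belong to the private key beside it. It assumes the openssl command-line tool is installed; the throw-away CA, leaf certificate and broken miniserv.cert it builds are constructed sample data.

```shell
#!/bin/sh
# Added example (not Virtualmin's code). Requires the openssl CLI.
# check_cert_set CERT KEY CA
#   returns 0 if CERT belongs to KEY and is not the CA file
#   returns 1 if the public key in CERT differs from KEY ("SSL mismatch")
#   returns 2 if CERT has the same fingerprint as CA (the miniserv.cert bug)
check_cert_set() {
    cert=$1; key=$2; ca=$3
    cert_fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256)
    ca_fp=$(openssl x509 -in "$ca" -noout -fingerprint -sha256)
    if [ "$cert_fp" = "$ca_fp" ]; then
        echo "$cert: identical to CA file $ca, not a server certificate" >&2
        return 2
    fi
    # Compare SubjectPublicKeyInfo blocks; equal PEM text means same key pair
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "$cert: public key does not match private key $key" >&2
        return 1
    fi
    echo "$cert: matches $key and is distinct from $ca"
    return 0
}

# Constructed sample data: a throw-away CA, a leaf cert signed by it,
# and a miniserv.cert that is a copy of the CA, reproducing the broken state.
# Prints the temp directory holding the files.
make_samples() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$d/ssl.key" -out "$d/ssl.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/ssl.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/ssl.cert" >/dev/null 2>&1
    cp "$d/ca.pem" "$d/miniserv.cert"
    echo "$d"
}

# Usage on a live host (paths as in the post), e.g.:
#   sh check_certs.sh /home/ServerName/ssl.cert /home/ServerName/ssl.key /home/ServerName/ssl.ca
if [ $# -eq 3 ]; then
    check_cert_set "$1" "$2" "$3"
fi
```

Run it once per (cert, key, ca) triple that Dovecot, Postfix and miniserv are configured to load; a return code of 2 is exactly the "miniserv.cert is a copy of miniserv.ca" state.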