My wonderful almost-new VirtualMin host just went through its first tough challenge… and something went seriously wrong.
- My original LetsEncrypt cert timed out because I didn’t have auto-renew, and also didn’t have port 80 properly connecting to the server from the outside world. Fixed that. Whew.
- The cert request then failed with an error saying there was a live cert for the server already in place. Not sure what the correct solution is… I renamed the /etc/letsencrypt/live/my.dom.ain folder, and then it succeeded, creating /etc/letsencrypt/live/my.dom.ain-0001 (not sure what the 0001 is about, but it worked!)
- I then set it to auto-renew, and told VirtualMin to copy the cert to Dovecot and Postfix
- No errors… all seemed well… until I started getting complaints
After some testing and sleuthing, here’s what I found:
SYMPTOMS
- All certs appear to be up to date and no complaints in the VirtualMin GUI
- All actual cert files are updated
- Yet neither Dovecot (pop3, imap) nor Postfix (STARTTLS incoming) are functioning properly.
- Incoming connections always fail
- Typical error is a complaint about SSL mismatch
DIAGNOSIS
- Several sets of cert-related files are created by the LetsEncrypt scripts in VirtualMin:
- /home/ServerName/ssl.(ca,cert,key,combined) # these come from LE files (chain,cert,privkey,fullchain).pem
- /etc/webmin/ServerName.(ca,cert,key) # Same as ssl.(ca,cert,key) above
- /etc/webmin/miniserv.(ca,cert,pem) # Should be same as (ca,cert,key) above
- (For those unfamiliar: CA is root Cert Authority, Cert is my cert, Key/PEM is private key.)
- Either the /home/ServerName/ssl.* or the /etc/webmin/miniserv.* files are referenced in the various Dovecot and Postfix config files.
- I don’t know why the following happens, but it did/does.
- miniserv.cert is NOT my cert. This causes both Postfix STARTTLS and Dovecot to fail. My immediate workaround: I pointed all such configs to /home/ServerName/ssl.(cert,key,ca) as needed.
- On further examination, miniserv.cert is a copy of miniserv.ca – the Root CA. No wonder everything broke.
Is this a known issue? Hopefully we can get this fixed before my next auto-SSL-renew.
(I’m not in a position to shut down and do further testing for now… we’ve just been through 24+ hours with our primary email server producing a flood of errors, so my people aren’t ready for a shutdown at the moment :)… but happy to do so in a day or three… )
| SYSTEM INFORMATION | |
|---|---|
| Operating system | Debian Linux 10 |
| Webmin version | 1.984 |
| Usermin version | 1.834 |
| Virtualmin version | 6.17-3 |
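An added consistency check for the failure described in this post (example code, not from the poster or from Virtualmin): it fingerprints every PEM block in an ssl.(cert,key,ca,combined) file set and flags a cert file that is really a copy of the CA, a key file with no private key, or a combined file in the wrong order. The PEM blocks built at the bottom are constructed stand-ins with opaque payloads, not real X.509 data; `key_matches_cert` is for real files on disk and is not exercised by the sample data.

```python
import base64
import hashlib
import re
import ssl

# One PEM block: label on the BEGIN/END lines, base64 body in between.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, sha256 fingerprint of the decoded DER bytes) for each PEM block."""
    return [(label, hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest())
            for label, body in PEM_BLOCK.findall(text)]

def check_cert_set(cert_pem, key_pem, ca_pem, combined_pem=None):
    """Return a list of problems found in one ssl.(cert,key,ca[,combined]) file set."""
    cert = [h for label, h in pem_blocks(cert_pem) if label == "CERTIFICATE"]
    ca = [h for label, h in pem_blocks(ca_pem) if label == "CERTIFICATE"]
    key = [h for label, h in pem_blocks(key_pem) if label.endswith("PRIVATE KEY")]
    problems = []
    if not cert:
        problems.append("cert file contains no CERTIFICATE block")
    if not key:
        problems.append("key file contains no PRIVATE KEY block")
    if cert and cert[0] in ca:
        # The failure from the post: the 'cert' file is actually the CA, so clients see a mismatch.
        problems.append("cert file is a copy of the CA, not the server certificate")
    if combined_pem is not None:
        combined = [h for label, h in pem_blocks(combined_pem) if label == "CERTIFICATE"]
        if combined[:1] != cert[:1] or combined[1:] != ca:
            problems.append("combined file is not server cert followed by CA chain")
    return problems

def key_matches_cert(cert_path, key_path):
    """For real files only: OpenSSL refuses to load a cert whose private key does not match."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(cert_path, key_path)
        return True
    except ssl.SSLError:
        return False

def fake_pem(label, payload):
    """Constructed stand-in PEM block (opaque bytes, not real X.509) for offline demonstration."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(payload).decode()}\n-----END {label}-----\n"

# Constructed sample set standing in for ssl.ca, ssl.cert and ssl.key.
CA = fake_pem("CERTIFICATE", b"constructed root CA")
SERVER = fake_pem("CERTIFICATE", b"constructed server cert")
KEY = fake_pem("PRIVATE KEY", b"constructed private key")
BROKEN = check_cert_set(CA, KEY, CA)  # miniserv.cert copied from miniserv.ca, as in the post
```

On a live system, run `check_cert_set` over the contents of the miniserv.* and ssl.* files, then `key_matches_cert` on the cert and key paths that Dovecot and Postfix actually reference.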