Copy Let'sEncrypt cert to Dovecot/Postfix broke both of them :(

My wonderful almost-new VirtualMin host just went through its first tough challenge… and something went seriously wrong.

  • My original LetsEncrypt cert timed out because I didn’t have auto-renew, and also didn’t have port 80 properly connecting to the server from the outside world. Fixed that. Whew.
  • The cert request then failed with an error saying there was a live cert for the server already in place. Not sure what the correct solution is… I renamed the /etc/letsencrypt/live/my.dom.ain folder, and then it succeeded, creating /etc/letsencrypt/live/my.dom.ain-0001 (not sure what the 0001 is about, but it worked!)
  • I then set it to auto-renew, and told VirtualMin to copy the cert to Dovecot and Postfix
  • No errors… all seemed well… until I started getting complaints :frowning:

After some testing and sleuthing, here’s what I found:

SYMPTOMS

  • All certs appear to be up to date and no complaints in the VirtualMin GUI
  • All actual cert files are updated
  • Yet neither Dovecot (pop3, imap) nor Postfix (STARTTLS incoming) are functioning properly.
    • Incoming connections always fail
    • Typical error is a complaint about SSL mismatch

DIAGNOSIS

  1. Several sets of cert-related files are created by the LetsEncrypt scripts in VirtualMin
    • /home/ServerName/ssl.(ca,cert,key,combined) # these come from LE files (chain,cert,privkey,fullchain).pem
    • /etc/webmin/ServerName.(ca,cert,key) # Same as ssl.(ca,cert,key) above
    • /etc/webmin/miniserv.(ca,cert,pem) # Should be same as (ca,cert,key) above
    • (For those unfamiliar: CA is root Cert Authority, Cert is my cert, Key/PEM is private key.)
  2. Either the /home/ServerName.* or the /etc/webmin/miniserv.* files are referenced in the various Dovecot and Postfix config files.
  3. I don’t know why the following happens, but it did/does.
    • miniserv.cert is NOT my cert. This causes both Postfix STARTTLS and Dovecot to fail. My immediate workaround: I pointed all such configs to /home/ServerName/.(cert,key,ca) as needed.*
    • On further examination, miniserv.cert is a copy of miniserv.ca – the Root CA. No wonder everything broke.

Is this a known issue? Hopefully we can get this fixed before my next auto-SSL-renew.

(I’m not in a position to shut down and do further testing for now… we’ve just been through 24+ hours with our primary email server producing a flood of errors, so my people aren’t ready for a shutdown at the moment :)… but happy to do so in a day or three… )

SYSTEM INFORMATION
Operating system: Debian Linux 10
Webmin version: 1.984
Usermin version: 1.834
Virtualmin version: 6.17-3
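The failure mode in the diagnosis above (a "cert" file that is really a copy of the CA, so the key no longer matches what the daemon presents) is easy to catch before restarting anything. The script below is an added example, not from this thread or from Virtualmin; it needs only the openssl command-line tool. It checks a cert/key/CA triple for the three things that break STARTTLS and IMAPS in practice: the cert being the CA itself, the key not belonging to the cert, and an expired cert. The fixture names (ca.cert, leaf.cert, broken.cert, mail.example.test) are constructed for the demo; on a real host you would point it at /home/ServerName/ssl.(cert,key,ca) and at /etc/webmin/miniserv.(cert,pem,ca).

```shell
#!/bin/sh
# Added example, not part of the original thread or of Virtualmin.
# Sanity-check the certificate, private key and CA file that Dovecot/Postfix
# are configured to use. Requires the "openssl" CLI.

# check_cert_files CERT KEY CA
#   returns 0 = consistent, 1 = CERT is the CA itself, 2 = KEY does not belong
#   to CERT, 3 = CERT has expired, 4 = a file could not be parsed
check_cert_files() {
    cert=$1; key=$2; ca=$3

    cert_fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256 2>/dev/null) \
        || { echo "cannot parse $cert"; return 4; }
    ca_fp=$(openssl x509 -in "$ca" -noout -fingerprint -sha256 2>/dev/null) \
        || { echo "cannot parse $ca"; return 4; }
    if [ "$cert_fp" = "$ca_fp" ]; then
        echo "FAIL: $cert is the CA certificate ($ca), not a server certificate"
        return 1
    fi

    # The public key inside the certificate must equal the public half of the key file.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "cannot parse $key"; return 4; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match the public key in $cert"
        return 2
    fi

    # -checkend 0 exits non-zero once notAfter has passed.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $cert has expired"
        return 3
    fi

    echo "OK: $cert / $key / $ca are consistent"
    return 0
}

# make_test_pki DIR: build a constructed throw-away CA and a leaf cert signed
# by it, plus "broken.cert", which mimics miniserv.cert being a copy of the CA.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.cert" -days 30 \
        -subj "/CN=Constructed Test CA" >/dev/null 2>&1 || return 1
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
        -subj "/CN=mail.example.test" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.cert" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/leaf.cert" -days 30 >/dev/null 2>&1 || return 1
    cp "$dir/ca.cert" "$dir/broken.cert"
}

# Stand-alone demo: one good triple and the two mismatches seen in the thread.
demo() {
    d=$(mktemp -d) || return 1
    make_test_pki "$d" || return 1
    check_cert_files "$d/leaf.cert"   "$d/leaf.key" "$d/ca.cert"   # OK
    check_cert_files "$d/broken.cert" "$d/leaf.key" "$d/ca.cert"   # FAIL: cert is the CA
    check_cert_files "$d/leaf.cert"   "$d/ca.key"   "$d/ca.cert"   # FAIL: wrong key
    rm -rf "$d"
    return 0
}
demo
```

Running it against the real files is just `check_cert_files /home/ServerName/ssl.cert /home/ServerName/ssl.key /home/ServerName/ssl.ca` and, for the Webmin copies, `check_cert_files /etc/webmin/miniserv.cert /etc/webmin/miniserv.pem /etc/webmin/miniserv.ca`; in the situation described above the second call returns 1. Whichever triple passes is the one Postfix (`smtpd_tls_cert_file`, `smtpd_tls_key_file`, `smtpd_tls_CAfile`) and Dovecot (`ssl_cert = <` and `ssl_key = <`) should reference, and after the service restart `openssl s_client -connect your.mx.host:587 -starttls smtp` will show the served certificate so you can confirm the daemon really picked it up.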

Better to just create a new cert from Virtualmin (will probably be domain-0002, that’s how LE names new certs for existing domains…), and let Virtualmin do all the “cert work”…
Had similar issues and had to do a lot of manual renewals, until I recreated failing certs from within Virtualmin…

Copy certs of your MX domain after you recreate them successfully, and do a services restart to check for any errors…

anyway, good luck. :slight_smile:

That’s basically what I did.
We’ve been stable for a day now. Assuming I know what to look for now, I’m going to attempt doing the same thing, and will see if I can replicate the issue. :wink:

I’ve done some more testing, learned a few things, and need a hint :slight_smile:

  • Now, new cert and cert update have no issue. They update the certs for my domain, and all is well.
  • However, miniserv.* are NOT updated at all anymore (and neither dovecot nor postfix point there, since I manually patched them.)
  • Also of note: the system no longer asks about pushing the certs to dovecot and postfix.

THUS, I am thinking:

  • The bug, if any, is in the push code
  • QUESTION: what does it take to re-enable the “push” code?
  • (It is possible I have a backup somewhere :wink: … will have to check.)

If it was done before automatically by VMIN with the setting, then that “flag” (config) is set so you don’t see it anymore, I guess.

Too long ago, but from the times I “played” I remember some: it could help to copy, from another virtual server within the GUI, that cert and use that one; maybe the other option then comes back again.

As a kind of workaround, as with some more things in Vmin, it can be solved by using another part of the GUI to change and get back to the right settings, if possible.

BACKUP things before!! Sometimes it is in a config file with paths; there was a kind of BUG in the past with a wrong path.

I also had an error with limits (disk space or so) for a domain; then not all was done right at the cert renewal.

So some brainstorming from me; I know it doesn’t help, but who knows, sometimes a light is turned on in your head by reading others’ brainies. :wink:
