Multiple issues after a fresh install

Thank you for your reply.

This error is related to email. It’s what I see when I run journalctl -f

This is the entire error -

dovecot[136760]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:0A000416:SSL routines::sslv3 alert certificate unknown: SSL alert number 46 (no auth attempts in 0 secs): user=<>, rip=152.58.43.214, lip=72.60.203.205, TLS handshaking: SSL_accept() failed: error:0A000416:SSL routines::sslv3 alert certificate unknown: SSL alert number 46, session=<b+qNTzJBkdKYOivW>

@Jamie, why are we using the SSLCACertificateFile directive to provide the intermediate certificate to clients!? That directive is meant only for client certificate authentication, not for serving intermediates.

Besides, we don’t need to include the intermediate certificate these days, and definitely not via SSLCACertificateFile. Older Apache versions used SSLCertificateChainFile, but modern ones (version 2.4.8 and up) expect both the certificate and the chain to be in SSLCertificateFile, like in ssl.combined.

We definitely need to fix this!


If anyone is seeing this issue, just remove those directives by running:

sudo find /etc/apache2 /etc/httpd -type f -name '*.conf' 2>/dev/null -exec sed -i '/^[[:space:]]*SSLCACertificateFile/d' {} +

It’s gone, finally. I don’t know how many hours I spent trying to get rid of that error.
With that code, it’s gone.

Thank you very much. I can sleep tonight.

I’m very glad to hear it got fixed for you! Sorry about that!! We will fix it for Virtualmin 7.50.0 release shortly!

No, we need separate topics about completely unrelated issues. Apache obviously cannot have anything to do with Dovecot. Make a new topic for your Dovecot issue.

Glad to hear that.

Yeah, we should probably switch to using a single file for the combined cert and CA cert for Apache. I’ll look into this ..


Jamie, here is what we should do, in my perspective to make things work correctly.

  1. We do not set SSLCertificateChainFile at all, if we already have set or can set ssl.combined for SSLCertificateFile.
  2. If we don’t and SSLCertificateFile is already set to ssl.cert only, we should set SSLCertificateChainFile which will work perfectly fine on old and new Apache.

Some users reported that they don’t have SSLCertificateFile set to ssl.combined.

BTW, the error has come back -
dovecot[3703]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:0A000416:SSL routines::sslv3 alert certificate unknown: SSL alert number 46 (no auth attempts in 0 secs): user=<>, rip=103.186.198.165, lip=72.60.203.205, TLS handshaking: SSL_accept() failed: error:0A000416:SSL routines::sslv3 alert certificate unknown: SSL alert number 46, session=

The above error simply goes on and on.

I dug into all this more, and surprisingly, the SSLCACertificateFile directive, even though it’s meant for client auth, still works well for serving intermediate certificates, just like SSLCertificateChainFile.

@Joe, and now, I don’t understand the fuss around it. Yes, it’s recommended to use SSLCertificateFile with ssl.combined, but either SSLCertificateChainFile or the currently incorrectly used SSLCACertificateFile works fine with ssl.ca on multiple distros I tried.

Can anyone reading this provide useful analytical info? What isn’t working and when? What settings do you have in the Apache config when it works and when it doesn’t? Please don’t just say it doesn’t work or it stopped working after an upgrade—it’s not really helpful.


While testing this on a number of different distros, I found another serious bug where Apache breaks configs when SSL for the host domain fails, and it’s 100% reproducible on my Debian 12 local instance. I think the Webmin Apache API isn’t meant to handle adding and deleting a domain in the same call. This is the only part of the code that does it.

@Jamie, I’m looking into fixing it right now, but can you make sure we’re not setting either SSLCACertificateFile or SSLCertificateChainFile and instead just use SSLCertificateFile with ssl.combined? I think we should remove both of those unnecessary directives and make sure we handle this properly during restore as well—agreed?

If we do need to set a CA file for manually installed certificates, then it should definitely be SSLCertificateChainFile, not SSLCACertificateFile—agreed?

Really, is that all the info we get? Could you please share the full VirtualHost block from your Apache config for the domain in question?

Oh Lord, no questions about Dovecot here!

“Could you please share the full VirtualHost block from your Apache config for the domain in question?”

Please tell me where to get this exactly from and I will.

I’ll create another thread for that.

Those are in the /etc/apache2/sites-enabled directory on Debian systems.

<VirtualHost *:80>
    SuexecUserGroup "#1097" "#1026"
    ServerName effezascience.com
    ServerAlias www.effezascience.com
    ServerAlias mail.effezascience.com
    ServerAlias webmail.effezascience.com
    ServerAlias admin.effezascience.com
    ServerAlias autoconfig.effezascience.com
    ServerAlias autodiscover.effezascience.com
    DocumentRoot /home/effezascience.com/public_html
    ErrorLog /var/log/virtualmin/effezascience.com_error_log
    CustomLog /var/log/virtualmin/effezascience.com_access_log combined
    ScriptAlias /cgi-bin/ /home/effezascience.com/cgi-bin/
    ScriptAlias /AutoDiscover/AutoDiscover.xml /home/effezascience.com/cgi-bin/autoconfig.cgi
    ScriptAlias /Autodiscover/Autodiscover.xml /home/effezascience.com/cgi-bin/autoconfig.cgi
    ScriptAlias /autodiscover/autodiscover.xml /home/effezascience.com/cgi-bin/autoconfig.cgi
    DirectoryIndex index.php index.htm index.html
    <Directory /home/effezascience.com/public_html>
        Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch
        Require all granted
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    </Directory>
    <Directory /home/effezascience.com/cgi-bin>
        Require all granted
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    </Directory>
    ProxyPass /.well-known !
    RewriteEngine on
    RewriteCond %{HTTP_HOST} =webmail.effezascience.com
    RewriteRule ^/(?!.well-known)(.*)$ https://effezascience.com:20000/ [R]
    RewriteCond %{HTTP_HOST} =admin.effezascience.com
    RewriteRule ^/(?!.well-known)(.*)$ https://effezascience.com:10000/ [R]
    Redirect /mail/config-v1.1.xml /cgi-bin/autoconfig.cgi
    Redirect /.well-known/autoconfig/mail/config-v1.1.xml /cgi-bin/autoconfig.cgi
    Redirect /mail/config-v1.1.xml /cgi-bin/autoconfig.cgi
    Redirect /.well-known/autoconfig/mail/config-v1.1.xml /cgi-bin/autoconfig.cgi
    RemoveHandler .php
    RemoveHandler .php7.4
    RemoveHandler .php8.2
    RemoveHandler .php8.4
    RewriteRule ^/(?!.well-known)(.*)$ https://%{HTTP_HOST}/$1 [R]
    RewriteCond %{HTTP_HOST} =webmail.effezascience.com
    RewriteRule ^/(?!.well-known)(.*)$ https://effezascience.com:20000/ [R]
    RewriteCond %{HTTP_HOST} =admin.effezascience.com
    RewriteRule ^/(?!.well-known)(.*)$ https://effezascience.com:10000/ [R]
    RewriteCond %{HTTP_HOST} =webmail.effezascience.com
    RewriteRule ^(?!/.well-known)(.*) https://effezascience.com:20000/ [R]
    RewriteCond %{HTTP_HOST} =admin.effezascience.com
    RewriteRule ^(?!/.well-known)(.*) https://effezascience.com:10000/ [R]
    <FilesMatch \.php$>
        SetHandler proxy:unix:/run/php/169225344617803.sock|fcgi://127.0.0.1
    </FilesMatch>
</VirtualHost>
<VirtualHost *:443>
    SuexecUserGroup "#1097" "#1026"
    ServerName effezascience.com
    ServerAlias www.effezascience.com
    ServerAlias mail.effezascience.com
    ServerAlias webmail.effezascience.com
    ServerAlias admin.effezascience.com
    ServerAlias autoconfig.effezascience.com
    ServerAlias autodiscover.effezascience.com
    DocumentRoot /home/effezascience.com/public_html
    ErrorLog /var/log/virtualmin/effezascience.com_error_log
    CustomLog /var/log/virtualmin/effezascience.com_access_log combined
    ScriptAlias /cgi-bin/ /home/effezascience.com/cgi-bin/
    ScriptAlias /AutoDiscover/AutoDiscover.xml /home/effezascience.com/cgi-bin/autoconfig.cgi
    ScriptAlias /Autodiscover/Autodiscover.xml /home/effezascience.com/cgi-bin/autoconfig.cgi
    ScriptAlias /autodiscover/autodiscover.xml /home/effezascience.com/cgi-bin/autoconfig.cgi
    DirectoryIndex index.php index.htm index.html
    <Directory /home/effezascience.com/public_html>
        Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch
        Require all granted
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    </Directory>
    <Directory /home/effezascience.com/cgi-bin>
        Require all granted
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    </Directory>
    ProxyPass /.well-known !
    RewriteEngine on
    RewriteCond %{HTTP_HOST} =webmail.effezascience.com
    RewriteRule ^/(?!.well-known)(.*)$ https://effezascience.com:20000/ [R]
    RewriteCond %{HTTP_HOST} =admin.effezascience.com
    RewriteRule ^/(?!.well-known)(.*)$ https://effezascience.com:10000/ [R]
    Redirect /mail/config-v1.1.xml /cgi-bin/autoconfig.cgi
    <FilesMatch \.php$>
        SetHandler proxy:unix:/run/php/169225344617803.sock|fcgi://127.0.0.1
    </FilesMatch>
    Redirect /.well-known/autoconfig/mail/config-v1.1.xml /cgi-bin/autoconfig.cgi
    Redirect /mail/config-v1.1.xml /cgi-bin/autoconfig.cgi
    Redirect /.well-known/autoconfig/mail/config-v1.1.xml /cgi-bin/autoconfig.cgi
    RemoveHandler .php
    RemoveHandler .php7.4
    RemoveHandler .php8.2
    RemoveHandler .php8.4
    SSLEngine on
    SSLCertificateFile /etc/ssl/virtualmin/169225344617803/ssl.cert
    SSLCertificateKeyFile /etc/ssl/virtualmin/169225344617803/ssl.key
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    RewriteCond %{HTTP_HOST} =webmail.effezascience.com
    RewriteRule ^/(?!.well-known)(.*)$ https://effezascience.com:20000/ [R]
    RewriteCond %{HTTP_HOST} =admin.effezascience.com
    RewriteRule ^/(?!.well-known)(.*)$ https://effezascience.com:10000/ [R]
    RewriteCond %{HTTP_HOST} =webmail.effezascience.com
    RewriteRule ^(?!/.well-known)(.*) https://effezascience.com:20000/ [R]
    RewriteCond %{HTTP_HOST} =admin.effezascience.com
    RewriteRule ^(?!/.well-known)(.*) https://effezascience.com:10000/ [R]
    SSLCACertificateFile /etc/ssl/virtualmin/169225344617803/ssl.ca
</VirtualHost>

I can see that your website is working and the original problem is solved now, right?

Still referencing an SSLCACertificateFile, which is harmless as long as the ssl.ca file exists, but it is unnecessary.

Well, in this case, it’s necessary because SSLCertificateChainFile doesn’t reference the interm CA cert in the ssl.cert file, ssl.combined does. So, some clients like curl will refuse to work correctly. As the Apache documentation clearly states:

SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.

This means ideally we shouldn’t use either SSLCertificateChainFile or SSLCACertificatePath. But I assume Jamie just picked it as a quick fix over old SSLCertificateChainFile code logic.

The latest patches still use the SSLCACertificatePath directive, meaning they use all three ssl.cert, ssl.key, and ssl.ca for ACME providers. I assume changing it without potentially breaking anything won’t be straightforward. So, we should probably just leave it as is.

@Jamie, the only confusing thing about the current code is that the self-signed certificate is generated with ssl.combined rather than ssl.cert. Is this intentional? Because later, in the LE request, it’s replaced with ssl.cert for SSLCertificateFile.


To clarify for any future readers — we’re currently using SSLCACertificatePath to provide the interm CA cert, similar to how SSLCertificateChainFile was used in the past.

It’s a bit confusing since the main purpose of SSLCACertificatePath is for client-cert auth trust, but according to the Apache documentation, it can also be used to send interm CA as we’re doing now.
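For anyone who wants to check their own vhosts for the situation discussed in this thread (leaf-only SSLCertificateFile, chain supplied via SSLCertificateChainFile or SSLCACertificateFile, or a proper combined file), here is a small audit script. It is an added example, not code from Virtualmin or from anyone in this thread. It assumes the directory layout shown above (ssl.cert, ssl.ca, ssl.combined under /etc/ssl/virtualmin/<id>/); the PEM contents and the trimmed vhost block are constructed stand-ins, and the function names are my own.

```python
import re
from pathlib import Path
from typing import Callable, Dict, List

# Directives that decide what certificate material a TLS vhost serves.
SSL_DIRECTIVES = (
    "SSLEngine",
    "SSLCertificateFile",
    "SSLCertificateKeyFile",
    "SSLCertificateChainFile",
    "SSLCACertificateFile",
    "SSLCACertificatePath",
)

# Constructed stand-in PEM blocks (not real certificates): the audit only
# counts BEGIN CERTIFICATE markers, so the body text is irrelevant.
LEAF_PEM = "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n"
INTERMEDIATE_PEM = "-----BEGIN CERTIFICATE-----\nINTERMEDIATE\n-----END CERTIFICATE-----\n"

# Constructed file system (path -> contents) mirroring the layout in the thread.
FAKE_FILES: Dict[str, str] = {
    "/etc/ssl/virtualmin/169225344617803/ssl.cert": LEAF_PEM,
    "/etc/ssl/virtualmin/169225344617803/ssl.ca": INTERMEDIATE_PEM,
    "/etc/ssl/virtualmin/169225344617803/ssl.combined": LEAF_PEM + INTERMEDIATE_PEM,
}

# Trimmed copy of the *:443 block posted above: the directives the audit cares about.
SAMPLE_CONFIG = """
<VirtualHost *:80>
    ServerName effezascience.com
</VirtualHost>
<VirtualHost *:443>
    ServerName effezascience.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/virtualmin/169225344617803/ssl.cert
    SSLCertificateKeyFile /etc/ssl/virtualmin/169225344617803/ssl.key
    SSLCACertificateFile /etc/ssl/virtualmin/169225344617803/ssl.ca
</VirtualHost>
"""

# The same vhost rewritten the way the thread recommends: one combined file, no CA directive.
SAMPLE_CONFIG_FIXED = """
<VirtualHost *:443>
    ServerName effezascience.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/virtualmin/169225344617803/ssl.combined
    SSLCertificateKeyFile /etc/ssl/virtualmin/169225344617803/ssl.key
</VirtualHost>
"""


def count_pem_certs(pem_text: str) -> int:
    """Number of certificates in a PEM bundle (leaf + any intermediates)."""
    return len(re.findall(r"^-----BEGIN CERTIFICATE-----", pem_text, re.M))


def parse_vhosts(config_text: str) -> List[Dict[str, str]]:
    """Extract the SSL-relevant directives of every <VirtualHost> block."""
    vhosts = []
    for m in re.finditer(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", config_text, re.S):
        directives = {"_listen": m.group(1).strip()}
        for raw in m.group(2).splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            if parts[0] in SSL_DIRECTIVES and len(parts) == 2:
                directives[parts[0]] = parts[1].strip().strip('"')
        vhosts.append(directives)
    return vhosts


def audit_chain(directives: Dict[str, str], read_file: Callable[[str], str]) -> Dict[str, object]:
    """Report where (if anywhere) the intermediate CA certificate comes from."""
    sources: List[str] = []
    notes: List[str] = []
    cert_path = directives.get("SSLCertificateFile")
    if cert_path is None:
        return {"chain_served": False, "sources": [], "notes": ["SSLCertificateFile missing"]}
    try:
        if count_pem_certs(read_file(cert_path)) >= 2:
            sources.append("SSLCertificateFile")  # combined file, the documented way since 2.4.8
    except (KeyError, OSError):
        notes.append(f"cannot read {cert_path}")
    if "SSLCertificateChainFile" in directives:
        sources.append("SSLCertificateChainFile")
        notes.append("SSLCertificateChainFile is obsolete since Apache 2.4.8; append the "
                     "intermediate to SSLCertificateFile instead")
    for d in ("SSLCACertificateFile", "SSLCACertificatePath"):
        if d in directives:
            sources.append(d)
            notes.append(f"{d} is documented for client-cert trust; it also completes the "
                         "chain, but a combined SSLCertificateFile is the documented way")
    if not sources:
        notes.append("leaf certificate only: clients that do not fetch missing intermediates "
                     "(curl, mail clients) will fail verification")
    return {"listen": directives["_listen"], "chain_served": bool(sources),
            "sources": sources, "notes": notes}


def audit_config(config_text: str, read_file: Callable[[str], str] = None) -> List[Dict[str, object]]:
    """Audit every vhost with SSLEngine on; read_file defaults to the real file system."""
    if read_file is None:
        read_file = lambda p: Path(p).read_text()
    return [audit_chain(v, read_file) for v in parse_vhosts(config_text)
            if v.get("SSLEngine", "").lower() == "on"]


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("combined file", SAMPLE_CONFIG_FIXED)):
        for result in audit_config(cfg, FAKE_FILES.__getitem__):
            print(label, result)
```

Running it against the posted config reports the chain as served through SSLCACertificateFile with a note, and against the combined-file variant reports SSLCertificateFile alone with no notes. Pointed at a real box, `audit_config(Path("/etc/apache2/sites-enabled/example.conf").read_text())` reads the referenced PEM files from disk.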

Yes, the original problem is solved. We can close this thread.

Thank you.