msimerson / Mail-Toaster-6

Mail Toaster 6
https://github.com/msimerson/Mail-Toaster-6/wiki
BSD 3-Clause "New" or "Revised" License

New MT6 install: Let's Encrypt cert installed, but not shown in webmail #197

Closed johannes73 closed 7 years ago

johannes73 commented 7 years ago

Expected behavior

https to server without "invalid cert" warning.

Observed behavior

The self-signed cert from the initial steps of the install is used, which renders an "invalid cert" warning in the browser. The letsencrypt cert seems not to be sent to the browser.

During the install I used the "provision letsencrypt".

[Fri Feb 10 19:01:05 CET 2017] Pending
[Fri Feb 10 19:01:07 CET 2017] Success
[Fri Feb 10 19:01:07 CET 2017] Verify finished, start to sign.
[Fri Feb 10 19:01:08 CET 2017] Cert success.
[... cert is echoed...]
[Fri Feb 10 19:01:08 CET 2017] Your cert is in  /root/.acme.sh/mail1.smartnet.se/mail1.smartnet.se.cer 
[Fri Feb 10 19:01:08 CET 2017] Your cert key is in  /root/.acme.sh/mail1.smartnet.se/mail1.smartnet.se.key 
[Fri Feb 10 19:01:08 CET 2017] The intermediate CA cert is in  /root/.acme.sh/mail1.smartnet.se/ca.cer 
[Fri Feb 10 19:01:08 CET 2017] And the full chain certs is there:  /root/.acme.sh/mail1.smartnet.se/fullchain.cer 
deploying haraka
Files /tmp/mail1.smartnet.se.pem and /data/haraka/config/tls_cert.pem differ
Stopping jails: haraka.
Starting jails: haraka.
deploying haproxy
diff: /data/haproxy/ssl.d/mail1.smartnet.se.pem: No such file or directory
Waiting for PIDS: 85497, 85497.
Starting haproxy.
deploying dovecot
Files /tmp/dovecot-cert-mail1.smartnet.se.pem and /data/dovecot/etc/ssl/certs/dovecot.pem differ
Stopping dovecot.
Waiting for PIDS: 83246.
Starting dovecot.
[Fri Feb 10 19:01:21 CET 2017] Success
it worked
[ ...here it exits... ]

Testing a bit: less /root/.acme.sh/mail1.smartnet.se/fullchain.cer

When I take the contents (two certs) and enter them on https://tools.keycdn.com/ssl, the chain looks great. But it does not seem to be sent to the browser?

Problem persists after restart of server and client.

Steps to reproduce

Fresh FreeBSD 10.3 + MT6 install (all steps, excluding manual install of bought certs, as we use "provision letsencrypt")

msimerson commented 7 years ago

Check the haproxy certificate directory. I think you'll find there are two certs. Delete the one that is not /data/haproxy/ssl.d/mail1.smartnet.se.pem, as that's your self-signed one. Restart haproxy and try again.

johannes73 commented 7 years ago

When I check in /data/haproxy/ssl.d/ there is only one file, mail1.smartnet.se.pem, with 4 parts.

First part is the private key, then follows 3 certs (1-3). Cert 1 and 2 are identical (CN of the mail server, issuer Let's Encrypt). Cert 3 is the Let's Encrypt cert with issuer DST Root CA X3.

When checking this file on https://tools.keycdn.com/ssl, it complains about chain issues. But when I test with only certs 2 and 3, it says the chain is fine.

Hm... not sure how best to proceed.

root@mail1:/usr/home/johannes # cd /data/haproxy/ssl.d/
root@mail1:/data/haproxy/ssl.d # ls
mail1.smartnet.se.pem
root@mail1:/data/haproxy/ssl.d # less mail1.smartnet.se.pem 
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[ cert 1 ]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[ cert 2 ]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[ cert 3 ]
-----END CERTIFICATE-----
msimerson commented 7 years ago

Ahah, closing in on the problem.

Check the haproxy config and look at the directory configured for SSL certs.

frontend http-in
        bind *:80
        bind *:443 ssl crt /etc/ssl/private

Change /etc/ssl/private, the default location, to /data/ssl.d
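The two things that went wrong in this thread (a PEM bundle in the haproxy directory that carried the leaf certificate twice, and a `bind ... ssl crt` line pointing at a directory other than the one the deploy step writes to) can both be caught with a small audit script. The following is an added example written for this page, not code from Mail-Toaster-6 or acme.sh. It assumes haproxy's single-file layout (private key first, then leaf, then intermediates), takes the config path and certificate directory as command-line arguments because their exact locations inside the jail are not given here, and the PEM bodies in the sample data are constructed base64 placeholders, not real keys or certificates.

```python
"""Audit a haproxy TLS setup: find the crt path(s) in haproxy.conf, then check
each PEM bundle for a missing/duplicate key, duplicated certificates, and for
drift from the key + fullchain that acme.sh produced (the 'Files ... differ'
line in the deploy log)."""
import hashlib
import re
import sys
from pathlib import Path
from typing import List, Tuple

# One PEM block: label in BEGIN must match label in END; body captured lazily.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
# 'bind <addr> ... ssl ... crt <path>' lines from the haproxy config.
BIND_CRT = re.compile(r"^\s*bind\s+\S+\s+.*\bssl\b.*\bcrt\s+(\S+)", re.M)


def crt_paths(haproxy_cfg: str) -> List[str]:
    """Every path haproxy has been told to load certificates from."""
    return BIND_CRT.findall(haproxy_cfg)


def parse_bundle(pem_text: str) -> List[Tuple[str, str]]:
    """Split a bundle into (label, sha256 of base64 payload) in file order."""
    blocks = []
    for label, body in PEM_BLOCK.findall(pem_text):
        payload = "".join(body.split())  # ignore line wrapping differences
        blocks.append((label, hashlib.sha256(payload.encode()).hexdigest()))
    return blocks


def audit_bundle(pem_text: str) -> List[str]:
    """Problems found in one haproxy PEM file; an empty list means it looks sane."""
    blocks = parse_bundle(pem_text)
    if not blocks:
        return ["no PEM blocks found"]
    problems = []
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    if not certs:
        problems.append("no certificates found")
    seen = {}  # digest -> 1-based position among the certificates
    for idx, (_, digest) in enumerate(certs, 1):
        if digest in seen:  # the thread's case: cert 1 and cert 2 identical
            problems.append(f"certificate {idx} duplicates certificate {seen[digest]}")
        else:
            seen[digest] = idx
    return problems


def bundle_matches(pem_text: str, key_pem: str, fullchain_pem: str) -> bool:
    """True when the deployed bundle is exactly key followed by fullchain."""
    return parse_bundle(pem_text) == parse_bundle(key_pem + fullchain_pem)


# Constructed sample data (placeholder base64, not real key material).
def _block(label: str, body: str) -> str:
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


SAMPLE_KEY = _block("RSA PRIVATE KEY", "S0VZS0VZS0VZ")
SAMPLE_LEAF = _block("CERTIFICATE", "TEVBRkxFQUY=")
SAMPLE_INTER = _block("CERTIFICATE", "SU5URVJNRURJQVRF")
SAMPLE_FULLCHAIN = SAMPLE_LEAF + SAMPLE_INTER
GOOD_BUNDLE = SAMPLE_KEY + SAMPLE_FULLCHAIN
BROKEN_BUNDLE = SAMPLE_KEY + SAMPLE_LEAF + SAMPLE_LEAF + SAMPLE_INTER  # leaf twice
SAMPLE_CFG = "frontend http-in\n        bind *:80\n        bind *:443 ssl crt /etc/ssl/private\n"


def main(argv: List[str]) -> int:
    """Usage: audit.py <haproxy.conf> <directory the deploy step writes to>."""
    if len(argv) != 3:
        print(__doc__)
        return 2
    cfg_text = Path(argv[1]).read_text()
    expected_dir = Path(argv[2])
    rc = 0
    for crt in crt_paths(cfg_text):
        if Path(crt) != expected_dir:
            print(f"haproxy loads certs from {crt}, deploy writes to {expected_dir}")
            rc = 1
        files = list(Path(crt).glob("*.pem")) if Path(crt).is_dir() else [Path(crt)]
        for pem in files:
            for problem in audit_bundle(pem.read_text()) if pem.exists() else ["missing"]:
                print(f"{pem}: {problem}")
                rc = 1
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 audit.py /path/to/haproxy.conf /data/ssl.d` inside the haproxy jail; a non-zero exit means either the config points somewhere other than the deploy directory or a bundle there has the duplicate-leaf shape seen above. Comparing base64 payloads rather than parsing X.509 keeps the script dependency-free; it will not validate the chain itself, which is what the online checker in the thread was used for.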

msimerson commented 7 years ago

Update, I fixed the target path in the above comment to /data/ssl.d

johannes73 commented 7 years ago

Thank you, Matt. Works fine now.