usmannasir / cyberpanel

Cyber Panel - The hosting control panel for OpenLiteSpeed
GNU General Public License v3.0

MailServer SSL does not issue the correct SSL cert #434

Open franciscopaniskaseker opened 4 years ago

franciscopaniskaseker commented 4 years ago

With the last cyberpanel version and centos 7 updated, I installed one domain and tried to issue the MailServer SSL through "SSL > MailServer SSL", but it always issues a self-signed SSL cert.

I had to go to the "WEBSITES > List Child Domains" menu, issue the SSL of "mail. child domain" and then go to "SSL > MailServer SSL" to issue the Let's Encrypt one. I do not like these steps. They are logical, however mail servers with self-signed certs will not be accepted by a lot of mail servers. But ok, let's move on to the main problem.

After I issued the mail server ssl, I received this message:

SSL Issued, your mail server now uses Lets Encrypt!

But when I try to look up the SSL:

openssl s_client -connect mail.mydomain.com:587 -starttls smtp
openssl s_client -connect mail.mydomain.com:25 -starttls smtp
openssl s_client -connect mail.mydomain.com:465 -starttls smtp

All of them return a self-signed SSL cert using "www.example.com" as CN.

As I do not have any log about what cyberpanel is doing internally (please see #416 that was closed with any relevant comment), I have no good way to troubleshoot the problem without having to understand tons of code to understand why cyberpanel is not issuing the mail SSL right.

franciscopaniskaseker commented 4 years ago

264 probably is related.

franciscopaniskaseker commented 4 years ago

I continue receiving from gmail:

"TLS Negotiation failed, the certificate doesn't match the host., code: 0"

I checked dovecot and postfix configs and they seem to be right, however the openssl s_client test continues giving the self-signed "www.example.com" cert.

franciscopaniskaseker commented 4 years ago

Today it happened with another server. The SSL cert was not renewed (and I do not know why, there are no logs) and I had to manually renew and manually issue through the "mailserver ssl" menu.

I checked postfix and dovecot and they are using the correct SSL cert. I checked the SSL cert and it is valid. But when someone looks up the MTA, they get the old certificate.

franciscopaniskaseker commented 4 years ago

I tried v.2.0.3 recently released ( https://cyberpanel.net/docs/change-log-for-cyberpanel/ ) because I saw:

but the update did not fix the problem.

franciscopaniskaseker commented 4 years ago

The SSL cert can be fixed with this command:

postmap -F hash:/etc/postfix/vmail_ssl.map
systemctl restart postfix
systemctl restart dovecot
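
Added example (not part of the original thread or of CyberPanel): valid files on disk while the MTA keeps serving an old certificate is what a stale compiled table looks like, because `postmap -F` stores the contents of the referenced files in the table at build time. The function below flags that state; it assumes `vmail_ssl.map` is a Postfix SNI table whose lines read `hostname key-file chain-file`, and `stale_sni_entries` is a hypothetical name.

```shell
#!/bin/sh
# stale_sni_entries <map-source>
# Prints one line per problem and returns 1 if the compiled table
# (<map-source>.db) is missing or older than the map source or any
# key/chain file the source references. Returns 0 when the table is current.
# Assumed line format: <hostname> <key-file> <chain-file>
# (continuation lines are not handled).
stale_sni_entries() {
    map=$1; db="$map.db"; rc=0
    [ -r "$map" ] || { echo "cannot read $map" >&2; return 2; }
    if [ ! -e "$db" ]; then
        echo "* $db (compiled table missing)"; return 1
    fi
    # The source itself was edited after the table was built
    if [ -n "$(find -L "$map" -newer "$db")" ]; then
        echo "* $map (source newer than table)"; rc=1
    fi
    while read -r host files || [ -n "$host" ]; do
        case $host in ''|'#'*) continue ;; esac    # skip blanks and comments
        for f in $files; do
            if [ ! -e "$f" ]; then
                echo "$host $f (missing)"; rc=1
            elif [ -n "$(find -L "$f" -newer "$db")" ]; then
                # File renewed on disk, but the table still embeds the old copy
                echo "$host $f"; rc=1
            fi
        done
    done < "$map"
    return $rc
}

# Example call on the path from the thread:
#   stale_sni_entries /etc/postfix/vmail_ssl.map || echo "rebuild needed"
```

Any output means the table has to be rebuilt with the `postmap -F` command above before Postfix will present the renewed certificate.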

franciscopaniskaseker commented 3 years ago

The same bug happened in another cyberpanel server (v.2.0.3). I applied the same commands from https://github.com/usmannasir/cyberpanel/issues/434#issuecomment-699133443 and it was fixed.

franciscopaniskaseker commented 3 years ago

Another server using cyberpanel server (v.2.0.3) with same bug. Fixed with same commands. Almost 7 months with this without any answer. And I do not believe there is no one with this bug.

vadikcoma commented 3 years ago

We are having the same issue. Clients had lost email communication multiple times due to this bug. Can this be addressed?

mencargo commented 2 years ago

We have the same issue. Using "MailServer SSL" menu, "Issue SSL", it shows a message "SSL Issued, your mail server now uses Lets Encrypt!". But email clients, remote servers and browsing directly at the https URL, it uses a self signed cert, that is causing problems with email delivery and email clients setup.

mencargo commented 2 years ago

I have found an error:

The log had:

/root/.acme.sh/acme.sh --issue -d mail.domain.com -d www.mail.domain.com --cert-file /etc/letsencrypt/live/mail.domain.com/cert.pem --key-file /etc/letsencrypt/live/mail.domain.com/privkey.pem --fullchain-file /etc/letsencrypt/live/mail.domain.com/fullchain.pem -w /home/mail.domain.com/public_html -k ec-256 --force --server letsencrypt

It didn't succeed, even if the panel shows the "SSL Issued", it fails, generates a new self-signed and "succeeds"...

Anyway, two issues with it, the working home directory is wrong, if I test with a browser it shows the content of: /home/domain.com/mail.domain.com/

NOT: /home/mail.domain.com/public_html/

Also, the subdomain www is useless here...

So I ran the following command:

/root/.acme.sh/acme.sh --issue -d mail.domain.com --cert-file /etc/letsencrypt/live/mail.domain.com/cert.pem --key-file /etc/letsencrypt/live/mail.domain.com/privkey.pem --fullchain-file /etc/letsencrypt/live/mail.domain.com/fullchain.pem -w /home/domain.com/mail.domain.com -k ec-256 --force --server letsencrypt

And it worked
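
Added example (not from the thread or from CyberPanel): a post-issuance check that inspects the certificate file actually written, instead of trusting the "SSL Issued" message, and classifies it as self-signed, wrong hostname, near expiry or ok. `cert_status` and its result strings are hypothetical names; the function needs the `openssl` command-line tool.

```shell
#!/bin/sh
# cert_status <pem-file> <expected-hostname> [min-seconds-left]
# Prints one of: missing | self-signed | hostname-mismatch | expiring | ok
# Returns 0 only for "ok". For a fullchain file, openssl reads the first
# certificate in the file, which is the leaf.
cert_status() {
    pem=$1; host=$2; min_left=${3:-604800}    # default threshold: 7 days
    [ -r "$pem" ] || { echo "missing"; return 1; }

    # Subject equal to issuer: the cert was not issued by a CA. This is what
    # a fallback self-signed certificate looks like.
    subject=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253)
    issuer=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253)
    if [ "${subject#subject=}" = "${issuer#issuer=}" ]; then
        echo "self-signed"; return 1
    fi

    # -checkhost reports "does match" or "does NOT match" on stdout;
    # parse the text rather than relying on the exit code.
    if ! openssl x509 -in "$pem" -noout -checkhost "$host" \
            | grep -q 'does match certificate'; then
        echo "hostname-mismatch"; return 1
    fi

    # -checkend exits non-zero if the cert expires within min_left seconds
    if ! openssl x509 -in "$pem" -noout -checkend "$min_left" >/dev/null; then
        echo "expiring"; return 1
    fi
    echo "ok"
}

# Example call on the path from the comment above:
#   cert_status /etc/letsencrypt/live/mail.domain.com/fullchain.pem mail.domain.com
```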

VJ-Ranga commented 2 years ago

I had the same problem. However, I was able to fix it. I do not know if it is the right step, but it works fine

I use Cyberpanel (ubuntu 20.04) and Cloudflare DNS. I issue SSL using the DNS API.

  1. connect DNS using an API key
export CF_Key="API Key"
export CF_Email="Email"

more details:- github.com/acmesh-official/acme.sh/wiki/dnsapi#1-cloudflare-option

  2. issue SSL main domain and mail domain(replace domain.com with your domain)
/root/.acme.sh/acme.sh --issue --dns dns_cf -d domain.com -d www.domain.com
/root/.acme.sh/acme.sh --issue --dns dns_cf -d mail.domain.com
  3. copy the files to the letsencrypt/live folder(replace domain.com with your domain)
cp /root/.acme.sh/domain.com/domain.com.key /etc/letsencrypt/live/domain.com/privkey.pem 
cp /root/.acme.sh/domain.com/fullchain.cer /etc/letsencrypt/live/domain.com/fullchain.pem
cp /root/.acme.sh/domain.com/domain.com.cer /etc/letsencrypt/live/domain.com/cert.pem

cp /root/.acme.sh/mail.domain.com/mail.domain.com.key /etc/letsencrypt/live/mail.domain.com/privkey.pem
cp /root/.acme.sh/mail.domain.com/fullchain.cer /etc/letsencrypt/live/mail.domain.com/fullchain.pem
cp /root/.acme.sh/mail.domain.com/mail.domain.com.cer /etc/letsencrypt/live/mail.domain.com/cert.pem

Then I created a cronJob to renew SSL.

  1. create a bash script file

nano sslnew.sh

  2. Add all commands to the file (replace domain.com with your domain)
#!/bin/sh

/root/.acme.sh/acme.sh --renew --force --dns dns_cf -d domain.com -d www.domain.com
/root/.acme.sh/acme.sh --renew --force --dns dns_cf -d mail.domain.com

cp /root/.acme.sh/domain.com/domain.com.key /etc/letsencrypt/live/domain.com/privkey.pem 
cp /root/.acme.sh/domain.com/fullchain.cer /etc/letsencrypt/live/domain.com/fullchain.pem
cp /root/.acme.sh/domain.com/domain.com.cer /etc/letsencrypt/live/domain.com/cert.pem

cp /root/.acme.sh/mail.domain.com/mail.domain.com.key /etc/letsencrypt/live/mail.domain.com/privkey.pem
cp /root/.acme.sh/mail.domain.com/fullchain.cer /etc/letsencrypt/live/mail.domain.com/fullchain.pem
cp /root/.acme.sh/mail.domain.com/mail.domain.com.cer /etc/letsencrypt/live/mail.domain.com/cert.pem
  3. convert file to executable
chmod +x sslnew.sh

  4. Add cronJob. If you are running for the first time, you will need to select a text editor(use a familiar one)

crontab -e
0 0 * * 7 /root/sslnew.sh

more details:- crontab.guru

I tested it on my personal site and it worked

jeremylugros commented 2 years ago

Hi @franciscopaniskaseker. So far, after a couple of weeks looking everywhere, this is the only solution that has worked, even if it is temporary. I've signed in here just to thank you.

franciscopaniskaseker commented 1 year ago

@jeremylugros thank you. Today I had another server that was not applying the mail certificate.

I had to execute the /root/.acme.sh/acme.sh @mencargo command (https://github.com/usmannasir/cyberpanel/issues/434#issuecomment-1034365721) and then the 3 commands that I sent here https://github.com/usmannasir/cyberpanel/issues/434#issuecomment-699133443

so the problem is still happening :(

perekhodovilya commented 1 year ago

The SSL cert can be fixed with this command:

postmap -F hash:/etc/postfix/vmail_ssl.map
systemctl restart postfix
systemctl restart dovecot

It works!

essaund commented 1 year ago

This bug seems not to go away. I encountered it around January this year. Then it happened again 6 days ago. CyberPanel shows the mail server was issued with an SSL. But Gmail shows the SSL is invalid. While Checktls Mail SSL expired 6 days ago.

Thankfully, this works.

The SSL cert can be fixed with this command:

postmap -F hash:/etc/postfix/vmail_ssl.map
systemctl restart postfix
systemctl restart dovecot

Amsal1 commented 1 year ago

This bug seems not to go away. I encountered it around January this year. Then it happened again 6 days ago. CyberPanel shows the mail server was issued with an SSL. But Gmail shows the SSL is invalid. While Checktls Mail SSL expired 6 days ago.

Thankfully, this works.

The SSL cert can be fixed with this command:

postmap -F hash:/etc/postfix/vmail_ssl.map
systemctl restart postfix
systemctl restart dovecot

I had been facing this for the last few weeks, finally these commands fixed it!!