1

Topic: Certificate renew issue

======== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): Latest
- Linux/BSD distribution name and version: debian 9
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): mysql
- Web server (Apache or Nginx):Nginx
- Manage mail accounts with iRedAdmin-Pro? Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi there,

I received some mails that my certs need to be renewed, so I tried, but then it says:
What can I do to force renew the certificates?

root@easyvoicemail-nl:~# sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/easyvoicemail.nl.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/easyvoicemail.nl-0001.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mail.easyvoicemail.nl.conf
-------------------------------------------------------------------------------
expected /etc/letsencrypt/live/mail.easyvoicemail.nl/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/mail.easyvoicemail.nl.conf is broken. Skipping.

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/easyvoicemail.nl/fullchain.pem (skipped)
  /etc/letsencrypt/live/easyvoicemail.nl-0001/fullchain.pem (skipped)
No renewals were attempted.

Additionally, the following renewal configuration files were invalid:
  /etc/letsencrypt/renewal/mail.easyvoicemail.nl.conf (parsefail)
0 renew failure(s), 1 parse failure(s)

Thanks


2

Re: Certificate renew issue

Sorry for flooding; I did get this error after posting a topic:

Sorry! The page could not be loaded.

Unable to send e-mail.
Please contact the forum administrator with the following error message reported by the SMTP server: "450 4.1.2 : Recipient address rejected: Domain not found "

The error occurred on line 124 in /opt/www/vhosts/forum.iredmail.org/include/email.php

3

Re: Certificate renew issue

Hello anyone here?

4

Re: Certificate renew issue

shaady wrote:

I received some mails that my certs need to be renewed, so I tried, but then it says:

Did you request other certs before? I think the email notifications you received are for other certs, because the certs on your server are not yet due. It's safe to ignore them if they're not used.

5 (edited by shaady 2018-07-11 22:41:03)

Re: Certificate renew issue

Hi there, thanks for your reply;

The mail is about the certs of the mail domains easyvoicemail.nl and easyvoiceonline.nl; they will expire today at around 1:30 pm.

So I now need to renew them, but they don't want to get renewed..

Kind regards,

PS> I tried;


root@easyvoicemail-nl:~# sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


EDIT;

I performed: certbot certonly --webroot; it says congratulations but still no effect.

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/easyvoicemail.nl.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for easyvoicemail.nl
http-01 challenge for easyvoiceonline.nl
http-01 challenge for imap.easyvoicemail.nl
http-01 challenge for mail.easyvoicemail.nl
http-01 challenge for mail.easyvoiceonline.nl
http-01 challenge for secure.easyvoicemail.nl
http-01 challenge for secure.easyvoiceonline.nl
http-01 challenge for smtp.easyvoicemail.nl
http-01 challenge for www.easyvoicemail.nl
http-01 challenge for www.easyvoiceonline.nl
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0010_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0010_csr-certbot.pem

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/easyvoicemail.nl-0001.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for easyvoicemail.nl
http-01 challenge for easyvoiceonline.nl
http-01 challenge for imap.easyvoicemail.nl
http-01 challenge for imap.easyvoiceonline.nl
http-01 challenge for mail.easyvoicemail.nl
http-01 challenge for mail.easyvoiceonline.nl
http-01 challenge for secure.easyvoicemail.nl
http-01 challenge for smtp.easyvoicemail.nl
http-01 challenge for smtp.easyvoiceonline.nl
http-01 challenge for www.easyvoicemail.nl
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0011_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0011_csr-certbot.pem

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mail.easyvoicemail.nl.conf
-------------------------------------------------------------------------------
expected /etc/letsencrypt/live/mail.easyvoicemail.nl/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/mail.easyvoicemail.nl.conf is broken. Skipping.
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/easyvoicemail.nl/fullchain.pem (success)
  /etc/letsencrypt/live/easyvoicemail.nl-0001/fullchain.pem (success)

Additionally, the following renewal configuration files were invalid:
  /etc/letsencrypt/renewal/mail.easyvoicemail.nl.conf (parsefail)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
0 renew failure(s), 1 parse failure(s)
root@easyvoicemail-nl:~#

But it doesn't seem to take any effect;
(see screenshot) I highlighted the expiration date:

6 (edited by shaady 2018-07-12 06:15:40)

Re: Certificate renew issue

I decided to start over again with a fresh install. I've taken all the steps, but now there is an issue with the certbot first-time certification. How to fix this?

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA … -2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: a
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel):mail.easyvoicemail.nl, www.easyvoicemail.nl, secure.easyvoicemail.nl, easyvoicemail.nl, imap.easyvoicemail.nl, smtp.easyvoicemail.nl, secure.easyvoiceonline.nl, easyvoiceonline.nl, imap.easyvoiceonline.nl, smtp.easyvoiceonline.nl, mail.easyvoiceonline.nl, secure.easyvoiceonline.nl
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.easyvoicemail.nl
http-01 challenge for www.easyvoicemail.nl
http-01 challenge for secure.easyvoicemail.nl
http-01 challenge for easyvoicemail.nl
http-01 challenge for imap.easyvoicemail.nl
http-01 challenge for smtp.easyvoicemail.nl
http-01 challenge for secure.easyvoiceonline.nl
http-01 challenge for easyvoiceonline.nl
http-01 challenge for imap.easyvoiceonline.nl
http-01 challenge for smtp.easyvoiceonline.nl
http-01 challenge for mail.easyvoiceonline.nl
http-01 challenge for secure.easyvoiceonline.nl

Select the webroot for mail.easyvoicemail.nl:
-------------------------------------------------------------------------------
1: Enter a new webroot
-------------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
Input the webroot for mail.easyvoicemail.nl: (Enter 'c' to cancel):1

-------------------------------------------------------------------------------
1 does not exist or is not a directory
-------------------------------------------------------------------------------
Input the webroot for mail.easyvoicemail.nl: (Enter 'c' to cancel):/var/www

Select the webroot for www.easyvoicemail.nl:
-------------------------------------------------------------------------------
1: Enter a new webroot
2: /var/www
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Select the webroot for secure.easyvoicemail.nl:
-------------------------------------------------------------------------------
1: Enter a new webroot
2: /var/www
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Select the webroot for easyvoicemail.nl:
-------------------------------------------------------------------------------
1: Enter a new webroot
2: /var/www
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Select the webroot for imap.easyvoicemail.nl:
-------------------------------------------------------------------------------
1: Enter a new webroot
2: /var/www
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Select the webroot for smtp.easyvoicemail.nl:
-------------------------------------------------------------------------------
1: Enter a new webroot
2: /var/www
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Select the webroot for secure.easyvoiceonline.nl:
-------------------------------------------------------------------------------
1: Enter a new webroot
2: /var/www
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Select the webroot for easyvoiceonline.nl:
-------------------------------------------------------------------------------
1: Enter a new webroot
2: /var/www
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Select the webroot for imap.easyvoiceonline.nl:
-------------------------------------------------------------------------------
1: Enter a new webroot
2: /var/www
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Select the webroot for smtp.easyvoiceonline.nl:
-------------------------------------------------------------------------------
1: Enter a new webroot
2: /var/www
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Select the webroot for mail.easyvoiceonline.nl:
-------------------------------------------------------------------------------
1: Enter a new webroot
2: /var/www
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Waiting for verification...
Cleaning up challenges
An unexpected error occurred:
OSError: [Errno 2] No such file or directory: '/var/www/.well-known/acme-challenge/8ED-n96c3mDsqsLx0YK2PxTgqK3f-q3aF08i9beCTD0'
Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:
- If you lose your account credentials, you can recover through
   e-mails sent to shaady@e-mailadres.fake.
- The following errors were reported by the server:

   Domain: mail.easyvoicemail.nl
   Type:   unauthorized
   Detail: Invalid response from
   http://mail.easyvoicemail.nl/.well-know … Sk-FuJYVE:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   Domain: secure.easyvoicemail.nl
   Type:   unauthorized
   Detail: Invalid response from
   http://secure.easyvoicemail.nl/.well-kn … 8sqM-xPkM:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   Domain: easyvoiceonline.nl
   Type:   unauthorized
   Detail: Invalid response from
   http://easyvoiceonline.nl/.well-known/a … EPQEkwsjU:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   Domain: smtp.easyvoiceonline.nl
   Type:   unauthorized
   Detail: Invalid response from
   http://smtp.easyvoiceonline.nl/.well-kn … twG8oaSXE:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   Domain: smtp.easyvoicemail.nl
   Type:   unauthorized
   Detail: Invalid response from
   http://smtp.easyvoicemail.nl/.well-know … LASitllYg:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   Domain: www.easyvoicemail.nl
   Type:   unauthorized
   Detail: Invalid response from
   http://www.easyvoicemail.nl/.well-known … qdOc1EICM:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   Domain: imap.easyvoicemail.nl
   Type:   unauthorized
   Detail: Invalid response from
   http://imap.easyvoicemail.nl/.well-know … h1SSHFX9Q:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   Domain: imap.easyvoiceonline.nl
   Type:   unauthorized
   Detail: Invalid response from
   http://imap.easyvoiceonline.nl/.well-kn … P1rAiCaKY:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   Domain: mail.easyvoiceonline.nl
   Type:   unauthorized
   Detail: Invalid response from
   http://mail.easyvoiceonline.nl/.well-kn … eaE5bCErA:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   Domain: easyvoicemail.nl
   Type:   unauthorized
   Detail: Invalid response from
   http://easyvoicemail.nl/.well-known/acm … SivF_r43I:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   Domain: secure.easyvoiceonline.nl
   Type:   unauthorized
   Detail: Invalid response from
   http://secure.easyvoiceonline.nl/.well- … 8i9beCTD0:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.
- Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

7

Re: Certificate renew issue

Make sure you specify correct web document root for each domain name.
You can run 'certbot' with -d and -w arguments like below for this purpose:

certbot certonly --webroot -w /var/www/html -d mail.mydomain.com

- it means web document root for domain name 'mail.mydomain.com' is /var/www/html.
- If you have multiple domains, just add more -w and -d pairs like "-w /path1 -d domain1 -w /path2 -d domain2".
- If one web document root is used by multiple domains, use one -w with multiple -d like: "-w /path1 -d domain1 -d domain2"

8

Re: Certificate renew issue

ZhangHuangbin wrote:

Make sure you specify correct web document root for each domain name.
You can run 'certbot' with -d and -w arguments like below for this purpose:

certbot certonly --webroot -w /var/www/html -d mail.mydomain.com

- it means web document root for domain name 'mail.mydomain.com' is /var/www/html.
- If you have multiple domains, just add more -w and -d pairs like "-w /path1 -d domain1 -w /path2 -d domain2".
- If one web document root is used by multiple domains, use one -w with multiple -d like: "-w /path1 -d domain1 -d domain2"

Hi thanks, just to be sure;

This is right, right?

certbot certonly --webroot -w /var/www/html -d mail.easyvoicemail.nl, www.easyvoicemail.nl, secure.easyvoicemail.nl, easyvoicemail.nl, imap.easyvoicemail.nl, smtp.easyvoicemail.nl, secure.easyvoiceonline.nl, easyvoiceonline.nl, imap.easyvoiceonline.nl, smtp.easyvoiceonline.nl, mail.easyvoiceonline.nl, secure.easyvoiceonline.nl

9

Re: Certificate renew issue

shaady wrote:

This is right, right?

you just didn't read my reply ...
Use '-d' for each domain name.

10 (edited by shaady 2018-07-12 18:01:11)

Re: Certificate renew issue

ZhangHuangbin wrote:
shaady wrote:

This is right, right?

you just didn't read my reply ...
Use '-d' for each domain name.


Sorry I missed that, how about?

certbot certonly --webroot -w /var/www/html -d mail.easyvoicemail.nl, -d www.easyvoicemail.nl, -d secure.easyvoicemail.nl, -d easyvoicemail.nl, -d imap.easyvoicemail.nl, -d smtp.easyvoicemail.nl, -d secure.easyvoiceonline.nl, -d easyvoiceonline.nl, -d imap.easyvoiceonline.nl, -d smtp.easyvoiceonline.nl, -d mail.easyvoiceonline.nl, -d secure.easyvoiceonline.nl

it says "Requested domain  is not a FQDN because it contains an empty label."

Whoops, forgot to remove the ",". After that it seemed fine; moved the files to /etc/ssl/ but still no luck..
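
As an added example (not part of the original posts), a small POSIX shell helper that turns a pasted comma- or space-separated domain list into one -d per name for the webroot command discussed above, rejecting names with empty labels and dropping duplicates. The function names and the example.com/example.org domains are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: build "certbot certonly --webroot" arguments from a pasted list.
# Domain names used here are constructed placeholders.

# is_fqdn NAME: succeed only if NAME has two or more non-empty labels
# made of hostname characters.
is_fqdn() {
    case "$1" in
        ""|.*|*.|*..*) return 1 ;;      # empty label, e.g. from a stray dot
        *[!A-Za-z0-9.-]*) return 1 ;;   # character not allowed in a hostname
        *.*) return 0 ;;
        *) return 1 ;;                  # single label, not fully qualified
    esac
}

# build_certbot_cmd WEBROOT "LIST": print the command line, one -d per name.
# Commas and whitespace in LIST are treated as separators only, so none of
# them ever reaches certbot as part of a domain name.
build_certbot_cmd() {
    webroot=$1
    seen=" "
    cmd="certbot certonly --webroot -w $webroot"
    list=$(printf '%s' "$2" | tr ',\t ' '\n\n\n')
    while IFS= read -r name; do
        [ -n "$name" ] || continue                  # gap between separators
        is_fqdn "$name" || { echo "not a FQDN: '$name'" >&2; return 1; }
        case "$seen" in
            *" $name "*) continue ;;                # name already listed once
        esac
        seen="$seen$name "
        cmd="$cmd -d $name"
    done <<EOF
$list
EOF
    printf '%s\n' "$cmd"
}

# Demo with a constructed list containing commas and a duplicate entry.
build_certbot_cmd /var/www/html "mail.example.com, www.example.com, mail.example.com"
```

The helper only prints the command; review it and run it yourself once the webroot is confirmed to be the directory the web server actually serves for those names.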

11

Re: Certificate renew issue

What do you mean "no luck"? What's the error message?

12

Re: Certificate renew issue

ZhangHuangbin wrote:

What do you mean "no luck"? What's the error message?


With no luck I meant that I had no luck with the ssl certification, although it says:

Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/mail.easyvoicemail.nl/fullchain.pem. Your
   cert will expire on 2018-10-10. To obtain a new or tweaked version
   of this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew

When I go to one of the domains like https://easyvoicemail.nl it keeps saying unsafe connection.


Kind regards,

13

Re: Certificate renew issue

- Did you still run the 'certbot renew' command with '--dry-run' argument? With '--dry-run', it just verifies the whole procedure is ok, but will NOT actually renew the cert.
- Did you update Nginx config files to use new cert?

14

Re: Certificate renew issue

ZhangHuangbin wrote:

- Did you still run the 'certbot renew' command with '--dry-run' argument? With '--dry-run', it just verifies the whole procedure is ok, but will NOT actually renew the cert.
- Did you update Nginx config files to use new cert?


Hi, I didn’t perform a dry run.

Can you please send me the documentation to update the nginx config?

Thanks!

15

Re: Certificate renew issue

Check file /etc/nginx/templates/ssl.tmpl, do you have correct ssl certs in this file?

16 (edited by shaady 2018-07-13 04:24:34)

Re: Certificate renew issue

ZhangHuangbin wrote:

Check file /etc/nginx/templates/ssl.tmpl, do you have correct ssl certs in this file?

So I should run these commands, right?
rm -f /etc/ssl/private/iRedMail.key
rm -f /etc/ssl/certs/iRedMail.crt
ln -s /etc/letsencrypt/live/mail.easyvoicemail.nl/privkey.pem /etc/ssl/private/iRedMail.key
ln -s /etc/letsencrypt/live/mail.easyvoicemail.nl/fullchain.pem /etc/ssl/certs/iRedMail.crt

YES! I did run the commands above and it's done! Thanks for your help again!
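
An added example, not from the thread: two shell checks for the symptoms seen here, one that every entry in a certbot live/ directory is still a symlink (the "expected ... cert.pem to be a symlink" parse failure) and one that a service-side link such as iRedMail.crt points at the intended file. Function names and the temporary demo tree are constructed; the demo assumes certbot's usual layout, where live/ entries link into ../../archive/.

```shell
#!/bin/sh
# Added example: detect a broken certbot lineage and stale service symlinks.
# The demo at the bottom runs against a constructed tree in a temp directory.

# check_lineage LIVE_DIR: all four entries must be symlinks that resolve.
check_lineage() {
    live=$1
    bad=0
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        p="$live/$f"
        if [ ! -L "$p" ]; then
            echo "BROKEN $p: not a symlink (renewal config will be skipped)"
            bad=1
        elif [ ! -e "$p" ]; then
            echo "BROKEN $p: dangling symlink"
            bad=1
        fi
    done
    return $bad
}

# check_service_link LINK WANT: LINK must be a symlink whose target is WANT,
# so the service picks up each renewed certificate without manual copying.
check_service_link() {
    link=$1
    want=$2
    [ -L "$link" ] || { echo "STALE $link: not a symlink"; return 1; }
    [ "$(readlink "$link")" = "$want" ] || {
        echo "STALE $link -> $(readlink "$link"), expected $want"; return 1; }
    [ -e "$link" ] || { echo "STALE $link: target missing"; return 1; }
}

# make_demo_tree DIR: constructed live/ + archive/ layout plus service links.
make_demo_tree() {
    mkdir -p "$1/archive/mail.example.com" "$1/live/mail.example.com" "$1/ssl"
    for f in cert chain fullchain privkey; do
        : > "$1/archive/mail.example.com/${f}1.pem"
        ln -s "../../archive/mail.example.com/${f}1.pem" \
              "$1/live/mail.example.com/$f.pem"
    done
    ln -s "$1/live/mail.example.com/fullchain.pem" "$1/ssl/iRedMail.crt"
    ln -s "$1/live/mail.example.com/privkey.pem" "$1/ssl/iRedMail.key"
}

demo=$(mktemp -d)
make_demo_tree "$demo"
check_lineage "$demo/live/mail.example.com" && echo "lineage ok"
# Simulate the failure from the first post: a copied file replaces the symlink.
rm "$demo/live/mail.example.com/cert.pem"
cp "$demo/archive/mail.example.com/cert1.pem" "$demo/live/mail.example.com/cert.pem"
check_lineage "$demo/live/mail.example.com" || echo "lineage broken, as expected"
rm -rf "$demo"
```

On a real server the arguments would be the live directory under /etc/letsencrypt and the link/target pairs created by the ln -s commands above.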