1

Topic: Letsencrypt can't install certificate

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):
1.0
- Deployed with iRedMail Easy or the downloadable installer?
Downloadable installer
- Linux/BSD distribution name and version:
Ubuntu 18.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
MySQL
- Web server (Apache or Nginx):
Nginx
- Manage mail accounts with iRedAdmin-Pro?
No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I've installed iRedMail 1.0 on a fresh Ubuntu 18.04 64-bit system.  All went well, and the system is working fine with its default self-signed certificate.  But I encountered a problem trying to install a Letsencrypt certificate.  The Certbot script first said:

    No names were found in your configuration files. Please enter in your domain
    name(s) (comma and/or space separated) (Enter 'c' to cancel):

I entered my domain names (haywired.org, packet.haywired.org, mail.haywired.org), and it continued OK, ending with this:

    Could not automatically find a matching server block for haywired.org. Set the `server_name` directive to use the Nginx installer.

    IMPORTANT NOTES:
    - Unable to install the certificate
    - Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/haywired.org/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/haywired.org/privkey.pem
    Your cert will expire on 2020-03-30. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the "certonly" option. To non-interactively renew *all* of
    your certificates, run "certbot renew"

I haven't used nginx before, so am struggling to understand where the "matching server block for haywired.org" should be found.
/etc/nginx/sites-available contains only 00-default.conf and 00-default-ssl.conf and I see no reference anywhere to my domains.

Should something have been set up as part of iRedMail's installation of nginx?
Can you suggest what I should do to fix this?


2

Re: Letsencrypt can't install certificate

FYI: https://docs.iredmail.org/letsencrypt.html

3

Re: Letsencrypt can't install certificate

I'm embarrassed that I didn't see that doc...

I've followed its instructions now, but nginx won't start.  If I revert to the iRedMail self-signed certificate all is well again.

Of course my original attempt included using the command "certbot nginx" so presumably that's messed things up.

Is it worth trying to dig myself out of this, or would it be simpler to start again and reinstall?  Properly...

4

Re: Letsencrypt can't install certificate

Don't run certbot with the "nginx" argument, it will modify Nginx config files under /etc/nginx/, and it will mess up the (Nginx) configuration done by iRedMail.

Please check files under /etc/nginx/sites-enabled/, restore the files generated by iRedMail, make sure letsencrypt cert files have been correctly linked, restart nginx service, then it should work.

5

Re: Letsencrypt can't install certificate

ZhangHuangbin wrote:

Don't run certbot with the "nginx" argument, it will modify Nginx config files under /etc/nginx/, and it will mess up the (Nginx) configuration done by iRedMail.

Please check files under /etc/nginx/sites-enabled/, restore the files generated by iRedMail, make sure letsencrypt cert files have been correctly linked, restart nginx service, then it should work.

Thanks for this.
/etc/nginx/sites-enabled contains
00-default.conf
00-default-ssl.conf

Where can I find the files generated by iRedMail?  /etc/nginx/sites-enabled.bak just contains
"default" with a broken link to /etc/nginx/sites-available/default

6

Re: Letsencrypt can't install certificate

- Check file /etc/nginx/templates/ssl.tmpl, which ssl cert/key files does it load?
- Please make sure /etc/letsencrypt/archive and "live" directories are accessible by Nginx daemon user.
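
The two checks in the reply above, scripted as an added example (not part of the original post and not iRedMail's own tooling): list the cert/key files an nginx config loads, then flag dangling symlinks and directories the nginx user cannot traverse. The function names and script name are hypothetical; it assumes GNU `readlink`/`stat` and that the nginx user falls under the "other" permission bits.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU readlink/stat, and that the
# nginx user is neither owner nor group of the directories ("other" bits apply).

# Print the paths named by ssl_certificate / ssl_certificate_key in file $1.
cert_paths() {
    awk '$1 ~ /^ssl_certificate(_key)?$/ { sub(/;$/, "", $2); print $2 }' "$1"
}

# Print the outermost directory above $1 lacking o+x (search permission for
# "other"); print an empty line if all are traversable. Stops at $2 (default /).
blocked_dir() {
    bd_dir=$(dirname "$1"); bd_top=${2:-/}; bd_bad=""
    while :; do
        bd_mode=$(stat -c %a "$bd_dir")
        bd_last=${bd_mode#"${bd_mode%?}"}   # last octal digit = "other" bits
        if [ $(( $bd_last & 1 )) -eq 0 ]; then bd_bad=$bd_dir; fi
        if [ "$bd_dir" = "$bd_top" ] || [ "$bd_dir" = "/" ]; then break; fi
        bd_dir=$(dirname "$bd_dir")
    done
    printf '%s\n' "$bd_bad"
}

# Audit every cert/key path in config $1; return 0 only if all of them pass.
audit_conf() {
    ac_rc=0
    for ac_p in $(cert_paths "$1"); do
        ac_target=$(readlink -f "$ac_p" || true)
        if [ -z "$ac_target" ] || [ ! -e "$ac_target" ]; then
            echo "BROKEN   $ac_p (missing file or dangling symlink)"; ac_rc=1
            continue
        fi
        ac_ok=1
        # Check both the configured path (live/) and its target (archive/).
        for ac_q in $(printf '%s\n' "$ac_p" "$ac_target" | sort -u); do
            ac_bad=$(blocked_dir "$ac_q" "${2:-/}")
            if [ -n "$ac_bad" ]; then
                echo "NOACCESS $ac_q ($ac_bad lacks o+x)"; ac_ok=0; ac_rc=1
            fi
        done
        if [ "$ac_ok" -eq 1 ]; then echo "OK       $ac_p -> $ac_target"; fi
    done
    return "$ac_rc"
}

# Usage: sh audit-certs.sh /etc/nginx/templates/ssl.tmpl
if [ "$#" -gt 0 ]; then audit_conf "$@"; fi
```

Run it as root so `readlink` can follow the links under /etc/letsencrypt/live; a `BROKEN` or `NOACCESS` line points at the path to fix before restarting nginx.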

7

Re: Letsencrypt can't install certificate

ZhangHuangbin wrote:

- Check file /etc/nginx/templates/ssl.tmpl, which ssl cert/key files does it load?
- Please make sure /etc/letsencrypt/archive and "live" directories are accessible by Nginx daemon user.

I think I've messed things up more than I thought.  I'll waste no more of your time, and I'll start over again.  Apologies, and thanks for your patience.