1

Topic: NET::ERR_CERT_AUTHORITY_INVALID on Chrome

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.2.1 MARIADB edition
- Deployed with iRedMail Easy or the downloadable installer? downloadable installer
- Linux/BSD distribution name and version: freebsd
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): mysql
- Web server (Apache or Nginx): nginx
- Manage mail accounts with iRedAdmin-Pro? no
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
I'm planning a server hardware upgrade from an old 2010 machine running iRedMail 1.0.
I finished installing 1.2.1 on the newer server and could access https://IP/mail and https://IP/iredadmin. I have valid letsencrypt certs, which are also working with the old server.

DNS resolves, but the 'not secure' warning keeps showing, even after the respective iRedMail cert/key are linked to the letsencrypt ones, as described in the letsencrypt instructions for FreeBSD.

The 'not secure' to the left of the URL, where there is normally a green padlock, shows some invalid root certificate that expires on 26 April 2030, not the letsencrypt ones that are linked.

If I run this,

openssl x509 -noout -dates -in /usr/local/etc/letsencrypt/live/domain.com/cert.pem

I get

notBefore=Mar 20 21:02:25 2020 GMT
notAfter=Jun 18 21:02:25 2020 GMT

Do you know why they can't latch properly to the iRedMail certs/keys?

Thank you.

2

Re: NET::ERR_CERT_AUTHORITY_INVALID on Chrome

A letsencrypt certificate certifies a domain, not an IP address; use the FQDN of your server, e.g. mail.server.tld/iredadmin

3

Re: NET::ERR_CERT_AUTHORITY_INVALID on Chrome

MuPp3t33r wrote:

letsencrypt certificate certifies a domain, not an IP address, use the FQDN of your server, eg: mail.server.tld/iredadmin

Oh. I was trying to say that the installation was successful, and I was able to get a connection with just the IP address to /mail and /iredadmin.

After linking the letsencrypt certs to the iRedMail crt and key in /etc/ssl/, it does not latch on to the letsencrypt certs at all, and the browsers show it.

On Safari, I could get a connection to fully-qualified-domain-name/mail, but it wants me to accept the (self-signed) cert and trust it; after that, I could use it.

On Android Chrome, it wants me to accept the risk after I click on the Advanced button, then I can proceed to the site.

On Chrome desktop, it fails completely to load, with no Advanced button, just messages like these:

Your connection is not private
Attackers might be trying to steal your information from test.example.com (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_AUTHORITY_INVALID

and just below

test.example.com normally uses encryption to protect your information. When Google Chrome tried to connect to test.example.com this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be test.example.com, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.

You cannot visit test.example.com right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.

If, say, somehow the letsencrypt certs are 'damaged' and become invalid, does it fall back to the backup certs, like iRedMail.crt.bak and iRedMail.key.bak?

Thanks.

4

Re: NET::ERR_CERT_AUTHORITY_INVALID on Chrome

hunkiat wrote:

After linking the letsencrypt certs to iRedMail crt and key in /etc/ssl/, it does not latch on to the letsencrypt certs at all. If say somehow the letsencrypt certs are 'damaged' and become invalid, does it fall back to the backup certs, like in iRedMail.crt.bak and iRedMail.key.bak?

No, the software does not know what certs are available to use; it will use explicitly the certificate that is defined in the configuration. If you have correctly linked the certificates as instructed HERE, then that must mean you have not restarted the services for them to start using the new certificate, therefore you're still on the self-signed one.

If you try openssl x509 -noout -dates -in /etc/ssl/certs/iRedMail.crt and get the same result as for your letsencrypt cert, then you've linked it right; otherwise you're still using your self-signed one.
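One way to run that diagnosis end to end, as an added example that is not from the thread or the iRedMail project: the script checks that the iRedMail cert/key paths hold the Let's Encrypt files, prints the expiry of the cert on disk, and compares the certificate nginx actually serves with the one on disk (a mismatch means the services were not restarted after relinking). Paths follow the thread (/etc/ssl/certs/iRedMail.crt, /usr/local/etc/letsencrypt/live/<domain>/); the key path /etc/ssl/private/iRedMail.key and the file names cert.pem/privkey.pem are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): verify the iRedMail cert/key links
# and whether the running nginx serves the certificate that is on disk.
# Assumed paths: /etc/ssl/private/iRedMail.key, and cert.pem/privkey.pem
# under the Let's Encrypt live directory (pass other names as $2/$3).

# same_file CONFIGURED EXPECTED: succeed when the configured path (symlinks
# are followed by cmp) holds byte-identical content to the expected file.
same_file() {
    [ -r "$1" ] && [ -r "$2" ] && cmp -s "$1" "$2"
}

# file_fingerprint PATH: SHA-256 fingerprint of the certificate in PATH.
file_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null
}

# served_fingerprint HOST: fingerprint of the leaf certificate the live
# server presents for HOST (with SNI), i.e. what the browser actually sees.
served_fingerprint() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# check DOMAIN [CRT] [KEY]: report link correctness, expiry on disk, and
# whether the running server matches the file on disk.
check() {
    le="/usr/local/etc/letsencrypt/live/$1"
    crt="$le/${2:-cert.pem}"; key="$le/${3:-privkey.pem}"
    for pair in "/etc/ssl/certs/iRedMail.crt:$crt" \
                "/etc/ssl/private/iRedMail.key:$key"; do
        cfg=${pair%%:*}; want=${pair#*:}
        if same_file "$cfg" "$want"; then
            echo "OK       $cfg matches $want"
        else
            echo "MISMATCH $cfg does not match $want (link wrong, or still the self-signed file)"
        fi
    done
    echo "On disk:"
    openssl x509 -noout -dates -in /etc/ssl/certs/iRedMail.crt 2>/dev/null || echo "  (cannot read cert)"
    disk=$(file_fingerprint /etc/ssl/certs/iRedMail.crt)
    live=$(served_fingerprint "$1")
    if [ -n "$disk" ] && [ "$disk" = "$live" ]; then
        echo "OK       nginx serves the certificate that is on disk"
    else
        echo "STALE    nginx serves a different certificate; restart the services after relinking"
    fi
}

if [ $# -ge 1 ]; then check "$1"; fi
```

Run it as root on the mail server with the FQDN as the argument; the STALE line is the case the thread describes, where the files are linked correctly but nginx still holds the old self-signed cert in memory.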

5 (edited by hunkiat 2020-05-23 21:20:31)

Re: NET::ERR_CERT_AUTHORITY_INVALID on Chrome

MuPp3t33r wrote:
hunkiat wrote:

After linking the letsencrypt certs to iRedMail crt and key in /etc/ssl/, it does not latch on to the letsencrypt certs at all. If say somehow the letsencrypt certs are 'damaged' and become invalid, does it fall back to the backup certs, like in iRedMail.crt.bak and iRedMail.key.bak?

No, the software does not know what certs are available to use; it will use explicitly the certificate that is defined in the configuration. If you have correctly linked the certificates as instructed HERE, then that must mean you have not restarted the services for them to start using the new certificate, therefore you're still on the self-signed one.

If you try openssl x509 -noout -dates -in /etc/ssl/certs/iRedMail.crt and get the same result as for your letsencrypt cert, then you've linked it right; otherwise you're still using your self-signed one.

I have confirmed that the letsencrypt certs are invalid... not because they originally were, but because when I copied them over from the original server, something went wrong with the symlinks and the renewal within them, and they will expire in under 30 days. The certs are wildcard ones, and still running fine on the earlier server.

I don't have Certbot on the new server... because installing it requires Python 3.7, which was not the default; in its place were the default Python 2.7 and 3.8. Only after finally getting it installed and running the command "certbot certificates" did it say they were invalid.

My apologies if I sent anyone on a go-around, and thank you for your replies, MuPp3t33r. :-)

6

Re: NET::ERR_CERT_AUTHORITY_INVALID on Chrome

Ah yes, I assumed you had installed certbot and generated keys, not just copied them over :)