1 (edited by ikewinski 2016-03-26 22:56:04)

Topic: Let's Encrypt and SOGo libffi version conflict on CentOS 6.7

======== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.4
- Linux/BSD distribution name and version: CentOS 6.7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? No
- Related log if you're reporting an issue:
====

The Let's Encrypt client is not playing nice with these libraries from SOGo:

libffi.x86_64                      3.0.10-1                            @SOGo
libffi-devel.x86_64                3.0.10-1                            @SOGo

I have a working Let's Encrypt client installed on a similar CentOS 6.7 machine which has these versions:

libffi.x86_64                        3.0.5-3.2.el6                      @anaconda-CentOS-201508042137.x86_64/6.7
libffi-devel.x86_64                  3.0.5-3.2.el6                      @base

The specific error when running the letsencrypt-auto client references libffi during installation of the virtual environment:

c/_cffi_backend.c:13:17: error: ffi.h: No such file or directory

I think I can temporarily remove SOGo version, get a certificate and then switch back. Obviously this isn't a long term solution since the certificates need to be renewed every 90 days. A script that restarts various services as needed after renewal is fine (if less than perfect), but I don't think I'm willing to automate the library downgrade.

That is, if I can make this work. I have removed sogo with yum but that doesn't remove the libraries. When I do 'yum remove libffi libffi-devel' I end up at:

Error: Trying to remove "yum", which is protected

Post's attachments: irm1.txt (11.12 kb)


2

Re: Let's Encrypt and SOGo libffi version conflict on CentOS 6.7

I've been pointed to an alternative client written in bash only. I'm going to give this a try:

https://github.com/Neilpang/le

3 (edited by ikewinski 2016-03-27 13:34:20)

Re: Let's Encrypt and SOGo libffi version conflict on CentOS 6.7

This client by Neil Pang works with just minor shortcomings compared to the official client (the tradeoff in hassle is worth it).

Mainly there isn't a prompt to require email registration or agree to the ToS. I also don't see revocation facilities yet.

I created a regular system account to install the client and do the key registration, as I really wanted to avoid running this as root. No sudo privileges were required, which is another benefit it has over the official LE client.

Initially I tried copying the cert and keyfiles over the existing iRedMail ones, but it seems OK to just repoint apache, dovecot and postfix to the new certs in my non-priv user account right where the client creates them. This has some advantages and little downside I can see, but I'm welcome to be corrected.

Now the only remaining task I have is to ensure the services are all reloaded when keys are actually renewed. For this I think the key management user should get a sudo entry permitting just the specific 'service postfix/httpd/dovecot reload' commands with no passwd.

I can envision other ways to do this, by periodically running a script as root to check the age of the certificates and expect key updates at certain intervals. These seem like relatively low risks either way.

I will be a new iRedAdmin-Pro customer soon, and I would love to see it built into the platform so that when I add new domains in the interface and check a box to set it up, the Neil Pang le bash client installs the certificate for me. I'll be doing it by hand for every domain until then...
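The reload step described in the post above (an unprivileged certificate account that may only run specific `service ... reload` commands through sudo, plus a periodic check that renewal is really happening), written out as an added example. This is not code from this thread, from iRedMail or from the le client; the certificate path under `~/.le`, the stamp file, the account name `lecert`, the sudoers file location and the service names are all assumptions and should be adjusted to the real installation.

```shell
#!/bin/sh
# Added example for this thread, not code from iRedMail or the le client:
# a post-renewal hook run by the unprivileged certificate account. It reloads
# Postfix, Dovecot and Apache only when the certificate file actually changed
# since the last deployment, using a narrow NOPASSWD sudo entry. All paths,
# the account name "lecert" and the service names are assumptions.
#
# Assumed /etc/sudoers.d/le-reload (mode 0440, check with "visudo -c"),
# granting exactly the three reloads and nothing else:
#   lecert ALL=(root) NOPASSWD: /sbin/service postfix reload, \
#                               /sbin/service dovecot reload, \
#                               /sbin/service httpd reload

CERT="${CERT:-$HOME/.le/mail.example.com/fullchain.cer}"  # assumed client output path
STAMP="${STAMP:-$HOME/.le/.deployed-fullchain.cer}"       # copy of what was last deployed
SERVICES="${SERVICES:-postfix dovecot httpd}"
SUDO="${SUDO:-sudo -n}"   # -n: never prompt, so a wrong sudoers fails instead of hanging in cron

# Exit status: 0 = certificate differs from the deployed copy (or nothing deployed yet),
# 1 = unchanged, 2 = certificate file missing or unreadable.
cert_changed() {
    [ -r "$CERT" ] || { echo "cannot read $CERT" >&2; return 2; }
    if [ -f "$STAMP" ] && cmp -s "$CERT" "$STAMP"; then
        return 1
    fi
    return 0
}

# Reload every service through sudo; stop at the first failure.
reload_services() {
    for svc in $SERVICES; do
        $SUDO /sbin/service "$svc" reload || {
            echo "reload of $svc failed" >&2
            return 1
        }
    done
    return 0
}

# Reload only when needed and record what was deployed.
# Exit status: 0 = reloaded, 1 = nothing to do, 2 = error.
deploy_if_renewed() {
    if cert_changed; then
        reload_services || return 2
        cp "$CERT" "$STAMP" || return 2
        echo "new certificate deployed, services reloaded" >&2
        return 0
    else
        rc=$?
        [ "$rc" -eq 1 ] && echo "certificate unchanged, nothing to reload" >&2
        return "$rc"
    fi
}

# Independent sanity check for the cron job: exit 0 if CERT expires within $1
# days (default 30), i.e. renewal has silently stopped working.
# Uses "openssl x509 -checkend", which exits 0 only while the cert stays valid.
cert_expires_within_days() {
    days="${1:-30}"
    if openssl x509 -noout -checkend "$((days * 86400))" -in "$CERT" >/dev/null 2>&1; then
        return 1   # still valid for longer than $days
    fi
    return 0       # expiring soon, or unreadable: needs attention either way
}

# Entry point: only act when invoked as "sh le-reload-hook.sh deploy",
# so the functions can also be sourced and tested without side effects.
if [ "${1:-}" = "deploy" ]; then
    deploy_if_renewed
    exit $?
fi
```

Run `sh le-reload-hook.sh deploy` from the certificate account's crontab right after the client's renewal run (or as the client's post-renewal command, if the version in use offers one; that is an assumption about the client). Before relying on it, log in as that account and confirm with `sudo -n -l` that exactly the three reload commands are listed and nothing else. The private key can stay mode 0600 in the account's home: Postfix, Dovecot and Apache open the key as root when they reload, so no wider permissions are needed, and a separate `cert_expires_within_days 14 && mail ...` line in the same crontab catches the case where renewal quietly stops working.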