1

Topic: Still can't get letsencrypt working

After reinstalling a fresh copy of the latest version from the installer on CentOS 7, I follow the procedure below, and I am pretty sure the webroot is wrong in the newer versions, since I don't get an error message from letsencrypt but the certificate is still not working.

https://docs.iredmail.org/letsencrypt.html is the document and it says to use this webroot

certonly --webroot -w /var/www/html -d mail.livesentinel.io 

should I use this one?

/opt/www/roundcubemail-1.3.8/plugins/managesieve/codemirror/mode/sieve/index.html

Thanks,

Kevin

0.9.9 MariaDB edition, on Nginx.



==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):
- Deployed with iRedMail Easy or the downloadable installer?
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====




2

Re: Still can't get letsencrypt working

What error did you get on console? Please paste the original message here.

----

Does my reply help a little? How about buying me a cup of coffee ($5) as an encouragement?

buy me a cup of coffee

3

Re: Still can't get letsencrypt working

I am not getting any error messages, which is the weird part, as you can see below. I just reread https://docs.iredmail.org/letsencrypt.html and it mentions that you now look at misc.tmpl for the web root. Mine is commented out, which should be the default. Maybe this is why the document is not working for me. Please let me know where the webroot is. I did a find on index.html and I am assuming the webroot should be off of /opt/www/roundcubemail and not var/www/html. I don't want to screw this up again and have to reinstall. I am trying to get the mail server out of my basement (which has been running great for many years) to a colocation facility finally. Thanks, Kevin

[root@vpn templates]# more misc.tmpl
# Allow access to '^/.well-known/'
location ~ ^/.well-known/ {
    allow all;
    access_log off;
    log_not_found off;
    autoindex off;
    #root /var/www/html;
}

# Deny all attempts to access hidden files such as .htaccess.
location ~ /\. { deny all; }

# Handling noisy messages
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
[root@vpn templates]#

[root@vpn ~]# certbot certonly --webroot -w /var/www/html -d mail.livesentinel.io
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/mail.livesentinel.io.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Resetting dropped connection: acme-v02.api.letsencrypt.org

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mail.livesentinel.io/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mail.livesentinel.io/privkey.pem
   Your cert will expire on 2019-06-30. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
- If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

4

Re: Still can't get letsencrypt working

kmoroz1 wrote:

[root@vpn ~]# certbot certonly --webroot -w /var/www/html -d mail.livesentinel.io

This command finished successfully, so you already have the ssl cert.
What's the issue right now? Any error message?


5

Re: Still can't get letsencrypt working

https://mail.livesentinel.io/ gives a certificate error.  This site is not secure. 

I think the webroot is wrong.  Last time I did this the certificate error went away but I could not get to the roundcube login page.  Now it is the other way around! 

Thanks,

Kevin

6

Re: Still can't get letsencrypt working

- Did you already get the letsencrypt ssl cert?
- If yes, just follow our tutorial to link the cert/key files to correct paths: https://docs.iredmail.org/letsencrypt.html


7

Re: Still can't get letsencrypt working

kmoroz1,

If you have the certificate, follow this post: https://forum.iredmail.org/topic13400-s … e-how.html

Just creating the symbolic link fixes you right up.

andrew

8

Re: Still can't get letsencrypt working

Yes I got the cert and went through both posts again and now I am back to where I started like last time.  I type in https://mail.livesentinel.io and now it just hangs!  I don't know why browsers keep pushing this crap on us.  I just want the insecure message to go away.

9

Re: Still can't get letsencrypt working

Finally got it working again. The key was to look in /var/log/letsencrypt/letsencrypt.log. It was a link issue. Copy and paste bit me! Close out the post. Thanks, Kevin

nginx: [emerg] BIO_new_file("/etc/pki/tls/certs/iRedMail.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/pki/tls/certs/iRedMail.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/plugins/disco.py", line 132, in prepare
    self._initialized.prepare()
  File "/usr/lib/python2.7/site-packages/certbot_nginx/configurator.py", line 149, in prepare
    self.config_test()
  File "/usr/lib/python2.7/site-packages/certbot_nginx/configurator.py", line 892, in config_test
    raise errors.MisconfigurationError(str(err))
MisconfigurationError: Error while running nginx -c /etc/nginx/nginx.conf -t.
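
The failure in the log above is nginx being unable to open the file its certificate path points at. As an added example (not part of the thread or of iRedMail), this script classifies such a path as missing, a dangling symlink, a link to the wrong file, or ok. The file names in `demo` are constructed stand-ins; on a real server, pass the path from the nginx error as an argument.

```shell
#!/bin/sh
# Added example (not from the thread): classify the file that an nginx
# ssl_certificate / ssl_certificate_key directive points at.

# check_link PATH [EXPECTED]
# Prints one of: dangling | missing | wrong-target | unreadable | ok
check_link() {
    path=$1 expected=${2:-}
    if [ -L "$path" ] && [ ! -e "$path" ]; then
        echo dangling; return 1      # symlink whose target does not exist
    fi
    if [ ! -e "$path" ]; then
        echo missing; return 1       # nothing at this path at all
    fi
    if [ -n "$expected" ] &&
       [ "$(readlink -f -- "$path")" != "$(readlink -f -- "$expected")" ]; then
        echo wrong-target; return 1  # resolves, but not to the new certificate
    fi
    if [ ! -r "$path" ]; then
        echo unreadable; return 1
    fi
    echo ok
}

# demo: constructed layout in a temp dir standing in for the Let's Encrypt
# live directory and the web server's cert directory. typo.crt has a
# mistyped target, as a copy-and-paste slip would produce.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/live" "$d/certs"
    : > "$d/live/fullchain.pem"
    : > "$d/certs/old-selfsigned.crt"
    ln -s "$d/live/fullchain.pem"       "$d/certs/good.crt"
    ln -s "$d/live/fullchian.pem"       "$d/certs/typo.crt"
    ln -s "$d/certs/old-selfsigned.crt" "$d/certs/stale.crt"
    for f in good typo stale gone; do
        printf '%s=%s\n' "$f" \
            "$(check_link "$d/certs/$f.crt" "$d/live/fullchain.pem")"
    done
    rm -rf "$d"
}

# With arguments, check the given paths; without, run the constructed demo.
if [ "$#" -gt 0 ]; then
    for p in "$@"; do printf '%s: %s\n' "$p" "$(check_link "$p")"; done
else
    demo
fi
```

Running it before `nginx -t` shows which link is broken without having to read the OpenSSL error string.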