X-Default-Received-SPF: pass (skip=loggedin (res=PASS)) x-ip-name=115-188-12-240-adsl.sparkbb.co.nz; envelope-from=<surgemail-support@netwinsite.com>;
X-Received: from [192.168.1.75] (115-188-12-240-adsl.sparkbb.co.nz [115.188.12.240])
by netwin.co.nz (SurgeMail 7.4b) with ESMTP (TLS) id 15318262-1391920
for <surgemail-list@netwin.co.nz>; Wed, 18 Sep 2019 00:15:59 +0000
X-Return-Path: surgemail-support
Subject: Re: [SurgeMail List] g_ssl_auto and apache and certbot
To: surgemail-list@netwin.co.nz
References: <5d7ee8c8.19b6.b5844b40.2d4f8e1e@ericvey.com>
<c3dcbf69-8645-3c6e-a362-4c087264081d@netwinsite.com>
<03CCFA87-7E4E-4DAD-B469-FF25A97BE390@ericvey.com>
<2D01DB30-9D1E-4889-B912-BC58151FFA5D@ericvey.com>
From: Surgemail Support
Message-ID: <f4228de4-40d5-37a9-5e49-66176f852a8e@netwinsite.com>
Date: Wed, 18 Sep 2019 12:15:55 +1200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101
Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <2D01DB30-9D1E-4889-B912-BC58151FFA5D@ericvey.com>
Content-Language: en-US
X-Rcpt-To: <surgemail-list@netwin.co.nz>
X-SpamDetect: : 0.000000
X-Info: aspam skipped due to (g_smite_skip_relay)
X-Encryption: SSL encrypted
X-IP-stats: Incoming Last 0, First 0, in=23, out=0, spam=0 ip=115.188.12.240
List-Unsubscribe: <mailto:surgemail-list-leave@netwin.co.nz?subject=unsubscribe>
X-Mailing-List: surgemail-list@netwin.co.nz
List-ID: <surgemail-list@netwin.co.nz>
Precedence: bulk
Reply-To: surgemail-list@netwin.co.nz
Content-Transfer-Encoding: 8bit
I believe it's not needed as the chain file is appended to the certificate.

chrisP.
On 18/09/2019 11:41 AM, Eric Vey wrote:

What to do with the chain.pem reference?

Cert and pvt work fine, but there is also a chain.pem and include path in the .conf file.
On September 16, 2019 11:33:16 AM EDT, Eric Vey <junker@ericvey.com> wrote:

Ubuntu does not locate apache web pages in the same places as other installs. I rarely tear into the OS, so I have a hard time remembering what I do from one time to the next.

There is a Let's Encrypt conf file that directs apache where to look for the pem files. I may have edited this file when I installed certbot, but I don't recall.

I'm going to document all this when I make the changes, which conf files I edit and their location. That's for others and me to look up, next time they make dramatic changes.

Eric Vey
On September 15, 2019 10:06:40 PM EDT, Surgemail Support <surgemail-support@netwinsite.com> wrote:

On 16/09/2019 1:43 PM, Eric Vey wrote:
The location of my web files is: /var/www/ericvey.com/public_html so I made a /.well-known/acme-challenge in there, changed the g_ssl_lets_path to that and the update completed properly this time.
I'm assuming the apache site is still using the old certificate. I'll have to google and see if there is something to do in the apache2.conf file to steer it to the new path.
You should be able to point it at the files surge_cert.pem and surge_priv.pem that surgemail uses by settings in the apache config I think.

ChrisP.
Getting late here. Thanks for your help.

Eric Vey
On Sunday 15/09/2019 at 8:54 pm, Surgemail Support wrote:
Nope that failed.

This request you can test manually with any web browser:

http://ericvey.com/.well-known/acme-challenge/c2F60SZQ2829nEsjYX_1p00hA_fpRG_uShesdfHHK0g

And it should work and give you a page with numbers in it.

It looks like you set the path to:

/home/httpd/html/.well-known/acme-challenge

Check the apache config files to see where the 'html' path for "ericvey.com" maps to, I'm guessing it is going somewhere else....?

ChrisP.
On 16/09/2019 12:48 PM, Eric Vey wrote:
Okay I did it. The certificates were created and the apache server seems to be fine. I tested using SSL Labs and they like the configuration. They only saw one certificate.

I still got this error though when I ran the update:
Account status: Account created ok
https://acme-v02.api.letsencrypt.org/acme/acct/65983680
acme_authorize required for domain ericvey.com
Challenge http-01 pending
Created www/.well-known/acme-challenge/c2F60SZQ2829nEsjYX_1p00hA_fpRG_uShesdfHHK0g
Created /home/httpd/html/.well-known/acme-challenge/c2F60SZQ2829nEsjYX_1p00hA_fpRG_uShesdfHHK0g
Challenge: error: Invalid response from http://ericvey.com/.well-known/acme-challenge/c2F60SZQ2829nEsjYX_1p00hA_fpRG_uShesdfHHK0g [142.197.114.27]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"
HINT: Check your setting url_host points to your mail server for this domain!!
acme_do_auth failed ericvey.com
Update finished, 0 good, 2 bad
ssl_reload:
This means I can remove the certbot generated certificate and remove the cron job that updates it every three months?
On Sunday 15/09/2019 at 7:56 pm, Surgemail Support wrote:

On 16/09/2019 11:53 AM, Eric Vey wrote:
So I must state the path before I run tellmail ssl_update?

Yes.

How does apache know to look there?

It's the path apache is going to use for any html files, you are telling surgemail where apache is going to look, so you have to start from knowing the apache path to html files...

ChrisP.
Eric Vey

On September 15, 2019 6:56:11 PM EDT, Surgemail Support <surgemail-support@netwinsite.com> wrote:
If you have a web server then you must use g_ssl_lets_path to tell surgemail to create the file in the webserver path, it should be pointing at /home/httpd/html/.well-known/acme-challenge which as you mention must be writable by user 'mail'...

What happens when you try that?

chrisp.
On 16/09/2019 3:33 AM, Eric Vey wrote:
Hi,

So I have a single ubuntu server for mail and web. Port 80 is for web and port 7080 is for webmail. g_webmail_port is set to 7080 only. All requests come to ericvey.com and I let the router do the work. There is no mail.ericvey.com, just ericvey.com. Let's Encrypt certbot automagically set up the apache, putting the certificate in /etc/letsencrypt/live ... (you know the rest)

Right now, I am back to g_ssl_lets_path because when I remove it and set g_ssl_auto to "true" I get this error when I run tellmail ssl_update. I don't really need to update the certificate, nor do I need (or want) a second one. Stars indicate info removed for privacy.
SurgeMail Version 7.3o4-4, Built Oct 14 2018 22:20:57, Platform Linux
Key ******* OK, email=****@ericvey.com, users=10, flags=48, host=ubuntu-server-2:127.0.1.1, prod=surgemail active=4 updates=27/Dec/2016
Update starting
Update domain ericvey.com
Existing cert check: ericvey.com Self signed certificate /CN=ericvey.com
acme_authorize required for domain ericvey.com
Challenge http-01 pending
Created www/.well-known/acme-challenge/VRzjGR2QkMm_WgmaoKmx7Lt1qvhFe6RYCiJXQhi4vHM
HINT: Check your setting url_host points to your mail server for this domain!!
acme_do_auth failed ericvey.com
Update finished, 0 good, 1 bad
ssl_reload:
It appears to be trying to pull a page from my public web server on port 80. It didn't create /home/httpd/html/.well-known/acme-challenge, so I did and gave the user mail permission to write.

Am I doing something wrong here?

Eric Vey
--
Sent from my Android device with K-9 Mail.
Please excuse my brevity.
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
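The whole thread comes down to one mismatch: SurgeMail wrote the http-01 token under /home/httpd/html/.well-known/acme-challenge while Apache served ericvey.com from /var/www/ericvey.com/public_html, so Let's Encrypt got a 404. The script below is an added example, not code from the thread, from SurgeMail or from NetWin. It reads the Apache vhost file and surgemail.ini, works out the acme-challenge directory Apache would actually serve for the domain, and compares it with g_ssl_lets_path; it also scripts the manual browser test ChrisP describes. Assumptions: the vhost file uses plain <VirtualHost> blocks with ServerName/ServerAlias/DocumentRoot, surgemail.ini holds one "key value" setting per line, both file paths are passed as arguments, curl is installed for the probe, and the file name lets_path_check.sh in the comment is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or from SurgeMail): does the directory
# SurgeMail writes http-01 tokens to (g_ssl_lets_path) sit under the
# DocumentRoot that Apache actually serves for the domain?
#
# Assumptions: ordinary <VirtualHost> blocks with ServerName/ServerAlias/
# DocumentRoot in the vhost file, and one "key value" setting per line in
# surgemail.ini.  Both file paths are parameters, not fixed locations.

# apache_docroot <vhost.conf> <domain>
# Prints the DocumentRoot of the first <VirtualHost> whose ServerName or
# ServerAlias equals <domain>.  Prints nothing if no block matches.
apache_docroot() {
    awk -v dom="$2" '
        /^[ \t]*<VirtualHost/ { invh = 1; root = ""; hit = 0 }
        invh && tolower($1) == "documentroot" { root = $2; gsub(/"/, "", root) }
        invh && (tolower($1) == "servername" || tolower($1) == "serveralias") {
            for (i = 2; i <= NF; i++) if (tolower($i) == tolower(dom)) hit = 1
        }
        /^[ \t]*<\/VirtualHost>/ {
            if (invh && hit && root != "") { print root; exit }
            invh = 0
        }
    ' "$1"
}

# surgemail_lets_path <surgemail.ini>
# Prints the configured g_ssl_lets_path (quotes stripped), or nothing if unset.
surgemail_lets_path() {
    awk '$1 == "g_ssl_lets_path" { v = $2; gsub(/"/, "", v); print v; exit }' "$1"
}

# expected_lets_path <vhost.conf> <domain>
# The directory SurgeMail must write to so that
# http://<domain>/.well-known/acme-challenge/<token> is served by Apache.
expected_lets_path() {
    root=$(apache_docroot "$1" "$2")
    [ -n "$root" ] || return 1
    printf '%s/.well-known/acme-challenge\n' "${root%/}"
}

# check_lets_path <vhost.conf> <surgemail.ini> <domain>
# Exit 0: paths agree.  Exit 1: mismatch (the 404 seen in the thread).
# Exit 2: Apache has no vhost for <domain>, so it cannot answer the challenge.
check_lets_path() {
    want=$(expected_lets_path "$1" "$3") || {
        echo "NO VHOST: $1 has no <VirtualHost> for $3"
        return 2
    }
    have=$(surgemail_lets_path "$2")
    if [ "$have" = "$want" ]; then
        echo "OK: g_ssl_lets_path $have matches the Apache DocumentRoot for $3"
        return 0
    fi
    echo "MISMATCH: g_ssl_lets_path is '${have:-<unset>}' but Apache serves $3 from ${want%/.well-known/acme-challenge}"
    echo "          set:  g_ssl_lets_path $want"
    return 1
}

# writable_dir <dir>
# SurgeMail runs as user 'mail', so run this check as that user, e.g.
#   su -s /bin/sh mail -c '. ./lets_path_check.sh; writable_dir /var/www/ericvey.com/public_html/.well-known/acme-challenge'
writable_dir() {
    [ -d "$1" ] && [ -w "$1" ]
}

# probe_token <dir> <domain>
# The manual browser test from the thread, scripted: drop a token where
# SurgeMail would and fetch it over plain HTTP on port 80 as the CA does.
probe_token() {
    token=probe-$$
    printf 'probe\n' > "$1/$token" || return 1
    got=$(curl -fsS "http://$2/.well-known/acme-challenge/$token")
    rm -f "$1/$token"
    [ "$got" = probe ]
}
```

Typical use on the box from the thread would be `check_lets_path /etc/apache2/sites-enabled/ericvey.com.conf /path/to/surgemail.ini ericvey.com` followed, as user mail, by `writable_dir` and `probe_token` on the directory it prints; the surgemail.ini location is left to you because the thread never states it. Note that only the port 80 vhost matters for http-01, so if the name appears in both an `*:80` and an `*:443` block with different DocumentRoots, give the script a file that contains just the port 80 block.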