I also noticed that when building the URL for LE to check, it doesn’t use the domain’s url_host value.
For example, if the domain is fibernetcommunications.net, but my url_host value is webmail.fibernetcommunications.net, it’s not used (as http://netwinsite.com/surgemail/help/letsencrypt.htm suggests it should be).
mail2:/var/surgemail/www# tellmail ssl_update fibernetcommunications.net
SurgeMail Version 7.3p-21, Built Dec 11 2018 15:09:37, Platform Linux_64
Key N270855 OK, email=fbulk@mypremieronline.com, users=unlimited, flags=48, host=mail2:, prod=surgemail active=19710 updates=1/Aug/2020
Update starting
Update domain fibernetcommunications.net --------------
Existing cert check: fibernetcommunications.net Cannot find file lets/fibernetcommunications.net/surge_cert.pem No such file or directory
Account status: Account created ok https://acme-v02.api.letsencrypt.org/acme/acct/65679052
acme_authorize required for domain fibernetcommunications.net
Challenge http-01 pending
Created www/.well-known/acme-challenge/DSFYeYuhRcNCE0uolhVKk3NbUSUnNhKte61D0N92HfU
Challenge: error: Fetching http://fibernetcommunications.net/.well-known/acme-challenge/DSFYeYuhRcNCE0uolhVKk3NbUSUnNhKte61D0N92HfU: Timeout during connect (likely firewall problem)
acme_do_auth failed fibernetcommunications.net
ssl_reload:
It should have been
Fetching http://webmail.fibernetcommunications.net/.well-known/acme-challenge/DSFYeYuhRcNCE0uolhVKk3NbUSUnNhKte61D0N92HfU
Frank
From: Frank Bulk
Sent: Tuesday, September 10, 2019 11:13 PM
To: surgemail-list@netwin.co.nz
Subject: RE: tRE: [SurgeMail List] g_ssl_auto feature - how?
Chris,
I tried to turn up LE tonight, but every domain failed, mainly because their url_host didn’t point to Surgemail. No harm done.
But here’s an example of where the domain does point to Surgemail, but fails when I ran “tellmail ssl_update”:
Update domain webmail.schellingconstruction.com
Existing cert check: webmail.schellingconstruction.com Cannot find file lets/webmail.schellingconstruction.com/surge_cert.pem No such file or directory
Account status: Account created ok
https://acme-v02.api.letsencrypt.org/acme/acct/65679052
acme_authorize required for domain webmail.schellingconstruction.com
Challenge http-01 pending
Created www/.well-known/acme-challenge/JZqcQm1d_KyVkC4QWJ3CFLLuozEbe1GQmg2Sp5pGfD8
Challenge: error: Invalid response from
http://webmail.schellingconstruction.com/.well-known/acme-challenge/JZqcQm1d_KyVkC4QWJ3CFLLuozEbe1GQmg2Sp5pGfD8 [96.31.0.20]: "The file you requested does not exist. The url may be incorrect.\r\nRequested File: (JZqcQm1d_KyVkC4QWJ3CFLLuozEbe1GQmg2Sp5pGfD8)\r"
acme_do_auth failed webmail.schellingconstruction.com
Since we use two Surgemail servers behind a load-balancer, when “tellmail ssl_update” runs on server #1, who’s to say which of the two SurgeWeb servers the public LE server is hitting when it runs its authorization? It would seem you need to make sure the dynamically created challenge file is synced to the other server before the public LE queries. I don’t even see the “.well-known” directory created on the other server’s /var/Surgemail/www directory.
Also, if I can suggest a speed optimization – before reaching out to LE to start the certificate creation process, make sure that (1) the url_host value resolves to an IP address (2) that it terminates on the SurgeWeb servers.
Frank
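The two failure modes reported in the messages above (the validation URL built from the bare domain instead of url_host, and a challenge file that exists on only one of two load-balanced SurgeWeb servers) can both be caught before the CA is asked to validate. The following is an added illustration, not SurgeMail code: it builds the challenge URL from url_host, resolves that name and checks it lands on the front-end address, and then fetches the challenge path from each backend directly with the Host header the balancer would forward. The resolver and fetcher are injectable so the logic can be exercised offline; the sample DNS data, backend addresses and token are constructed for the example.

```python
"""Preflight for an ACME http-01 challenge behind a load balancer (added example)."""
import re
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass, field

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
FETCH_RE = re.compile(r"Fetching http://([^/\s]+)" + re.escape(CHALLENGE_PREFIX) + r"(\S+)")


def challenge_url(url_host: str, token: str) -> str:
    """The URL the CA will fetch; it must be built from url_host, not the bare domain."""
    return f"http://{url_host}{CHALLENGE_PREFIX}{token}"


def fetched_hosts(log_text: str) -> list:
    """Hosts named in 'Fetching http://.../.well-known/acme-challenge/...' log lines,
    so the name the CA was sent to can be compared with the configured url_host."""
    return [m.group(1) for m in FETCH_RE.finditer(log_text)]


def default_resolve(host: str) -> list:
    """IPv4 addresses for host; empty list when it does not resolve."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, 80, socket.AF_INET)})
    except socket.gaierror:
        return []


def default_fetch(ip: str, host: str, path: str, timeout: float = 5.0):
    """GET http://<ip><path> with Host: <host>, the request as one backend sees it."""
    req = urllib.request.Request(f"http://{ip}{path}", headers={"Host": host})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


@dataclass
class Preflight:
    url: str
    ok: bool = True
    problems: list = field(default_factory=list)

    def fail(self, msg: str) -> None:
        self.ok = False
        self.problems.append(msg)


def preflight_http01(domain, url_host, token, key_auth, vips, backends,
                     resolve=default_resolve, fetch=default_fetch) -> Preflight:
    """Checks to run before asking the CA to validate `domain`.
    vips     - public address(es) of the load balancer url_host should resolve to
    backends - the individual SurgeWeb servers behind it
    key_auth - body the challenge file must contain (token + '.' + account thumbprint)
    """
    host = url_host or domain
    result = Preflight(url=challenge_url(host, token))
    if not url_host:
        result.fail(f"{domain}: no url_host set, CA would fetch the bare domain name")
    addrs = resolve(host)
    if not addrs:
        result.fail(f"{host}: does not resolve")
    elif not set(addrs) <= set(vips):
        result.fail(f"{host}: resolves to {addrs}, not to the SurgeWeb front end {sorted(vips)}")
    path = CHALLENGE_PREFIX + token
    for ip in backends:  # the CA's request may be balanced to any of these
        status, body = fetch(ip, host, path)
        if status != 200 or body.strip() != key_auth:
            result.fail(f"backend {ip}: challenge not served (status={status}); file not synced?")
    return result


# --- constructed sample data for an offline run (hypothetical names and addresses) ---
SAMPLE_TOKEN = "tokenABC123"
SAMPLE_KEY_AUTH = SAMPLE_TOKEN + ".thumbprintXYZ"
SAMPLE_DNS = {"webmail.example.net": ["198.51.100.10"]}
SAMPLE_FILES = {  # what each backend's www/.well-known/acme-challenge/ currently holds
    "10.0.0.11": {SAMPLE_TOKEN: SAMPLE_KEY_AUTH},
    "10.0.0.12": {},  # ssl_update ran on .11 only; the file was never synced here
}


def sample_resolve(host):
    return SAMPLE_DNS.get(host, [])


def sample_fetch(ip, host, path):
    token = path[len(CHALLENGE_PREFIX):]
    files = SAMPLE_FILES.get(ip, {})
    if token in files:
        return 200, files[token]
    return 404, "The file you requested does not exist. The url may be incorrect."


def run_sample() -> Preflight:
    return preflight_http01("example.net", "webmail.example.net", SAMPLE_TOKEN, SAMPLE_KEY_AUTH,
                            vips=["198.51.100.10"], backends=["10.0.0.11", "10.0.0.12"],
                            resolve=sample_resolve, fetch=sample_fetch)


if __name__ == "__main__":
    r = run_sample()
    print(r.url, "OK" if r.ok else "NOT READY")
    for p in r.problems:
        print(" -", p)
```

In a real deployment the backend list, front-end address and the expected key authorization come from your own inventory and ACME client; running the check with the default resolver and fetcher needs network access, which is why the sample injects stubs. Failing the preflight instead of calling the CA also avoids burning the CA's failed-validation rate limits while the file sync is being fixed.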
On Thursday 06/06/2019 at 3:13 pm, Frank Bulk wrote:
That’s great, thanks!
So does the “G_SSL_LETS_EXCLUDE” need to list each item in “ssl_alias” to prevent a Lets Encrypt certificate being created for that domain?
For example, if I had several domains where I wanted to use Lets Encrypt but wanted to exclude acme.com which had webmail.acme.com with an ssl_alias entry of “pop.acme.com, smtp.acme.com, mail.acme.com”, do I configure g_ssl_lets_exclude with just “mail.acme.com”, or do I need to list “mail.acme.com, pop.acme.com, smtp.acme.com, webmail.com”?
Yes list every name or alias to exclude.
Note that g_ssl_lets_exclude is not in your online documentation.
I wish I could turn on Let’s Encrypt on a per-domain basis, rather than globally enable and selectively exclude. This would be a much safer deployment approach for us … if we forget to exclude just one domain we may have “lost” its SSL certificate.
FYI, the ssl certificates for g_ssl_auto are placed in /surgemail/lets... not surgemail/ssl... , so there is double protection, it won't over-write any of the old certificates in the ssl folders, you might just have to copy them again to the lets folder path.
Frank
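Because the exclusion is global and every name of a domain (its url_host and each ssl_alias entry) has to be listed, the risk Frank describes is a single forgotten name. The following added example (not SurgeMail code) lints a configuration the way an operator could before enabling g_ssl_auto: it assumes each domain is described by its url_host and a comma-separated ssl_alias string, that g_ssl_lets_exclude is a comma-separated string as in the thread, and that the operator knows which domains keep their own purchased certificate. The sample configuration uses constructed names.

```python
"""Lint for g_ssl_lets_exclude coverage (added example, hypothetical config format)."""


def split_list(value: str) -> list:
    """Split a comma-separated setting into lower-cased names, ignoring blanks."""
    return [v.strip().lower() for v in value.split(",") if v.strip()]


def domain_names(domain: dict) -> set:
    """Every name a certificate for this domain would cover: url_host plus ssl_alias."""
    names = {domain["url_host"].strip().lower()}
    names |= set(split_list(domain.get("ssl_alias", "")))
    return names


def lint_exclusions(domains: dict, g_ssl_lets_exclude: str, keep_custom: set) -> dict:
    """For each domain in keep_custom (domains that must keep their own certificate),
    return the names that are NOT in g_ssl_lets_exclude and would therefore still
    be handed to Let's Encrypt."""
    excluded = set(split_list(g_ssl_lets_exclude))
    missing = {}
    for name in sorted(keep_custom):
        gap = domain_names(domains[name]) - excluded
        if gap:
            missing[name] = sorted(gap)
    return missing


def suggested_exclude(domains: dict, keep_custom: set) -> str:
    """The complete g_ssl_lets_exclude value that covers every name of the listed domains."""
    names = set()
    for name in keep_custom:
        names |= domain_names(domains[name])
    return ",".join(sorted(names))


# --- constructed sample configuration (hypothetical names) ---
SAMPLE_DOMAINS = {
    "example.com": {"url_host": "webmail.example.com",
                    "ssl_alias": "pop.example.com, smtp.example.com, mail.example.com"},
    "example.org": {"url_host": "webmail.example.org"},
}

if __name__ == "__main__":
    # Only mail.example.com was excluded, as in the question above; the lint shows the gap.
    print(lint_exclusions(SAMPLE_DOMAINS, "mail.example.com", {"example.com"}))
    print(suggested_exclude(SAMPLE_DOMAINS, {"example.com"}))
```

Run against the live surgemail.ini values before turning on g_ssl_auto, and again whenever an ssl_alias entry is added to an excluded domain, since a new alias silently widens what the automatic process will try to certify.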
we don't support wildcard certificates in letsencrypt in surgemail, but we do allow aliases, just add
ssl_alias settings to the domain in question for any needed aliases.
On Saturday 18/05/2019 at 3:56 am, Frank Bulk wrote:
Chris,
I’ve just learned that an SSL certificate is only created with the domain listed in “url_host”.
- We currently have an SSL certificate that includes webmail and SAN (subject alternative names) pop3, smtp, and imap. Is there support in SM for that? We really can’t stop doing that without creating a huge support nightmare.
https://letsencrypt.org/docs/faq/
- What if we want a wildcarded LE certificate?
https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578
Kind regards,
Frank
On 1/02/2019 11:35 AM, Frank Bulk wrote:
Chris,
Thanks, I had missed your previous response(s).
Two follow up questions:
- What happens if you forget to exclude those certain domains – are the certificates in the SSL directory ignored and those auto-generated in lets used?
Yes if you forget the setting it will probably over-write the ones you've copied in with new letsencrypt ones.
- And how do you “recover” if you then want to have custom SSL certificates – do you just add them to g_ssl_lets_exclude, copy the files for that domain from the ssl directory to the lets directory, and execute “tellmail reload”? Or do you have to restart Surgemail?
Yes fix the exclude setting, copy them again from ssl to lets folder, and
tellmail ssl_update
should be sufficient.
ChrisP.
-
Frank
Yes you can but it's a bit tricky.
Step 1) You need a recent build 7.3p at least
Step 2) You copy the ssl directory tree to the lets directory tree (or the relevant domains folders at least)
Step 3) you set G_SSL_LETS_EXCLUDE "mail.xyz.com,mail.fred.com"
On Tuesday 29/01/2019 at 3:42 am, Frank Bulk wrote:
Any feedback on this? Can we turn this on only for those domains we don’t already have a separate certificate in place?
Frank
Thanks, I had been meaning to ask if we could turn this on only for domains that we don't already have a cert in place.
Frank
Sent from my Android phone using TouchDown (www.symantec.com)
-----Original Message-----
From: Jeff Crowe [jeff@wtccommunications.ca]
Received: Wednesday, 31 Oct 2018, 11:35AM
To: surgemail-list@netwinsite.com [surgemail-list@netwinsite.com]
Subject: [SurgeMail List] g_ssl_auto feature - how?
Hi there,
I have been looking for a fix for my broken Chrome SSL certs today and ran across this gem on the surgemail site:
SurgeMail Version 7.3j2 or later
With this version of surgemail ssl certificates are created and signed completely automatically for all domains, with one setting, no certbot
or other external programs are required!
What signing authority is being used?
Is it lets encrypt built into surgemail?
Will it enable add certs for all services like pop3, imap, smtp as well as https?
Will it automatically create new certs close to expiration?
and lastly, where do I download this version? the current version on the download site is 7.3i2.
Inquiring minds want to know!