I also noticed that when building the URL for LE to check, it doesn’t use the domain’s url_host value. For example, if the domain is fibernetcommunications.net, but my url_host value is webmail.fibernetcommunications.net, it’s not used (as http://netwinsite.com/surgemail/help/letsencrypt.htm suggests it should be):

mail2:/var/surgemail/www# tellmail ssl_update fibernetcommunications.net
SurgeMail Version 7.3p-21, Built Dec 11 2018 15:09:37, Platform Linux_64
Key N270855 OK, email=fbulk@mypremieronline.com, users=unlimited, flags=48, host=mail2:, prod=surgemail active=19710 updates=1/Aug/2020
Update starting
Update domain fibernetcommunications.net --------------
Existing cert check: fibernetcommunications.net Cannot find file lets/fibernetcommunications.net/surge_cert.pem No such file or directory
Account status: Account created ok https://acme-v02.api.letsencrypt.org/acme/acct/65679052
acme_authorize required for domain fibernetcommunications.net
Challenge http-01 pending
Created www/.well-known/acme-challenge/DSFYeYuhRcNCE0uolhVKk3NbUSUnNhKte61D0N92HfU
Challenge: error: Fetching http://fibernetcommunications.net/.well-known/acme-challenge/DSFYeYuhRcNCE0uolhVKk3NbUSUnNhKte61D0N92HfU: Timeout during connect (likely firewall problem)
acme_do_auth failed fibernetcommunications.net
ssl_reload:

It should have been: Fetching http://webmail.fibernetcommunications.net/.well-known/acme-challenge/DSFYeYuhRcNCE0uolhVKk3NbUSUnNhKte61D0N92HfU

Frank
From: Frank Bulk
Sent: Tuesday, September 10, 2019 11:13 PM
To: surgemail-list@netwin.co.nz
Subject: RE: tRE: [SurgeMail List] g_ssl_auto feature - how?

Chris,

I tried to turn up LE tonight, but every domain failed, mainly because their url_host didn’t point to Surgemail. No harm done.

But here’s an example of where the domain does point to Surgemail, but fails when I ran “tellmail ssl_update”:

Update domain webmail.schellingconstruction.com
Existing cert check: webmail.schellingconstruction.com Cannot find file lets/webmail.schellingconstruction.com/surge_cert.pem No such file or directory
Account status: Account created ok https://acme-v02.api.letsencrypt.org/acme/acct/65679052
acme_authorize required for domain webmail.schellingconstruction.com
Challenge http-01 pending
Created www/.well-known/acme-challenge/JZqcQm1d_KyVkC4QWJ3CFLLuozEbe1GQmg2Sp5pGfD8
Challenge: error: Invalid response from http://webmail.schellingconstruction.com/.well-known/acme-challenge/JZqcQm1d_KyVkC4QWJ3CFLLuozEbe1GQmg2Sp5pGfD8 [96.31.0.20]: "The file you requested does not exist. The url may be incorrect.\r\nRequested File: (JZqcQm1d_KyVkC4QWJ3CFLLuozEbe1GQmg2Sp5pGfD8)\r"
acme_do_auth failed webmail.schellingconstruction.com

Since we use two Surgemail servers behind a load-balancer, when “tellmail ssl_update” runs on server #1, who’s to say which of the two SurgeWebs the public LE server is hitting when it runs its authorization? It would seem you need to make sure the dynamically created challenge file is synced to the other server before the public LE queries. I don’t even see the “.well-known” directory created on the other server’s /var/Surgemail/www directory.

Also, if I can suggest a speed optimization – before reaching out to LE to start the certificate creation process, make sure that (1) the url_host value resolves to an IP address and (2) that it terminates on the SurgeWeb servers.

Frank
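A pre-flight check of the kind suggested in this message, also covering the url_host problem and the load-balanced second server raised above; this is an added example, not SurgeMail's own code, and the host names, addresses, the key_auth body and the injectable resolve/get helpers are assumptions.

```python
import socket
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"


def challenge_url(host, token):
    # LE fetches http://<url_host>/.well-known/acme-challenge/<token>, so the
    # domain's url_host (e.g. webmail.example.net) must be used, not the bare domain.
    return "http://%s%s%s" % (host, ACME_PATH, token)


def resolve_a(host):
    """IPv4 addresses host resolves to; an empty set if it does not resolve."""
    try:
        return {a[4][0] for a in socket.getaddrinfo(host, 80, socket.AF_INET)}
    except socket.gaierror:
        return set()


def fetch(url, host_header, timeout=5):
    """GET url (sending Host: host_header) and return the body, or None on error."""
    try:
        req = urllib.request.Request(url, headers={"Host": host_header})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except Exception:
        return None


def preflight(url_host, token, key_auth, public_ips, backend_ips,
              resolve=resolve_a, get=fetch):
    """Return a list of problems; an empty list means LE validation can be
    requested. public_ips: addresses of the load balancer LE will reach (assumed);
    backend_ips: every SurgeWeb server behind it; key_auth: the body LE expects
    in the challenge file. resolve/get are injectable so this runs offline."""
    problems = []
    ips = resolve(url_host)
    if not ips:
        problems.append("%s does not resolve" % url_host)
    elif not ips & set(public_ips):
        problems.append("%s resolves to %s, not our SurgeWeb IPs"
                        % (url_host, sorted(ips)))
    # Query each backend by IP, with the Host header LE would send, so the
    # challenge file is verified on every server the balancer might pick.
    for ip in backend_ips:
        body = get(challenge_url(ip, token), url_host)
        if body is None:
            problems.append("%s: challenge file not reachable" % ip)
        elif body.strip() != key_auth:
            problems.append("%s: wrong challenge body (file not synced?)" % ip)
    return problems
```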
On Thursday 06/06/2019 at 3:13 pm, Frank Bulk wrote:

That’s great, thanks!

So does the “G_SSL_LETS_EXCLUDE” need to list each item in “ssl_alias” to prevent a Lets Encrypt certificate being created for that domain?

For example, if I had several domains where I wanted to use Lets Encrypt but wanted to exclude acme.com which had webmail.acme.com with an ssl_alias entry of “pop.acme.com, smtp.acme.com, mail.acme.com”, do I configure g_ssl_lets_exclude with just “mail.acme.com”, or do I need to list “mail.acme.com, pop.acme.com, smtp.acme.com, webmail.com”?

Yes, list every name or alias to exclude.

Note that g_ssl_lets_exclude is not in your online documentation.

I wish I could turn on Let’s Encrypt on a per-domain basis, rather than globally enable and selectively exclude. This would be a much safer deployment approach for us … if we forget to exclude just one domain we may have “lost” its SSL certificate.

FYI, the ssl certificates for g_ssl_auto are placed in /surgemail/lets... not surgemail/ssl..., so there is double protection, it won't over-write any of the old certificates in the ssl folders, you might just have to copy them again to the lets folder path.

Frank

We don't support wildcard certificates in letsencrypt in surgemail, but we do allow aliases, just add ssl_alias settings to the domain in question for any needed aliases.
On Saturday 18/05/2019 at 3:56 am, Frank Bulk wrote:

Chris,

I’ve just learned that an SSL certificate is only created with the domain listed in “url_host”.

- We currently have an SSL certificate that includes webmail and SAN (subject alternative names) pop3, smtp, and imap. Is there support in SM for that? We really can’t stop doing that without creating a huge support nightmare. https://letsencrypt.org/docs/faq/

- What if we want a wildcarded LE certificate? https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578

Kind regards,

Frank
On 1/02/2019 11:35 AM, Frank Bulk wrote:

Chris,

Thanks, I had missed your previous response(s).

Two follow-up questions:

- What happens if you forget to exclude those certain domains – are the certificates in the SSL directory ignored and those auto-generated in lets used?

Yes, if you forget the setting it will probably over-write the ones you've copied in with new letsencrypt ones.

- And how do you “recover” if you then want to have custom SSL certificates – do you just add them to g_ssl_lets_exclude, copy the files for that domain from the ssl directory to the lets directory, and execute “tellmail reload”? Or do you have to restart Surgemail?

Yes, fix the exclude setting, copy them again from ssl to lets folder, and tellmail ssl_update should be sufficient.

ChrisP.

Frank

Yes you can, but it's a bit tricky.

Step 1) You need a recent build, 7.3p at least
Step 2) You copy the ssl directory tree to the lets directory tree (or the relevant domains' folders at least)
Step 3) You set G_SSL_LETS_EXCLUDE "mail.xyz.com,mail.fred.com"
On Tuesday 29/01/2019 at 3:42 am, Frank Bulk wrote:

Any feedback on this? Can we turn this on only for those domains we don’t already have a separate certificate in place?

Frank

Thanks, I had been meaning to ask if we could turn this on only for domains that we don't already have a cert in place.

Frank

Sent from my Android phone using TouchDown (www.symantec.com)

-----Original Message-----
From: Jeff Crowe [jeff@wtccommunications.ca]
Received: Wednesday, 31 Oct 2018, 11:35AM
To: surgemail-list@netwinsite.com [surgemail-list@netwinsite.com]
Subject: [SurgeMail List] g_ssl_auto feature - how?

Hi there,

I have been looking for a fix for my broken Chrome SSL certs today and ran across this gem on the surgemail site:

SurgeMail Version 7.3j2 or later
With this version of surgemail ssl certificates are created and signed completely automatically for all domains, with one setting, no certbot or other external programs are required!

What signing authority is being used?
Is it lets encrypt built into surgemail?
Will it enable add certs for all services like pop3, imap, smtp as well as https?
Will it automatically new certs close to expiration?
And lastly, where do I download this version? The current version on the download site is 7.3i2.

Inquiring minds want to know!