I also noticed that when building the URL for LE to check, it doesn’t use the domain’s url_host value.
For example, if the domain is fibernetcommunications.net, but my url_host value is webmail.fibernetcommunications.net, it’s not used (as http://netwinsite.com/surgemail/help/letsencrypt.htm suggests it should be)
mail2:/var/surgemail/www# tellmail ssl_update fibernetcommunications.net
SurgeMail Version 7.3p-21, Built Dec 11 2018 15:09:37, Platform Linux_64
Key N270855 OK,
email=fbulk@mypremieronline.com, users=unlimited, flags=48, host=mail2:, prod=surgemail active=19710 updates=1/Aug/2020
Update starting
Update domain fibernetcommunications.net --------------
Existing cert check: fibernetcommunications.net Cannot find file lets/fibernetcommunications.net/surge_cert.pem No such file or directory
Account status: Account created ok
https://acme-v02.api.letsencrypt.org/acme/acct/65679052
acme_authorize required for domain fibernetcommunications.net
Challenge http-01 pending
Created www/.well-known/acme-challenge/DSFYeYuhRcNCE0uolhVKk3NbUSUnNhKte61D0N92HfU
Challenge: error: Fetching
http://fibernetcommunications.net/.well-known/acme-challenge/DSFYeYuhRcNCE0uolhVKk3NbUSUnNhKte61D0N92HfU: Timeout during connect (likely firewall problem)
acme_do_auth failed fibernetcommunications.net
ssl_reload:
It should have been
Fetching
http://webmail.fibernetcommunications.net/.well-known/acme-challenge/DSFYeYuhRcNCE0uolhVKk3NbUSUnNhKte61D0N92HfU
Frank
From: Frank Bulk
Sent: Tuesday, September 10, 2019 11:13 PM
To: surgemail-list@netwin.co.nz
Subject: RE: tRE: [SurgeMail List] g_ssl_auto feature - how?
Chris,
I tried to turn up LE tonight, but every domain failed, mainly because their url_host didn’t point to Surgemail. No harm done.
But here’s an example of where the domain does point to Surgemail, but fails when I ran “tellmail ssl_update”:
Update domain webmail.schellingconstruction.com
Existing cert check: webmail.schellingconstruction.com Cannot find file lets/webmail.schellingconstruction.com/surge_cert.pem No such file or directory
Account status: Account created ok
https://acme-v02.api.letsencrypt.org/acme/acct/65679052
acme_authorize required for domain webmail.schellingconstruction.com
Challenge http-01 pending
Created www/.well-known/acme-challenge/JZqcQm1d_KyVkC4QWJ3CFLLuozEbe1GQmg2Sp5pGfD8
Challenge: error: Invalid response from
http://webmail.schellingconstruction.com/.well-known/acme-challenge/JZqcQm1d_KyVkC4QWJ3CFLLuozEbe1GQmg2Sp5pGfD8 [96.31.0.20]: "The file you requested does not exist. The url may be incorrect.\r\nRequested File: (JZqcQm1d_KyVkC4QWJ3CFLLuozEbe1GQmg2Sp5pGfD8)\r"
acme_do_auth failed webmail.schellingconstruction.com
Since we use two Surgemail servers behind a load-balancer, when “tellmail ssl_update” runs on server #1, who’s to say which of the two SurgeWebs the public LE server is hitting when it runs its authorization? It would seem you need to make sure the dynamically created challenge file is synced to the other server before the public LE queries. I don’t even see the “.well-known” directory created on the other server’s /var/Surgemail/www directory.
Also, if I can suggest a speed optimization – before reaching out to LE to start the certificate creation process, make sure that (1) the url_host value resolves to an IP address (2) that it terminates on the SurgeWeb servers.
Frank
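The two failure modes in this thread (the challenge URL built from the bare domain instead of url_host, and the challenge file present on only one of two load-balanced SurgeWeb servers) can both be caught before the ACME server is ever contacted, which is the pre-flight check suggested above. The following is an added, stand-alone example and not SurgeMail code; the function names, the backend IP list and the injectable resolver/fetcher hooks are assumptions made so it can be exercised offline.

```python
"""Pre-flight checks for a Let's Encrypt http-01 challenge behind a load balancer."""
import socket
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"


def challenge_url(domain, token, url_host=None):
    """Build the URL the ACME server will fetch: url_host wins when set, else the bare domain."""
    return "http://%s%s%s" % (url_host or domain, ACME_PATH, token)


def resolve(host):
    """Return the set of IPv4 addresses the public name resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, 80, socket.AF_INET)}


def fetch_from_backend(ip, host, token, timeout=5):
    """Fetch the challenge from ONE backend directly, sending the public name in Host:,
    so every server behind the load balancer is checked rather than whichever one it picks."""
    req = urllib.request.Request("http://%s%s%s" % (ip, ACME_PATH, token),
                                 headers={"Host": host})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def preflight(domain, token, key_auth, backends, url_host=None,
              resolver=resolve, fetcher=fetch_from_backend):
    """Return a list of problems found (empty list means it is safe to start the ACME order).
    key_auth is the expected challenge body (token.thumbprint); backends are the SurgeWeb IPs."""
    host = url_host or domain
    problems = []
    try:
        ips = resolver(host)
    except OSError as exc:  # covers socket.gaierror: name does not resolve at all
        return ["%s does not resolve: %s" % (host, exc)]
    stray = ips - set(backends)
    if stray:  # name points somewhere other than our SurgeWeb servers
        problems.append("%s resolves to %s, not to a SurgeWeb server" % (host, sorted(stray)))
    for ip in backends:  # the file must be served by EVERY backend, not just the one that created it
        try:
            body = fetcher(ip, host, token)
        except Exception as exc:
            problems.append("backend %s: fetch failed (%s)" % (ip, exc))
            continue
        if body.strip() != key_auth:
            problems.append("backend %s: wrong or missing challenge body" % ip)
    return problems
```

Running preflight with a fetcher that returns the "The file you requested does not exist" page for the second backend reproduces the sync problem reported above as a single listed problem, before any ACME call is made.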