I also noticed that when building the URL for LE to check, it doesn't use the domain's url_host value. For example, if the domain is fibernetcommunications.net, but my url_host value is webmail.fibernetcommunications.net, it's not used (as http://netwinsite.com/surgemail/help/letsencrypt.htm suggests it should be).
mail2:/var/surgemail/www# tellmail ssl_update fibernetcommunications.net
SurgeMail Version 7.3p-21, Built Dec 11 2018 15:09:37, Platform Linux_64
Key N270855 OK, email=fbulk@mypremieronline.com, users=unlimited, flags=48, host=mail2:, prod=surgemail active=19710 updates=1/Aug/2020
Update starting
Update domain fibernetcommunications.net --------------
Existing cert check: fibernetcommunications.net Cannot find file lets/fibernetcommunications.net/surge_cert.pem No such file or directory
Account status: Account created ok https://acme-v02.api.letsencrypt.org/acme/acct/65679052
acme_authorize required for domain fibernetcommunications.net
Challenge http-01 pending
Created www/.well-known/acme-challenge/DSFYeYuhRcNCE0uolhVKk3NbUSUnNhKte61D0N92HfU
Challenge: error: Fetching http://fibernetcommunications.net/.well-known/acme-challenge/DSFYeYuhRcNCE0uolhVKk3NbUSUnNhKte61D0N92HfU: Timeout during connect (likely firewall problem)
acme_do_auth failed fibernetcommunications.net
ssl_reload:
It should have been

Fetching http://webmail.fibernetcommunications.net/.well-known/acme-challenge/DSFYeYuhRcNCE0uolhVKk3NbUSUnNhKte61D0N92HfU

Frank
From: Frank Bulk
Sent: Tuesday, September 10, 2019 11:13 PM
To: surgemail-list@netwin.co.nz
Subject: RE: tRE: [SurgeMail List] g_ssl_auto feature - how?

Chris,
I tried to turn up LE tonight, but every domain failed, mainly because their url_host didn't point to Surgemail. No harm done.

But here's an example of where the domain does point to Surgemail, but fails when I ran "tellmail ssl_update":
Update domain webmail.schellingconstruction.com
Existing cert check: webmail.schellingconstruction.com Cannot find file lets/webmail.schellingconstruction.com/surge_cert.pem No such file or directory
Account status: Account created ok https://acme-v02.api.letsencrypt.org/acme/acct/65679052
acme_authorize required for domain webmail.schellingconstruction.com
Challenge http-01 pending
Created www/.well-known/acme-challenge/JZqcQm1d_KyVkC4QWJ3CFLLuozEbe1GQmg2Sp5pGfD8
Challenge: error: Invalid response from http://webmail.schellingconstruction.com/.well-known/acme-challenge/JZqcQm1d_KyVkC4QWJ3CFLLuozEbe1GQmg2Sp5pGfD8 [96.31.0.20]: "The file you requested does not exist. The url may be incorrect.\r\nRequested File: (JZqcQm1d_KyVkC4QWJ3CFLLuozEbe1GQmg2Sp5pGfD8)\r"
acme_do_auth failed webmail.schellingconstruction.com
Since we use two Surgemail servers behind a load-balancer, when "tellmail ssl_update" runs on server #1, who's to say which of the two SurgeWebs the public LE server is hitting when it runs its authorization? It would seem you need to make sure the dynamically created challenge file is synced to the other server before the public LE queries. I don't even see the ".well-known" directory created on the other server's /var/Surgemail/www directory.
Also, if I can suggest a speed optimization – before reaching out to LE to start the certificate creation process, make sure that (1) the url_host value resolves to an IP address (2) that it terminates on the SurgeWeb servers.

Frank
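The three points Frank raises across both messages (the challenge URL should be built from url_host rather than the bare domain, the challenge file must be present on every server behind the load balancer before the CA fetches it, and url_host should be checked to resolve and terminate on SurgeWeb before any CA round trip), written up as an added Python pre-flight check. This is not SurgeMail code and was not run against any host in the thread. It assumes a domain record with an optional url_host, that the operator knows which public addresses terminate on SurgeWeb and the address of each backend, and a publish callback that writes a file into every backend's webroot; FakeFleet, demo and the 192.0.2.x/198.51.100.x/203.0.113.x addresses are constructed stand-ins so the example runs offline.

```python
"""Pre-flight check for an ACME http-01 run (added example, not SurgeMail code).
Assumed: Domain.url_host mirrors SurgeMail's setting; surgeweb_ips are the public
addresses that terminate on SurgeWeb; backend_ips are the servers behind the load
balancer; publish(name, content) writes the file into every backend's webroot."""
import secrets
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Optional

CHALLENGE_DIR = "/.well-known/acme-challenge/"


@dataclass
class Domain:
    name: str
    url_host: Optional[str] = None  # hypothetical field mirroring url_host


@dataclass
class Preflight:
    domain: str
    host: str  # the name the CA will be asked to fetch from
    ok: bool = True
    reasons: list = field(default_factory=list)

    def fail(self, why: str) -> None:
        self.ok = False
        self.reasons.append(why)


def challenge_host(domain: Domain) -> str:
    """http-01 is fetched from the name that serves the webroot: url_host when
    set, otherwise the bare domain (the thread shows the latter being used)."""
    return domain.url_host or domain.name


def default_resolve(host: str) -> list:
    """All A/AAAA answers for host, or [] if it does not resolve."""
    try:
        infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
    except OSError:
        return []
    return sorted({info[4][0] for info in infos})


def default_fetch(host: str, path: str, ip: str, timeout: float = 5.0):
    """GET http://<ip><path> with Host: <host>, pinning the request to one
    backend instead of whichever one the load balancer would choose."""
    authority = f"[{ip}]" if ":" in ip else ip
    req = urllib.request.Request(f"http://{authority}{path}", headers={"Host": host})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except OSError as err:  # URLError, refused connection, timeout
        return 0, str(err)


def preflight(domain, surgeweb_ips, backend_ips, publish,
              resolve=default_resolve, fetch=default_fetch) -> Preflight:
    """Run the checks before any round trip to the CA."""
    host = challenge_host(domain)
    result = Preflight(domain.name, host)
    # 1. The name the CA will fetch from must resolve at all.
    addrs = resolve(host)
    if not addrs:
        result.fail(f"{host} does not resolve")
        return result
    # 2. Every answer must be an address that terminates on SurgeWeb.
    stray = sorted(set(addrs) - set(surgeweb_ips))
    if stray:
        result.fail(f"{host} resolves to {stray}, not a SurgeWeb address")
    # 3. Publish a throwaway token and confirm EACH backend serves it; the CA's
    #    request may land on either server behind the load balancer.
    token = secrets.token_urlsafe(32)
    publish(token, token)
    for ip in backend_ips:
        status, body = fetch(host, CHALLENGE_DIR + token, ip)
        if status != 200 or body.strip() != token:
            result.fail(f"backend {ip} answered {status}: {body[:60]!r}")
    return result


class FakeFleet:
    """Constructed DNS and backends for offline runs; synced=False models the
    thread's failure, where the file exists on one server only."""

    def __init__(self, dns, backends, synced=True):
        self.dns, self.synced = dns, synced
        self.files = {ip: {} for ip in backends}

    def resolve(self, host):
        return list(self.dns.get(host, []))

    def publish(self, name, content):
        targets = list(self.files) if self.synced else list(self.files)[:1]
        for ip in targets:
            self.files[ip][name] = content

    def fetch(self, host, path, ip):
        body = self.files.get(ip, {}).get(path.rsplit("/", 1)[-1])
        if body is None:
            return 404, "The file you requested does not exist. The url may be incorrect."
        return 200, body


def demo(synced: bool) -> Preflight:
    """Constructed scenario: url_host resolves to the SurgeWeb VIP; two backends."""
    fleet = FakeFleet({"webmail.example.net": ["192.0.2.10"]},
                      ["198.51.100.1", "198.51.100.2"], synced)
    dom = Domain("example.net", url_host="webmail.example.net")
    return preflight(dom, {"192.0.2.10"}, list(fleet.files),
                     fleet.publish, fleet.resolve, fleet.fetch)
```

With real resolver and fetcher (the defaults), `publish` is the only piece the operator supplies: whatever mechanism copies the webroot between the two servers. Step 3 fetches from each backend by IP with the Host header set, so a file that only landed on server #1 shows up as a 404 from server #2 before Let's Encrypt ever sees it.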