Installed SSL Certificate causing errors in admin area


#10

MiaB needs a certificate issued for the domain that the mail server is on which in your case is box.dobom.website. (Assuming no websites are being hosted from within MiaB)

Go to https://box.dobom.website/admin in your browser. The padlock showing the site is secured by SSL will be there. Click on the padlock and then the right arrow, and then the More Information tab at the bottom. I am using Firefox, so a different browser may behave differently. Once you are there, you will be able to review all of the certificate information.


#11

Yes, other TLS checkers like digicert also showed that all is well. The thing I don’t understand is, why MiaB admin has these lines of error, when the earlier cert gave no errors, even though the process was exactly the same.


#12

Having never used an externally generated SSL certificate for MiaB personally, I am not the one who can answer that …

But let me make a broad assumption … when using External DNS, the MiaB admin area gives several error messages - all of which can be safely ignored. Perhaps the same is true with the SSL certificate? I do not know.
I would think though, if you installed the certificate from the admin area SSL Certificate page, MiaB would know this and account for it. Is this how you ‘installed’ it? So far, I have been assuming so.

At this point I can only suggest changing the title of this thread to something like “Installed SSL Certificate causing errors in admin area” to catch the attention of someone with more knowledge of the back end development such as one of the developers.


#13

Thanks @alento,

Though I don’t understand how you do not use an external SSL; don’t you need one for MiaB to work?
I appreciate your effort!
I modified the title according to your suggestion.
We will see if anyone catches on.


#14

Let me clarify my bad usage of the term “external SSL” … by that I am referring to an SSL certificate issued by a different certificate authority and installed to MiaB
INSTEAD OF
using the Let’s Encrypt SSL certificate that is generated by Let’s Encrypt with the certbot client that is integrated within MiaB.

As mentioned earlier in this thread - an SSL certificate is absolutely required for proper hassle-free functioning. It is however not required that the certificate be issued utilizing the certbot client within MiaB.


#15

OK, thanks for the clarification.
I regenerated the certificate once more, but get the same error in the admin.
I’ll just leave it for now, and hope everything will work properly.

All the best to you!


#16

Just out of curiosity, are you using external DNS?


#17

Yes I am using external DNS


#18

That is not what a WHOIS lookup says that Gandi is telling the internet…
the name servers are listed as:
ns1 & ns2.box.dobom.website


#19

I thought the question was do I use external DNS at all, for any of the handled domains, and to that the answer is yes. But for box.dobom.website I use ns1/ns2.box.dobom.website


#20

I just realised that maybe I am facing this issue because I created the CSR from the command line with this command (because this is what Gandi.net requires to generate the cert):

`openssl req -nodes -newkey rsa:2048 -sha256 -keyout myserver.key -out server.csr`

and installed the key and cert manually.

So I tried the installation via the MIAB admin, but I wasn’t able to generate the cert with the CSR provided by MIAB. Gandi didn’t accept the CSR.

Could anyone suggest a solution, so I can generate a CSR with MIAB that Gandi accepts?
Then maybe the intermediate cert will be evaluated by MIAB correctly, and the error will disappear…


#21

I am still struggling to understand what the issue is exactly. Could you post a screenshot perhaps?
Again, as mentioned before you have a certificate issued by Gandi which is valid for another 11 months.

ETA: The suggested solution is to use the installed certificate provisioning through Let’s Encrypt and not attempt to use a certificate issued by a 3rd party (Gandi).


#22

Hi Alento,

I’m sorry, but I probably don’t understand the situation thoroughly enough to answer in a straightforward manner.

So I’ll ask.
Is it not a minimal requirement for MIAB to use a paid 3rd party SSL cert for MIAB to function correctly?
The reason I’m using a 3rd party cert is because I was convinced that it’s a must.

If it’s not, or it is, but not implemented the way I’m using it, then could you help me understand how to implement it correctly.

Thanks!


#23

No … well, yes … let me explain: An SSL certificate is required to secure the admin area and the webmail pages. The SSL certificate is also used by (my knowledge is weak here) either Postfix or Dovecot for secure connections to the mail server.

That said, yes, an SSL certificate must be acquired from a third party - a certificate authority. There are MANY different certificate authorities out there. It so happens that Gandi is one. There are so many others such as DigiCert, Amazon, etc.

A few years ago a non-profit initiative called Let’s Encrypt was formed with the purpose of making securing websites both easy and inexpensive. There have been many different clients created which work with Let’s Encrypt (which is a certificate authority) to issue SSL certificates simply and without cost. This has revolutionized SSL certificate issuance and usage. Anyways, that is a bit off track but some background information.

Back to Mail-in-a-Box - as an SSL certificate is required, the developers of this project have implemented one of the many Let’s Encrypt clients for the purpose of issuing the required SSL certificate. When Mail-in-a-Box is first installed, the installation procedure will automatically connect to Let’s Encrypt and request and install an SSL certificate. MOST of the time this happens flawlessly, but sometimes it fails. The usual reason that it fails is because of lack of propagation of DNS. There was also a time period that some changes were made within Let’s Encrypt which caused certificate issuance to fail in MiaB. I am not sure what (if any) reason existed that an LE SSL certificate was not issued for you … or if perhaps, you may have simply replaced it manually.

My personal recommendation would be to ignore the warning in the admin area, and then sometime shortly before the expiration of the Gandi certificate, replace it. The Gandi certificate is good for another 11 months. If the warning (more on the warning itself later) bothers you, then you could replace the certificate now … but again, that would not be something I would do - but you are certainly free to do so. If you are so inclined, please be certain that you are using one of the two most recent versions of MiaB. v0.29 is of course preferred.

To replace the certificate, I think that I would SSH into the VPS, and delete the contents of the /home/user-data/ssl/ directory. Then rerun the command line `sudo mailinabox`. This will run through the installation process and when it reaches the SSL certificate part, will request and install an SSL certificate from Let’s Encrypt. There is a method to replace the SSL certificate from the admin area web-page, but I think that I would not do it that way with the possible uncertainty of any lingering issues from using the Gandi certificate.

Lastly, regarding the error message that you are seeing - that appears to me to be a bug within Mail-in-a-Box. I would suggest posting the details to the GitHub page for the project. When you look at the details of the certificate, the certificate is indeed issued for box.dobom.website. The error message is reporting that the certificate is issued for the issuer of the certificate - I do not know why, but I suspect that using a certificate from an outside provider is behind this. As MiaB provisions a certificate automatically through LE, I would imagine that this possibly has not been encountered before.
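For anyone who, like the poster in #20, installs a Gandi (or other third-party) certificate plus intermediate by hand and then sees the admin area report the wrong subject (#23), the following shell function is an added sanity check, not Mail-in-a-Box code: it splits a PEM bundle, confirms the first certificate is really issued for the mail host (SAN, then CN), and confirms the bundle is in leaf-first order by matching each certificate's issuer to the next certificate's subject. It assumes `openssl` 1.1.1 or newer is installed; the bundle path and host name are placeholders.

```shell
#!/bin/sh
# Added example (not Mail-in-a-Box code): check a manually assembled PEM bundle
# before installing it. Usage: check_chain /path/to/bundle.pem box.example.test
check_chain() {
  bundle="$1"; host="$2"
  tmpdir=$(mktemp -d) || return 2
  # Split the bundle into cert-0.pem (first certificate), cert-1.pem, ...
  awk -v d="$tmpdir" '/-----BEGIN CERTIFICATE-----/{n++} n>0{i=n-1; print > (d "/cert-" i ".pem")}' "$bundle"
  leaf="$tmpdir/cert-0.pem"
  if [ ! -f "$leaf" ]; then
    echo "no certificate found in $bundle" >&2; rm -rf "$tmpdir"; return 1
  fi
  # 1. The first certificate must be the leaf for the mail host: look for the
  #    host in subjectAltName, falling back to the subject CN for older certs.
  #    (Dots in $host are treated as regex wildcards; fine for a sanity check.)
  if ! openssl x509 -in "$leaf" -noout -ext subjectAltName 2>/dev/null \
         | grep -qE "DNS:$host(,|[[:space:]]|$)" \
     && ! openssl x509 -in "$leaf" -noout -subject \
         | grep -qE "CN *= *$host(,|/|[[:space:]]|$)"; then
    echo "first certificate in $bundle is not issued for $host" >&2
    rm -rf "$tmpdir"; return 1
  fi
  # 2. Each certificate's issuer must equal the subject of the certificate that
  #    follows it; a bundle in the wrong order is what makes a verifier pick up
  #    the issuer's name instead of the leaf's.
  i=0
  while [ -f "$tmpdir/cert-$((i+1)).pem" ]; do
    issuer=$(openssl x509 -in "$tmpdir/cert-$i.pem" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$tmpdir/cert-$((i+1)).pem" -noout -subject | sed 's/^subject=//')
    if [ "$issuer" != "$subject" ]; then
      echo "chain order problem: cert $i is issued by '$issuer' but cert $((i+1)) is '$subject'" >&2
      rm -rf "$tmpdir"; return 1
    fi
    i=$((i+1))
  done
  rm -rf "$tmpdir"
  echo "ok: $bundle is a leaf-first chain for $host with $((i+1)) certificate(s)"
  return 0
}
```

The function exits 0 only when both checks pass, so it can gate a deployment step or be run by hand on the file before pasting it into the admin area.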


#24

Wow, thanks for the detailed and helpful reply!

I was ashamed to admit that I was running MIAB version 0.16 because earlier upgrades I tried always turned into a complete mess that I wasn’t able to fix. But I ran the upgrade now with no problems (after deleting contents of the ssl folder, as you suggested).
I now have a beautiful, all green status for the box, thanks to you!

So does this mean that I don’t need to purchase another SSL certificate to use MIAB?

The only problem I’m having after upgrade is when I try to login to one of the nine mailboxes in roundcube.
I get a 504 bad gateway error, while all of the other mailboxes login immediately and work fine.
I understand that this is an issue for another topic, but wanted to put it in for the record.


A note for future upgraders:
I ran:
`sudo mailinabox`
then
`sudo /etc/init.d/nginx reload`
on v0.16 before running:
`curl -s https://mailinabox.email/setup.sh | sudo bash`

It may not make a difference, but thought I’d mention it just to make sure.


504 Gateway timeout when logging into RoundCube - Murgero?
#25

If the System Status Checks page is no longer showing the error that you were talking about and now shows something like
`✓ TLS (SSL) certificate is signed & valid. The certificate expires in 89 days on 04/05/19.`
you are good to go! Let’s Encrypt should attempt to renew the certificate about 2 weeks before expiration.


#26

Yes, this is an unrelated issue to this topic … but I should ask you on the 9 email accounts did you use the calendar or contacts function on any of them or perhaps ONLY on the one that you cannot log in to?


#27

Uhm, I did only import contacts to that one account, does that count as “using the contacts function”?


#28

Let’s take this to the other thread. 🙂 I do have a theory. If you will repost your comment about importing contacts there so others can follow along … 🙂


#29

OK, thanks!
😀