Installed SSL Certificate causing errors in admin area


#21

I am still struggling to understand what the issue is exactly. Could you post a screen shot perhaps?
Again, as mentioned before you have a certificate issued by Gandi which is valid for another 11 months.

ETA: The suggested solution is to use the installed certificate provisioning through Let’s Encrypt and not attempt to use a certificate issued by a 3rd party (Gandi).


#22

Hi Alento,

I’m sorry, but I probably don’t understand the situation thoroughly enough to answer in a straightforward manner.

So I’ll ask.
Is it not a minimal requirement for MIAB to use a paid 3rd party SSL cert for MIAB to function correctly?
The reason I’m using a 3rd party cert is because I was convinced that it’s a must.

If it’s not, or it is, but not implemented the way I’m using it, then could you help me understand how to implement it correctly.

Thanks!


#23

No … well, yes … let me explain: An SSL certificate is required to secure the admin area and the webmail pages. The SSL certificate is also used by (my knowledge is weak here) either Postfix or Dovecot for secure connections to the mail server.

That said, yes, an SSL certificate must be acquired from a third party - a certificate authority. There are MANY different certificate authorities out there. It so happens that Gandi is one. There are so many others such as DigiCert, Amazon, etc.

A few years ago a non-profit initiative called Let’s Encrypt was formed with the purpose of making securing websites both easy and inexpensive. There have been many different clients created which work with Let’s Encrypt (which is a certificate authority) to issue SSL certificates simply and without cost. This has revolutionized SSL certificate issuance and usage. Anyways, that is a bit off track but some background information.

Back to Mail-in-a-Box - as an SSL certificate is required, the developers of this project have implemented one of the many Let’s Encrypt clients for the purpose of issuing the required SSL certificate. When Mail-in-a-Box is first installed, the installation procedure will automatically connect to Let’s Encrypt and request and install an SSL certificate. MOST of the time this happens flawlessly, but sometimes it fails. The usual reason that it fails is lack of propagation of DNS. There was also a time period during which some changes were made within Let’s Encrypt which caused certificate issuance to fail in MiaB. I am not sure what (if any) reason existed that an LE SSL certificate was not issued for you … or if perhaps, you may have simply replaced it manually.

My personal recommendation would be to ignore the warning in the admin area, and then sometime shortly before the expiration of the Gandi certificate, replace it. The Gandi certificate is good for another 11 months. If the warning (more on the warning itself later) bothers you, then you could replace the certificate now … but again, that would not be something I would do - but you are certainly free to do so. If you are so inclined, please be certain that you are using one of the two most recent versions of MiaB. v0.29 is of course preferred.

To replace the certificate, I think that I would SSH into the VPS, and delete the contents of the /home/user-data/ssl/ directory. Then rerun the command line sudo mailinabox. This will run through the installation process and when it reaches the SSL certificate part, will request and install an SSL certificate from Let’s Encrypt. There is a method to replace the SSL certificate from the admin area web-page, but I think that I would not do it that way with the possible uncertainty of any lingering issues from using the Gandi certificate.

Lastly, regarding the error message that you are seeing - that appears to me to be a bug within Mail-in-a-Box. I would suggest posting the details to the GitHub page for the project. When you look at the details of the certificate, the certificate is indeed issued for box.dobom.website. The error message is reporting that the certificate is issued for the issuer of the certificate - I do not know why, but I suspect that using a certificate from an outside provider is behind this. As MiaB provisions a certificate automatically through LE, I would imagine that this possibly has not been encountered before.

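Before wiping /home/user-data/ssl and re-running the installer, it is worth seeing for yourself what the installed certificate actually says, since the status page in this thread was printing the issuer name where the subject belonged. The script below is an added example, not Mail-in-a-Box's own code. It assumes OpenSSL 1.1.1 or newer is on PATH, that ssl_certificate.pem and ssl_private_key.pem under /home/user-data/ssl are the box's live files (MiaB's default names as I understand them; pass your own paths if they differ), and uses box.example.com as a placeholder hostname. With no arguments it builds a throwaway self-signed certificate and runs the same checks against that, so it can be tried anywhere. It reports subject CN and issuer CN side by side, whether the certificate is valid for the hostname, whether it is still good for the roughly two-week window in which Let's Encrypt renewal is expected, and whether the private key on disk actually belongs to the certificate (a mismatched pair is a common result of copying a third-party certificate over a key the box generated; the thread does not say that was the cause here).

```shell
#!/bin/sh
# Added example, not Mail-in-a-Box's own code.
# Assumptions: OpenSSL >= 1.1.1 on PATH; MiaB default file names below;
# box.example.com is a placeholder hostname.
set -eu

# Subject CN: the name the certificate is issued FOR.
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Issuer CN: who signed it. Printed next to the subject so a status page
# that confuses the two (as in this thread) is easy to spot.
cert_issuer_cn() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 \
        | sed -n 's/^issuer=.*CN=\([^,]*\).*/\1/p'
}

# Succeeds if the certificate is valid for the hostname (SAN or CN;
# wildcard matching is done by openssl's -checkhost).
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Succeeds if the certificate will still be valid N days from now.
# MiaB renews about two weeks before expiry, so N=14 is the useful threshold.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Succeeds if the private key belongs to the certificate (public keys match).
cert_key_match() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Constructed fixture: a throwaway self-signed cert for HOST valid DAYS days.
# Prints the temp directory holding cert.pem and key.pem.
make_demo_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" 2>/dev/null
    echo "$dir"
}

# One line per check; exit status 0 only if every check passes.
cert_report() {
    cert="$1"; key="$2"; host="$3"; ok=0
    echo "subject CN : $(cert_subject_cn "$cert")"
    echo "issuer  CN : $(cert_issuer_cn "$cert")"
    if cert_matches_host "$cert" "$host"; then echo "hostname   : matches $host"
    else echo "hostname   : does NOT match $host"; ok=1; fi
    if cert_valid_for_days "$cert" 14; then echo "expiry     : more than 14 days left"
    else echo "expiry     : expires within 14 days (or already expired)"; ok=1; fi
    if cert_key_match "$cert" "$key"; then echo "key        : matches certificate"
    else echo "key        : does NOT match certificate"; ok=1; fi
    return $ok
}

# Usage: checkcert.sh CERT KEY HOSTNAME   (no arguments: run on the fixture)
main() {
    if [ $# -eq 3 ]; then
        cert_report "$1" "$2" "$3"
    else
        d=$(make_demo_cert box.example.com 30)
        cert_report "$d/cert.pem" "$d/key.pem" box.example.com
    fi
}

main "$@"
```

On a live box you would run it as `sh checkcert.sh /home/user-data/ssl/ssl_certificate.pem /home/user-data/ssl/ssl_private_key.pem box.yourdomain.tld`. A non-zero exit tells you which of the three properties (name, remaining validity, key ownership) is off; if all three pass but the admin page still complains, the problem is in the status check rather than the certificate, which is the bug-report route suggested above.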

#24

Wow, thanks for the detailed and helpful reply!

I was ashamed to admit that I was running MIAB version 0.16 because earlier upgrades I tried always turned into a complete mess that I wasn’t able to fix. But I ran the upgrade now with no problems (after deleting the contents of the ssl folder, as you suggested).
I now have a beautiful, all green status for the box, thanks to you!

So does this mean that I don’t need to purchase another ssl certificate to use MIAB?

The only problem I’m having after upgrade is when I try to login to one of the nine mailboxes in roundcube.
I get a 504 bad gateway error, while all of the other mailboxes login immediately and work fine.
I understand that this is an issue for another topic, but wanted to put it in for the record.


A note for future upgraders:
I ran:
sudo mailinabox
then
sudo /etc/init.d/nginx reload
on v0.16 before running:
curl -s https://mailinabox.email/setup.sh | sudo bash

It may not make a difference, but thought I’d mention it just to make sure.


504 Gateway timeout when logging into RoundCube - Murgero?
#25

If the System Status Checks page is no longer showing the error that you were talking about and now shows something like
|✓|TLS (SSL) certificate is signed & valid. The certificate expires in 89 days on 04/05/19.|
you are good to go! Let’s Encrypt should attempt to renew the certificate about 2 weeks before expiration.


#26

Yes, this is an unrelated issue to this topic … but I should ask you on the 9 email accounts did you use the calendar or contacts function on any of them or perhaps ONLY on the one that you cannot log in to?


#27

Uhm, I did only import contacts to that one account, does that count as “using the contacts function”?


#28

Let’s take this to the other thread. :slight_smile: I do have a theory. If you will repost your comment about importing contacts there so others can follow along … :slight_smile:


#29

OK, thanks!
:grinning: