Letsencrypt expired, and dns errors


#1

Hi guys,

Two issues just experienced.

  1. I suddenly cannot access the HTTPS interface due to a note that says my “letsencrypt” expired on 12/12. What do I do?

  2. I was able to upgrade one version up to the new one, and it popped up the following message. What do I do?

I masked my domain name with XXXXX. The email client is working, but not the web client, due to TLS…

Thanks in advance.

web updated
No TLS certificates could be provisoned at this time:

box.xxxx.com: DNS isn’t configured properly for this domain: DNS resolution failed (A: All nameservers failed to answer the query box.f2f10.com. IN A: Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered SERVFAIL).
xxxx.com: DNS isn’t configured properly for this domain: DNS resolution failed (A: All nameservers failed to answer the query f2f10.com. IN A: Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered SERVFAIL).


Your Mail-in-a-Box is running.


#2

Hello miabatf2f10,

I have seen something similar to this when I was building a new MiaB VM last weekend. Here are the things I did to resolve it.

First, I checked with the company that hosts my dedicated server to see if they block port 53 UDP and TCP. In my case they did not, and I ran a test to see where the block was, and found it on my VM.

Second (this is where I found my issue): for some reason the DNS server that ran on my new MiaB VM was running on the wrong port, something in the 2000+ range. I ran sudo netstat -lp on the VM to see what was running on port 53, and found nothing. To correct it I had to remove the installed DNS server using apt-get uninstall (service) and then rerun the MiaB install to reinstall. I’m not sure what DNS server MiaB uses at the moment, and can’t check from work (SSH is blocked), but after doing that these errors went away.

I suspect your SSL issues all come back to your DNS issues. If Letsencrypt can’t resolve your domain name it can’t create an SSL cert for you.

Let me know if that helps, or if you need more assistance.
Chess


#3

Thanks cwilkins for the reply…

However, the following is my output… do you see if it is what it should be?

@box:~$ sudo netstat -plnt | grep named
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 7654/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 7654/named
@box:~$ sudo netstat -plnu | grep named
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
udp 0 0 127.0.0.1:53 0.0.0.0:* 7654/named


#4

here’s another output…
@box:~$ sudo mailinabox/management/status_checks.py

System

:heavy_multiplication_x: SSH Login (ssh) is running but is not publicly accessible at xxxxxxx:22.
:heavy_multiplication_x: Public DNS (nsd4) is not running (port 53).
:heavy_multiplication_x: Incoming Mail (SMTP/postfix) is running but is not publicly accessible at xxxx:25.
:heavy_multiplication_x: Outgoing Mail (SMTP 587/postfix) is running but is not publicly accessible at xxxxxxx:587.
:heavy_multiplication_x: IMAPS (dovecot) is running but is not publicly accessible at xxxxx:993.
:heavy_multiplication_x: Mail Filters (Sieve/dovecot) is running but is not publicly accessible at xxxxx:4190.
:heavy_multiplication_x: HTTP Web (nginx) is running but is not publicly accessible at xxxxxxx:80.
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
:heavy_multiplication_x: HTTPS Web (nginx) is running but is not publicly accessible at xxxxxx:443.
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Network

✓ Firewall is active.
✓ Outbound mail (SMTP port 25) is not blocked.
✓ IP address is not blacklisted by zen.spamhaus.org.


#5

@miabatf2f10 - Please confirm ufw is NOT installed and if it is disable it (ufw disable) and reboot.

Also check that iptables is not denying inbound connections to those ports.


#6

sudo ufw status
Status: active

To Action From


22 ALLOW Anywhere
53 ALLOW Anywhere
25/tcp ALLOW Anywhere
587 ALLOW Anywhere
993 ALLOW Anywhere
995 ALLOW Anywhere
4190/tcp ALLOW Anywhere
80 ALLOW Anywhere
443 ALLOW Anywhere


#7

So, murgero, I have to have ufw disabled???


#8

I temporarily tried disabling ufw and rebooted; however, it seems still…

sudo mailinabox/management/status_checks.py

System

:heavy_multiplication_x: SSH Login (ssh) is running but is not publicly accessible at 76.10.176.225:22.
:heavy_multiplication_x: Public DNS (nsd4) is not running (port 53).


#9

That is your issue. Now how we fix it is another matter. I compared your netstat to mine, and it is very similar to mine, so we know it is running and on the proper port.

Ok time for a few questions.

  1. Is there another firewall between this server and the internet?
  2. Does this server have a Public IP or a NAT/Private IP?
  3. Did this setup ever work, or has this error been there for quite a while?

From what the list of errors shows, I am suspecting this is a NAT/firewall issue and not an issue on the MiaB server.


#10

hi cwilkins,

It has been working for so long… the setup is like this…

Firewall at my house with OPNsense allowing all necessary ports back from the public IP to my MiaB private IP. MiaB is running in an LXC container on 14.04; the host of the LXC is Ubuntu 16.04.

It just showed that the cert expired on Dec 12, and it then shows these DNS things…


#11

SSH Login (ssh) is running but is not publicly accessible at 76.10.176.225:22.

Ok, are you able to SSH into the server? I could not hit that IP using SSH, so this is looking more and more like a firewall issue.

I can get to the webpage for your MiaB server (76.10.176.225) so port 80 is up on the web, but when I do an nslookup no DNS server is responding to that request.

When I try to ping your domain, I get the proper IP, but no reply.

Where is this server hosted?


#12

I also have my ISP statically set up two name servers pointing back to my box as well… for the reverse record…


#13

It’s intended for no SSH from public (my OPNsense firewall setting)…


#14

Ok. Stop working on the MiaB. That is not the issue. Let's go and take a look at your OPNsense firewall. This is a fork of pfSense if I recall correctly. Could be the other way around. I use pfSense on my dedicated server with MiaB behind it.

Your port 80 rule is correct. So show me your rules for SSH and DNS.


#15

@box:~$ sudo netstat -plnt | grep ':53'
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 4511/named
tcp 0 0 192.168.140.253:53 0.0.0.0:* LISTEN -
@box:~$ sudo mailinabox/management/status_checks.py

System

:heavy_multiplication_x: SSH Login (ssh) is running but is not publicly accessible at 76.10.176.225:22.
:heavy_multiplication_x: Public DNS (nsd4) is not running (port 53).
:heavy_multiplication_x: Incoming Mail (SMTP/postfix) is running but is not publicly accessible at 76.10.176.225:25.
:heavy_multiplication_x: Outgoing Mail (SMTP 587/postfix) is running but is not publicly accessible at 76.10.176.225:587.
:heavy_multiplication_x: IMAPS (dovecot) is running but is not publicly accessible at 76.10.176.225:993.
:heavy_multiplication_x: Mail Filters (Sieve/dovecot) is running but is not publicly accessible at 76.10.176.225:4190.
:heavy_multiplication_x: HTTP Web (nginx) is running but is not publicly accessible at 76.10.176.225:80.
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
:heavy_multiplication_x: HTTPS Web (nginx) is running but is not publicly accessible at 76.10.176.225:443.
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
✓ SSH disallows password-based login.
✓ System software is up to date.
? Mail-in-a-Box version check disabled by privacy setting.
✓ System administrator address exists as a mail alias. [administrator@box.f2f10.com ↦ co-traveler@f2f10.com]
✓ The disk has 166.28 GB space remaining.
✓ System memory is 98% free.


#16

It seems that we have a service running on port 53, so why does the status message show that no NSD is running on port 53?
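The netstat output pasted in this thread was filtered with `-plnt` only (TCP), and the one listener on the LAN address shows `-` for the program, so the paste does not show whether anything serves DNS over UDP on 192.168.140.253. Authoritative DNS is answered mostly over UDP, so that is the first thing to confirm. The script below is an added diagnostic example (not Mail-in-a-Box code): it parses `netstat -plnt` / `netstat -plnu` lines and separates loopback-only port-53 sockets, which can only serve the box itself, from sockets bound to a routable address. The sample input is constructed from posts #3 and #15 with one made-up pid.

```python
"""Which sockets listen on the DNS port, and on which addresses?

Added diagnostic example for this thread (not Mail-in-a-Box code). It parses
`netstat -plnt` / `netstat -plnu` output and separates loopback-only
listeners from listeners bound to a routable address.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# One data line of Linux net-tools `netstat -pln{t,u}` output.  UDP lines have
# no State column, so that field is optional; Program is "pid/name" or "-".
NETSTAT_LINE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<program>\S+)\s*$"
)


@dataclass(frozen=True)
class Listener:
    proto: str     # "tcp" or "udp"
    address: str   # bound IP: "127.0.0.1", "192.168.140.253", "0.0.0.0", ...
    port: int
    program: str   # "pid/name" as netstat prints it, or "-" if not identified


def parse_netstat(text: str) -> List[Listener]:
    """Return every listening socket found in netstat output; skip noise lines."""
    found = []
    for raw in text.splitlines():
        m = NETSTAT_LINE.match(raw.strip())
        if not m:
            continue  # column headers and the "(Not all processes ...)" warning
        address, _, port = m.group("local").rpartition(":")
        found.append(Listener(m.group("proto").rstrip("6"), address,
                              int(port), m.group("program")))
    return found


def is_loopback(address: str) -> bool:
    return address.startswith("127.") or address == "::1"


def audit_dns_port(listeners: List[Listener], port: int = 53) -> Dict[str, object]:
    """Summarise port-53 listeners.  A socket bound only to 127.0.0.1 is a local
    resolver and can never answer queries arriving on the LAN/public address."""
    on_port = [s for s in listeners if s.port == port]
    loopback = sorted({(s.proto, s.address, s.program)
                       for s in on_port if is_loopback(s.address)})
    reachable = sorted({(s.proto, s.address, s.program)
                        for s in on_port if not is_loopback(s.address)})
    return {
        "loopback": loopback,
        "reachable": reachable,
        # Authoritative DNS is served mostly over UDP; a TCP socket alone is not enough.
        "tcp_public_ok": any(p == "tcp" for p, _, _ in reachable),
        "udp_public_ok": any(p == "udp" for p, _, _ in reachable),
    }


# Constructed sample: the lines from posts #3 and #15 above, with one made-up
# pid (7654) used throughout so the sample is self-consistent.
SAMPLE_NETSTAT = """\
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 7654/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 7654/named
tcp 0 0 192.168.140.253:53 0.0.0.0:* LISTEN -
udp 0 0 127.0.0.1:53 0.0.0.0:* 7654/named
"""

if __name__ == "__main__":
    report = audit_dns_port(parse_netstat(SAMPLE_NETSTAT))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample, `udp_public_ok` comes out False because no UDP socket on the LAN address appears in what was pasted; running the script on the real `netstat -plnu` output of the box is the way to settle it. Note that nsd and named (BIND) are different programs, so a `named` process on 127.0.0.1 says nothing about whether the public DNS server is up.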


#17

Proto          Source                          Port   Destination       Port             Gateway   Schedule   Description
*              RFC 1918 networks               *      *                 *                *                    Block private networks
*              Reserved/not assigned by IANA   *      *                 *                *                    Block bogon networks
IPv4 TCP       *                               *      192.168.140.253   80 (HTTP)        *                    NAT
IPv4 TCP       *                               *      192.168.140.253   443 (HTTPS)      *                    NAT
IPv4 TCP/UDP   *                               *      192.168.140.250   1194 (OpenVPN)   *                    NAT
IPv4 TCP       *                               *      192.168.140.253   53 (DNS)         *                    NAT
IPv4 TCP       *                               *      192.168.140.253   25 (SMTP)        *                    NAT
IPv4 UDP       *                               *      192.168.140.253   53 (DNS)         *                    NAT

#18

These are my OPNsense rules for WAN traffic coming to this MiaB box on its internal IP…
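A quick way to cross-check a rule list like the one above against the status report is to extract every port the status script complained about and see which of them have no NAT forward to the box. The script below is an added example (not Mail-in-a-Box or OPNsense code). It assumes the rule rows are pasted tab-separated in the column order of the OPNsense rule table (Proto, Source, Port, Destination, Port, Gateway, Schedule, Description) and that every flagged service is TCP except DNS, which needs TCP and UDP; the sample inputs are constructed from the status output in post #15 and the rules in post #17, with port 22 excluded because post #13 says SSH is blocked on purpose.

```python
"""Cross-check a status_checks.py report against a list of WAN NAT rules.

Added example for this thread (not Mail-in-a-Box or OPNsense code). It reads
the ports the status script complained about and the port forwards in the
rule list, and reports flagged ports that have no forward to the box.
"""
import re
from typing import Dict, FrozenSet, List, Set, Tuple

# "... is running but is not publicly accessible at 1.2.3.4:993."
NOT_ACCESSIBLE = re.compile(r"not publicly accessible at \S+?:(\d+)\.")
# "Public DNS (nsd4) is not running (port 53)."
NOT_RUNNING = re.compile(r"is not running \(port (\d+)\)")

# Transport per port; everything not listed is assumed to be TCP only.
PROTOS_FOR_PORT: Dict[int, Set[str]] = {53: {"tcp", "udp"}}


def ports_flagged(status_text: str) -> Set[int]:
    """Ports that status_checks.py reported as not reachable or not running."""
    ports = set()
    for line in status_text.splitlines():
        m = NOT_ACCESSIBLE.search(line) or NOT_RUNNING.search(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def forwards_from_rules(rules_text: str) -> Set[Tuple[str, int, str]]:
    """(destination IP, port, proto) for each NAT row.  Rows are tab-separated
    in the assumed column order; block rules carry no IPv4/IPv6 proto and are skipped."""
    forwards = set()
    for raw in rules_text.splitlines():
        fields = [f.strip() for f in raw.split("\t") if f.strip()]
        if len(fields) < 5 or not fields[0].startswith("IPv"):
            continue
        _, protos = fields[0].split(None, 1)   # "IPv4 TCP/UDP" -> "TCP/UDP"
        dest = fields[3]
        port = int(fields[4].split()[0])       # "80 (HTTP)" -> 80
        for proto in protos.lower().split("/"):
            forwards.add((dest, port, proto))
    return forwards


def missing_forwards(status_text: str, rules_text: str, box_ip: str,
                     intentionally_closed: FrozenSet[int] = frozenset()) -> List[Tuple[int, str]]:
    """Flagged (port, proto) pairs with no NAT forward to box_ip, sorted by port."""
    have = forwards_from_rules(rules_text)
    missing = []
    for port in sorted(ports_flagged(status_text) - set(intentionally_closed)):
        for proto in sorted(PROTOS_FOR_PORT.get(port, {"tcp"})):
            if (box_ip, port, proto) not in have:
                missing.append((port, proto))
    return missing


# Constructed sample: the status lines from post #15 above.
SAMPLE_STATUS = """\
:heavy_multiplication_x: SSH Login (ssh) is running but is not publicly accessible at 76.10.176.225:22.
:heavy_multiplication_x: Public DNS (nsd4) is not running (port 53).
:heavy_multiplication_x: Incoming Mail (SMTP/postfix) is running but is not publicly accessible at 76.10.176.225:25.
:heavy_multiplication_x: Outgoing Mail (SMTP 587/postfix) is running but is not publicly accessible at 76.10.176.225:587.
:heavy_multiplication_x: IMAPS (dovecot) is running but is not publicly accessible at 76.10.176.225:993.
:heavy_multiplication_x: Mail Filters (Sieve/dovecot) is running but is not publicly accessible at 76.10.176.225:4190.
:heavy_multiplication_x: HTTP Web (nginx) is running but is not publicly accessible at 76.10.176.225:80.
:heavy_multiplication_x: HTTPS Web (nginx) is running but is not publicly accessible at 76.10.176.225:443.
"""

# Constructed sample: the rule rows from post #17, tab-separated.
SAMPLE_RULES = "\n".join("\t".join(row) for row in [
    ["*", "RFC 1918 networks", "*", "*", "*", "*", "", "Block private networks"],
    ["*", "Reserved/not assigned by IANA", "*", "*", "*", "*", "", "Block bogon networks"],
    ["IPv4 TCP", "*", "*", "192.168.140.253", "80 (HTTP)", "*", "", "NAT"],
    ["IPv4 TCP", "*", "*", "192.168.140.253", "443 (HTTPS)", "*", "", "NAT"],
    ["IPv4 TCP/UDP", "*", "*", "192.168.140.250", "1194 (OpenVPN)", "*", "", "NAT"],
    ["IPv4 TCP", "*", "*", "192.168.140.253", "53 (DNS)", "*", "", "NAT"],
    ["IPv4 TCP", "*", "*", "192.168.140.253", "25 (SMTP)", "*", "", "NAT"],
    ["IPv4 UDP", "*", "*", "192.168.140.253", "53 (DNS)", "*", "", "NAT"],
])

if __name__ == "__main__":
    for port, proto in missing_forwards(SAMPLE_STATUS, SAMPLE_RULES,
                                        "192.168.140.253", frozenset({22})):
        print(f"no forward to the box for {port}/{proto}")
```

On these samples the check reports 587/tcp, 993/tcp and 4190/tcp as having no forward, which matches three of the "not publicly accessible" lines. The converse does not hold: a forward that is present (80, 443, 25, 53 here) is not proof of reachability, so the ports the script does not list still need the kind of external test described in post #11.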


#19

Are nsd4 and named the same thing? If so, why does one message from netstat show it works, while the status-checking script says it is not running on port 53?


#20

That looks ok too.

Ok, I can understand why you’d block SSH. I’d do it if I could too.

It looks like I can see something on port 53 when I telnet to it. Ok, if you are running this virtually, take a snapshot of the box, and then remove the DNS server from the MiaB setup. Then check to see if anything is running on port 53 before rerunning the MiaB setup so that it sets it up again. Let's see if that gets us back to a running config.