Letsencrypt issues

Hi, I have been reading and researching for an answer to this issue.

I am running mailinabox on a standalone, clean install. It's an old IBM eServer xSeries 306 (686 chipset), updated from Ubuntu 16 server to Ubuntu 18.04.
I do have it set up to run 2 domains.

I have rerun the install, and I have tried to register with Letsencrypt. (confirmed a cert account with update; so I know it has my email on file)

Nginx plugin: should be the installer (I think), as that is the webserver.

A TLS certificate can be automatically provisioned from Let’s Encrypt, a free TLS certificate provider, for: (the two domains, with sub domains of Autodiscover, autoconfigure, mail, mta-sts. = A records)

But when I try to “Provision” I get this:

Log:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
You should register before running non-interactively, or provide --agree-tos and --email <email_address> flags.

The tail command provides this: tail /var/log/letsencrypt/letsencrypt.log
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1234, in certonly
    le_client = _init_le_client(config, auth, installer)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 605, in _init_le_client
    acc, acme = _determine_account(config)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 518, in _determine_account
    config.email = display_ops.get_email()
  File "/usr/lib/python3/dist-packages/certbot/display/ops.py", line 57, in get_email
    raise errors.MissingCommandlineFlag(msg)
certbot.errors.MissingCommandlineFlag: You should register before running non-interactively, or provide --agree-tos and --email <email_address> flags.

===
How can I get mailinabox to realize I have registered with Let's Encrypt,
and
get an installer so the auto-renew will work?

Mail-in-a-Box does appear to be working: I have been able to set up an email account on Windows 10, and I have been able to get the mail webserver to work (but that says it's insecure).

Suggestions welcome.

Upgrade in place, or complete clean OS install?

How have you registered with Let’s Encrypt? Have you installed Certbot or Acme.sh outside of MiaB by any chance?

Run this command:

certbot register --register-unsafely-without-email --agree-tos --config-dir $STORAGE_ROOT/ssl/lets_encrypt

If you did not use a custom STORAGE_ROOT location the command will be:

certbot register --register-unsafely-without-email --agree-tos --config-dir /home/user-data/ssl/lets_encrypt

This will register a new account and your certificate provisioning should work as expected. I am not a pro with the commands for certbot, but I do believe that you can replace --register-unsafely-without-email with --email user@domain, however you would need to check with Let’s Encrypt to confirm that.
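An added check for the question above (not from this thread or the Mail-in-a-Box project): certbot keeps its ACME account under whichever --config-dir it was given, so a quick way to see where an account actually exists is to look for accounts/&lt;acme-server&gt;/directory/&lt;id&gt;/regr.json under each candidate directory. The script builds a constructed layout in a temp directory so it runs offline; the account id, the empty regr.json and the two directory names are made up, and /home/user-data/ssl/lets_encrypt and /etc/letsencrypt are the real paths you would pass on a box.

```shell
#!/bin/sh
# Added example, not Mail-in-a-Box code. Inspects certbot config directories for a
# registered ACME account without contacting Let's Encrypt.

# Succeed (exit 0) and print the account id(s) if CONFIG_DIR holds a registered
# account; certbot stores one as accounts/<acme-server>/directory/<id>/regr.json.
has_certbot_account() {
    dir="$1"
    found=0
    for regr in "$dir"/accounts/*/directory/*/regr.json; do
        [ -f "$regr" ] || continue   # unmatched glob stays literal; skip it
        found=1
        id=$(basename "$(dirname "$regr")")
        server=$(basename "$(dirname "$(dirname "$(dirname "$regr")")")")
        printf '%s: account %s at %s\n' "$dir" "$id" "$server"
    done
    [ "$found" -eq 1 ]
}

# Print one status line per directory. On a real box you would pass
# /home/user-data/ssl/lets_encrypt (MiaB's config dir) and /etc/letsencrypt
# (certbot's default, used by a certbot installed outside MiaB).
report_dirs() {
    for d in "$@"; do
        if has_certbot_account "$d" >/dev/null; then
            echo "$d: registered"
        else
            echo "$d: NO account (certbot here will ask you to register)"
        fi
    done
}

# Constructed demo: one directory with a (fake) account, one without.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/sys/accounts/acme-v02.api.letsencrypt.org/directory/deadbeef01"
    echo '{}' > "$tmp/sys/accounts/acme-v02.api.letsencrypt.org/directory/deadbeef01/regr.json"
    mkdir -p "$tmp/miab/accounts"
    report_dirs "$tmp/sys" "$tmp/miab"
    rm -rf "$tmp"
}

demo
```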

To create the Mail-in-a-Box, I started with a completely wiped hard drive, installed Ubuntu 16 server, updated it fully, then did the "do-release-upgrade". Completed the updates for 18.04,
then followed the Mail-in-a-Box setup instructions to create it.

Running this command gives this result:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
There is an existing account; registration of a duplicate account with this command is currently unsupported.

So, it looks like Let's Encrypt knows I have an account, but Mail-in-a-Box does not seem to think so.

Upgrading in place has historically created unpredictable issues, and not just for MiaB.

Agreed. Is there any reason that you did not just install Ubuntu 18.04 Server edition directly, OP? @TribalDragon

You’re probably going to have to delete the existing account and try again.

But first, the OS issue is more important. I am going to strongly suggest that you start over and install Ubuntu 18.04 LTS Server edition directly rather than doing the in place upgrade path.

One thing that is not clear to me though … is this a new install? Or are you having issues with cert renewals?

A few years ago, when I decided to keep the old servers around to use for smaller tasks, Ubuntu 18 did not install well on the chipset. If 18.04 has a 32-bit server install that works with the servers I may very well do a full wipe and clean install.
It was a clean install for Mail-in-a-Box, from 16 up to 18, then just Mail-in-a-Box installed. Very minimal packages: openssh-server and ntp are the only things added.

The box runs, other than the Let's Encrypt issue. So I was expecting to just need to sort out those issues.

System Status Checks

No reboot is necessary.

System
✓ All system services are running.
✖ The SSH server on this machine permits password-based login. A more secure way to log in is using a public key. Add your SSH public key to $HOME/.ssh/authorized_keys, check that you can log in without a password, set the option ‘PasswordAuthentication no’ in /etc/ssh/sshd_config, and then restart the openssh via ‘sudo service ssh restart’.
✓ System software is up to date.
✓ Mail-in-a-Box is up to date. You are running version v0.54.
✓ System administrator address exists as a mail alias.
✓ The disk has 429.33 GB space remaining.
✓ System memory is 76% free.
Network
✓ Firewall is active.
✓ Outbound mail (SMTP port 25) is not blocked.
✓ IP address is not blacklisted
domain 1
? Nameserver glue records (ns1.mail.domain 1 and ns2.mail.domain 1) should be configured at your domain name registrar as having the IP address of this box (########). They currently report addresses of [Not Set]/[Not Set]. If you have set up External DNS, this may be OK.
✓ Domain resolves to box’s IP address.
✓ Reverse DNS is set correctly at ISP.
✓ Hostmaster contact address exists as a mail alias.
✓ Domain’s email is directed to this domain.
✓ Postmaster contact address exists as a mail alias.
✓ Domain is not blacklisted by
✖ The TLS (SSL) certificate for this domain is currently self-signed. You will get a security warning when you check or send email and when visiting this domain in a web browser (for webmail or static site hosting).
domain 1
? The nameservers set on this domain at your domain name registrar should be ns1.mail.domain1; ns2.mail.domain1 They are currently at… If you are using External DNS, this may be OK.
✓ Domain’s email is directed to this domain.
✖ MTA-STS policy is missing: STSFetchResult.NONE
✓ Postmaster contact address exists as a mail alias.
✓ Domain is not blacklisted
✓ Domain resolves to this box’s IP address.
? No TLS (SSL) certificate is installed for this domain. Visitors to a website on this domain will get a security warning. If you are not serving a website on this domain, you do not need to take any action. Use the TLS Certificates page in the control panel to install a TLS certificate.
? This domain’s DNSSEC DS record is not set. The DS record is optional. The DS record activates DNSSEC. See below for instructions.

✓ www.domain1: Domain resolves to this box’s IP address.
? www.domain1: No TLS (SSL) certificate is installed for this domain. Visitors to a website on this domain will get a security warning. If you are not serving a website on this domain, you do not need to take any action. Use the TLS Certificates page in the control panel to install a TLS certificate.
✓ autoconfig.domain1: Domain resolves to this box’s IP address.
? autoconfig.domain1: No TLS (SSL) certificate is installed for this domain. Visitors to a website on this domain will get a security warning. If you are not serving a website on this domain, you do not need to take any action. Use the TLS Certificates page in the control panel to install a TLS certificate.
✓ autodiscover.domain1: Domain resolves to this box’s IP address.
? autodiscover.domain1: No TLS (SSL) certificate is installed for this domain. Visitors to a website on this domain will get a security warning. If you are not serving a website on this domain, you do not need to take any action. Use the TLS Certificates page in the control panel to install a TLS certificate.
domain2
? The nameservers set on this domain at your domain name registrar should be ns1.mail.domain1; ns2.mail.domain1. They are currently … If you are using External DNS, this may be OK.
✓ Domain’s email is directed to this domain.
✖ MTA-STS policy is missing: STSFetchResult.NONE
✓ Postmaster contact address exists as a mail alias.
✓ Domain is not blacklisted
✓ Domain resolves to this box’s IP address.
? No TLS (SSL) certificate is installed for this domain. Visitors to a website on this domain will get a security warning. If you are not serving a website on this domain, you do not need to take any action. Use the TLS Certificates page in the control panel to install a TLS certificate.
? This domain’s DNSSEC DS record is not set. The DS record is optional. The DS record activates DNSSEC. See below for instructions.

✓ www.domain2: Domain resolves to this box’s IP address.
? www.domain2: No TLS (SSL) certificate is installed for this domain. Visitors to a website on this domain will get a security warning. If you are not serving a website on this domain, you do not need to take any action. Use the TLS Certificates page in the control panel to install a TLS certificate.
✓ autoconfig.domain2: Domain resolves to this box’s IP address.
? autoconfig.domain2: No TLS (SSL) certificate is installed for this domain. Visitors to a website on this domain will get a security warning. If you are not serving a website on this domain, you do not need to take any action. Use the TLS Certificates page in the control panel to install a TLS certificate.
✓ autodiscover.domain2: Domain resolves to this box’s IP address.
? autodiscover.domain2: No TLS (SSL) certificate is installed for this domain. Visitors to a website on this domain will get a security warning. If you are not serving a website on this domain, you do not need to take any action. Use the TLS Certificates page in the control panel to install a TLS certificate.

===
I will continue to configure MTA-STS once I know the SSL certs are in working order, and deal with the "glue" and DNSSEC as well.

So it should be just a case of getting Let's Encrypt to install the SSL certs and auto-renew for the box to work just fine.

I have 3 of these old servers, almost identical other than a bit less memory in #3.
I am trying the "net install" ISO for Ubuntu 18.04 on #3 to see if there are any differences in installation.

Good morning.
I used the 3rd server to do a full fresh install of Ubuntu 18.04; I found the "net install" ISO on the archived 18.04 server page.
It happily went and found a very minimal install script that I followed.
Added openssh-server so I could remote log in.
Added curl (it was not installed by default).
Grabbed a wget of mailinabox.
Followed the installation instructions.
Once the A records propagated, everything came online.
Hit the provision button to install the SSL certs.

Everything worked as expected this time; certs last 89 days, and the button reads "replace certificate" (grey).

thanks for the suggestions.