So I’m stuck and am not sure what the issue is.
I did a fresh miab setup yesterday on a fresh domain and allowed the miab server to handle the DNS duties for the domain, as per the guide.
On setup I imported the private keys for SSL using the web interface. When I checked, all was working fine with the domain being used, and I could access all the services running on the miab host.
However, after having to reboot the Proxmox server this is running on, nginx will no longer start; it spits out the following error:
I have checked the key and it seems fine. It has not changed since I installed the domain certificates, and it contains the private keys in use for all the domains. I checked the CSR and it too is the one I used to generate the SSL certs with Gandi and StartSSL.
I have run the following commands to check the moduli:
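The "key values mismatch" error nginx reports means X509_check_private_key() found that the public key inside the certificate does not correspond to the private key in the file nginx was handed, so the check worth scripting is exactly that comparison. The script below is an added example written for this thread, not the poster's commands and not part of Mail-in-a-Box; it assumes only the openssl CLI. Rather than comparing RSA moduli by hand, it hashes the DER SubjectPublicKeyInfo from both the certificate and the private key (which also works for EC keys), and it can sweep a directory of certificates against one key, which is the situation here with one ssl_private_key.pem shared by several domains. The file paths and the example.invalid subject are placeholders; the fixture generator exists only so the check can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original thread): verify that a PEM private key
# matches an X.509 certificate, i.e. the check behind nginx's
# "X509_check_private_key:key values mismatch" error.
# Assumes the `openssl` CLI is installed. All paths below are placeholders.
set -u

# Print the SHA-256 of the certificate's SubjectPublicKeyInfo (DER form).
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Print the SHA-256 of the public key derived from a private key.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 if the private key matches the certificate, 1 otherwise.
# An unreadable file yields an empty fingerprint and therefore a mismatch.
check_key_matches_cert() {
    cert="$1"; key="$2"
    cfp=$(cert_pubkey_fp "$cert")
    kfp=$(key_pubkey_fp "$key")
    [ -n "$cfp" ] && [ "$cfp" = "$kfp" ]
}

# Check every *.pem certificate under a directory against one private key,
# printing one line per file. Returns 0 only if all of them match.
# (Mail-in-a-Box keeps its key as ssl_private_key.pem next to the certs;
# that layout is assumed here, and the key file itself is skipped.)
check_dir() {
    key="$1"; dir="$2"; rc=0
    for c in "$dir"/*.pem; do
        [ -f "$c" ] || continue
        case "$c" in *ssl_private_key.pem) continue ;; esac
        if check_key_matches_cert "$c" "$key"; then
            echo "MATCH    $c"
        else
            echo "MISMATCH $c"; rc=1
        fi
    done
    return "$rc"
}

# Constructed test material: one key with a matching self-signed cert, plus
# a second unrelated key, so both outcomes of the check can be exercised.
make_fixture() {
    d="$1"; mkdir -p "$d/certs"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/key.pem" 2>/dev/null
    openssl req -new -x509 -key "$d/key.pem" -days 1 \
        -subj "/CN=example.invalid" -out "$d/certs/box.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/other_key.pem" 2>/dev/null
}

# Usage: ./check_keypair.sh /path/to/cert.pem /path/to/private_key.pem
if [ "$#" -eq 2 ]; then
    if check_key_matches_cert "$1" "$2"; then
        echo "key matches certificate"
    else
        echo "KEY/CERT MISMATCH" >&2; exit 1
    fi
fi
```

Run it as `sh check_keypair.sh /home/user-data/ssl/ssl_certificate.pem /home/user-data/ssl/ssl_private_key.pem` (or call check_dir on the whole ssl directory) before touching nginx: if it reports a mismatch, nginx's emerg message is accurate and the key file really does not belong to that certificate, which is cheaper to establish than re-importing everything.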
As requested, status_checks.py output:
sudo python3 management/status_checks.py
System
======
✖ HTTP Web (nginx) is not running ([Errno 111] Connection refused; port 80).
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/home/user-data/ssl/ssl_private_key.pem") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed
✖ HTTPS Web (nginx) is not running ([Errno 111] Connection refused; port 443).
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/home/user-data/ssl/ssl_private_key.pem") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed
✖ The SSH server on this machine permits password-based login. A more secure way to log in is using a public key. Add your SSH public key to
$HOME/.ssh/authorized_keys, check that you can log in without a password, set the option 'PasswordAuthentication no' in /etc/ssh/sshd_config, and then
restart the openssh via 'sudo service ssh restart'.
✖ There are 1 software packages that can be updated.
linux-firmware (1.127.16)
✓ System administrator address exists as a mail alias. [administrator@xxxxxxxx ↦ xxxx@xxxxxxx]
✓ The disk has 950.2 GB space remaining.
Network
=======
✓ Outbound mail (SMTP port 25) is not blocked.
✓ IP address is not blacklisted by zen.spamhaus.org.
<Server Host>
================
✓ Nameserver glue records are correct at registrar. [xxxxxxxxxxx ↦ 176.x.x.x]
✓ Domain resolves to box's IP address. [xxxxxxxxxxxxxx ↦ 176.x.x.x]
✓ Reverse DNS is set correctly at ISP. [176.x.x.x ↦ xxxxxxxxxxxxxxxxxx]
✓ The DANE TLSA record for incoming mail is correct (_25._tcp.xxxxxxxxxxxxxxxxxx).
✓ Hostmaster contact address exists as a mail alias. [hostmaster@xxxxxxxxxxxxx ↦ administrator@xxxxxxxxxxxxxxxx]
✓ Domain's email is directed to this domain. [xxxxxxxxxxxxxxxxx ↦ 10 xxxxxxxxxxxxxxxxxxxxxx]
✓ Postmaster contact address exists as a mail alias. [postmaster@xxxxxxxxxxxxx ↦ administrator@xxxxxxxxxxxxxxxx]
✓ Domain is not blacklisted by dbl.spamhaus.org.
✓ SSL certificate is signed & valid. The certificate expires in 365 days on 10/28/16.
Domain1
============
✓ DNSSEC 'DS' record is set correctly at registrar.
✓ Nameservers are set correctly at registrar. [ns1.xxxxxxxxxxxxxxxx; ns2.xxxxxxxxxxxxxxxx]
✓ Domain's email is directed to this domain. [Domain1 ↦ 10 xxxxxxxxxxxxxxxx]
✓ Postmaster contact address exists as a mail alias. [postmaster@xxxxxxxxxxx ↦ administrator@xxxxxxxxxxxxx]
✓ Domain is not blacklisted by dbl.spamhaus.org.
✓ Domain resolves to this box's IP address. [xxxxxxxxxxxxxx ↦ 176.x.x.x]
✓ SSL certificate is signed & valid. The certificate expires in 364 days on 10/28/16.
www.Domain1
================
✓ Domain resolves to this box's IP address. [www.xxxxxxxxxxxxxxxxx ↦ 176.x.x.x]
✓ SSL certificate is signed & valid. Using multi/wildcard certificate of Domain1. The certificate expires in 364 days on 10/28/16.
Domain2
============
✓ DNSSEC 'DS' record is set correctly at registrar.
✖ The nameservers set on this domain are incorrect. They are currently [Not Set]. Use your domain name registrar's control panel to set the nameservers to
ns1.xxxxxxxxxxx; ns2.xxxxxxxxxxxxxxxxxxxxxxxx.
✖ This domain's DNS MX record is not set. It should be '10 box.xxxxxxxxxxxxxxx'. Mail will not be delivered to this box. It may take several hours for public DNS
to update after a change. This problem may result from other issues listed here.
✓ Postmaster contact address exists as a mail alias. [postmaster@xxxxxxxxxxxxxxxx ↦ administrator@xxxxxxxxxxxxxxxxxxxx]
✓ Domain is not blacklisted by dbl.spamhaus.org.
✖ This domain should resolve to your box's IP address (176.x.x.x) if you would like the box to serve webmail or a website on this domain. The domain
currently resolves to [Not Set] in public DNS. It may take several hours for public DNS to update after a change. This problem may result from other issues
listed here.
✓ SSL certificate is signed & valid. The certificate expires in 364 days on 10/28/16.
www.Domain2
================
✖ This domain should resolve to your box's IP address (176.x.x.x) if you would like the box to serve webmail or a website on this domain. The domain
currently resolves to [Not Set] in public DNS. It may take several hours for public DNS to update after a change. This problem may result from other issues
listed here.
✓ SSL certificate is signed & valid. Using multi/wildcard certificate of Domain2. The certificate expires in 364 days on 10/28/16.
I can also confirm that I have made no manual changes to the SSL certs.
I think that means nginx is already configured the way it should be.
I don’t know. Maybe there is something wrong with the certificate, even though the box’s status checks don’t think so.
I would back up /home/user-data/ssl, delete the whole directory, and then run sudo mailinabox to have it re-create all of the basic SSL things, and then try the control panel’s instructions again, possibly using a different SSL certificate provider (folks here have suggested WoSign).
I copied the old ssl folder to ssl_old, then deleted everything in the /home/user-data/ssl folder and copied my original private key from my ssl_old backup to the ssl folder.
I then cd’d to ~/mailinabox/setup and ran sudo mailinabox
This regenerated the certs, and it seems that some of my certs are now working; others it reports are self-signed, so I need to re-import them later when I get a chance.
Will confirm if this fixes my issue later tonight.