Failed SSL Cert req...
 
Notifications
Clear all

[Solved] Failed SSL Cert request from Admin UI

32 Posts
6 Users
1 Reactions
3,307 Views
(@uk_simon)
Joined: 1 year ago
Posts: 36
Topic starter  

Firstly, what a joy to be able to retrieve and deploy a letsencrypt cert from the admin console 😎 , great job! (although not yet working for me).

I followed Shariful Islam's useful article https://community.zextras.com/how-to-configure-lets-encrypt-ssl-certificate-for-multiple-domains-in-multi-tenant-carbonio-using-admin-ui-carbonio-ce/

and I change zimbraReverseProxyMailMode to redirect, however certbot tries to download http://my.domain.com/.well-known/acme-challenge/zcmhlMpnWUmK........   and (with UFW & fail2ban disabled) the Connection is refused.

In fact any url that is not https is blocked not redirected.

Could anyone tell me what I have missed


   
Quote
(@anahuac)
Joined: 1 year ago
Posts: 325
 

It is awesome indeed... but there are some considerations... I wrote two articles about it that you may find interesting:

Let’s Encrypt on Carbonio – System Root with ACME.sh

and

Let’s Encrypt on Carbonio – Easy as never before

 

Enjoy

 


   
ReplyQuote
(@uk_simon)
Joined: 1 year ago
Posts: 36
Topic starter  

@anahuac I have read your articles but whilst used acme.sh on my zimbra server, I wanted to use the Admin UI.

Also, I imagine that the acme challenge would still have the same problem

any ideas as to why Ubuntu is rejecting http? 


   
ReplyQuote
(@anahuac)
Joined: 1 year ago
Posts: 325
 

As I explain on my article the problem with certificates generated on Admin UI is that they don't apply to Carbonio's core parts, meaning most e-mail clients will fail to connect complaining about the sefl-signed certificate.

The Admin UI Certificate is handy to virtualdomains and even then you must set a cronjob to renew it.

About port 80 being blocked, I don't think is has nothing todo with Ubuntu but with with Carbonio only enable 443 by default.

try this

zmprov ms `zmhostname` zimbraReverseProxyMailMode redirect
zmcontrol restart

 

 


   
ReplyQuote
(@stefanodavid)
Joined: 3 years ago
Posts: 227
 

Posted by: @anahuac

 

About port 80 being blocked, I don't think is has nothing todo with Ubuntu but with with Carbonio only enable 443 by default.

try this

zmprov ms `zmhostname` zimbraReverseProxyMailMode redirect
zmcontrol restart

This command is also present in the howto written oin the docs: https://docs.zextras.com/carbonio-ce/html/adminpanel/domains.html#procedure-to-install-a-let-s-encrypt-certificate and it is a strict requirement because certbot communicates over port 80, AFAIK.

As a side note, please do not use the bacticks (`zmhostname`) mechanism to retrieve/use the output of a command, but the $(zmhostname) form, because the former may lead to unwanted side-effects itf there are uncommon characters in the hostname (unlikely in the case of a hostname, but you'll never know!).

 

 

 


   
ReplyQuote
(@uk_simon)
Joined: 1 year ago
Posts: 36
Topic starter  

@stefanodavid 

As I said in the origial post, I had set the zimbraReverseProxyMailMode to redirect as I was following the article you referred to above, the problem I think was that I did not notice the output from /opt/zextras/libexec/zmproxyconfgen;

2023-12-11 09:45:03,895 [main] WARN : Invalid value found in 'zimbraReverseProxy AvailableLookupTargets': myhostname

Do you think that zmproxyconfgen is picking up myhostname when it should be picking up myhostname.com(FQDN)?

This post was modified 1 year ago by UK_Simon

   
ReplyQuote
(@stefanodavid)
Joined: 3 years ago
Posts: 227
 

@uk_simon 

No idea, sorry... 😕 I'm going to make some tests as soon as I find some time... it may take a while.

In general the command that you find on the docs have always been tested by me or by my colleagues, so it may be a bit difficult to understand why they fail. And in case the problem is reproducible, we'll add a new troubleshooting element in the docs.

 


   
ReplyQuote
(@sharif)
Admin
Joined: 3 years ago
Posts: 591
 

@uk_simon 

Hi,

Sorry to hear about your trouble.

If I check my test server, I found below configuration and the SSL is working:

zextras@mail:~$ zmprov gs `zmhostname` zimbraReverseProxyAvailableLookupTargets
# name mail.latestserver.xyz
zimbraReverseProxyAvailableLookupTargets: mail.latestserver.xyz

zextras@mail:~$

Could you please share a summarized version of what you have done to install the Let's Encrypt, including your OS version, and Carbonio CE version?

Basically what we do is:

1. Set Virtual Hostname
2. Restart the proxy service
3. Setting the reverse proxy mail mode to redirect by carbonio prov ms $(hostname) zimbraReverseProxyMailMode redirect
4. Upload and verify the certificate
5. Restart proxy service.
 
Reload the browser.

Let's dig into this issue.

Thanks and regards,

Sharif

 


   
ReplyQuote
(@sharif)
Admin
Joined: 3 years ago
Posts: 591
 

@uk_simon 

Hi,

Sorry to hear about your trouble.

If I check my test server, I found below configuration and the SSL is working:

zextras@mail:~$ zmprov gs `zmhostname` zimbraReverseProxyAvailableLookupTargets
# name mail.latestserver.xyz
zimbraReverseProxyAvailableLookupTargets: mail.latestserver.xyz

zextras@mail:~$

Could you please share a summarized version of what you have done to install the Let's Encrypt, including your OS version, and Carbonio CE version?

Basically what we do is:

1. Set Virtual Hostname
2. Restart the proxy service
3. Setting the reverse proxy mail mode to redirect by carbonio prov ms $(hostname) zimbraReverseProxyMailMode redirect
4. Upload and verify the certificate
5. Restart proxy service.
 
Reload the browser.

Let's dig into this issue.

Thanks and regards,

Sharif

 


   
ReplyQuote
(@uk_simon)
Joined: 1 year ago
Posts: 36
Topic starter  

@sharif I have the latest version of carbonio which includes letsencrypt and certbot.

 

Here is the output, somewhat confirming my theory;

zextras@mydomain:~$ zmprov gs `zmhostname` zimbraReverseProxyAvailableLookupTargets
# name mydomain.com
zimbraReverseProxyAvailableLookupTargets: mydomain (not FQDN)


   
ReplyQuote
(@imsilsa)
Joined: 3 years ago
Posts: 5
 

@uk_simon 

Hi,

You can change the value of zimbraReverseProxyAvailableLookupTargets by

zextras@mail:~$ carbonio prov ms `zmhostname` zimbraReverseProxyAvailableLookupTargets mail.latestserver.xyz
zextras@mail:~$

But frankly, it should be set automatically, so we must understand what we missed. Also, the server hostname (FQDN) is set as a value to a few other fields like:

zextras@mail:~$ carbonio prov gs `zmhostname` | grep -i mail.zextras.xyz
# name mail.zextras.xyz
cn: mail.zextras.xyz
zimbraReverseProxyUpstreamEwsServers: mail.zextras.xyz
zimbraServiceHostname: mail.zextras.xyz
zextras@mail:~$

zextras@mail:~$ carbonio prov gacf | grep -i mail.zextras.xyz
zimbraPublicServiceHostname: mail.zextras.xyz
zimbraReverseProxyAvailableLookupTargets: mail.zextras.xyz
zimbraReverseProxyUpstreamEwsServers: mail.zextras.xyz
zextras@mail:~$

So, changing it manually is not the best way.

Is it a fresh installation or degradation?

 

Thanks and regards,

Sharif


   
ReplyQuote
(@uk_simon)
Joined: 1 year ago
Posts: 36
Topic starter  

Fresh install;

Distributor ID: Ubuntu
Description: Ubuntu 20.04.6 LTS
Release: 20.04
Codename: focal
Carbonio Release 23.11.0


   
ReplyQuote
(@uk_simon)
Joined: 1 year ago
Posts: 36
Topic starter  

OK the output of carbonio prov gs `zmhostname` | grep -i mail.zextras.xyz looks good

# name mail.zextras.xyz
cn: mail.zextras.xyz
zimbraServiceHostname: mail.zextras.xyz

 

however carbonio prov gacf | grep -i mail.zextras.xyz returns just one line

zimbraPublicServiceHostname: mail.zextras.xyz

wheras yours had three

zimbraPublicServiceHostname: mail.zextras.xyz
zimbraReverseProxyAvailableLookupTargets: mail.zextras.xyz
zimbraReverseProxyUpstreamEwsServers: mail.zextras.xyz

   
ReplyQuote
(@sharif)
Admin
Joined: 3 years ago
Posts: 591
 

@uk_simon 

Hi,

Could you please look at this video and try to understand what we missed?

Carbonio CE 23.11.0 Installation Steps

Thanks and regards,

Sharif


   
ReplyQuote
(@uk_simon)
Joined: 1 year ago
Posts: 36
Topic starter  

@sharif I went throgh the video and could not see anything I missed except removing any IPV6 lines from /etc/hosts which I have done now.

I also re-ran /opt/zextras/libexec/zmproxyconfgen
2023-12-13 21:54:29,735 [main] WARN : Invalid value found in 'zimbraReverseProxyAvailableLookupTargets': mailgate-bkm-5
Please correct and run zmproxyconfgen again
2023-12-13 21:54:29,742 [main] WARN : No available nginx lookup handlers could be found
Exception in thread "main" java.lang.NullPointerException: Cannot invoke "com.zimbra.cs.account.Server.getBooleanAttr(String, boolean)" because "server" is null
at com.zimbra.cs.util.proxyconfgen.ProxyConfVar.isValidUpstream(ProxyConfVar.java:281)
at com.zimbra.cs.util.proxyconfgen.WebEwsSSLUpstreamServersVar.update(WebEwsSSLUpstreamServersVar.java:29)
at com.zimbra.cs.util.proxyconfgen.ProxyConfGen.updateDefaultVars(ProxyConfGen.java:2099)
at com.zimbra.cs.util.proxyconfgen.ProxyConfGen.createConf(ProxyConfGen.java:2289)
at com.zimbra.cs.util.proxyconfgen.ProxyConfGen.main(ProxyConfGen.java:2818)


   
ReplyQuote
Page 1 / 3