Koozali.org: home of the SME Server

letsencrypt and server-manager

Offline ElFroggio

« on: January 26, 2017, 09:58:24 PM »
Hi,

SME9.1. I have installed the letsencrypt certificate and it works. Almost.

It works with all my domains, it works with the webmail. I have tested my letsencrypt certificate with SSLlabs and I get A- for all the domains covered by the letsencrypt certificate.

It doesn't work with server-manager. I get the webpage, I get the admin/password prompt. The certificate shows OK, but when I enter the username: admin and the password, it just cycles and asks again for the username/password.

This happens with Vivaldi, Chromium, Firefox (all on an archlinux), Windows Internet Explorer 10 on Win7 (within the local network).

I can connect to the server-manager only on Chromium, by entering the IP address/server-manager username/password. Vivaldi, Firefox and IE10, just cycle through and keep on asking for the username/password.

I disabled letsencrypt and reinstalled my rapidSSL certificate and the webpage fully-qualified.server-domain.com/server-manager works properly.

Am I the only one to have that problem?
Is it a settings problem with the browser, with server-manager or a db config?...

I have tested my letsencrypt certificate with SSLlabs and I get A- for all the domains covered by the letsencrypt certificate.

Thanks

Syv

Offline michelandre

« Reply #1 on: February 06, 2017, 12:09:16 AM »
Hi ElFroggio,

Try clearing all caches for all the browsers, and if that doesn't resolve the problem, then try disabling the antivirus, which is most likely the culprit.

Also, you can try with TOR as it will not go directly to your server but to the Internet then to your server.

Michel-André

Offline ElFroggio

« Reply #2 on: February 06, 2017, 02:27:00 AM »
> Try clearing all caches for all the browsers, and if that doesn't resolve the problem, then try disabling the antivirus, which is most likely the culprit.

  • Clearing the cache made no difference
  • I don't have any antivirus on either the Linux or the Windows boxes

Thanks

Syv

Offline michelandre

« Reply #3 on: February 06, 2017, 05:12:59 AM »
Hi again ElFroggio,

What is the output of:
Code:
# config show modSSL

    modSSL=service
    CertificateChainFile=/etc/dehydrated/certs/www.toto.com/chain.pem
    TCPPort=443
    access=public
    crt=/etc/dehydrated/certs/www.toto.com/cert.pem
    key=/etc/dehydrated/certs/www.toto.com/privkey.pem
    status=enabled


For the CertificateChainFile:
Code:
# ls -ls /etc/dehydrated/certs/www.toto.com/chain.pem
0 lrwxrwxrwx 1 root root 20 13 janv. 02:15 /etc/dehydrated/certs/www.toto.com/chain.pem -> chain-1234567890.pem
Code:
# ls -ls /etc/dehydrated/certs/www.toto.com/chain-1234567890.pem
4 -rw------- 1 root root 1647 13 janv. 02:15 /etc/dehydrated/certs/www.toto.com/chain-1234567890.pem

Check also for the cert and key.

httpd.conf
Code:
# cat /etc/httpd/conf/httpd.conf  | grep SSLCertificate
SSLCertificateChainFile /etc/dehydrated/www.toto.com/chain.pem
SSLCertificateFile /etc/dehydrated/certs/www.toto.com/cert.pem
SSLCertificateKeyFile /etc/dehydrated/certs/www.toto.com/privkey.pem

pem file:
Code:
# ls -ls /home/e-smith/ssl.pem/server-name.toto.com.pem
8 -rw-r--r-- 1 root root 7869 13 janv. 02:15 /home/e-smith/ssl.pem/server-name.toto.com.pem

Hoping it will help,

Michel-André
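
An added example, not part of the original post: a shell function that automates the comparison walked through in the reply above, checking that the paths stored in the modSSL entry are the same ones that ended up in the SSLCertificate* directives of httpd.conf. The function names, the sample input and the example.test domain are constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the thread): compare the certificate paths in the
# modSSL db entry with the SSLCertificate* directives written to httpd.conf.

# modssl_prop TEXT PROP: value of PROP in `config show modSSL` output
modssl_prop() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p" | head -n 1
}

# httpd_directive TEXT NAME: argument of the first NAME directive
httpd_directive() {
  printf '%s\n' "$1" | awk -v d="$2" '$1 == d { print $2; exit }'
}

# compare_ssl_paths MODSSL_TEXT HTTPD_TEXT
# Prints one line per property; exit status is the number of mismatches.
compare_ssl_paths() {
  local modssl="$1" httpd="$2" bad=0 pair prop dir want have
  for pair in crt:SSLCertificateFile key:SSLCertificateKeyFile \
              CertificateChainFile:SSLCertificateChainFile; do
    prop=${pair%%:*}
    dir=${pair#*:}
    want=$(modssl_prop "$modssl" "$prop")
    have=$(httpd_directive "$httpd" "$dir")
    if [ -n "$want" ] && [ "$want" = "$have" ]; then
      echo "OK       $dir $have"
    else
      echo "MISMATCH $dir db='$want' httpd='$have'"
      bad=$((bad + 1))
    fi
  done
  return "$bad"
}

# Constructed sample input (example.test is a placeholder domain).
SAMPLE_DB='modSSL=service
    CertificateChainFile=/etc/dehydrated/certs/www.example.test/chain.pem
    crt=/etc/dehydrated/certs/www.example.test/cert.pem
    key=/etc/dehydrated/certs/www.example.test/privkey.pem
    status=enabled'
SAMPLE_HTTPD='SSLCertificateChainFile /etc/dehydrated/www.example.test/chain.pem
SSLCertificateFile /etc/dehydrated/certs/www.example.test/cert.pem
SSLCertificateKeyFile /etc/dehydrated/certs/www.example.test/privkey.pem'

# On the server: compare_ssl_paths "$(config show modSSL)" \
#                  "$(grep SSLCertificate /etc/httpd/conf/httpd.conf)"
compare_ssl_paths "$SAMPLE_DB" "$SAMPLE_HTTPD" || echo "$? path(s) disagree"
```

A mismatch means the running Apache configuration was not regenerated from the current db values, so the ssl-update event should be signalled again before testing the browser.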

Offline michelandre

« Reply #4 on: February 06, 2017, 05:29:56 AM »
I forgot the domains.txt file

Code:
# cat /etc/dehydrated/domains.txt
www.toto.com toto.com server-name.toto.com mail.toto.com ftp.toto.com wpad.toto.com proxy.toto.com

Michel-André

Offline michelandre

« Reply #5 on: February 06, 2017, 05:45:56 AM »
Sorry it is late... 

I just remembered that the hook file changed when Let's Encrypt changed the name of the client file.
I think that before it was CHAIN=$5 and now it is CHAIN=$6 but I am not sure. I know that one of the variables changed... :eek:

Code:
# cat /etc/dehydrated/dehydrated-hook.sh
#!/bin/bash

if [ $1 = "deploy_cert" ]; then
  KEY=$3
  CERT=$4
  CHAIN=$6
#
  /sbin/e-smith/db configuration setprop modSSL key $KEY
  /sbin/e-smith/db configuration setprop modSSL crt $CERT
  /sbin/e-smith/db configuration setprop modSSL CertificateChainFile $CHAIN
  /sbin/e-smith/signal-event ssl-update
fi

Michel-André

Offline ElFroggio

« Reply #6 on: February 06, 2017, 05:28:44 PM »
Thanks

I'll look at it tonight. But when I tested the domain on ssllabs I got A-. All browsers report the certificate as valid, it's only the server-manager that doesn't work.

Thanks

Syv

Offline michelandre

« Reply #7 on: February 06, 2017, 06:14:17 PM »
Hi ElFroggio,

Maybe you can also delete all the certificates in the browser.

Michel-André

Offline ElFroggio

« Reply #8 on: February 07, 2017, 06:55:52 AM »
So I looked into the situation.
I've tried your suggestions and they didn't help.  :-( but, I'm further ahead.
I'm convinced that it has to do with how the browsers handle letsencrypt certificates.

  • Linux: Firefox -private: doesn't work
  • Linux: Firefox: works
  • Linux: Chromium --incognito: works only with the ip address of the server
  • Linux: Chromium: works only with the ip address of the server
  • Windows: IE10: doesn't work

When I say, doesn't work, I mean that I get the Welcome to SME server, username/password screen but after I enter admin and the password I get again the same screen: Welcome to SME server, username/password screen.

BTW #1, I'm inside the local network.
BTW #2, This is only with my letsencrypt certificate. When I revert back to my rapidssl certificate, no problem.

Thanks

Syv

Offline michelandre

« Reply #9 on: February 07, 2017, 07:16:03 AM »
Hi ElFroggio,

Do you mean the server is on the local network?

If so then, the certificate is for your main server not for the local server?

If this is the situation and the password for the 2 admin are different, try the password of the main server to see if this works.

If you want a certificate for the local server, you have to configure the main server as a reverse proxy pointing to the local IP of the local server. This is working with Let's Encrypt as I tried it before.

Michel-André

Offline DanB35

« Reply #10 on: February 07, 2017, 11:35:33 AM »
I wish I had something more substantive to offer, but I can at least confirm that this isn't a universal thing.  I have a Let's Encrypt cert on my SME server, and I'm able to log in to the server-manager (using https://$FQDN/server-manager), on a Mac, using Chrome with normal and incognito windows, Firefox using normal and private windows, and Safari.  With all of those environments, I'm able to log in and go to different pages in the server-manager.  Doesn't help much, I'm sure, but at least it would demonstrate that it can work.

Offline Stefano

« Reply #11 on: February 07, 2017, 11:47:01 AM »
> BTW #2, This is only with my letsencrypt certificate. When I revert back to my rapidssl certificate, no problem.

then something is wrong with your setup and you'd dig into the logs to see what's wrong
try
Code:
httpd -t
with your letsencrypt certs

Offline ElFroggio

« Reply #12 on: February 07, 2017, 04:54:21 PM »
> then something is wrong with your setup and you'd dig into the logs to see what's wrong
> try
> Code:
> httpd -t
> with your letsencrypt certs

Code:
************ Welcome to SME Server 9.1 *************

Before editing configuration files, familiarise
yourself with the automated events and templates
systems.

Please take the time to read the documentation
http://wiki.contribs.org/Main_Page

Remember that SME Server is free to download
and use, but it is not free to build

Please help the project :
http://wiki.contribs.org/Donate

****************************************************
[root@ethelbert ~]# httpd -t
Syntax OK
[root@ethelbert ~]#


I've looked through the logs and do not see any problem. (This doesn't mean that I'm right).

Which log should I pay 'extra attention' to?

Thanks

Syv

Offline Stefano

« Reply #13 on: February 07, 2017, 04:58:26 PM »
ok..
Code:
config show modSSL

about logs: /var/log/http/*admin* are the files to check

Offline Jean-Philippe Pialasse

« Reply #14 on: February 07, 2017, 05:10:03 PM »
> I wish I had something more substantive to offer, but I can at least confirm that this isn't a universal thing.  I have a Let's Encrypt cert on my SME server, and I'm able to log in to the server-manager (using https://$FQDN/server-manager), on a Mac, using Chrome with normal and incognito windows, Firefox using normal and private windows, and Safari.  With all of those environments, I'm able to log in and go to different pages in the server-manager.  Doesn't help much, I'm sure, but at least it would demonstrate that it can work.

I have been able to reproduce this:

https://$FQDN/server-manager : works

https://hostname.$FQDN/server-manager : if a link from a sem9admin alert: cycle, but not every time


also if you connect remotely with open vpn bridge: see bug https://bugs.contribs.org/show_bug.cgi?id=9890