Koozali.org: home of the SME Server

letsencrypt and server-manager

Offline ElFroggio

letsencrypt and server-manager
« on: January 26, 2017, 09:58:24 PM »
Hi,

SME9.1. I have installed the letsencrypt certificate and it works. Almost.

It works with all my domains, it works with the webmail. I have tested my letsencrypt certificate with SSLlabs and I get A- for all the domains covered by the letsencrypt certificate.

It doesn't work with server-manager. I get the webpage, I get the admin/password prompt. The certificate shows OK, but when I enter the username admin and the password, it just cycles and asks again for the username/password.

This happens with Vivaldi, Chromium, Firefox (all on an archlinux), Windows Internet Explorer 10 on Win7 (within the local network).

I can connect to the server-manager only on Chromium, by entering the IP address/server-manager username/password. Vivaldi, Firefox and IE10, just cycle through and keep on asking for the username/password.

I disabled letsencrypt and reinstalled my rapidSSL certificate and the webpage fully-qualified.server-domain.com/server-manager works properly.

Am I the only one to have that problem?
Is it a settings problem with the browser, with server-manager or a db config?...

Thanks

Syv

Offline michelandre

Re: letsencrypt and server-manager
« Reply #1 on: February 06, 2017, 12:09:16 AM »
Hi ElFroggio,

Try clearing all caches for all the browsers and if that doesn't resolve the problem then try disabling the antivirus, which is most likely the culprit.

Also, you can try with TOR as it will not go directly to your server but to the Internet then to your server.

Michel-André

Offline ElFroggio

Re: letsencrypt and server-manager
« Reply #2 on: February 06, 2017, 02:27:00 AM »
Try clearing all caches for all the browsers and if doesn't resolve the problem then, try disabling the antivirus which is most likely the culprit.
  • Clearing the cache made no difference
  • I don't have any antivirus on either the Linux or the Windows boxes

Thanks

Syv

Offline michelandre

Re: letsencrypt and server-manager
« Reply #3 on: February 06, 2017, 05:12:59 AM »
Hi again ElFroggio,

What is the output of:
Code:
# config show modSSL
modSSL=service
    CertificateChainFile=/etc/dehydrated/certs/www.toto.com/chain.pem
    TCPPort=443
    access=public
    crt=/etc/dehydrated/certs/www.toto.com/cert.pem
    key=/etc/dehydrated/certs/www.toto.com/privkey.pem
    status=enabled


For the CertificateChainFile:
Code:
# ls -ls /etc/dehydrated/certs/www.toto.com/chain.pem
0 lrwxrwxrwx 1 root root 20 13 janv. 02:15 /etc/dehydrated/certs/www.toto.com/chain.pem -> chain-1234567890.pem
Code:
# ls -ls /etc/dehydrated/certs/www.toto.com/chain-1234567890.pem
4 -rw------- 1 root root 1647 13 janv. 02:15 /etc/dehydrated/certs/www.toto.com/chain-1234567890.pem

Check also for the cert and key.

httpd.conf
Code:
# cat /etc/httpd/conf/httpd.conf | grep SSLCertificate
SSLCertificateChainFile /etc/dehydrated/certs/www.toto.com/chain.pem
SSLCertificateFile /etc/dehydrated/certs/www.toto.com/cert.pem
SSLCertificateKeyFile /etc/dehydrated/certs/www.toto.com/privkey.pem

pem file:
Code:
# ls -ls /home/e-smith/ssl.pem/server-name.toto.com.pem
8 -rw-r--r-- 1 root root 7869 13 janv. 02:15 /home/e-smith/ssl.pem/server-name.toto.com.pem

Hoping it will help,

Michel-André

Offline michelandre

Re: letsencrypt and server-manager
« Reply #4 on: February 06, 2017, 05:29:56 AM »
I forgot the domains.txt file

Code:
# cat /etc/dehydrated/domains.txt
www.toto.com toto.com server-name.toto.com mail.toto.com ftp.toto.com wpad.toto.com proxy.toto.com

Michel-André

Offline michelandre

Re: letsencrypt and server-manager
« Reply #5 on: February 06, 2017, 05:45:56 AM »
Sorry it is late... 

I just remembered that the hook file changed when Let's Encrypt changed the name of the client file.
I think that before it was CHAIN=$5 and now it is CHAIN=$6 but I am not sure. I know that one of the variables changed... :eek:

Code:
# cat /etc/dehydrated/dehydrated-hook.sh
#!/bin/bash
# dehydrated calls the hook as:
#   hook deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
# so inside the script $3 is the private key, $4 the certificate and $6 the chain file.

if [ "$1" = "deploy_cert" ]; then
  KEY="$3"
  CERT="$4"
  CHAIN="$6"
  # point modSSL at the new files, then re-expand the SSL templates
  /sbin/e-smith/db configuration setprop modSSL key "$KEY"
  /sbin/e-smith/db configuration setprop modSSL crt "$CERT"
  /sbin/e-smith/db configuration setprop modSSL CertificateChainFile "$CHAIN"
  /sbin/e-smith/signal-event ssl-update
fi

Michel-André
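As an added example (not the hook from the post above): a stricter version of the same dehydrated hook that checks the files it is handed before writing anything into the configuration db, so a wrong positional argument fails loudly instead of leaving modSSL pointing at a missing file. It assumes dehydrated's deploy_cert argument order and the /sbin/e-smith tool paths from the thread; the DB and SIGNAL_EVENT variables are hypothetical overrides added so the logic can be exercised without the e-smith tools.

```shell
#!/bin/sh
# Added example (not the hook from the post): a stricter dehydrated hook for SME.
# Assumes dehydrated invokes it as
#   hook deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
# DB and SIGNAL_EVENT are hypothetical overrides so the logic can be tested
# on a box without the e-smith tools installed.
DB="${DB:-/sbin/e-smith/db}"
SIGNAL_EVENT="${SIGNAL_EVENT:-/sbin/e-smith/signal-event}"

# Never point modSSL at a path that is missing or unreadable: that is what
# leaves httpd with a broken certificate after a silent argument mix-up.
check_readable_file() {
  [ -n "$1" ] && [ -f "$1" ] && [ -r "$1" ]
}

# Confirm the private key belongs to the certificate (skipped if openssl is absent).
key_matches_cert() {
  command -v openssl >/dev/null 2>&1 || return 0
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

deploy_cert() {
  domain="$1" key="$2" cert="$3" chain="$5"   # $4 (fullchain) is not needed by modSSL
  for f in "$key" "$cert" "$chain"; do
    check_readable_file "$f" || { echo "deploy_cert: unreadable file: $f" >&2; return 1; }
  done
  key_matches_cert "$key" "$cert" || { echo "deploy_cert: key/cert mismatch for $domain" >&2; return 1; }
  "$DB" configuration setprop modSSL key "$key" &&
    "$DB" configuration setprop modSSL crt "$cert" &&
    "$DB" configuration setprop modSSL CertificateChainFile "$chain" &&
    "$SIGNAL_EVENT" ssl-update
}

# Dispatch on the hook operation; the other dehydrated hook calls are no-ops here.
hook_main() {
  case "$1" in
    deploy_cert) shift; deploy_cert "$@" ;;
    *) return 0 ;;
  esac
}

# Only run automatically when installed under the hook's file name.
case "$0" in
  *dehydrated-hook.sh) hook_main "$@" ;;
esac
```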

Offline ElFroggio

Re: letsencrypt and server-manager
« Reply #6 on: February 06, 2017, 05:28:44 PM »
Thanks

I'll look at it tonight. But when I tested the domain on ssllabs I got A-. All browsers report the certificate as valid, it's only the server-manager that doesn't work.

Thanks

Syv

Offline michelandre

Re: letsencrypt and server-manager
« Reply #7 on: February 06, 2017, 06:14:17 PM »
Hi ElFroggio,

Maybe you can also delete all the certificates in the browser.

Michel-André

Offline ElFroggio

Re: letsencrypt and server-manager
« Reply #8 on: February 07, 2017, 06:55:52 AM »
So I looked into the situation.
I've tried your suggestions and they didn't help :-( but I'm further ahead.
I'm convinced that it has to do with how the browsers handle letsencrypt certificates.

  • Linux: Firefox -private: doesn't work
  • Linux: Firefox: works
  • Linux: Chromium --incognito: works only with the ip address of the server
  • Linux: Chromium: works only with the ip address of the server
  • Windows: IE10: doesn't work

When I say, doesn't work, I mean that I get the Welcome to SME server, username/password screen but after I enter admin and the password I get again the same screen: Welcome to SME server, username/password screen.

BTW #1, I'm inside the local network.
BTW #2, This is only with my letsencrypt certificate. When I revert back to my rapidssl certificate, no problem.

Thanks

Syv

Offline michelandre

Re: letsencrypt and server-manager
« Reply #9 on: February 07, 2017, 07:16:03 AM »
Hi ElFroggio,

Do you mean the server is on the local network?

If so, then the certificate is for your main server, not for the local server?

If this is the situation and the passwords for the 2 admins are different, try the password of the main server to see if this works.

If you want a certificate for the local server, you have to configure the main server as a reverse proxy pointing to the local IP of the local server. This is working with Let's Encrypt as I tried it before.

Michel-André

Offline DanB35

Re: letsencrypt and server-manager
« Reply #10 on: February 07, 2017, 11:35:33 AM »
I wish I had something more substantive to offer, but I can at least confirm that this isn't a universal thing.  I have a Let's Encrypt cert on my SME server, and I'm able to log in to the server-manager (using https://$FQDN/server-manager), on a Mac, using Chrome with normal and incognito windows, Firefox using normal and private windows, and Safari.  With all of those environments, I'm able to log in and go to different pages in the server-manager.  Doesn't help much, I'm sure, but at least it would demonstrate that it can work.

Offline Stefano

Re: letsencrypt and server-manager
« Reply #11 on: February 07, 2017, 11:47:01 AM »
BTW #2, This is only with my letsencrypt certificate. When I revert back to my rapidssl certificate, no problem.

then something is wrong with your setup and you should dig into the logs to see what's wrong
try
Code:
httpd -t
with your letsencrypt certs

Offline ElFroggio

Re: letsencrypt and server-manager
« Reply #12 on: February 07, 2017, 04:54:21 PM »
then something is wrong with your setup and you'd dig into the logs to see what's wrong
try
Code:
httpd -t
with your letsencrypt certs

Code:
************ Welcome to SME Server 9.1 *************

Before editing configuration files, familiarise
yourself with the automated events and templates
systems.

Please take the time to read the documentation
http://wiki.contribs.org/Main_Page

Remember that SME Server is free to download
and use, but it is not free to build

Please help the project :
http://wiki.contribs.org/Donate

****************************************************
[root@ethelbert ~]# httpd -t
Syntax OK
[root@ethelbert ~]#


I've looked through the logs and do not see any problem. (This doesn't mean that I'm right).

Which log should I pay 'extra attention' to?

Thanks

Syv

Offline Stefano

Re: letsencrypt and server-manager
« Reply #13 on: February 07, 2017, 04:58:26 PM »
ok..
Code:
config show modSSL

about logs: /var/log/http/*admin* are the files to check

Offline Jean-Philippe Pialasse

Re: letsencrypt and server-manager
« Reply #14 on: February 07, 2017, 05:10:03 PM »
I wish I had something more substantive to offer, but I can at least confirm that this isn't a universal thing.  I have a Let's Encrypt cert on my SME server, and I'm able to log in to the server-manager (using https://$FQDN/server-manager), on a Mac, using Chrome with normal and incognito windows, Firefox using normal and private windows, and Safari.  With all of those environments, I'm able to log in and go to different pages in the server-manager.  Doesn't help much, I'm sure, but at least it would demonstrate that it can work.
I have been able to reproduce this:

https://$FQDN/server-manager : works

https://hostname.$FQDN/server-manager : if a link from an sme9admin alert: cycles, but not every time


also if you connect remotely with open vpn bridge: see bug https://bugs.contribs.org/show_bug.cgi?id=9890

Offline ElFroggio

Re: letsencrypt and server-manager
« Reply #15 on: February 07, 2017, 05:11:30 PM »
ok..
Code:
config show modSSL

Code:
[root@ethelbert ~]# config show modSSL
modSSL=service
    CertificateChainFile=/etc/dehydrated/certs/911networks.com/chain.pem
    CommonName=ethelbert.911networks.com
    TCPPort=443
    access=public
    crt=/etc/dehydrated/certs/911networks.com/cert.pem
    key=/etc/dehydrated/certs/911networks.com/privkey.pem
    status=enabled
[root@ethelbert ~]#


about logs: /var/log/http/*admin* are the files to check

Code:
View log files
Log file "httpd-admin/current" is empty!

and looking at /var/log/httpd/access_log

All are status code 200 (OK) except for this line, which is a 307 redirect, but no other error.

Code:
911networks.com 192.168.1.71 - - [07/Feb/2017:08:02:54 -0800] "GET /server-manager HTTP/1.1" 307 308 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; Trident/7.0; rv:11.0) like Gecko"
911networks.com 192.168.1.71 - - [07/Feb/2017:08:02:54 -0800] "GET //server-common/cgi-bin/login?back=https%3a%2f%2f192.168.1.14%2fserver-manager HTTP/1.1" 200 468 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; Trident/7.0; rv:11.0) like Gecko"
911networks.com 192.168.1.71 - - [07/Feb/2017:08:02:54 -0800] "GET /favicon.ico HTTP/1.1" 200 601 "https://192.168.1.14//server-common/cgi-bin/login?back=https%3a%2f%2f192.168.1.14%2fserver-manager" "Mozilla/5.0 (Windows; U; Windows NT 5.2; Trident/7.0; rv:11.0) like Geck

Offline Jean-Philippe Pialasse

Re: letsencrypt and server-manager
« Reply #16 on: February 07, 2017, 05:13:35 PM »

and looking at /var/log/httpd/access_log

All are status code 200 (OK) except for this line, which is a 307 redirect, but no other error.

Code:
911networks.com 192.168.1.71 - - [07/Feb/2017:08:02:54 -0800] "GET /server-manager HTTP/1.1" 307 308 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; Trident/7.0; rv:11.0) like Gecko"
911networks.com 192.168.1.71 - - [07/Feb/2017:08:02:54 -0800] "GET //server-common/cgi-bin/login?back=https%3a%2f%2f192.168.1.14%2fserver-manager HTTP/1.1" 200 468 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; Trident/7.0; rv:11.0) like Gecko"
911networks.com 192.168.1.71 - - [07/Feb/2017:08:02:54 -0800] "GET /favicon.ico HTTP/1.1" 200 601 "https://192.168.1.14//server-common/cgi-bin/login?back=https%3a%2f%2f192.168.1.14%2fserver-manager" "Mozilla/5.0 (Windows; U; Windows NT 5.2; Trident/7.0; rv:11.0) like Geck

you need to look at the admin_error_log and admin_access_log

Offline ElFroggio

Re: letsencrypt and server-manager
« Reply #17 on: February 07, 2017, 05:23:01 PM »
you need to look at the admin_error_log and admin_access_log

No error that I can see:

/var/log/httpd/admin_access_log:

Code:
127.0.0.1 - - [07/Feb/2017:08:02:28 -0800] "GET /server-manager HTTP/1.1" 307 334
127.0.0.1 - - [07/Feb/2017:08:02:28 -0800] "GET /server-common/cgi-bin/login?back=https%3a%2f%2fethelbert.911networks.com%2fserver-manager HTTP/1.1" 200 481
127.0.0.1 - - [07/Feb/2017:08:02:29 -0800] "GET /server-common/cgi-bin/login?redirect=1&back=https%3A%2F%2Fethelbert.911networks.com%2Fserver-manager HTTP/1.1" 200 1522
127.0.0.1 - - [07/Feb/2017:08:02:29 -0800] "GET /server-common/css/tkt.css HTTP/1.1" 200 674
127.0.0.1 - - [07/Feb/2017:08:02:29 -0800] "GET /server-common/smeserver_logo.jpg HTTP/1.1" 200 6447
127.0.0.1 - - [07/Feb/2017:08:02:29 -0800] "GET /server-common/btn_donateCC_LG.gif HTTP/1.1" 200 3592
127.0.0.1 - - [07/Feb/2017:08:02:34 -0800] "POST /server-common/cgi-bin/login HTTP/1.1" 200 440
127.0.0.1 - - [07/Feb/2017:08:02:44 -0800] "POST /server-common/cgi-bin/login HTTP/1.1" 200 440
127.0.0.1 - - [07/Feb/2017:08:02:49 -0800] "POST /server-common/cgi-bin/login HTTP/1.1" 200 440
127.0.0.1 - - [07/Feb/2017:08:02:54 -0800] "GET /server-manager HTTP/1.1" 307 308

and

/var/log/httpd/admin_error_log: Viewed at Tue 07 Feb 2017 08:21:45 AM PST.
Code:
[Thu Feb 02 07:14:01 2017] [notice] Digest: generating secret for digest authentication ...
[Thu Feb 02 07:14:01 2017] [notice] Digest: done
[Thu Feb 02 07:14:01 2017] [notice] Apache/2.2.15 (Unix) mod_auth_tkt/2.1.0 configured -- resuming normal operations
[Thu Feb 02 07:14:15 2017] [notice] caught SIGTERM, shutting down
[Thu Feb 02 07:16:06 2017] [notice] Digest: generating secret for digest authentication ...
[Thu Feb 02 07:16:06 2017] [notice] Digest: done
[Thu Feb 02 07:16:07 2017] [notice] Apache/2.2.15 (Unix) mod_auth_tkt/2.1.0 configured -- resuming normal operations
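Added example, not from the thread: a small detector for the pattern visible in the admin_access_log above (several POSTs to the login CGI answered with 200, then /server-manager answered with another 307 back to the login page, i.e. the session ticket was not honoured). The sample log is constructed to mimic the format shown; the time window and function names are my choices.

```shell
#!/bin/sh
# Added example (not from the thread): flag the login-loop signature in
# /var/log/httpd/admin_access_log. Assumes the layout shown in the thread:
# field 4 = [dd/Mon/yyyy:HH:MM:SS, fields 6/7 = method/path, field 9 = status.

# Constructed sample: one looping session (3 POSTs, then a 307 back to the
# login page) followed by one session that reaches /server-manager with a 200.
write_sample_log() {
  cat <<'EOF'
127.0.0.1 - - [07/Feb/2017:08:02:28 -0800] "GET /server-manager HTTP/1.1" 307 334
127.0.0.1 - - [07/Feb/2017:08:02:29 -0800] "GET /server-common/cgi-bin/login?redirect=1&back=https%3A%2F%2Fhost.example%2Fserver-manager HTTP/1.1" 200 1522
127.0.0.1 - - [07/Feb/2017:08:02:34 -0800] "POST /server-common/cgi-bin/login HTTP/1.1" 200 440
127.0.0.1 - - [07/Feb/2017:08:02:44 -0800] "POST /server-common/cgi-bin/login HTTP/1.1" 200 440
127.0.0.1 - - [07/Feb/2017:08:02:49 -0800] "POST /server-common/cgi-bin/login HTTP/1.1" 200 440
127.0.0.1 - - [07/Feb/2017:08:02:54 -0800] "GET /server-manager HTTP/1.1" 307 308
127.0.0.1 - - [07/Feb/2017:09:15:02 -0800] "GET /server-manager HTTP/1.1" 307 334
127.0.0.1 - - [07/Feb/2017:09:15:10 -0800] "POST /server-common/cgi-bin/login HTTP/1.1" 200 440
127.0.0.1 - - [07/Feb/2017:09:15:11 -0800] "GET /server-manager HTTP/1.1" 200 9120
EOF
}

# Print one line per loop: a POST to the login CGI followed within $2 seconds
# by /server-manager answering 307 again. Timestamps are reduced to seconds
# within the month, which is enough for a window of minutes.
detect_login_loops() {
  awk -v win="${2:-60}" '
    function ts(f,  t) { split(f, t, ":"); return substr(t[1], 2, 2) * 86400 + t[2] * 3600 + t[3] * 60 + t[4] }
    $6 == "\"POST" && $7 ~ /^\/server-common\/cgi-bin\/login/ && $9 == 200 { posts++; last = ts($4); next }
    $6 == "\"GET" && $7 ~ /^\/server-manager/ {
      if ($9 == 307 && posts > 0 && ts($4) - last <= win)
        printf "login-loop at %s after %d POST(s)\n", substr($4, 2), posts
      posts = 0   # every visit to /server-manager starts a fresh attempt
    }' "$1"
}

# Number of loop events in a log file (the value the test asserts on).
count_login_loops() { detect_login_loops "$1" "$2" | wc -l | tr -d " "; }

if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp); write_sample_log > "$f"; detect_login_loops "$f" 60; rm -f "$f"
fi
```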

Offline michelandre

Re: letsencrypt and server-manager
« Reply #18 on: February 07, 2017, 09:33:26 PM »
Hi ElFroggio,

https://www.ethelbert.911networks.com/
WARNING: This site is trying to identify itself with invalid information. (my translation)

Alternative names for the certificate:
Non critique
Nom DNS: 911networks.com
Nom DNS: ethelbert.911networks.com
Nom DNS: ethelbert.sritch.com
Nom DNS: mail.911networks.com
Nom DNS: mail.sritch.com
Nom DNS: www.sritch.com

Try to use a TEST certificate (so you will not overrun the 5/7 limit) and add a www.ethelbert.911networks.com in the file /etc/dehydrated/domains.txt

I will also check the definition of domain ethelbert.911networks.com in Server Manager of both servers. How did ethelbert.911networks.com answer the challenge? Is there a redirection somewhere because it is local?

My 2 cents

Michel-André
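Added example, not part of the post: a check of whether the name typed in the browser is actually listed in the certificate's subjectAltName, which is the mismatch described above (www.ethelbert.911networks.com is not among the DNS names). cert_dns_names assumes openssl is installed; the wildcard rule implemented is the usual one-label match, and the example.test names are constructed.

```shell
#!/bin/sh
# Added example (not from the post): does the name in the address bar appear in the
# certificate's subjectAltName? cert_dns_names assumes openssl is installed.

# List the DNS entries of a certificate's subjectAltName, one per line.
cert_dns_names() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# One SAN entry against one host (both already lower-case). A wildcard covers
# exactly one leading label: *.example.test matches mail.example.test, but
# neither example.test nor a.mail.example.test.
san_matches() {
  case "$1" in
    "*."*) [ "${2#*.}" = "${1#\*.}" ] ;;
    *)     [ "$1" = "$2" ] ;;
  esac
}

# host_covered_by HOST SAN... -> 0 if any SAN entry matches (comparison is case-insensitive)
host_covered_by() {
  h=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
  for san in "$@"; do
    san_matches "$(printf '%s' "$san" | tr 'A-Z' 'a-z')" "$h" && return 0
  done
  return 1
}

# check_cert_host CERT.pem HOST -> prints whether the certificate covers the host
check_cert_host() {
  host="$2"
  set -- $(cert_dns_names "$1")
  if host_covered_by "$host" "$@"; then echo "$host: covered"; else echo "$host: NOT covered"; fi
}
```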

Offline Stefano

Re: letsencrypt and server-manager
« Reply #19 on: February 07, 2017, 09:43:20 PM »
michelandre, seeing the modSSL setup I'd guess that ElFroggio is using smeserver-letsencrypt contrib, not the dehydrated script alone..

using the domains.txt file, AFAIK, will result in many certs, one for each domain (and its hosts)

so, ElFroggio, please tell us how you are using dehydrated/letsencrypt and how you installed it

thank you

Offline michelandre

Re: letsencrypt and server-manager
« Reply #20 on: February 07, 2017, 09:55:00 PM »
Hi Stefano,

It will issue only one certificate if the domains are all on one line only and separated by spaces. The limit is around 100 domains +/-.
It will issue one certificate for each line if the domains are all on different lines.

I do not know the contrib but my Let's Encrypt client uses the same path as above.

Michel-André

Offline Stefano

Re: letsencrypt and server-manager
« Reply #21 on: February 07, 2017, 09:55:42 PM »
doh, I learned something new, my bad :-)
thank you

Offline ElFroggio

Re: letsencrypt and server-manager
« Reply #22 on: February 07, 2017, 10:39:37 PM »
https://www.ethelbert.911networks.com/
WARNING: This site is trying to identify itself with invalid informations. (my translation)

There is no www.ethelbert.911networks.com, just ethelbert.911networks.com

I will also check the definition of domain ethelbert.911networks.com in Server Manager of both servers. How did ethelbert.911networks.com answered the challenge? There is a redirection somewhere because he is local?

There's a redirection but not on 911networks.com, just on sritch.com

Thanks

Syv

Offline ElFroggio

Re: letsencrypt and server-manager
« Reply #23 on: February 07, 2017, 10:42:17 PM »
michelandre, seeing the modSSL setup I'd guess that ElFroggio is using smeserver-letsencrypt contrib, not the dehydrated script alone..

using the domains.txt file, AFAIK, will result in many certs, one for each domain (and its hosts)

so, ElFroggio, please tell us how are you using dehydrated/letsencrypt and hod did you install it

I used dehydrated and not the contrib. It's not even installed. I just followed https://wiki.contribs.org/Letsencrypt part 3 and 4.

Offline michelandre

Re: letsencrypt and server-manager
« Reply #24 on: February 08, 2017, 05:46:52 AM »
Hi ElFroggio,

As a last hope I would try this.
Use a Reverse Proxy on the main server to redirect Internet traffic to the local server.

At your registrar, add a CNAME record for ethelbert that points to the public IP of 911networks.com

In Server Manager on the local server, create domain: ethelbert.911networks.com with the DNS Servers: from the Internet.

Configuration of the main server 911networks.com as a Reverse Proxy
Code:
# db domains set ethelbert.911networks.com domain
# db domains setprop ethelbert.911networks.com Nameservers internet
# db domains setprop ethelbert.911networks.com ProxyPassTarget http://LOCAL_IP_OF_ethelbert.911networks.com
# db domains setprop ethelbert.911networks.com TemplatePath ProxyPassVirtualHosts
# signal-event domain-create ethelbert.911networks.com

On main server, check with Server Manager and the domain ethelbert.911networks.com should be there.

Code:
# db domains show
...
ethelbert.911networks.com=domain
    Nameservers=internet
    ProxyPassTarget=http://LOCAL_IP_OF_ethelbert.911networks.com/
    TemplatePath=ProxyPassVirtualHosts
...

Code:
# ping -c 2 ethelbert.911networks.com

INSTALL "TOR" AND GOTO: https://www.ethelbert.911networks.com

Install Let's Encrypt on the local machine and ask for a TEST certificate.
Let's Encrypt will send the challenge to ethelbert.911networks.com and the local server will answer.

*** UNINSTALLING ***
On main server: 911networks.com
Code:
# db domains delete ethelbert.911networks.com
# signal-event domain-modify
# db domains show | grep ethelbert.911networks.com

I tried this scenario before on a local server to test certificate from Let's Encrypt and it worked.

Michel-André