Koozali.org: home of the SME Server

Suddenly getting lots of these reports

Offline Drifting

Suddenly getting lots of these reports
« on: May 06, 2017, 09:14:02 AM »
ID: 3
email.ebuyer.com
rua:    mailto:hostmaster@ebuyer.com
SSL connection failed
   SSL connection failed
delivering message to hostmaster@ebuyer.com, via 127.0.0.1
deleting report 3
deleting report_record_spf rows 3,5
deleting report_record_dkim rows 3,5
deleting report_record_reason rows 3,5
sleeping 5.....done.


Tried to search to see if anyone else was getting these? So hard to read when you are on an iPhone away from home!
Infamy, Infamy, they all have it in for me!

Offline Peasant

Re: Suddenly getting lots of these reports
« Reply #1 on: May 06, 2017, 09:28:41 AM »
Yes, I'm getting them too. I think it is due to the upgrading of the mail package. I've taken this from the wiki:
Code:
* DMARCReject (enabled|disabled): Default value is disabled.
If set to enabled, the dmarc plugin can decide to reject an email (if the policy of the sender is to reject on alignment failure)

 * DMARCReporting (enabled|disabled): Default value is enabled.
If set to enabled, enable reporting (which is the **r** in dma**r**c). Reporting is a very important part of the DMARC standard.
When enabled, you'll record information about email you receive from domains which have published a DMARC policy in a local
SQLite database (/var/lib/qpsmtpd/dmarc/reports.sqlite).
Then, once a day, you send the aggregate reports to the domain owner so they have feedback.
You can set this to disabled if you want to disable this feature

 * SPFRejectPolicy (0|1|2|3|4): Default value is 0. Set the policy to apply in case of SPF failure when the sender hasn't published a DMARC policy.
Note: this is only used when no DMARC policy is published by the sender.
If there's a DMARC policy, even a "p=none" one (meaning no reject), then the email won't be rejected, even on failed SPF tests.
   * 0: do not reject anything
   * 1: reject when SPF says fail
   * 2: reject when SPF says softfail
   * 3: reject when SPF says neutral
   * 4: reject when an error occurred (like a syntax error in SPF entry) or if no SPF entry is published
 * Inbound DKIM checks are only used by DMARC. No reject solely based on DKIM is supported

You can get more information at the wiki:

https://wiki.contribs.org/Email#Inbound_DKIM_.2F_SPF_.2F_DMARC
Jim

Offline Drifting

Re: Suddenly getting lots of these reports
« Reply #2 on: May 06, 2017, 10:20:46 AM »
Thanks Jim

Wonder when that came into force? Must admit I am a great believer in leaving SME to do its own thing, and update when it tells me.
Think I will be disabling until I know how to use the setting properly.

Regards Paul.
Infamy, Infamy, they all have it in for me!

Offline Peasant

Re: Suddenly getting lots of these reports
« Reply #3 on: May 06, 2017, 10:40:35 AM »
Like you it caught me a bit by surprise, but from what I've read it is a new part of the upgraded qpsmtpd. The bit I posted from the wiki says that the default value for reporting is 'enabled' because 'Reporting is a very important part of the DMARC standard', so I'll leave mine as it is while I read up a bit more about it. From what I can gather, the emails being sent to admin are just letting you know that SME server has sent reports to the domain owners as per the DMARC standard.
Jim

Offline Drifting

Re: Suddenly getting lots of these reports
« Reply #4 on: May 11, 2017, 09:48:59 AM »
Like you it caught me a bit by surprise, but from what I've read it is a new part of the upgraded qpsmtpd. The bit I posted from the wiki says that the default value for reporting is 'enabled' because 'Reporting is a very important part of the DMARC standard', so I'll leave mine as it is while I read up a bit more about it. From what I can gather, the emails being sent to admin are just letting you know that SME server has sent reports to the domain owners as per the DMARC standard.

Hi Jim
Yes, can see that. But the whole thing falls flat when you start out with myservername.local, then add a few virtual domains. It tries to send out with the .local and fails! I could change the domain name, but all the certificates etc will then need replacing. ARGH.

Paul.
Infamy, Infamy, they all have it in for me!

Offline janet

Re: Suddenly getting lots of these reports
« Reply #5 on: May 11, 2017, 10:52:11 AM »
Drifting

Quote
.... But the whole thing falls flat when you start out with myservername.local, then add a few virtual domains. It tries to send out with the .local and fails! I could change the domain name, but all the certificates etc will then need replacing.

It has NEVER been a good idea to use *.local domain names as external mail servers check for a resolvable domain.
Use a real domain, I suggest you do go through the trouble of changing the domain name & certificates.

Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline Stefano

Re: Suddenly getting lots of these reports
« Reply #6 on: May 11, 2017, 11:25:37 AM »
I could change the domain name, but all the certificates etc will then need replacing. ARGH.

since everything is done automagically, I can't see the issue here

Offline Drifting

Re: Suddenly getting lots of these reports
« Reply #7 on: May 11, 2017, 12:13:10 PM »
since everything is done automagically, I can't see the issue here

It's not the server, it is the devices connected to it. Outlook being a case in point, real pain with self certificates. Also iPhones of late I have had a few issues with. However, should have put the correct domain in the first place, but then I was moving from Exchange server in my defense :-)

Paul.
Infamy, Infamy, they all have it in for me!

Offline Stefano

Re: Suddenly getting lots of these reports
« Reply #8 on: May 11, 2017, 12:24:40 PM »
if you use letsencrypt certs you won't have any issue, never..

Offline Drifting

Re: Suddenly getting lots of these reports
« Reply #9 on: May 11, 2017, 12:44:31 PM »
if you use letsencrypt certs you won't have any issue, never..

Hi yes, does sound promising, but the parts that would bother me are "A state of flux" and "Beta". Oh, and the 3 month renewal. Might be ok for a home server, but would be reluctant to try it on a business one.  I tend to trust the guys from Koozali, so when I see a tried and tested contrib with their sanction, I will be there! :-)

Regards Paul.
Infamy, Infamy, they all have it in for me!

Offline Stefano

Re: Suddenly getting lots of these reports
« Reply #10 on: May 11, 2017, 12:48:09 PM »
letsencrypt is in stable release, no more beta
certs are renewed every 3 months automagically, no intervention needed, no advices/messages on the clients
the 3 months limitation is imposed by letsencrypt, but it's not a problem, at all (using it for a year on almost all my servers)

Offline Drifting

Re: Suddenly getting lots of these reports
« Reply #11 on: May 11, 2017, 12:51:10 PM »
letsencrypt is in stable release, no more beta
certs are renewed every 3 months automagically, no intervention needed, no advices/messages on the clients
the 3 months limitation is imposed by letsencrypt, but it's not a problem, at all (using it for a year on almost all my servers)

Really? Oh well, that changes it then. Assume the instructions in the How to's still stand good then? Will give it a whirl, but as you can imagine the documentation does rather imply it was in Beta.

Thanks for the advice Stefano.

Paul.
Infamy, Infamy, they all have it in for me!

Offline Stefano

Re: Suddenly getting lots of these reports
« Reply #12 on: May 11, 2017, 12:55:30 PM »
Really? Oh well, that changes it then. Assume the instructions in the How to's still stand good then? Will give it a whirl, but as you can imagine the documentation does rather imply it was in Beta.

documentation has been deeply reorganized/rewritten ;-)

Offline Drifting

Re: Suddenly getting lots of these reports
« Reply #13 on: May 11, 2017, 01:11:51 PM »
Hi.

Just had a re-read. Have a question for you. I do not host any websites on this server, they all point to my ISP's webserver. The only thing on here is my email server, and this does resolve straight to the SME 9.2 box. Can I create a certificate just for email? Was a little confused with that part in the documents (me at fault, not the docs).

Paul.
Infamy, Infamy, they all have it in for me!

Offline Stefano

Re: Suddenly getting lots of these reports
« Reply #14 on: May 11, 2017, 01:36:01 PM »
you just need an externally resolvable hostname (like mail.yourdomain.tld) pointing to your SME and the port 80 open and redirected to your SME

that's all

Offline Drifting

Re: Suddenly getting lots of these reports
« Reply #15 on: May 12, 2017, 10:42:39 AM »
Carry on from this, had this come in now? seems I may have missed something to disable. Wish all this was off by default.

Can someone explain what is going on?

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<richard@dc.co.uk>: host mail.dc.co.uk[*.*.*.*] said: 552 SPF -
    softfail: uk.co.uk: Sender is not authorized by default to use
    'emma@uk.co.uk' in 'mfrom' identity, however domain is not currently
    prepared for false failures (mechanism '~all' matched) (in reply to end of
    DATA command)

Seem to be getting lots of people telling me the email bounced.

Paul.
« Last Edit: May 15, 2017, 01:44:37 PM by Drifting »
Infamy, Infamy, they all have it in for me!

Offline Drifting

Re: Suddenly getting lots of these reports
« Reply #16 on: May 12, 2017, 11:13:23 AM »
Carry on from this, had this come in now? seems I may have missed something to disable. Wish all this was off by default.

Can someone explain what is going on?

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<richard@dc.co.uk>: host mail.dc.co.uk[*.*.*.*] said: 552 SPF -
    softfail: uk.co.uk: Sender is not authorized by default to use
    'emma@uk.co.uk' in 'mfrom' identity, however domain is not currently
    prepared for false failures (mechanism '~all' matched) (in reply to end of
    DATA command)

Seem to be getting lots of people telling me the email bounced.

Paul.
Think I sussed it, was taking the settings on the docs as standard, so have set :- db configuration setprop qpsmtpd DMARCReject disabled SPFRejectPolicy 0
Assume that is what it was.

Paul
« Last Edit: May 15, 2017, 01:45:14 PM by Drifting »
Infamy, Infamy, they all have it in for me!

Offline SchulzStefan

Re: Suddenly getting lots of these reports
« Reply #17 on: May 13, 2017, 09:57:03 AM »
Drifting

It has NEVER been a good idea to use *.local domain names as external mail servers check for a resolvable domain.
Use a real domain, I suggest you do go through the trouble of changing the domain name & certificates.

Janet,

this is a part my domain configuration:

xxx.local    Primary domain   Primary   Resolve locally   Modify   
xxxyyy.de    Domain fuer email   Primary   Internet DNS servers   Modify   Remove

The xxxyyy.de is hosted by ISP. It's used for email.

I understand you suggest to remove the xxx.local domain. In this case do I have to change the xxxyyy.de to "Primary domain   Primary   Resolve locally" ?

Stefano,

you just need an externally resolvable hostname (like mail.yourdomain.tld) pointing to your SME and the port 80 open and redirected to your SME

that's all

The SME is behind an OPNsense firewall. No public webpages are hosted on the SME. There's no static IP. The SME is reachable through the firewall with dyndns for Horde ActiveSync. Where/how can I point an externally resolvable hostname (xxxyyy.de) to the SME box? I didn't get that. Or is it already done with the dyndns?

Sorry if I missed something not seeing the wood in front of the trees ;)

Thanks for answering.
stefan
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

Offline Stefano

Re: Suddenly getting lots of these reports
« Reply #18 on: May 13, 2017, 02:51:02 PM »
The SME is behind an OPNsense-firewall.

no problem, just forward port 80 to SME

Quote
No public webpages are hosted on the SME.

no problem, again, not needed

Quote
There's no static IP. The SME is reachable through the firewall with dyndns for horde acivesync. Where/how can I point an externally resolvable hostname (xxxyyy.de) to the SME box? I didn't get that. Or is it already done with the dyndns?

your host is available on something like yourhost.dyndns.org.. just create a CNAME record on your domain DNS pointing to  yourhost.dyndns.org

see this example:
Code:
stefano@stefano-HP ~ $ dig router.emergo.srl

; <<>> DiG 9.9.5-3ubuntu0.14-Ubuntu <<>> router.emergo.srl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25564
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;router.emergo.srl. IN A

;; ANSWER SECTION:
router.emergo.srl. 1800 IN CNAME router.mysinapsi.net.
router.mysinapsi.net. 600 IN A 83.211.132.11

;; Query time: 565 msec
;; SERVER: 192.168.32.1#53(192.168.32.1)
;; WHEN: Sat May 13 14:49:52 CEST 2017
;; MSG SIZE  rcvd: 96

router.mysinapsi.net is managed on dyndns
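The dig output above shows the pattern Stefano describes: the name in your own domain is a CNAME to the dynamic-DNS host, and only the dyndns name carries the A record. As an added example (not from the thread or from SME Server), here is a small parser for the `;; ANSWER SECTION:` layout that follows the CNAME chain to the final address and refuses loops; the dig text, names and the address are constructed with documentation values.

```python
# Constructed dig output in the same layout as the post above, using documentation names
# and addresses. mail.example.com stands in for the name in your own domain and
# myhost.dyndns.example for the dynamic-DNS hostname.
DIG_OUTPUT = """\
; <<>> DiG 9.9.5 <<>> mail.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;mail.example.com. IN A

;; ANSWER SECTION:
mail.example.com. 1800 IN CNAME myhost.dyndns.example.
myhost.dyndns.example. 600 IN A 192.0.2.10

;; Query time: 12 msec
"""


def parse_answer_section(dig_text: str) -> list:
    """Return (owner, ttl, type, rdata) tuples from the ;; ANSWER SECTION: of dig output."""
    records = []
    in_answer = False
    for line in dig_text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if not line.strip() or line.startswith(";"):
            break                                   # blank line or next section ends the answer
        fields = line.split()                       # owner ttl class type rdata...
        if len(fields) < 5 or fields[2] != "IN":
            continue
        owner, ttl, rtype, rdata = fields[0], int(fields[1]), fields[3], " ".join(fields[4:])
        records.append((owner, ttl, rtype, rdata))
    return records


def resolve_chain(records: list, name: str, max_hops: int = 8) -> dict:
    """Follow CNAMEs from name to its address records, refusing loops and overlong chains."""
    name = name if name.endswith(".") else name + "."
    chain = [name]
    for _ in range(max_hops):
        cnames = [r[3] for r in records if r[0] == name and r[2] == "CNAME"]
        if not cnames:
            addrs = [r[3] for r in records if r[0] == name and r[2] in ("A", "AAAA")]
            return {"queried": chain[0], "final": name, "addresses": addrs, "chain": chain}
        name = cnames[0]
        if name in chain:
            raise ValueError(f"CNAME loop at {name}")
        chain.append(name)
    raise ValueError("CNAME chain too long")


if __name__ == "__main__":
    print(resolve_chain(parse_answer_section(DIG_OUTPUT), "mail.example.com"))
```

The name to put on the certificate is the queried one (mail.example.com here), not the dyndns target the chain ends at; the CNAME target only has to keep resolving to the current public address so that the port 80 challenge and inbound mail reach the box.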

Offline SchulzStefan

Re: Suddenly getting lots of these reports
« Reply #19 on: May 13, 2017, 03:11:48 PM »
Quote
no problem, just forward port 80 to SME

I'm too stupid - why should I open the port 80 in my firewall? I don't get it. IMVHO it's got nothing to do with email?? I actually don't want anybody reaching a server from outside through the http-protocol. What is that good for? I don't get it...
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

Offline Stefano

Re: Suddenly getting lots of these reports
« Reply #20 on: May 13, 2017, 03:14:01 PM »
letsencrypt need to check your server and so port 80 is needed

nothing harmful.. if anybody reaches your server on port 80 they will see the default white page (the index.html you have in the /Primary/html folder)

Offline SchulzStefan

Re: Suddenly getting lots of these reports
« Reply #21 on: May 13, 2017, 03:29:09 PM »
I really don't like the idea of opening (an unsecured) port 80 on a server. Easy to overload apache and bring the server down. I mean we take every effort to secure anything with ssl mechanisms and a lot more... Right now the email server from the ISP has to handle the risk. Email I don't want to receive remains on this server. It's not being fetched to the SME. Don't know what to think about this...
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

Offline Stefano

Re: Suddenly getting lots of these reports
« Reply #22 on: May 13, 2017, 03:39:07 PM »
there are thousands of exposed SME servers out there.. ATM and AFAIR there was no issues..

if you want, you can edit the html file to redirect a surfer to your site (or anywhere you decide)

Letsencrypt will not see/use your page.. it works on a hidden dir .well-known (almost empty)

Offline DanB35

Re: Suddenly getting lots of these reports
« Reply #23 on: May 13, 2017, 03:56:32 PM »
I really don't like the idea to open (an unsecured) port 80 on a server.
In order to receive a certificate from Let's Encrypt, you must demonstrate control over the host for which you're seeking the certificate.  There are three ways you can do that:
  • Serve a small file from http://$HOSTNAME/.well-known/acme-challenge
  • Serve a TLS certificate from https://$HOSTNAME
  • Add a DNS TXT record relating to $HOSTNAME
Dehydrated, the client described on the wiki page, supports the first and third methods, but the contrib doesn't support DNS authentication for two reasons: (1) for most SME installations, the first method is much simpler to implement, and (2) everybody's DNS is different.  But if you refuse to open ports 80 or 443 to your SME box, and you can't obtain the cert directly on your firewall (which you could if you were running pfsense, for example), DNS validation is your only remaining option.

Here's some information on using the DNS challenge with dehydrated:
https://github.com/lukas2511/dehydrated/blob/master/docs/dns-verification.md
https://github.com/lukas2511/dehydrated/wiki/Examples-for-DNS-01-hooks

Edit: The OPNSense homepage (https://opnsense.org/) indicates that it's able to obtain Let's Encrypt certs, so you might want to investigate the possibility of obtaining the cert on your firewall and deploying it from there to your SME box.  The deployment could be scripted pretty easily on either the firewall side or the SME side.  In short, it would need to copy the cert, the private key, and the intermediate CA cert to your SME server, set the SSL properties correctly (which would only need to be done once, and thus could be done manually), and then signal the ssl-update event.
« Last Edit: May 13, 2017, 06:11:20 PM by DanB35 »
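DanB35's list of the three validation methods, and the `.well-known/acme-challenge` path Stefano mentioned, are the ACME challenge mechanism (RFC 8555). The block below is an added example, not code from the thread, from dehydrated or from the SME contrib: it builds the key authorization the http-01 challenge file must contain and the TXT value the dns-01 challenge publishes, plus the comparison a validator makes. The account JWK is a constructed placeholder (its modulus is not a real key), and the token is generated locally here, whereas in a real issuance the CA chooses it. The point for the port 80 concern raised in the thread is visible in the code: the served file is the CA's random token joined to a hash of the account's public key, so nothing secret is exposed on port 80.

```python
import base64
import hashlib
import json
import secrets

# Constructed public JWK for the demo. The modulus is a placeholder string, not a real key;
# only its shape matters for showing how the thumbprint is computed.
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "placeholder-modulus-" + "A" * 40,
    "alg": "RS256",                # present in many JWKs but not part of the thumbprint input
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JWS use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only, serialised
    as JSON with lexicographically ordered keys and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint (RFC 8555 section 8.1): ties the challenge response to the
    account key the CA is talking to, without revealing anything secret."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> tuple:
    """Path under the webroot and the body the host must serve over plain HTTP on port 80."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_txt_value(token: str, jwk: dict) -> str:
    """Value of the _acme-challenge.<host> TXT record: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def verify_http01(served_body: str, token: str, jwk: dict) -> bool:
    """What the CA's validator checks after fetching the challenge URL."""
    expected = key_authorization(token, jwk).encode("ascii")
    return secrets.compare_digest(served_body.strip().encode("utf-8"), expected)


def new_token() -> str:
    """Challenge tokens are random base64url strings chosen by the CA; constructed here for the demo."""
    return b64url(secrets.token_bytes(32))


if __name__ == "__main__":
    token = new_token()
    path, body = http01_response(token, ACCOUNT_JWK)
    print("serve", path, "with body", body)
    print("or publish TXT", dns01_txt_value(token, ACCOUNT_JWK))
```

The dns-01 variant is the one DanB35 points to for a box that must not expose port 80: the TXT value is derived from the same key authorization, so the only change is where the proof is published, not what it proves.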

Offline SchulzStefan

Re: Suddenly getting lots of these reports
« Reply #24 on: May 13, 2017, 10:45:22 PM »
there are thousands of exposed SME servers out there.. ATM and AFAIR there was no issues..

if you want, you can edit the html file to redirect a surfer to your site (or anywhere you decide)

Letsencrypt will not see/use your page.. it works on an hidden dir .well-known (almost empty)

Creating/altering the index.htm in /home/e-smith/files/ibays/Primary/html with a redirection to an external domain hosted by my ISP results in not being able to access the server-manager. I assume also horde (not tested). Content of index.htm:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">

<html>

<head>
  <meta http-equiv="refresh" content="1; URL=http://www.externaldoamin.de"
</head>

</html>

What's wrong with that?

@DanB35:

Thank you for your reply. I'l think about this. Thank you so far.

stefan

And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

Offline SchulzStefan

Re: Suddenly getting lots of these reports
« Reply #25 on: May 13, 2017, 11:34:54 PM »
if you use letsencrypt certs you won't have any issue, never..

I followed the https://wiki.contribs.org/Letsencrypt#Installation. Opened the port 80 on my firewall and forwarded it to the SME. Removed the domain.local and set up as primary domain an ISP hosted one.

No errors occurred, but it's not working.

These are generated:
/etc/dehydrated/config
/etc/dehydrated/domains.txt

This is empty:
/etc/dehydrated/certs/
rm /etc/dehydrated/accounts/

Do I have to whitelist (in my firewall)
Quote
You can now run dehydrated for the first time, and make sure it's able to connect to the Let's Encrypt servers,

Not working out-of-the-box for me.

Some help would be nice.

stefan
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

Offline DanB35

Re: Suddenly getting lots of these reports
« Reply #26 on: May 13, 2017, 11:36:48 PM »
"it's not working" is not very helpful.  What happens when you run "dehydrated -c"?

guest22

Re: Suddenly getting lots of these reports
« Reply #27 on: May 14, 2017, 07:55:05 AM »
No errors occured,  but it's not working.

I had this too a few days back on a new server. 'not working' was after issuing 'dehydrated -c' there was no feedback to the console and after a little bit, the prompt was back.

I ended up removing the contrib and go for a manual install. That worked for me and gave me the nice progress report on screen, so I knew exactly what dehydrated was doing.


HTH

Offline SchulzStefan

Re: Suddenly getting lots of these reports
« Reply #28 on: May 14, 2017, 09:59:09 AM »
"it's not working" is not very helpful.  What happens when you run "dehydrated -c"?

I know. But if there's nothing to report and nothing in a log, what should I report?

RequestedDeletion was faster - same with me. I'll try the manual installation and will report.

regards,
stefan
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

guest22

Re: Suddenly getting lots of these reports
« Reply #29 on: May 14, 2017, 10:01:41 AM »
I'll try the manual installation and will report.


Please make sure you remove everything. Uninstalling the contrib does not remove e.g. db config info e.g. 'config show letsencrypt'

Offline DanB35

Re: Suddenly getting lots of these reports
« Reply #30 on: May 14, 2017, 01:30:51 PM »
I know. But if there's nothing to report and nothing in a log, what should I report?
Literally nothing happens when you type "dehydrated -c"?  It just returns you to a shell prompt?  Even that would have been helpful, and more than you stated, but it also would be very surprising.

It'd be helpful to try to troubleshoot it, rather than to just blow out the contrib and move to a manual installation.  Or better yet, file a bug against the contrib.  A couple of ideas here:

What's the output of "which dehydrated"?

What are the contents of /etc/dehydrated/config?  Mask your email address if you like; the rest isn't sensitive.

What are the contents of /etc/dehydrated/domains.txt?  Is your hostname listed there?

Offline DanB35

Re: Suddenly getting lots of these reports
« Reply #31 on: May 14, 2017, 01:31:57 PM »
Please make sure you remove everything. Uninstalling the contrib does not remove e.g. db config info e.g. 'config show letsencrypt'
Although it's a good idea to keep the database clean, stray entries won't affect a manual installation if there's no template referring to them (which there wouldn't be with a manual installation).

guest22

Re: Suddenly getting lots of these reports
« Reply #32 on: May 14, 2017, 01:42:45 PM »
Although it's a good idea to keep the database clean, stray entries won't affect a manual installation if there's no template referring to them (which there wouldn't be with a manual installation).

Correct regarding the contrib-specific templates (fragments). The service entry by itself will trigger processing by the default expand-templates engines, in turn called by all kinds of signal-events and actions.


A service entry tagged as 'service' will be processed, whereas we could choose to tag an entry with 'uninstalled' which would then bypass all other events.

Offline DanB35

Re: Suddenly getting lots of these reports
« Reply #33 on: May 14, 2017, 02:01:31 PM »
Really, there shouldn't be any situation where the dehydrated script produces no output at all, which is what makes me wonder if it's actually running at all.  Hence the request for the output of "which dehydrated", as it would show where it's trying to run from.

If, for example, your PATH were completely bizarre, and looked to /etc/cron.daily/ before it looked to /usr/bin/, it would have that effect.  Or if you were in /etc/cron.daily/, and instead of typing "dehydrated -c", you typed "./dehydrated -c", that would explain it.  Or if you were in /etc/cron.daily/ and your PATH included "." (which it probably never should at all, and certainly never should as root), that would explain it.  But all of these sound pretty far-fetched.

guest22

Re: Suddenly getting lots of these reports
« Reply #34 on: May 14, 2017, 02:23:53 PM »
I guess the easiest way to see what is going on is for the author of the contrib to test the contrib on a clean VM. I was installing on a production server under the 'assumption' it was fully tested and 'approved'.

Offline DanB35

Re: Suddenly getting lots of these reports
« Reply #35 on: May 14, 2017, 02:39:32 PM »
The contrib has been tested, repeatedly, on a clean VM--I know because I did a lot of the testing.  The easiest way to see what is going on is for those who are having problems to actually try to troubleshoot rather than just saying forget it.

guest22

Re: Suddenly getting lots of these reports
« Reply #36 on: May 14, 2017, 03:04:07 PM »
I would if it was a test. This was a scheduled production server, and not available for trouble shooting.

Offline Stefano

Re: Suddenly getting lots of these reports
« Reply #37 on: May 14, 2017, 04:44:10 PM »
I guess the easiest way to see what is going on is for the author of the contrib to test the contrib on a clean VM. I was installing on a production server under the 'assumption' it was fully tested and 'approved'.

Installed and working with no issues on at least a dozen of servers

guest22

Re: Suddenly getting lots of these reports
« Reply #38 on: May 14, 2017, 05:47:28 PM »
Stefan tried yesterday and I tried 2 days back. Maybe something has changed during the last few days?

Offline DanB35

Re: Suddenly getting lots of these reports
« Reply #39 on: May 14, 2017, 08:21:28 PM »
Stefan tried yesterday and I tried 2 days back. Maybe something has changed during the last few days?
Unlikely; I have the current versions installed, and they're working fine.

I'm not saying you aren't having a problem, but it's frustrating (not to mention at least a little insulting) to see you suggest that not even the most basic testing was done on the contrib, especially when you know better--you reported the bug, for heaven's sake, and quite a bit of the discussion and testing took place there.

So, something apparently isn't working as expected for you, or for @SchulzStefan.  That's unfortunate, and the results you're both describing are surprising (at least to me).  Since it is working perfectly for me and for @Stefano (and @ReetP, and I suspect many others), that points to something different in your installation.  Can you test it on a VM?  If so, do you see the same results?

guest22

Re: Suddenly getting lots of these reports
« Reply #40 on: May 14, 2017, 08:25:50 PM »
I'm not saying you aren't having a problem, but it's frustrating (not to mention at least a little insulting) to see you suggest that not even the most basic testing was done on the contrib, especially when you know better--you reported the bug, for heaven's sake, and quite a bit of the discussion and testing took place there. [...] Can you test it on a VM?  If so, do you see the same results?


No insult intended, just reporting events. As you describe, 'we have it installed' means it was not installed on a new machine/VM during the last few days. Updating and testing an already installed contrib is different from installing it on a new machine/VM, especially since we went over to SME Server 9.2. If I have time I will try to test on a VM, but I have so little spare time. Reporting and following this is all I can do for now.

Offline DanB35

Re: Suddenly getting lots of these reports
« Reply #41 on: May 14, 2017, 09:28:13 PM »
I did install it on clean VMs several times throughout the development process for testing, and it is currently working on my main machine.  I just built a clean test VM with 9.2 and installed it, though, and I'm seeing similar (though not identical) results to what you're reporting:
Code:
[root@sme92-test ~]# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
[root@sme92-test ~]#

My apologies.  As penance, I've reported the bug: https://bugs.contribs.org/show_bug.cgi?id=10300

guest22

Re: Suddenly getting lots of these reports
« Reply #42 on: May 14, 2017, 09:30:52 PM »
My apologies.  As penance, I've reported the bug: https://bugs.contribs.org/show_bug.cgi?id=10300


No problem, glad we have identified something odd and concur.

Offline SchulzStefan

Re: Suddenly getting lots of these reports
« Reply #43 on: May 14, 2017, 11:20:17 PM »
To all:

Switching to https://bugs.contribs.org/show_bug.cgi?id=10300

regards,
stefan
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

Offline DanB35

Re: Suddenly getting lots of these reports
« Reply #44 on: May 15, 2017, 02:47:53 AM »
Switching to https://bugs.contribs.org/show_bug.cgi?id=10300
Replying back here, since the comment you added to the bug really deals with something else.

I can only assume Stefano didn't consider the possibility of your firewall blocking outbound connections from your server; I know I didn't.  Yes, your server must be able to make outbound connections on ports 80 and 443, and the entire Internet needs to be able to reach your server on port 80.  No, you can't whitelist particular inbound IPs for the validation; Let's Encrypt has repeatedly stated that they intend to validate from a wide range of IPs and networks.

You should not have needed to manually edit domains.txt.  Simply set letsencryptSSLcert to enabled for those hostnames and/or domains you want to be named on the cert, and only for those hostnames and/or domains.  Then, a signal-event console-save will generate the files properly.

The problem you're encountering is that xxx.de apparently goes somewhere other than to your SME server, so the challenge doesn't succeed--when the LE servers try to get the challenge file, it gets a 404 error.

Offline SchulzStefan

Re: Suddenly getting lots of these reports
« Reply #45 on: May 15, 2017, 08:38:03 AM »
Yes, your server must be able to make outbound connections on ports 80 and 443, and the entire Internet needs to be able to reach your server on port 80.

At this point, letsyencrypt is not for me. That does not meet my security concept for a server, which is not hosting a webpage for the entire world and is "only" fetching and distributing email from ISP in the internal net. This server is meant as a fileserver for internal use, nothing else. Of course with the ability of sending email.

You should not have needed to manually edit domains.txt.  Simply set letsencryptSSLcert to enabled for those hostnames and/or domains you want to be named on the cert, and only for those hostnames and/or domains.  Then, a signal-event console-save will generate the files properly.

In the how-to is said: https://wiki.contribs.org/Letsencrypt#Prerequisites:

Quote
The Letsencrypt client and server interact to confirm that the person requesting a certificate for a hostname actually controls that host. For this reason, there are some prerequisites for your configuration. For example, if you're trying to obtain a certificate for www.example.com, the following conditions must be met:

    www.example.com is a valid domain name--the domain has been registered, and DNS records are published for it.
    www.example.com resolves to your SME Server--published DNS records give the external IP address of your SME Server when queried for www.example.com.
    Your SME Server is connected to the Internet.
    Port 80 on your SME Server is open to the Internet--you aren't behind a firewall, or some ISP filtering, that would block it.

Letsencrypt will issue certificates that include multiple hostnames (for example, www.example.com, example.com, and mail.example.com), all of which would be part of the request. All of the conditions above must be true for all of the hostnames you want to include in the certificate.

Make sure you've got this all set up correctly before continuing.

On this server there are a few virtual domains which are not registered. Therefore not valid. Further I understand that in the case of valid domains every CNAME should be altered to point to/resolve to the IP of the SME. Am I wrong?

As I stated before, for me (maybe only for me) at the first place the SME is for internal use. There is too much around to tweak, what I don't like to do out of several reasons.

regards,
stefan

And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

Offline SchulzStefan

  • *
  • 620
  • +0/-0
Re: Suddenly getting lots of theses reports
« Reply #46 on: May 15, 2017, 11:00:33 AM »
FYI

https://community.letsencrypt.org/

Seems to me, that it's not working out-of-the-box.

regards,
stefan
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

Offline Stefano

  • *
  • 10,839
  • +2/-0
Re: Suddenly getting lots of theses reports
« Reply #47 on: May 15, 2017, 11:04:48 AM »
unfortunately for you, you're wrong..

99% of the issues reported by users on forums are about misconfiguration or something of the sort. IOW, it's not the tool that doesn't work, it's how it's used.

In any case, if it doesn't work out of the box for you, you'd know that you should open a bug giving all the needed info to help us debug it; "it doesn't work" means nothing and it's useless.

Offline Jean-Philippe Pialasse

  • *
  • 2,802
  • +11/-0
  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Suddenly getting lots of theses reports
« Reply #48 on: May 15, 2017, 12:32:50 PM »
Having a domain existing and resolvable on the internet does not mean it should also resolve to the same box on your LAN. You can still use your internal DNS to modify local resolution. Also you have a few alternatives if a server's port 80 is not accessible from outside: either use DNS to prove you control the domain, or use another server to get the certificates and deploy them to your internal server.

While you can also have a proxypass configuration to only redirect the letsencrypt verification to your internal server as a third solution.

Offline DanB35

  • ****
  • 764
  • +0/-0
    • http://www.familybrown.org
Re: Suddenly getting lots of theses reports
« Reply #49 on: May 15, 2017, 12:49:21 PM »
Seems to me, that it's not working out-of-the-box.
Nonsense, and I think you know better than that.  Some people will have problems with any software; the fact that there are people reporting problems in no way shows that the software or system is defective.  I'm reasonably active on the Let's Encrypt forum, and can confirm what Stefano is saying--the large majority of problem posts there (which themselves are a very small fraction of the millions of people who are using Let's Encrypt) are a matter of either (1) people configuring something wrong, or (2) Let's Encrypt itself working just fine, but then they don't know what to do with the cert once they receive it.

But none of that has anything to do with your case.  If you're unwilling to open port 80 of your SME server, things get more complicated for you, but you still have options.
  • You can use the DNS challenge; I posted links on this up-thread
  • You can use the built-in hook script functionality to copy the challenge files to an Internet-accessible location--this isn't documented very well at this time; I'll try to get something added to the wiki page shortly
  • You may be able to use some sort of reverse proxy arrangement as JPP mentions
  • You can obtain the cert on your firewall and deploy it from there to your SME box

Any of these are going to require some scripting and/or custom template fragments, but they're all options.
......
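The hook-script option from the list above, as an added example that is neither the contrib's own hook nor dehydrated's sample hook.sh. dehydrated invokes the script named by HOOK with a handler name and arguments: deploy_challenge and clean_challenge each receive the domain, the token filename and the token value, once per name in the request. The script below puts the token where the host that does answer on port 80 for that name will serve it under /.well-known/acme-challenge/, so the SME server's own port 80 can stay closed. CHALLENGE_DEST, the "user@host:/path" ssh target and the directory names are assumptions for the example; the public web server is assumed to map /.well-known/acme-challenge/ onto that directory.

```shell
#!/bin/sh
# Added example dehydrated hook (not the smeserver-letsencrypt contrib's own
# hook, nor dehydrated's sample hook.sh).  dehydrated runs
#   $HOOK deploy_challenge <domain> <token_filename> <token_value>
#   $HOOK clean_challenge  <domain> <token_filename> <token_value>
# once per name; this hook publishes the token where the host that answers on
# port 80 for that name serves /.well-known/acme-challenge/.
#
# CHALLENGE_DEST is an assumed setting: a local directory, or an scp-style
# "user@host:/path" reached over ssh with key authentication.  (An IPv6
# literal as host would clash with the ':' split; use a name or ssh alias.)
set -eu

CHALLENGE_DEST="${CHALLENGE_DEST:-/var/www/acme-challenge}"

# Token filenames come from the ACME server; never let one escape the directory.
safe_token_name() {   # name
    case "$1" in
        ''|*/*|.|..) return 1 ;;
    esac
    return 0
}

# Write the key authorization (no trailing newline, so the body is exactly
# the value) and make it world-readable for the web server.
put_challenge() {   # dest name value
    dest=$1; name=$2; value=$3
    safe_token_name "$name" || { echo "hook: refusing token name '$name'" >&2; return 1; }
    case "$dest" in
        *:*) printf '%s' "$value" | ssh "${dest%%:*}" "cat > '${dest#*:}/$name' && chmod a+r '${dest#*:}/$name'" ;;
        *)   mkdir -p "$dest"; printf '%s' "$value" > "$dest/$name"; chmod a+r "$dest/$name" ;;
    esac
}

rm_challenge() {   # dest name
    dest=$1; name=$2
    safe_token_name "$name" || return 1
    case "$dest" in
        *:*) ssh "${dest%%:*}" "rm -f '${dest#*:}/$name'" ;;
        *)   rm -f "$dest/$name" ;;
    esac
}

deploy_challenge() {   # domain token_filename token_value
    put_challenge "$CHALLENGE_DEST" "$2" "$3"
}

clean_challenge() {    # domain token_filename token_value
    rm_challenge "$CHALLENGE_DEST" "$2"
}

# Dispatch the handler dehydrated asked for; other handlers (deploy_cert,
# unchanged_cert, ...) are left to whatever the rest of your setup does.
if [ $# -gt 0 ]; then
    handler=$1; shift
    case "$handler" in
        deploy_challenge|clean_challenge) "$handler" "$@" ;;
    esac
fi
```

Point HOOK at this file in the dehydrated config and either hardcode CHALLENGE_DEST in the script or export it from that config (dehydrated sources the config as a shell file). The name check matters because the token filename is chosen by the remote ACME server, and the hook runs as root on the box that later holds your private key.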

guest22

Re: Suddenly getting lots of theses reports
« Reply #50 on: May 15, 2017, 12:58:29 PM »
Maybe it's all a bit complicated to understand what is under the hood. Maybe the contrib should be more verbose and give advice. Especially as it is targeted as a core part for SME 10.

Offline DanB35

  • ****
  • 764
  • +0/-0
    • http://www.familybrown.org
Re: Suddenly getting lots of theses reports
« Reply #51 on: May 15, 2017, 01:36:08 PM »
Maybe it's all a bit complicated to understand what is under the hood.
That's true of most of SME; it's designed so that users don't need to understand what's under the hood.  What about this contrib, from a user's perspective, do you think is too complicated?

Quote
Maybe the contrib should be more verbose and give advice.
What advice do you think the contrib should give that it doesn't?
......

guest22

Re: Suddenly getting lots of theses reports
« Reply #52 on: May 15, 2017, 01:38:22 PM »
Well, the reports indicate that the contrib is not verbose at all. So for the 'I installed SME Server and need a certificate' user, there is nothing much to report. Let alone one understands the importance or what it does.

guest22

Re: Suddenly getting lots of theses reports
« Reply #53 on: May 15, 2017, 01:40:20 PM »
To add to that, the smeserver-letsencrypt contrib does not work. period. Evidence has been presented by not too stupid guys.


The manual install works perfectly though and provides feedback.

guest22

Re: Suddenly getting lots of theses reports
« Reply #54 on: May 15, 2017, 01:43:14 PM »
I have provided enough detailed feedback from a production server, and I will stick to the manual install.

Offline Drifting

  • ****
  • 431
  • +0/-0
Re: Suddenly getting lots of theses reports
« Reply #55 on: May 15, 2017, 02:08:45 PM »
Well I am confused..

From an end user, with a moderate amount of knowledge, is there any documentation in plain English that I could understand, so that I may make an informed guess about DMARC etc. and if I should implement it? So far all I have seen it do is reject genuine email. Please do not send me to some random FAQ that assumes you understand every part of the mail server system, I don't!

I thank whoever did the document, as I would be in an even worse state without it, but really need to understand the part about the delegate mail server, as this is what I use. I forward external mail to my ISP, they in turn relay mail back to my SME. Could not get my head round the docs on this sequence.

Can I also clarify that it is best to change the domains from .local to the genuine? from what I have read, the answer is yes?

Is this DMARC going to be a standard all servers will implement? Seems to me it is going to generate a massive amount of email to postmaster mailboxes around the world? I must point out this is only from my very brief understanding of what I have seen leaving my own servers. (Got a stinking cold so not the most coherent at the moment)

Paul.
« Last Edit: May 15, 2017, 02:24:53 PM by Drifting »
Infamy, Infamy, they all have it in for me!

Offline DanB35

  • ****
  • 764
  • +0/-0
    • http://www.familybrown.org
Re: Suddenly getting lots of theses reports
« Reply #56 on: May 15, 2017, 02:40:38 PM »
I have provided enough detailed feedback from a production server,
You have provided very little feedback, and the most important part of it was wrong--it's simply incorrect that "dehydrated -c" returns you to the shell prompt with no output, and your reporting that sent me on a wild goose chase.  If you (or @ShulzStefan) had indicated that the command did return some output (and better yet, what that output was), that would have saved some time in narrowing down the issue.

Quote
To add to that, the the smeserver-letsencrypt contrib does not work. period.
...except for all the servers for which it does work.  period.

There's something about the three curl commands that the contrib adds to the config file that is breaking things on at least some systems.  Why that should be the case is puzzling to me.  My production server is a SME 9.2 VM, on a Proxmox host, in server-only mode, behind a pfSense firewall.  It has the contrib, and the curl commands don't cause any problem at all.  My test box is a SME 9.2 VM, on a Proxmox host, in server-only mode, behind a pfSense firewall, and the curl commands cause it to die.  The curl commands are identical, both machines are running the same version of curl, and they're in identical network configurations.  But one works and the other doesn't.  And when I remove the redirects from the one that doesn't work (so I can see the error it's returning), it starts working.

Yes, there's clearly a problem, and yes, it needs to be fixed.  But it's wrong to say "it does not work. period."

Quote
Well, the reports indicate that the contrib is not verbose at all.
You realize that the contrib uses the exact same dehydrated script as the manual installation, right?
......
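Redirection order, as an added example that is not taken from the page or from the contrib's config file: the shell applies redirections left to right, so `2>&1 >/dev/null` first copies stderr onto the current stdout (the terminal, or whatever is capturing the command) and only then points stdout at /dev/null, leaving error text visible and normal output discarded; `>/dev/null 2>&1` silences both. The stand-in command and its messages are constructed for the demo.

```shell
#!/bin/sh
# Added example: which output survives each redirection order.
# noisy_cmd stands in for a curl call that writes to both streams; its
# messages are constructed for the demo, not taken from the contrib.

noisy_cmd() {
    printf 'stdout: transfer progress\n'
    printf 'stderr: curl: (7) Failed to connect to host port 80\n' >&2
}

# "2>&1 >/dev/null": stderr is duplicated onto the CURRENT stdout first,
# then stdout alone is pointed at /dev/null.
# Result: error text visible, normal output gone.
stderr_visible() {
    noisy_cmd 2>&1 >/dev/null
}

# ">/dev/null 2>&1": stdout goes to /dev/null first, then stderr is
# duplicated onto that.  Result: nothing at all, so a failing command
# leaves no trace of why it failed.
all_silenced() {
    noisy_cmd >/dev/null 2>&1
}

# "2>&1" alone: both streams on stdout, the form to use when logging.
all_kept() {
    noisy_cmd 2>&1
}

# Run with "demo" as the first argument to see the three cases on a terminal.
if [ "${1:-}" = demo ]; then
    echo '--- noisy_cmd 2>&1 >/dev/null'; stderr_visible
    echo '--- noisy_cmd >/dev/null 2>&1'; all_silenced
    echo '--- noisy_cmd 2>&1';            all_kept
fi
```

When you are hunting for a silent failure, the second form is the one to remove; with the first form, stderr was already reaching the console, so an empty screen really does mean the command printed nothing.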

Offline Stefano

  • *
  • 10,839
  • +2/-0
Re: Suddenly getting lots of theses reports
« Reply #57 on: May 15, 2017, 02:59:05 PM »
I agree with Dan

most of our contribs are done to add features hiding all the complications.

If something isn't working (but it used to do) the only right approach is to open a bug and start digging/debugging
just coming here saying "it doesn't work" is useless and doesn't help devs (and, above all, other users) to make a better product.

Offline SchulzStefan

  • *
  • 620
  • +0/-0
Re: Suddenly getting lots of theses reports
« Reply #58 on: May 15, 2017, 03:36:12 PM »
I did install it on clean VMs several times throughout the development process for testing, and it is currently working on my main machine.  I just built a clean test VM with 9.2 and installed it, though, and I'm seeing similar (though not identical) results to what you're reporting:
Code: [Select]
[root@sme92-test ~]# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
[root@sme92-test ~]#

My apologies.  As penance, I've reported the bug: https://bugs.contribs.org/show_bug.cgi?id=10300

Quote
If you (or @ShulzStefan) had indicated that the command did return some output (and better yet, what that output was), that would have saved some time in narrowing down the issue.

Quote
Dan Brown 2017-05-15 14:59:53 CEST

Thought I'd added this last night, but I don't see it.

Obviously the issue has something to do with the curl commands added to config.  So, rolled the VM back to where the certs hadn't been successfully issued yet.  Ran dehydrated -c, and it behaved as I reported--gave a message that it was using the default config file, then returned to the shell prompt. Changed the curl commands to remove the redirect (the "2>&1 > /dev/null" at the end of each line) so I could see what was happening.  Ran "dehydrated -c" again, and (unsurprisingly) the curl commands generated some ugly output, but issuing the certs succeeded without any further issues.

Rolled back to a pre-issuance state again.  Ran dehydrated -c, and it again behaved as reported.  Edited config to only remove the 2>&1 part of the redirect--this should send stdout to /dev/null, but stderr still to the console.  Ran "dehydrated -c" again, and once again a cert was issued without errors.

This isn't helping--no error output is being generated.

Rolled back again.  Ran dehydrated -c.  It behaved as reported.  Changed nothing, and ran dehydrated -c again.  It completed without issues.  This didn't work last night--repeated invocations of dehydrated -c had the same results as the first invocation.

Rolled back again.  Edited config (without running dehydrated -c first) to remove the 2>&1 from each of the curl commands.  Ran dehydrated -c, and it behaved as reported, with no further errors from curl.  Ran dehydrated -c again, and it completed without issues.

Opening port 80 was not enough; after opening 443, I reported in the bugtracker:

Quote
Here is what I tried so far:

I opened my firewall. @stefano: BTW it's not only port 80, for curl the https port also needs to be opened. And, another point - I have to allow in my LAN *any* to *any* which I do not really understand... Usually my firewall is configured with the last rule to deny everything what is not allowed. (Default deny LAN to any rule).

First of all I followed the advice from janet and changed the primary domain to a registered domain. In my case from *.local to *.de. The *.de domain is a registered domain. Altering the CNAME I am able to reach my server over dyndns.

Secondly I re-installed the contrib after clearing all pre-installed fragments (of this contrib - smeserver-letsencrypt) and reboot with signal-event post.....

Then I altered the domain.txt to the *one* registered domain that I'd like to have a cert for email. There are a few more, but I don't want certs for them. "ftp.xxx.de mail.xxx.de www.xxx.de xxx.de"

Running dehydrated -c results in:

# INFO: Using main config file /etc/dehydrated/config
+ Generating account key...
+ Registering account key with ACME server...
Processing ftp.xxx.de with alternative names: mail.xxx.de www.xxx.de xxx.de
 + Signing domains...
 + Creating new directory /etc/dehydrated/certs/ftp.xxx.de ...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for ftp.xxx.de...
 + Requesting challenge for mail.xxx.de...
 + Requesting challenge for www.xxx.de...
 + Requesting challenge for xxx.de...
 + Responding to challenge for ftp.xxx.de...
 + Responding to challenge for mail.xxx.de...
 + Responding to challenge for www.xxx.de...
 + Challenge is valid!
 + Responding to challenge for xxx.de...
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:unauthorized",
    "detail": "Invalid response from http://xxx.de/.well-known/acme-challenge/BRZHc8cpXjpj7_gjYaiJmDnKJ_-QOPxv_sNic0SMXEw: \"\u003c!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\"\u003e\n\u003chtml\u003e\u003chead\u003e\n\u003ctitle\u003e404 Not Found\u003c/title\u003e\n\u003c/head\u003e\u003cbody\u003e\n\u003ch1\u003eNot Found\u003c/h1\u003e\n\u003cp\"",
    "status": 403
  },
  "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/-xYqKSs8_ndFiuQdpCaAR6OP3MfcZ_xD_pnKwL-rUj4/38745745",
  "token": "BRZHc8cpXjpj7_gjYaiJmDnKJ_-QOPxv_sNic0SMXEw",
  "keyAuthorization": "BRZHc8cpXjpj7_gjYaiJmDnKJ_-QOPxv_sNic0SMXEw.ajQV71Epgz6e1zvfNQd7npQs17GuYvYWjQmuqNxcBCc",
  "validationRecord": [
    {
      "url": "http://xxx.de/.well-known/acme-challenge/BRZHc8cpXjpj7_gjYaiJmDnKJ_-QOPxv_sNic0SMXEw",
      "hostname": "xxx.de",
      "port": "80",
      "addressesResolved": [
        "UUU.169.145.68",
        "UUUU:238:20a:202:1068::"
      ],
      "addressUsed": "UUUU:238:20a:202:1068::",
      "addressesTried": []
    }
  ]
})

By default the firewall is blocking IPv6.

Don't know why there's an invalid response?

In /etc/dehydrated the directory "accounts" and "certs" have been created. In "certs" is the directory "ftp.xxx.de", and in this dir are the files cert-1494796583.csr  cert-1494796583.pem  privkey-1494796583.pem.

That's it. No luck so far.

Server is a production server - no virtual box.

Before there was nothing to report, I'm sorry.

Nonsense, and I think you know better than that.  Some people will have problems with any software; the fact that there are people reporting problems in no way shows that the software or system is defective.  I'm reasonably active on the Let's Encrypt forum, and can confirm what Stefano is saying--the large majority of problem posts there (which themselves are a very small fraction of the millions of people who are using Let's Encrypt) are a matter of either (1) people configuring something wrong, or (2) Let's Encrypt itself working just fine, but then they don't know what to do with the cert once they receive it.

But none of that has anything to do with your case.  If you're unwilling to open port 80 of your SME server, things get more complicated for you, but you still have options.
  • You can use the DNS challenge; I posted links on this up-thread
  • You can use the built-in hook script functionality to copy the challenge files to an Internet-accessible location--this isn't documented very well at this time; I'll try to get something added to the wiki page shortly
  • You may be able to use some sort of reverse proxy arrangement as JPP mentions
  • You can obtain the cert on your firewall and deploy it from there to your SME box

Any of these are going to require some scripting and/or custom template fragments, but they're all options.

I'm sorry. I installed a contrib following the how-to. It didn't work as expected. As a matter of fact, it's not only port 80 to open. If I had known that port 443 also has to be opened, I could have reported earlier the output which I gave in the bugtracker.

After opening my firewall (besides a modification of an internal deny rule) it still didn't work as expected. I got the hint to alter the domain.txt file. I didn't try this yet.

I reported that I changed my primary domain from *.local to a verified one (*.de). I understood that altering the CNAME of the hosted domain to dyndns (pointing as a result at the SME) will show letsencrypt that I have full control over the server. Doing this brings a few other problems to the table. Of course depending on your firewall/network configuration. But for me, not so easy to manage. At least there's some work and re-configuration to do.

If millions of people are using letsencrypt without having problems, that's great for them. I didn't judge letsencrypt, dehydrated nor the contrib. And I am not going to do this.

Personally I think everybody should cool down. Every contrib is a great work and more than appreciated. It helps in any way.

My 2c

regards,
stefan
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)
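Reading the failure record quoted in the post above: the validationRecord shows that Let's Encrypt resolved both an A and an AAAA record for the bare domain, used the IPv6 address, got an HTTP 404 page back from whatever answered there, and tried nothing else (addressesTried is empty), so the IPv4 address was never contacted. The following is an added example, not part of dehydrated or the contrib, that pulls those fields out of saved dehydrated output with sed/grep (no jq on a stock SME 9) and turns them into a verdict. The sample record is constructed in the shape of the one above with documentation addresses and a placeholder token; the verdict words and messages are the example's own.

```shell
#!/bin/sh
# Added example, not part of dehydrated or the smeserver-letsencrypt contrib:
# triage the record dehydrated prints after "ERROR: Challenge is invalid!".
# Usage:  dehydrated -c 2>&1 | tee /tmp/dehydrated.log
#         acme_triage /tmp/dehydrated.log

# First string value of a key in Boulder's pretty-printed JSON (one key per line).
acme_field() {   # file key
    sed -n "s/^[[:space:]]*\"$2\": \"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# The "type" inside the "error" object (the top-level "type" is the challenge type).
acme_error_type() {   # file
    sed -n '/"error": {/,/}/p' "$1" | sed -n 's/.*"type": "\([^"]*\)".*/\1/p' | head -n 1
}

# One-word verdict on stdout.
acme_verdict() {   # file
    f=$1
    addr=$(acme_field "$f" addressUsed)
    case "$(acme_error_type "$f")" in
        *:connection) echo unreachable; return 0 ;;
    esac
    # An IPv6 address was used and addressesTried is empty: something answered
    # there, so the validator never fell back to the A record.
    if [ "${addr#*:}" != "$addr" ] && grep -q '"addressesTried": \[\]' "$f"; then
        echo ipv6-answered; return 0
    fi
    if grep -q '404 Not Found' "$f"; then
        echo wrong-webroot; return 0
    fi
    echo unknown
}

acme_triage() {   # file
    f=$1
    printf 'name: %s   address used: %s   error: %s\n' \
        "$(acme_field "$f" hostname)" "$(acme_field "$f" addressUsed)" "$(acme_error_type "$f")"
    case "$(acme_verdict "$f")" in
        unreachable)   echo "No connection on port 80 at that address: firewall, NAT or ISP filtering." ;;
        ipv6-answered) echo "The AAAA record was used and a host answered on it, so no IPv4 fallback was tried: open port 80 over IPv6 to this server or remove the AAAA record." ;;
        wrong-webroot) echo "A web server answered with 404: the name points at another host, or /.well-known/acme-challenge/ is not served from dehydrated's WELLKNOWN directory." ;;
        *)             echo "Unrecognised failure; read the detail field in the record." ;;
    esac
}

# Constructed sample in the shape of the record quoted in the thread:
# documentation addresses (RFC 5737 / RFC 3849) and a placeholder token.
sample_failure() {
cat <<'EOF'
{
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:unauthorized",
    "detail": "Invalid response from http://xxx.de/.well-known/acme-challenge/TOKEN: \"\u003ctitle\u003e404 Not Found\u003c/title\u003e\"",
    "status": 403
  },
  "validationRecord": [
    {
      "url": "http://xxx.de/.well-known/acme-challenge/TOKEN",
      "hostname": "xxx.de",
      "port": "80",
      "addressesResolved": [ "192.0.2.10", "2001:db8::10" ],
      "addressUsed": "2001:db8::10",
      "addressesTried": []
    }
  ]
}
EOF
}
```

Before the next attempt, check what the public DNS says for every name in domains.txt (both A and AAAA) against what the firewall actually forwards; a stray AAAA record on the bare domain is enough to fail the whole multi-name request, because every name must validate.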

Offline DanB35

  • ****
  • 764
  • +0/-0
    • http://www.familybrown.org
Re: Suddenly getting lots of theses reports
« Reply #59 on: May 15, 2017, 03:36:58 PM »
You can use the built-in hook script functionality to copy the challenge files to an Internet-accessible location--this isn't documented very well at this time;
 I'll try to get something added to the wiki page shortly
I've added something--could probably use some clean-up, but it may help:
https://wiki.contribs.org/Letsencrypt#Obtaining_certificates_for_a_private_SME_Server
......

Offline DanB35

  • ****
  • 764
  • +0/-0
    • http://www.familybrown.org
Re: Suddenly getting lots of theses reports
« Reply #60 on: May 15, 2017, 03:40:36 PM »
I'm sorry. I installed a contrib following the how-to. It didn't work as expected. As a matter of fact, it's not only the port 80 to open. If I knew that also port 443 has to be opened, I could have reported earlier the output which I gave in the bugtracker.
Neither Stefano nor I was considering that your firewall might block outbound connections as well.  The wiki has now been updated to more clearly describe the requirements at https://wiki.contribs.org/Letsencrypt#Prerequisites.
......

Offline SchulzStefan

  • *
  • 620
  • +0/-0
Re: Suddenly getting lots of theses reports
« Reply #61 on: May 15, 2017, 03:49:30 PM »
I agree with Dan

most of our contribs are done to add features hiding all the complications.

If something isn't working (but it used to do) the only right approach is to open a bug and start digging/debugging
just coming here saying "it doesn't work" is useless and doesn't help devs (and, above all, other users) to make a better product.

Pardon me - I don't remember saying/acting like this?

regards,
stefan
« Last Edit: May 15, 2017, 03:56:37 PM by SchulzStefan »
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

Offline Stefano

  • *
  • 10,839
  • +2/-0
Re: Suddenly getting lots of theses reports
« Reply #62 on: May 15, 2017, 04:59:55 PM »
Pardon me - I don't remember saying/acting like this?

regards,
stefan

mine was not a direct answer to you, I apologize.

the main rule is "if something doesn't work out of the box it's likely a bug, so open a bug in bugzilla" :-)

I'd love not to have bugs in our product.. this is impossible, indeed, and all of us will be glad to help everyone.. we just need a good bug report and good feedback.. spending time here ranting about something that doesn't work won't help anybody.

I'm really sorry you had these problems: letsencrypt is working fine for me but I agree that this is not enough.

let's work together to solve your problem ;-)