Koozali.org formerly Contribs.org

Let's Encrypt on sub-domain only - possible?

Offline stabilys

Let's Encrypt on sub-domain only - possible?
« on: January 28, 2020, 05:31:30 PM »
I have a question about setting up Let’s Encrypt *just* on a sub-domain, ie on mail.xxx.xxx 

I know everyone is busy with the updates to Let’s Encrypt, and don’t know if any changes in the script will affect this question. I suspect the issues I raise may be relevant to others: my expertise in this area is sadly lacking, so I am asking here. I have two systems with similar set-ups, and I expect others do similar things too. I have substituted “example” for the actual domain name below. The question is at the end under “Summary”; the necessary background info follows.

Background

1. There’s an SME-Server v9 in server-only mode doing file- and mail-server duties, with a large iSCSI-mounted filesystem from a storage server
2. It is behind an OPNSense firewall which does multi-wan, IP-Sec VPN duties, and other tasks that can’t readily be done by the SME-Server
3. Email is further filtered and forwarded by a Barracuda email filter (the SME-Server spam filter was unable to handle the sheer weight of spam, due to the three-letter domain name having previously been owned by a spammer, unbeknownst to the client when they bought it)
4. Users, especially i-Device users, are now having lots of issues with self-signed certificates from the SME-Server as Apple have really tightened up permissions on this (Android too)
5. So the plan is to add a non-self-signed SSL certificate, and the first choice is Let’s Encrypt.

But, I don’t know if it will work using the dehydrated script. I think it will but I am asking for advice.

DNS Configuration
- The client’s web site is served by a third-party site developer on Digital Ocean
- The web site has a Let’s Encrypt SSL certificate for that root domain only (not for www. even), see report:

example.co.uk resolves to nnn.128.47.228
Server Type: nginx/1.10.3
The certificate should be trusted by all major web browsers (all the correct intermediate certificates are installed).
The certificate was issued by Let's Encrypt.    
The certificate will expire in 48 days.   
None of the common names in the certificate match the name that was entered (example.co.uk). You may receive an error when accessing this site in a web browser. It looks like you just need to add the "www." when accessing the site with SSL.


- the mail. A record is pointed at the SME-Server’s external address which is in a DSL domain
- there’s port forwards for the mail and web ports but only mail is served to external users @ home or on mobiles
- the server has two mail. A records as there are two WAN addresses, one primary and one fail-over
- reverse records etc all set up and working for years
- fail2ban is in use on the server additionally to the Barracuda filter
- it’s using a self signed cert, see report:
   
mail.example.co.uk resolves to nnn.32.218.9
 Server Type: Apache
 The certificate will expire in 18 days.   
 The certificate is self-signed. Users will receive a warning when accessing this site unless the certificate is manually added as a trusted certificate to their web browser. You can fix this error by buying a trusted SSL certificate
 None of the common names in the certificate match the name that was entered (mail.example.co.uk). You may receive an error when accessing this site in a web browser.


The server is set up as follows

server name          serv1

Domains are all resolved locally

Hostnames:
ftp.example.co.uk      Self   172.17.7.10           
mail.example.co.uk      Self   172.17.7.10           
proxy.example.co.uk      Self   172.17.7.10           
serv1.example.co.uk      Self   172.17.7.10               
server1.example.co.uk   Self   172.17.7.10               
wpad.example.co.uk      Self   172.17.7.10           
www.example.co.uk      Self    172.17.7.10



Summary

What I want to do is set up Let’s Encrypt for the mail.example.co.uk name on the SME-Server (and presumably for the server web interface and other services etc) while not touching (or breaking!) the top level example.co.uk which is pointed at another IP, not under our direct control, and already using Let’s Encrypt.

So to the question: if I set up Let’s Encrypt with the domain name mail.example.co.uk is this likely to work?

Sorry this is long, hope it is clear. Any advice or clues given much appreciated. I can set up and test – but if I’m barking up the wall and it just won’t work I would like to know in advance so I do something else that does have a chance of working :)
This, too, will pass ;)

Offline ReetP

Re: Let's Encrypt on sub-domain only - possible?
« Reply #1 on: January 28, 2020, 07:41:06 PM »
I think, in a word, yes.

Just make sure that whatever name/domain/host you want to use ONLY resolves to your SME.

Be that.

domain.com
host.domain.com

or whatever

Note you can set individual Hosts, or complete Domains. The choice is yours :-)

Also note, there is a hack I have used for years allowing subdomains so you can jigger apache a bit and that is fine.

eg I have two domains setup.

somedomain.com - enabled hosts mail/www and enabled domain

chat.somedomain.com - no hosts and JUST enabled domain

Currently we do not do separate certs for different domains by putting things on different lines - just one cert for all the enabled hosts & domains. My /etc/dehydrated/domains.txt looks like this:

somedomain.info chat.somedomain.info mail.somedomain.info www.somedomain.info

Just make sure the .well-known/acme-challenge dir can resolve, eg

http://somedomain.com/.well-known/acme-challenge/

http://host.somedomain.com/.well-known/acme-challenge/

You should be good if your DNS records point the right way.

E&OE :-)
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation
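The two preconditions ReetP lists (every name in domains.txt resolves only to the SME, and the challenge path answers on port 80) can be checked before dehydrated is run. The script below is an added example, not code from the thread or from the smeserver-letsencrypt contrib; the WAN addresses and hostnames are constructed, and wrapping dig and curl in small functions so they can be replaced is an assumption of the example. It also handles the case in the original post of two WAN addresses: every A record must be one of the addresses passed in, otherwise the CA may reach the wrong host.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for an HTTP-01 order.
# Reads a dehydrated domains.txt line ("primary alt1 alt2 ...") and, for every
# name, confirms that public DNS resolves it ONLY to the SME's external
# address(es) and that the ACME challenge path on port 80 gets an answer.
# Assumptions: WAN addresses are given on the command line (constructed values
# in the usage line); resolver and HTTP probe are wrapped so they can be swapped.

# resolve_name NAME -> prints A records, one per line (uses dig; replaceable)
resolve_name() {
    dig +short A "$1" 2>/dev/null | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
}

# probe_challenge_path NAME -> prints the HTTP status of the challenge directory
probe_challenge_path() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
        "http://$1/.well-known/acme-challenge/"
}

# ip_allowed IP "IP1 IP2 ..." -> 0 if IP is one of the SME's WAN addresses
ip_allowed() {
    for allowed in $2; do
        [ "$1" = "$allowed" ] && return 0
    done
    return 1
}

# check_name NAME "WAN IPS" -> 0 if every A record is ours and the path answers;
# prints a one-line verdict
check_name() {
    name=$1; wan=$2; ok=0
    addrs=$(resolve_name "$name")
    if [ -z "$addrs" ]; then
        echo "FAIL $name: no A record"
        return 1
    fi
    for a in $addrs; do
        if ! ip_allowed "$a" "$wan"; then
            echo "FAIL $name: resolves to $a which is not this SME"
            ok=1
        fi
    done
    code=$(probe_challenge_path "$name")
    case "$code" in
        # any reply from our own httpd is fine: the CA fetches a token file,
        # and a redirect to https on the same host is followed
        2??|3??|403|404) ;;
        *) echo "FAIL $name: challenge path returned '$code'"; ok=1 ;;
    esac
    [ "$ok" -eq 0 ] && echo "OK   $name -> $(echo $addrs)"
    return $ok
}

# check_domains_line "primary alt ..." "WAN IPS" -> 0 only if every name passes
check_domains_line() {
    rc=0
    for n in $1; do
        check_name "$n" "$2" || rc=1
    done
    return $rc
}

# Usage (constructed addresses):
#   sh acme-preflight.sh "mail.example.co.uk serv1.example.co.uk" "203.0.113.10 203.0.113.11"
if [ "$#" -ge 2 ]; then
    check_domains_line "$1" "$2"
fi
```

Run it with the exact line you intend to put in /etc/dehydrated/domains.txt; a name that resolves to the web host on Digital Ocean (as www. does in the original post) is reported as a failure before the CA ever sees an order.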

Offline stabilys

Re: Let's Encrypt on sub-domain only - possible?
« Reply #2 on: January 28, 2020, 09:05:44 PM »
Quote
I think, in a word, yes.
...
E&OE :-)

Thanks for the reply ReetP - I know you are busy.

I'll have a play with testing then :)

MeJ



Offline ReetP

Re: Let's Encrypt on sub-domain only - possible?
« Reply #3 on: January 29, 2020, 01:57:44 AM »
Quote
Thanks for the reply ReetP - I know you are busy.

We're ALL busy!! But yes I am at the minute.

Quote
I'll have a play with testing then :)

Cool. Let us know how you get along and ask if you get stuck.

We are on Rocket too if you want to chat/help......

Offline stabilys

Re: Let's Encrypt on sub-domain only - possible?
« Reply #4 on: February 15, 2020, 10:50:58 AM »
Quote
We're ALL busy!! But yes I am at the minute.

Cool. Let us know how you get along and ask if you get stuck.

We are on Rocket too if you want to chat/help......

Hi all

so far it didn't work. I've skimmed https://forums.contribs.org/index.php/topic,53147.0.html and also done all the checks listed in the fault finding section without success so far.

I have an idea what it is but may be completely off-track. Below are the sanitised error from dehydrated and ditto http_error.

I suspect the problem is the server CommonName is not the DNS name of the domain it's trying to verify.

Am I on the right track?

Thanks for any suggestions or kicks.

MeJ

dehydrated

[root@serv1 dehydrated]# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
+ Generating account key...
+ Registering account key with ACME server...
Fetching missing account information from CA...
Processing mail.TLD.co.uk with alternative names: serv1.TLD.co.uk
 + Creating new directory /etc/dehydrated/certs/mail.TLD.co.uk ...
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
  + ERROR: An error occurred while sending get-request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/38626606 (Status 405)

Details:
HTTP/1.1 405 Method Not Allowed
Server: nginx
Date: Wed, 12 Feb 2020 20:01:46 GMT
Content-Type: application/problem+json
Content-Length: 103
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"

{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Method not allowed",
  "status": 405
}

[root@serv1 dehydrated]#

http_error

[Wed Feb 12 19:55:19 2020] [notice] caught SIGTERM, shutting down
[Wed Feb 12 19:55:19 2020] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Feb 12 19:55:19 2020] [warn] RSA server certificate CommonName (CN) `serv1.TLD.co.uk' does NOT match server name!?
[Wed Feb 12 19:55:19 2020] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Feb 12 19:55:19 2020] [warn] RSA server certificate CommonName (CN) `serv1.TLD.co.uk' does NOT match server name!?
[Wed Feb 12 19:55:19 2020] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Feb 12 19:55:19 2020] [warn] RSA server certificate CommonName (CN) `serv1.TLD.co.uk' does NOT match server name!?
[Wed Feb 12 19:55:19 2020] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Wed Feb 12 19:55:19 2020] [notice] Digest: generating secret for digest authentication ...
[Wed Feb 12 19:55:19 2020] [notice] Digest: done
[Wed Feb 12 19:55:19 2020] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Feb 12 19:55:19 2020] [warn] RSA server certificate CommonName (CN) `serv1.TLD.co.uk' does NOT match server name!?
[Wed Feb 12 19:55:19 2020] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Feb 12 19:55:19 2020] [warn] RSA server certificate CommonName (CN) `serv1.TLD.co.uk' does NOT match server name!?
[Wed Feb 12 19:55:19 2020] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Feb 12 19:55:19 2020] [warn] RSA server certificate CommonName (CN) `serv1.TLD.co.uk' does NOT match server name!?
[Wed Feb 12 19:55:19 2020] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Wed Feb 12 19:55:19 2020] [notice] Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/1.0.1e-fips configured -- resuming normal operations
[Wed Feb 12 19:58:43 2020] [error] [client 89.248.174.146] File does not exist: /home/e-smith/files/ibays/Primary/html/editBlackAndWhiteList
[Wed Feb 12 20:01:24 2020] [notice] caught SIGTERM, shutting down
[Wed Feb 12 20:01:24 2020] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Feb 12 20:01:24 2020] [warn] RSA server certificate CommonName (CN) `serv1.TLD.co.uk' does NOT match server name!?
[Wed Feb 12 20:01:24 2020] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Feb 12 20:01:24 2020] [warn] RSA server certificate CommonName (CN) `serv1.TLD.co.uk' does NOT match server name!?
[Wed Feb 12 20:01:24 2020] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Feb 12 20:01:24 2020] [warn] RSA server certificate CommonName (CN) `serv1.TLD.co.uk' does NOT match server name!?
[Wed Feb 12 20:01:24 2020] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Wed Feb 12 20:01:24 2020] [notice] Digest: generating secret for digest authentication ...
[Wed Feb 12 20:01:24 2020] [notice] Digest: done
[Wed Feb 12 20:01:24 2020] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Feb 12 20:01:24 2020] [warn] RSA server certificate CommonName (CN) `serv1.TLD.co.uk' does NOT match server name!?
[Wed Feb 12 20:01:24 2020] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Feb 12 20:01:24 2020] [warn] RSA server certificate CommonName (CN) `serv1.TLD.co.uk' does NOT match server name!?
[Wed Feb 12 20:01:24 2020] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Feb 12 20:01:24 2020] [warn] RSA server certificate CommonName (CN) `serv1.TLD.co.uk' does NOT match server name!?
[Wed Feb 12 20:01:24 2020] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Wed Feb 12 20:01:24 2020] [notice] Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/1.0.1e-fips configured -- resuming normal operations

Offline ReetP

Re: Let's Encrypt on sub-domain only - possible?
« Reply #5 on: February 15, 2020, 11:08:19 AM »
This is your issue.

Code:
ERROR: An error occurred while sending get-request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/38626606 (Status 405)
Nothing will work until the dehydrated script completes without errors. It needs to complete and run a 'deploy' section.

So first fix that.

Which versions of smeserver-letsencrypt & dehydrated are you running?

You might need the dehydrated version in test which is 0.6.5

Also

cat /etc/dehydrated/config

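The 405 in Reply #4 came back from a plain GET on an authorization URL at the staging CA. RFC 8555 §6.3 has ACME clients fetch such resources with POST-as-GET, and dehydrated 0.6.5, the version ReetP points to, is the release that speaks it, so the Apache CN warnings in http_error are a separate matter from why the order stops. The script below is an added example, not code from the thread or from the smeserver-letsencrypt contrib: it compares the installed dehydrated version against 0.6.5, reads CA and CHALLENGETYPE out of the config text, and maps an ACME status code to a likely cause. The config lines used in the test are constructed, and the way the output of dehydrated --version is parsed is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the dehydrated client and its
# config before chasing Apache certificate warnings. The functions take the
# version string and the config text as arguments so they can be checked offline.

# version_ge A B -> 0 if dotted version A >= B (numeric per component, so 0.6.10 >= 0.6.9)
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$2" ]
}

# config_value CONFIG_TEXT KEY -> value of the last uncommented KEY=... line, quotes stripped
config_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p" | tail -n1 | tr -d '"'
}

# ca_is_staging CA_URL -> 0 if the configured directory is Let's Encrypt staging
ca_is_staging() {
    case "$1" in *acme-staging*) return 0 ;; *) return 1 ;; esac
}

# classify_acme_problem HTTP_STATUS URL -> one-line explanation of a dehydrated error
classify_acme_problem() {
    case "$1:$2" in
        405:*/acme/authz*|405:*/acme/order*|405:*/acme/cert*)
            echo "client sent a plain GET to an ACME resource; the CA requires POST-as-GET (RFC 8555 s6.3): upgrade dehydrated to >= 0.6.5" ;;
        403:*) echo "authorization refused: the challenge was not validated (check DNS and the .well-known path)" ;;
        429:*) echo "rate limited by the CA: wait, or test against staging first" ;;
        *) echo "unclassified ACME error $1 for $2" ;;
    esac
}

# preflight VERSION CONFIG_TEXT -> prints findings; returns 0 if the client can finish an order
preflight() {
    rc=0
    if version_ge "$1" 0.6.5; then
        echo "dehydrated $1: speaks POST-as-GET"
    else
        echo "dehydrated $1: older than 0.6.5, GET on authz/order resources is answered with 405"
        rc=1
    fi
    ca=$(config_value "$2" CA)
    if ca_is_staging "$ca"; then
        echo "CA=$ca is the staging CA: issued certificates are not trusted by browsers"
    else
        echo "CA=${ca:-default}"
    fi
    ct=$(config_value "$2" CHALLENGETYPE)
    [ -z "$ct" ] && ct=http-01
    echo "challenge type: $ct"
    return $rc
}

# Usage on the SME itself (assumed: 'dehydrated --version' prints a dotted version somewhere):
#   sh dehydrated-preflight.sh run
if [ "$#" -ge 1 ]; then
    ver=$(dehydrated --version 2>/dev/null | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)
    preflight "${ver:-0.0.0}" "$(cat /etc/dehydrated/config)"
fi
```

A non-zero exit from preflight means the order will stop at the first authorization fetch regardless of DNS, which is the "fix that first" ReetP describes; once staging succeeds, the same script shows whether CA still points at the staging directory before you switch to production.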