We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on Vesta 2.0 and expect to release it by the end of 2024. Read more about it: https://vestacp.com/docs/vesta-2-development
Help with TLS and certs
I'm having a little trouble getting the email at 100% on checktls.com. For the record, I'm running vesta on vesta.website.com, and plan to have the main site set up on website.com. I'm not sure what to put as an MX record but it appears to work without one, just says "No Mail eXchangers found; will try TLS directly to host". Alternatively using one set to "website.com handled by vesta.website.com" doesn't seem to make much difference.
Initially the TLS was totally failing, but a quick google suggested setting the certificate permissions to root:Debian-exim (at /home/admin/conf/web/ssl.vesta.website.com.*) and that fixed it as it was unable to read them under the default Vesta settings.
Now that's working, it's failing at certificates, and I'm wondering if anyone knows how to fix it? They are correct on website.com and vesta.website.com in the browser, but for some reason not correct on email.
Here's the cert fail part from checktls.com:

```
[000.624] Cert VALIDATION ERROR(S): unable to get local issuer certificate, unable to verify the first certificate
[000.625] This may help: What Is An Intermediate Certificate
[000.625] So email is encrypted but the recipient domain is not verified
[000.625] Cert Hostname DOES NOT VERIFY (dc-c3e7106d6d7b.website.com != vesta.website.com | DNS:vesta.website.com)
[000.625] So email is encrypted but the host is not verified
```

In mxtoolbox.com it gives this:

```
smtp dc-c3e7106d6d7b.website.com 6.233 seconds - Warning on Connection time
smtp dc-c3e7106d6d7b.website.com 9.057 seconds - Not good! on Transaction Time
```

Not sure where that dc-c3e7106d6d7b comes from. It's different depending on if you do @website.com or @vesta.website.com.
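An added diagnostic, not from the original post and not part of Vesta, that reproduces the two checktls checks quoted above from your own machine: it does STARTTLS to the mail host using the system trust store (so the chain and the hostname are verified exactly as a receiving MTA would), maps OpenSSL's verify codes onto the "unable to get local issuer certificate" and hostname-mismatch messages, and carries the SAN matching rule so a mismatch can be explained from the certificate alone. The host name `vesta.website.com` is the thread's placeholder; the verify-code numbers assume OpenSSL's standard numbering.

```python
"""Check an SMTP host's STARTTLS certificate the way checktls does:
chain verifiable (intermediate present) and name matches the DNS SANs."""
import smtplib
import ssl

# OpenSSL X509 verify codes behind the two checktls messages in the thread
# (assumed standard OpenSSL numbering: 20/21 chain problems, 62 name mismatch).
VERIFY_CODE_HINTS = {
    20: "unable to get local issuer certificate: serve the intermediate with the leaf",
    21: "unable to verify the first certificate: no intermediate was sent",
    62: "hostname mismatch: the name you connect to is not in the cert's DNS SANs",
}


def san_matches(san_names, hostname):
    """RFC 6125-style match: exact name, or a wildcard in the left-most label only."""
    hostname = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == hostname:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            label, dot, rest = hostname.partition(".")
            if label and dot and "." + rest == name[1:]:
                return True
    return False


def diagnose_peercert(peercert, connect_host):
    """Explain a name check from an ssl getpeercert() dict, checktls-style."""
    sans = [value for (kind, value) in peercert.get("subjectAltName", ()) if kind == "DNS"]
    if san_matches(sans, connect_host):
        return "Cert Hostname VERIFIES (%s)" % connect_host
    return "Cert Hostname DOES NOT VERIFY (%s not in DNS:%s)" % (
        connect_host, ", DNS:".join(sans) or "<none>")


def check_smtp_starttls(host, port=25, timeout=10):
    """STARTTLS to host with full verification; return (ok, message)."""
    ctx = ssl.create_default_context()  # verifies chain and hostname, like a real MTA
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            smtp.starttls(context=ctx)  # raises SSLCertVerificationError on failure
            return True, diagnose_peercert(smtp.sock.getpeercert(), host)
    except ssl.SSLCertVerificationError as err:
        return False, "Cert VALIDATION ERROR: %s" % VERIFY_CODE_HINTS.get(err.verify_code, err.verify_message)
    except (smtplib.SMTPException, OSError) as err:
        return False, "connection failed: %s" % err


if __name__ == "__main__":
    print(check_smtp_starttls("vesta.website.com"))  # thread's placeholder hostname
```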
Re: Help with TLS and certs
This is my reply to a previous post that may be relevant to you, specifically, read the pull request linked below to get a better idea.
Vesta currently does not pass the web domain SSL cert to the email level. This means that only your server hostname can be used without showing the certificate warning. I am not sure if this is quite possible as I have not yet myself studied how this can be implemented; I just know it's expected right now, so if you use the domain to connect to, you have to either not use encryption, ignore the cert warning, or use the server name as the domain name.
However, in order for the server name to not trigger a warning, the cert itself there must be valid (not be self signed), and also the proper configuration must be made for the mail server to use it.
The best way to configure your server correctly to use the hostname and not get an error is by executing the following command on your server as root:
```
v-update-host-certificate [USER] [HOSTNAME]
```
USER is the user that has the web domain that you are pulling the cert from (most often admin, as the server hostname is added to it by default), and HOSTNAME is your server hostname as listed in the web section; it is best that it matches your server hostname in the server configuration, or you will have a cert error.
If the hostname cert is being generated by Let's Encrypt, you can probably add this command to your admin user CRON so that you do not have to remember to run it when the cert expires every 3 months.
```
sudo /usr/local/vesta/bin/v-update-host-certificate [USER] [HOSTNAME]
```
It's up to you to decide how often it runs; I would set it to run once a month.
Remember to replace [USER] [HOSTNAME] with your user and hostname (without the brackets []).
This was added recently, as of this pull request; you can read more details here:
https://github.com/serghey-rodin/vesta/pull/1317
This is the script if you want to look at it:
https://github.com/serghey-rodin/vesta/ ... ertificate