Frequent SSL Error

wahmed · September 12, 2017, 2:35pm

NethServer Version: 7
Module: WebTop

I have been having this SSl error for a while and now it became too serious and frustrating to ignore. Manually applying Wildcard SSL seems to be really problematic. I tried to upload SSL through GUI and manually through console. But sometimes it will work and sometimes it does not specially after a reboot. Recently I renewed SSL and tried to upload it in place of the old one and things just wont work. I can only successfully access https://domain.com/webtop without error, but my Android stopped receiving/sending emails, so did my thunderbird. Running systemctl status for httpd httpd-admin postfix seems all good.

What am I doing wrong? The upload process through GUI should all i need no?
Some help to figure this all out would be much appreciated as it is causing major disruption to our email communication. I also recently installed another instance of Nethserver for a client email server but facing the exact same issue.

mrmarkuz · September 12, 2017, 3:24pm

HI @wahmed,

you need a pem cert and install it for dovecot AFAIK…
But I had the case, where I wanted a renewed wildcard ssl cert and got a wrong one from provider because they don’t have wildcard anymore…so maybe not a webtop problem

Something to read about SSL and dovecot:
https://wiki.dovecot.org/SSL/DovecotConfiguration
https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO17759&actp=RSS&viewlocale=en_US

There are some internal threads about SSL and webtop too:
https://community.nethserver.org/search?q=webtop%20ssl

wahmed · September 12, 2017, 4:23pm

Thanks @mrmarkuz for your reply.

I have few ClearOS setups where i installed the same SSL and working perfectly fine. The same SSL also applied to some web servers and hypervisors. This is Comodo Wildcard SSL. The certs are also in PEM format. Sometimes I need to manually rename the certs and the .conf files to make it work, then when server reboots, nethserver rewrites the conf. Thats how it worked for last several months. But this time around manually changing file name in conf or the certs itself not working. I can access the webtop on https:// using a browser just fine. I can see the server receiving emails just fine on Web GUI if Webpo, but my thunderbird or android stopped receiving emails completely.

mrmarkuz · September 12, 2017, 7:24pm

This is because Nethserver uses templates for the config files:

In this case you need to edit /etc/dovecot.conf:
So look if there are templates, and there are some:

[root@server ~]# ls /etc/e-smith/templates/etc/dovecot/dovecot.conf/
10debug            20users             50quota          70smtpauth
10distro-defaults  25user-action-logs  50spamfolder     90imap_max_line_length
10environment      40namespaces        50spam_training  90webtop
10limits           40postlogin         60lda
20protocols        50deletedtotrash    60lmtp

Never edit the original templates, make your own one at templates-custom:

mkdir -p /etc/e-smith/templates-custom/etc/dovecot/dovecot.conf
cp /etc/e-smith/templates/etc/dovecot/dovecot.conf/90webtop /etc/e-smith/templates-custom/etc/dovecot/dovecot.conf/90webtop

Enter your special config in this file and expand the template to rewrite the config:

nano /etc/e-smith/templates-custom/etc/dovecot/dovecot.conf/90webtop
expand-template /etc/dovecot/dovecot.conf

This was just an example, look which file is necessary to edit…

For more information about templates:
http://docs.nethserver.org/projects/nethserver-devel/en/v7/templates.html

So it seems there’s another problem, not just templating. Do you have a backup from the time, where everything worked?

wahmed · September 26, 2017, 2:24pm

I think i got SSL part taken care now. Based on suggestions that Nethserver uses templates for SSL, i removed all manual changes including renaming file, deleted custom SSL then uploaded SSL from scratch. My mobile device still wasnt syncing even though it was connected fine. Then i found another article on this forum about sync issue and was suggested to remove the account from mobile device completely, then remove it from Webtop GUI, then reconnect the device again. All seems to work now.

It does look like a good idea to use template for SSL on multi services so users dont need to change different SSL configurations. But i dont think i came across this piece of info on documentation, if i did i missed it totally.