Certificate problem

bagu
Normal user
Posts: 211
Joined: 2005-06-17 03:08
Location: France

Certificate problem

Post by bagu » 2019-09-19 15:26

Hello,

I'm coming here to finish a question from this forum: https://www.apachelounge.com/viewtopic. ... 8503#38503

As I said on that forum, I have an Apache web server with a Let's Encrypt certificate (thanks to mod_md!).
I have set up my two domains to have the same MX pointing to mail.bagu.biz (which is on the certificate).

But when I replace my CAcert certificate with the Let's Encrypt certificate, everything fails on the client side.
And there is no error message in hMailServer.

So: is there something I missed? Or is there a difference between a CAcert certificate and a Let's Encrypt certificate?
hMailServer 5.6.8 With SpamAssassin 3.4.2

bagu
Normal user
Posts: 211
Joined: 2005-06-17 03:08
Location: France

Re: Certificate problem

Post by bagu » 2019-09-19 17:49

I enabled debug and I get this:

"DEBUG" 8232 "2019-09-19 17:47:19.697" "TCP connection started for session 6"
"DEBUG" 8232 "2019-09-19 17:47:19.698" "Performing SSL/TLS handshake for session 6. Verify certificate: False"
"DEBUG" 1900 "2019-09-19 17:47:19.718" "The read operation failed. Bytes transferred: 0 Remote IP: 172.16.0.1, Session: 6, Code: 335856658, Message: sslv3 alert bad certificate"
"DEBUG" 1900 "2019-09-19 17:47:19.718" "Ending session 6"

The certificate works well for the web server...
hMailServer 5.6.8 With SpamAssassin 3.4.2
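The four debug lines above carry more than the alert text. As an added example that is not part of the thread or of hMailServer, the Python below parses lines in the debug-log layout shown ("LEVEL" PID "TIMESTAMP" "MESSAGE"; the parser accepts tabs or spaces between fields, so it does not depend on which one hMailServer writes), pulls out the failing session, remote IP and OpenSSL error code, and splits the packed code into its library and reason numbers. It assumes the OpenSSL 1.x packed-code layout (8 bits library, 12 bits function, 12 bits reason), which the posted code 335856658 fits: library 20 (ERR_LIB_SSL) and reason 1042, i.e. 1000 + TLS alert 42 (bad_certificate). Reasons of 1000 + n are how OpenSSL records a fatal alert n received from the peer, and "sslv3 alert bad certificate" is simply OpenSSL's name for reason 1042 whatever protocol version was negotiated. The sample log is constructed: the first session is the one posted, the second (alert 48, unknown_ca) is invented to show a different outcome.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterator, Optional, Tuple

# Constructed sample in the hMailServer debug-log layout from the thread. Session 6 is the
# posted one; session 7 is made up (code 335856664 = lib 20, reason 1048 = alert 48, unknown_ca).
SAMPLE_LOG = '''\
"DEBUG" 8232 "2019-09-19 17:47:19.697" "TCP connection started for session 6"
"DEBUG" 8232 "2019-09-19 17:47:19.698" "Performing SSL/TLS handshake for session 6. Verify certificate: False"
"DEBUG" 1900 "2019-09-19 17:47:19.718" "The read operation failed. Bytes transferred: 0 Remote IP: 172.16.0.1, Session: 6, Code: 335856658, Message: sslv3 alert bad certificate"
"DEBUG" 1900 "2019-09-19 17:47:19.718" "Ending session 6"
"DEBUG" 8232 "2019-09-19 17:52:03.101" "TCP connection started for session 7"
"DEBUG" 1900 "2019-09-19 17:52:03.140" "The read operation failed. Bytes transferred: 0 Remote IP: 172.16.0.23, Session: 7, Code: 335856664, Message: tlsv1 alert unknown ca"
'''

# "LEVEL" PID "TIMESTAMP" "MESSAGE" with any whitespace between the fields.
LINE_RE = re.compile(r'^\s*"(?P<level>\w+)"\s+(?P<pid>\d+)\s+"(?P<ts>[^"]+)"\s+"(?P<msg>.*)"\s*$')
# Failure message layout copied from the posted line.
FAIL_RE = re.compile(
    r"Remote IP: (?P<ip>[0-9A-Fa-f.:]+), Session: (?P<session>\d+), "
    r"Code: (?P<code>\d+), Message: (?P<text>.*)$")

ERR_LIB_SSL = 20             # OpenSSL 1.x library number for libssl errors
SSL_AD_REASON_OFFSET = 1000  # a fatal alert n received from the peer is recorded as reason 1000 + n

# TLS alert descriptors a client sends when it rejects the server's certificate or handshake
# (RFC 5246 section 7.2.2, RFC 8446 section 6.2).
TLS_ALERTS: Dict[int, str] = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 112: "unrecognized_name", 116: "certificate_required",
}


@dataclass
class TlsFailure:
    timestamp: str
    session: int
    remote_ip: str
    code: int
    text: str
    lib: int
    reason: int
    peer_alert: Optional[str]  # alert name when the code records an alert sent by the peer


def decode_openssl_code(code: int) -> Tuple[int, int, Optional[str]]:
    """Split an OpenSSL 1.x packed error code into (library, reason, peer alert name).

    Assumed layout: 8 bits library, 12 bits function, 12 bits reason. The function field
    is numbered differently across OpenSSL versions, so it is skipped here."""
    lib = (code >> 24) & 0xFF
    reason = code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        n = reason - SSL_AD_REASON_OFFSET
        alert = TLS_ALERTS.get(n, f"alert_{n}")
    return lib, reason, alert


def tls_failures(log_text: str) -> Iterator[TlsFailure]:
    """Yield one TlsFailure for every 'read operation failed' line carrying an OpenSSL code."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not in the expected layout: skip rather than guess
        f = FAIL_RE.search(m.group("msg"))
        if not f:
            continue
        code = int(f.group("code"))
        lib, reason, alert = decode_openssl_code(code)
        yield TlsFailure(m.group("ts"), int(f.group("session")), f.group("ip"),
                         code, f.group("text"), lib, reason, alert)


def alerts_by_client(log_text: str) -> Dict[Tuple[str, str], int]:
    """Count peer alerts per (remote IP, alert name). A burst of bad_certificate from every
    client right after a certificate swap points at the new chain, not at the clients."""
    return dict(Counter((f.remote_ip, f.peer_alert)
                        for f in tls_failures(log_text) if f.peer_alert))


if __name__ == "__main__":
    for fail in tls_failures(SAMPLE_LOG):
        print(f"{fail.timestamp} session {fail.session} from {fail.remote_ip}: "
              f"lib={fail.lib} reason={fail.reason} peer_alert={fail.peer_alert} ({fail.text})")
    print(alerts_by_client(SAMPLE_LOG))
```

Run it against a real hMailServer debug log by passing the file contents to `alerts_by_client`; a client that reports `bad_certificate` or `unknown_ca` has rejected the chain the server presented, so the next thing to compare is the certificate and chain files the server is configured with against what the web server serves for the same name.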

Dravion
Senior user
Posts: 1486
Joined: 2015-09-26 11:50
Location: Germany

Re: Certificate problem

Post by Dravion » 2019-09-19 21:59

In your debug log it's unclear if it's an SMTP, IMAP or POP3 session. Your client is also trying to negotiate an SSLv3 session, which is insecure, and that's why SSLv3 support was removed in newer hMailServer versions.

As said before, you need two certificates and their corresponding key files. The other problem is that mod_md is trying to replace an SSL certificate file which was loaded when the hMailServer service was started by Windows. Keep in mind that mod_md was developed to renew Apache2 VirtualHost SSL certificates on the fly and was not tested by its developers to work with hMailServer as well.

Try restarting the hMailServer Windows service manually after mod_md has renewed your LE SSL certificates.

bagu
Normal user
Posts: 211
Joined: 2005-06-17 03:08
Location: France

Re: Certificate problem

Post by bagu » 2019-09-19 22:06

Hello and thanks for your answer.

The problem happens in SMTP and IMAP sessions.
I use Thunderbird and I don't know why it's trying to negotiate an SSLv3 session.

As for mod_md, the certificate has been in place for a while.
Maybe I could use a copy of the certificate/key instead of the certificate in the mod_md folder.

Also, I always restart the hMailServer service after changing the certificate, so I think that's not the problem.
hMailServer 5.6.8 With SpamAssassin 3.4.2

Dravion
Senior user
Posts: 1486
Joined: 2015-09-26 11:50
Location: Germany

Re: Certificate problem

Post by Dravion » 2019-09-19 22:20

In your log, it clearly says "bad certificate".

That's an error message rooted in OpenSSL's security library, which is used by hMailServer to handle SSL stuff. It means it cannot load mod_md's LE-renewed SSL certificate because it seems to be corrupt or is formatted in a way OpenSSL doesn't understand.

bagu
Normal user
Posts: 211
Joined: 2005-06-17 03:08
Location: France

Re: Certificate problem

Post by bagu » 2019-09-19 22:38

It's really strange because I use the same certificate for my website and everything appears OK. Oo
And https://www.checktls.com/TestReceiver says that everything is OK when I set the LE certificate.

Argh! :S
hMailServer 5.6.8 With SpamAssassin 3.4.2

mattg
Moderator
Posts: 20277
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Certificate problem

Post by mattg » 2019-09-20 01:09

Run this and post the results:

viewtopic.php?f=20&t=30914

SSLv3.0 is broken and should be deprecated.
I don't think that a modern Apache server has SSLv3.0 enabled in its default settings; I think you need to specifically add it.

If your hMailServer allows SSLv3.0 (which it looks like it does) then the certificate that you have may not like that, and may be too complex to allow SSLv3.0 connections.

I suspect turning SSLv3.0 OFF in hMailServer will solve this for you.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

bagu
Normal user
Posts: 211
Joined: 2005-06-17 03:08
Location: France

Re: Certificate problem

Post by bagu » 2019-09-20 10:07

2019-09-20   Hmailserver: 5.7.0-B2429

DOMAINS

   "Domain1.com" - baxx.bix                       Enabled: True
      |- "Alias1.com" - maxx.baxx.bix

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:             7000   Enabled: True    
                   Max message size:    30000   Header:   Relaxed  Plus addressing:  True
                   Max size of accounts: 2000   Body:     Relaxed  Character:           +
                                                Algorithm: SHA256  Greylisting:      True
                                                Private key: e:\www\wwwbagubiz\certificats\privatedkimkey.txt
                                                Selector:    mail

   "Domain2.com" - baxx.fr                        Enabled: True
      |- "Alias2.com" - maxx.baxx.fr

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:             4000   Enabled: True    
                   Max message size:    30000   Header:   Relaxed  Plus addressing:  True
                   Max size of accounts: 4000   Body:     Relaxed  Character:           +
                                                Algorithm: SHA256  Greylisting:      True
                                                Private key: e:\www\wwwbagufr\certificats\privatedkimkey.txt
                                                Selector:    mail
-----------------------------------------------------------------------------------------------

IP RANGES

IP: 127.0.0.1 - 127.0.0.1     Priority: 500     Name: My computer

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True !! Protocol DISABLED !!      Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       - False
     Local To External    -  True              Local To External    - False
     External To Local    -  True              External To Local    - False
     External To External -  True              External To External -  True


IP: 172.16.0.1 - 172.16.1.255     Priority: 400     Name: Local Network

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True !! Protocol DISABLED !!      Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External -  True              External To External -  True


IP: 0.0.0.0 - 255.255.255.255     Priority: 10     Name: Internet

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True !! Protocol DISABLED !!      Antivirus:   True
     IMAP:   True                              SSL/TLS:     True

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External -  True              External To External -  True


   !!  Warning:  DEFAULT DOMAIN is SET  !! - "Domain1.com"
------------------------------------------------------
AUTOBANNED Local Addresses:
    172.16.0.1           Expires : 25/09/2019 13:40:21

-----------------------------------------------------------------------------------------------

AUTOBAN
  Autoban Enabled: True       Max invalid logon attempts:      2
                              Minutes Before Reset:         1500  (25,00 hours, 1,04 days)
                              Minutes to Autoban:           8760  (146,00 hours, 6,08 days)

There is a total of 192 auto-ban IP ranges.
-----------------------------------------------------------------------------------------------

INCOMING RELAYS
                    127.0.0.1        -   127.0.0.1
-----------------------------------------------------------------------------------------------

MIRRORING         Disabled
-----------------------------------------------------------------------------------------------

PROTOCOLS

SMTP
GENERAL             DELIVERY                  RFC COMPLIANCE            ADVANCED
No. Connections:  0  No Retries:  5 Mins: 30   Plain Text:         True  Bind: 
                     Host: Alias1.com          Empty sender:       True  Batch recipients:    50
Max Msg Size: 30000  Relay:-                   Incorrect endings:  True  Use STARTTLS:      True
                     (none entered)            Disc. on invalid:   True  Delivered-To hdr:  True
                                               Max number commands:   2  Loop limit:           3
                                                                         Recipient hosts:     25
  Routes:
    9bxxxxxxx.fr             - S: Remote  R: Remote - Addr: All         (ok)
    acxxxxxxx.fr             - S: Remote  R: Remote - Addr: All         (ok)
    grxxxxxxxxxxxxxxxxxxxxx.f- S: Remote  R: Remote - Addr: All         (ok)
    loxxxxxxxxxxxxxx.fr      - S: Remote  R: Remote - Addr: All         (ok)
    mdxx.loxxxxxxxxxxxxxx.fr - S: Remote  R: Remote - Addr: All         (ok)
    nexx.fr                  - S: Remote  R: Remote - Addr: All         (ok)
    prxxxxxxx.com            - S: Remote  R: Remote - Addr: All         (ok)
    prxxxxxxx.fr             - S: Remote  R: Remote - Addr: All         (ok)
    prxxxxxxx.orx            - S: Remote  R: Local  - Addr: All         (ok)
    sfx.fr                   - S: Remote  R: Remote - Addr: All         (ok)
    tixxxxx.net              - S: Remote  R: Remote - Addr: Selective   (ok)
    yaxxx.fr                 - S: Remote  R: Remote - Addr: All         (ok)

POP3
 !! Service Not Enabled !!

IMAP
 GENERAL                   PUBLIC FOLDERS                    ADVANCED
  No. Connections:   0      Public folder name: #Public       IMAP sort:  True
                                                              IMAP Quota: True
                                                              IMAP Idle:  True
                                                              IMAP ACL:   True
                                                              Delim: "."
-----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL                              SPAM TESTS              Score   SPAMASSASSIN
  Spam Mark:                  5       Use SPF:            True - 2    Use Spamassassin:    True
  Add X-HmailServer-Spam:     True    Check HELO host:    True - 2    Hostname:       127.0.0.1
  Add X-HmailServer-Reason:   True    Check MX records:   True - 3    Port:                 783
  Add X-HmailServer-Subject:  True    Verify DKIM:        True - 2    Use SA score:        True
              Subject Text: "*****SPAM*****"
  Spam delete threshold: 20         Maximum message size: 4096

DNSBL ENTRIES:
                  zen.spamhaus.org      Score: 2     Result: 127.0.0.*
                  psbl.surriel.com      Score: 1     Result: 127.0.0.*
                virbl.dnsbl.bit.nl      Score: 1     Result: 127.0.0.*
            b.barracudacentral.org      Score: 2     Result: 127.0.0.*
                    bl.spamcop.net      Score: 3     Result: 127.0.0.*
                   dnsbl.sorbs.net      Score: 2     Result: 127.0.0.*
     hostkarma.junkemailfilter.com      Score: 2     Result: 127.0.0.2|127.0.0.4
                   cbl.abuseat.org      Score: 2     Result: 127.0.0.2
                  all.spamrats.com      Score: 2     Result: 127.0.0.38|127.0.0.43

SURBL ENTRIES:
                   multi.surbl.org      Score: 2

GREYLISTING:
  Greylisting:   True       Defer mins: 1       Days Unused: 3      Days Used: 365
                            Bypass SPF: True     Bypass A/MX: False

Greylist WHITELIST ENTRIES:
   IP Address: 127.0.0.1
   IP Address: 88.184.248.22

Greylist DOMAINS enabled:
           Domain1.com
                 |--   Alias1.com
           Domain2.com
                 |--   Alias2.com

WHITELISTING

-----------------------------------------------------------------------------------------------

ANTIVIRUS

GENERAL:
  When found - Delete Attachments.

  Max Message Size: 10000
     CLAM AV:   True       Hostname: 127.0.0.1    Port: 3310
     CLAMWIN:   False
     CUSTOMAV:  False

  Block Attachments: True
               *.bat             Batch processing file
               *.cmd             Command file for Windows NT
               *.com             Command
               *.cpl             Windows Control Panel extension
               *.csh             CSH script
               *.exe             Executable file
               *.exe.txt         False text files
               *.inf             Setup file
               *.js              Fichiers javascript
               *.lnk             Windows link file
               *.msi             Windows Installer file
               *.msp             Windows Installer patch
               *.reg             Registration key
               *.scf             Windows Explorer command
               *.scr             Windows Screen saver
-----------------------------------------------------------------------------------------------

SSL CERTIFICATES
   Bagu.biz
       Certificate: D:\wamp\apache\md\domains\Domain1.com\pubcert.pem
       Private key: D:\wamp\apache\md\domains\Domain1.com\privkey.pem
   Certificat
       Certificate: D:\Certificats\mail.Domain1.com.crt
       Private key: D:\Certificats\mail.Domain1.com.key
-----------------------------------------------------------------------------------------------

SSL/TLS
             SSL 3.0 :  False
             TLS 1.0 :  False
             TLS 1.1 :  False
             TLS 1.2 :   True                Verify Remote SSL/TLS Certs:  False
SslCipherList  :

-----------------------------------------------------------------------------------------------

TCPIP PORTS                                         Connection Sec
               0.0.0.0         / 25    / SMTP   -   StartTLS Optional   Cert: Certificat
               0.0.0.0         / 143   / IMAP   -   StartTLS Optional   Cert: Certificat
               0.0.0.0         / 465   / SMTP   -   SSL/TLS             Cert: Certificat
               0.0.0.0         / 587   / SMTP   -   StartTLS Optional   Cert: Certificat
               0.0.0.0         / 993   / IMAP   -   SSL/TLS             Cert: Certificat
-----------------------------------------------------------------------------------------------

LOGGING      Logging Enabled: True

  Paths:-
    Current:  D:\wamp\logs\hmailserver\\hmailserver_2019-09-20.log  - !! NOT PRESENT !!
    Error:    D:\wamp\logs\hmailserver\\ERROR_hmailserver_2019-09-20.log
    Event:    D:\wamp\logs\hmailserver\\hmailserver_events.log - Last Event: 2019/09/20
    Awstats:  D:\wamp\logs\hmailserver\\hmailserver_awstats.log
                        APPLICATION -      .
                        SMTP        -    True
                        POP3        -      .
                        IMAP        -      .
                        TCPIP       -      .
                        DEBUG       -      .
                        AWSTATS     -      .
-----------------------------------------------------------------------------------------------

SYSTEM TESTS

Database type: MySQL

IPv6 support is available in operating system.

Backup directory F:\Sauvegardes\ServeurMail is writable.

Relative message paths are stored in the database for all messages.

There are no error logs in the log directory.
-----------------------------------------------------------------------------------------------

HMAILSERVER.INI

[Directories]
Program folder:  D:\hMailServer\
Database folder: 
Data folder:     D:\hMailServer\Data
Log folder:      D:\wamp\logs\hmailserver\
Temp folder:     X:\Temp
Event folder:    D:\hMailServer\Events\

[Database]
Type=              MYSQL
Username=          hmailserver
PasswordEncryption=1
Port=              3306
Server=            127.0.0.1
Internal=          0

[Settings]
DNSBLChecksAfterMailFrom=1
RewriteEnvelopeFromWhenForwarding=1
DisableAuthList=25
SepSvcLogs=1
-----------------------------------------------------------------------------------------------

Generated by HMSSettingsDiagnostics v1.96, Hmailserver Forum.

Here it is, but I never enabled SSLv3, so I am a little bit disappointed.
hMailServer 5.6.8 With SpamAssassin 3.4.2

palinka
Senior user
Posts: 1275
Joined: 2017-09-12 17:57

Re: Certificate problem

Post by palinka » 2019-09-20 13:02

You have no ciphers? I'm not the expert on SSL/TLS, but I do believe *something* has to be listed there.

bagu
Normal user
Posts: 211
Joined: 2005-06-17 03:08
Location: France

Re: Certificate problem

Post by bagu » 2019-09-20 13:04

Oh, I removed them to rewrite them...

Here are my ciphers:

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM::ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
I think I will replace it with:

ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
hMailServer 5.6.8 With SpamAssassin 3.4.2

mattg
Moderator
Posts: 20277
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Certificate problem

Post by mattg » 2019-09-21 00:06

As you are only running TLSv1.2 you could try this:

HIGH:!TLSv1:!SSLv3;

It is what I run.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
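Before pasting a cipher string into hMailServer it helps to see which suites it actually enables, and whether any of them give up forward secrecy or rely on legacy algorithms. The Python below is an added example, not code from the thread or from hMailServer: it expands bagu's proposed list and mattg's `HIGH:!TLSv1:!SSLv3` through the OpenSSL build that the local Python links against, using the standard `ssl` module, and sorts the resulting suites into forward-secret, non-AEAD (CBC + HMAC) and weak (RC4, 3DES, MD5, export, under 128 bits). The expansion depends on the OpenSSL version doing it, so the listing that counts is the one produced on the hMailServer host itself; treat this as a way to sanity-check the string, not as a statement of what hMailServer will negotiate. The trailing `;` in the posted strings is stripped here before the string reaches OpenSSL; whether hMailServer strips it itself is not something the thread tells us.

```python
import ssl
from dataclasses import dataclass, field
from typing import List, Optional

# Cipher strings quoted in the thread (bagu's proposed replacement list and mattg's suggestion).
PROPOSED = ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
            "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
            "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
            "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384")
MATTG = "HIGH:!TLSv1:!SSLv3;"

# Substrings that mark a suite as legacy regardless of what the cipher string asked for.
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC3", "MD5", "NULL", "EXPORT", "EXP-")


@dataclass
class CipherReport:
    cipher_string: str
    error: Optional[str] = None                                   # set if this OpenSSL rejects the string
    suites: List[str] = field(default_factory=list)               # everything the string enables (TLS <= 1.2)
    no_forward_secrecy: List[str] = field(default_factory=list)   # static RSA key exchange
    non_aead: List[str] = field(default_factory=list)             # CBC + HMAC suites
    weak: List[str] = field(default_factory=list)                 # RC4, 3DES, MD5, export, < 128 bit


def expand(cipher_string: str) -> List[dict]:
    """Expand an OpenSSL cipher string into the TLS 1.2-and-older suites it enables.

    get_ciphers() also lists TLS 1.3 suites, which a cipher string does not control,
    so those are dropped. The trailing ';' seen in the posted strings is stripped."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string.strip().rstrip(";"))
    return [c for c in ctx.get_ciphers() if c.get("protocol") != "TLSv1.3"]


def has_forward_secrecy(suite: dict) -> bool:
    """Ephemeral (EC)DH key exchange; falls back to the suite name on builds without the kea field."""
    kea = suite.get("kea") or ""
    return kea in ("kx-ecdhe", "kx-dhe") or suite["name"].startswith(("ECDHE-", "DHE-"))


def is_aead(suite: dict) -> bool:
    aead = suite.get("aead")
    if aead is None:  # older ssl builds omit the flag; infer from the name
        return any(t in suite["name"] for t in ("GCM", "CHACHA20", "CCM"))
    return bool(aead)


def analyze(cipher_string: str) -> CipherReport:
    """Classify every suite a cipher string enables on this machine's OpenSSL."""
    rep = CipherReport(cipher_string)
    try:
        suites = expand(cipher_string)
    except ssl.SSLError as exc:
        rep.error = str(exc)
        return rep
    for s in suites:
        name = s["name"]
        rep.suites.append(name)
        if not has_forward_secrecy(s):
            rep.no_forward_secrecy.append(name)
        if not is_aead(s):
            rep.non_aead.append(name)
        if any(m in name for m in WEAK_MARKERS) or s.get("strength_bits", 0) < 128:
            rep.weak.append(name)
    return rep


if __name__ == "__main__":
    for label, cs in (("bagu's proposed list", PROPOSED), ("mattg's string", MATTG)):
        rep = analyze(cs)
        print(f"== {label}: {rep.error or f'{len(rep.suites)} suites'}")
        print("  no forward secrecy:", rep.no_forward_secrecy or "none")
        print("  non-AEAD:          ", rep.non_aead or "none")
        print("  weak:              ", rep.weak or "none")
```

`HIGH:!TLSv1:!SSLv3` keeps whatever OpenSSL classes as HIGH and introduced at TLS 1.2, which on most builds includes the plain `AES256-GCM-SHA384` style suites with static RSA key exchange; the report makes that visible so you can decide whether to add `!kRSA` or list ECDHE/DHE suites explicitly, as bagu's proposed list does.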

jim.bus
Senior user
Posts: 304
Joined: 2011-05-28 11:49
Location: US

Re: Certificate problem

Post by jim.bus » 2019-09-21 12:01

bagu is using Hmailserver: 5.7.0-B2429.

This is not an official latest stable hMailServer version or Build. I believe the last information I saw was that MattG considers hMailServer 5.7.0-B2485 should still be considered an Alpha Build.

Current official stable latest hMailServer is 5.6.7-B2425.

Is it possible bagu is running into an unstable part or bug of hMailServer 5.7.0-B2429? An instability or bug that doesn't deal well with SSLv3.0. I also thought Martin said he had to remove SSLv3.0 in order to add TLSv1.3 but I don't know what Build he said he had to do that with.

bagu
Normal user
Posts: 211
Joined: 2005-06-17 03:08
Location: France

Re: Certificate problem

Post by bagu » 2019-09-21 13:02

jim.bus is quite right.

I'm using the Dravion version.

mattg: I will try your cipher ;) Thanks
hMailServer 5.6.8 With SpamAssassin 3.4.2

bagu
Normal user
Posts: 211
Joined: 2005-06-17 03:08
Location: France

Re: Certificate problem

Post by bagu » 2019-09-21 13:34

After some other tests, the same problem happens on v5.6.8 - Build 2451 (BETA) and hMailServer 5.6.7 - Build 2425, with and without the mattg cipher.

P.S.: new post because after a small amount of time I can't edit my previous post.
hMailServer 5.6.8 With SpamAssassin 3.4.2

palinka
Senior user
Posts: 1275
Joined: 2017-09-12 17:57

Re: Certificate problem

Post by palinka » 2019-09-21 13:46

Have you tried with the default ciphers on any version?

bagu
Normal user
Posts: 211
Joined: 2005-06-17 03:08
Location: France

Re: Certificate problem

Post by bagu » 2019-09-21 13:49

I can't remember the default cipher and it seems there is no way to make it default again (maybe a future feature? :D)

EDIT: OK, the default cipher is:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;

For archive purposes ;)

RE-EDIT: same result
hMailServer 5.6.8 With SpamAssassin 3.4.2

palinka
Senior user
Posts: 1275
Joined: 2017-09-12 17:57

Re: Certificate problem

Post by palinka » 2019-09-21 14:51

Have you tried creating a certificate using win-acme? It will export PEM-format certificates which can be used by both Apache and hMailServer. I created a couple of tutorials for win-acme in the tutorial forum.

bagu
Normal user
Posts: 211
Joined: 2005-06-17 03:08
Location: France

Re: Certificate problem

Post by bagu » 2019-09-21 14:53

I already tried it, but it seems it failed to launch:

 [EROR] Error loading any types from assembly D:\Certificats\GenLeCertificate\Utils\libbind9.dll: BadImageFormatException {Message="Impossible de charger le fichier ou l'assembly 'libbind9.dll' ou une de ses dépendances. Le module était censé contenir un manifeste de l'assembly.", FileName="libbind9.dll", FusionLog="", Data=[], InnerException=BadImageFormatException {Message="Impossible de charger le fichier ou l'assembly 'libbind9.dll' ou une de ses dépendances. Le module était censé contenir un manifeste de l'assembly.", FileName="libbind9.dll", FusionLog="", Data=[], InnerException=null, TargetSite=null, StackTrace=null, HelpLink=null, Source=null, HResult=-2146234344}, TargetSite=System.Reflection.AssemblyName nGetFileInformation(System.String), StackTrace="   à System.Reflection.AssemblyName.nGetFileInformation(String s)\r\n   à System.Reflection.AssemblyName.GetAssemblyName(String assemblyFile)\r\n   à PKISharp.WACS.Services.PluginService.GetTypes()", HelpLink=null, Source="mscorlib", HResult=-2146234344}
 [EROR] Error loading any types from assembly D:\Certificats\GenLeCertificate\Utils\libdns.dll: BadImageFormatException {Message="Impossible de charger le fichier ou l'assembly 'libdns.dll' ou une de ses dépendances. Le module était censé contenir un manifeste de l'assembly.", FileName="libdns.dll", FusionLog="", Data=[], InnerException=BadImageFormatException {Message="Impossible de charger le fichier ou l'assembly 'libdns.dll' ou une de ses dépendances. Le module était censé contenir un manifeste de l'assembly.", FileName="libdns.dll", FusionLog="", Data=[], InnerException=null, TargetSite=null, StackTrace=null, HelpLink=null, Source=null, HResult=-2146234344}, TargetSite=System.Reflection.AssemblyName nGetFileInformation(System.String), StackTrace="   à System.Reflection.AssemblyName.nGetFileInformation(String s)\r\n   à System.Reflection.AssemblyName.GetAssemblyName(String assemblyFile)\r\n   à PKISharp.WACS.Services.PluginService.GetTypes()", HelpLink=null, Source="mscorlib", HResult=-2146234344}
 [EROR] Error loading any types from assembly D:\Certificats\GenLeCertificate\Utils\libeay32.dll: BadImageFormatException {Message="Impossible de charger le fichier ou l'assembly 'libeay32.dll' ou une de ses dépendances. Le module était censé contenir un manifeste de l'assembly.", FileName="libeay32.dll", FusionLog="", Data=[], InnerException=BadImageFormatException {Message="Impossible de charger le fichier ou l'assembly 'libeay32.dll' ou une de ses dépendances. Le module était censé contenir un manifeste de l'assembly.", FileName="libeay32.dll", FusionLog="", Data=[], InnerException=null, TargetSite=null, StackTrace=null, HelpLink=null, Source=null, HResult=-2146234344}, TargetSite=System.Reflection.AssemblyName nGetFileInformation(System.String), StackTrace="   à System.Reflection.AssemblyName.nGetFileInformation(String s)\r\n   à System.Reflection.AssemblyName.GetAssemblyName(String assemblyFile)\r\n   à PKISharp.WACS.Services.PluginService.GetTypes()", HelpLink=null, Source="mscorlib", HResult=-2146234344}
 [EROR] Error loading any types from assembly D:\Certificats\GenLeCertificate\Utils\libirs.dll: BadImageFormatException {Message="Impossible de charger le fichier ou l'assembly 'libirs.dll' ou une de ses dépendances. Le module était censé contenir un manifeste de l'assembly.", FileName="libirs.dll", FusionLog="", Data=[], InnerException=BadImageFormatException {Message="Impossible de charger le fichier ou l'assembly 'libirs.dll' ou une de ses dépendances. Le module était censé contenir un manifeste de l'assembly.", FileName="libirs.dll", FusionLog="", Data=[], InnerException=null, TargetSite=null, StackTrace=null, HelpLink=null, Source=null, HResult=-2146234344}, TargetSite=System.Reflection.AssemblyName nGetFileInformation(System.String), StackTrace="   à System.Reflection.AssemblyName.nGetFileInformation(String s)\r\n   à System.Reflection.AssemblyName.GetAssemblyName(String assemblyFile)\r\n   à PKISharp.WACS.Services.PluginService.GetTypes()", HelpLink=null, Source="mscorlib", HResult=-2146234344}
 [EROR] Error loading any types from assembly D:\Certificats\GenLeCertificate\Utils\libisc.dll: BadImageFormatException {Message="Impossible de charger le fichier ou l'assembly 'libisc.dll' ou une de ses dépendances. Le module était censé contenir un manifeste de l'assembly.", FileName="libisc.dll", FusionLog="", Data=[], InnerException=BadImageFormatException {Message="Impossible de charger le fichier ou l'assembly 'libisc.dll' ou une de ses dépendances. Le module était censé contenir un manifeste de l'assembly.", FileName="libisc.dll", FusionLog="", Data=[], InnerException=null, TargetSite=null, StackTrace=null, HelpLink=null, Source=null, HResult=-2146234344}, TargetSite=System.Reflection.AssemblyName nGetFileInformation(System.String), StackTrace="   à System.Reflection.AssemblyName.nGetFileInformation(String s)\r\n   à System.Reflection.AssemblyName.GetAssemblyName(String assemblyFile)\r\n   à PKISharp.WACS.Services.PluginService.GetTypes()", HelpLink=null, Source="mscorlib", HResult=-2146234344}
 [EROR] Error loading any types from assembly D:\Certificats\GenLeCertificate\Utils\libisccc.dll: BadImageFormatException {Message="Impossible de charger le fichier ou l'assembly 'libisccc.dll' ou une de ses dépendances. Le module était censé contenir un manifeste de l'assembly.", FileName="libisccc.dll", FusionLog="", Data=[], InnerException=BadImageFormatException {Message="Impossible de charger le fichier ou l'assembly 'libisccc.dll' ou une de ses dépendances. Le module était censé contenir un manifeste de l'assembly.", FileName="libisccc.dll", FusionLog="", Data=[], InnerException=null, TargetSite=null, StackTrace=null, HelpLink=null, Source=null, HResult=-2146234344}, TargetSite=System.Reflection.AssemblyName nGetFileInformation(System.String), StackTrace="   à System.Reflection.AssemblyName.nGetFileInformation(String s)\r\n   à System.Reflection.AssemblyName.GetAssemblyName(String assemblyFile)\r\n   à PKISharp.WACS.Services.PluginService.GetTypes()", HelpLink=null, Source="mscorlib", HResult=-2146234344}
 [EROR] Error loading any types from assembly D:\Certificats\GenLeCertificate\Utils\libisccfg.dll: BadImageFormatException {Message="Impossible de charger le fichier ou l'assembly 'libisccfg.dll' ou une de ses dépendances. Le module était censé contenir un manifeste de l'assembly.", FileName="libisccfg.dll", FusionLog="", Data=[], InnerException=BadImageFormatException {Message="Impossible de charger le fichier ou l'assembly 'libisccfg.dll' ou une de ses dépendances. Le module était censé contenir un manifeste de l'assembly.", FileName="libisccfg.dll", FusionLog="", Data=[], InnerException=null, TargetSite=null, StackTrace=null, HelpLink=null, Source=null, HResult=-2146234344}, TargetSite=System.Reflection.AssemblyName nGetFileInformation(System.String), StackTrace="   à System.Reflection.AssemblyName.nGetFileInformation(String s)\r\n   à System.Reflection.AssemblyName.GetAssemblyName(String assemblyFile)\r\n   à PKISharp.WACS.Services.PluginService.GetTypes()", HelpLink=null, Source="mscorlib", HResult=-2146234344}
 [EROR] Error loading any types from assembly D:\Certificats\GenLeCertificate\Utils\libns.dll: BadImageFormatException {Message="Impossible de charger le fichier ou l'assembly 'libns.dll' ou une de ses dépendances. Le module était censé contenir un manifeste de l'assembly.", FileName="libns.dll", FusionLog="", Data=[], InnerException=BadImageFormatException {Message="Impossible de charger le fichier ou l'assembly 'libns.dll' ou une de ses dépendances. Le module était censé contenir un manifeste de l'assembly.", FileName="libns.dll", FusionLog="", Data=[], InnerException=null, TargetSite=null, StackTrace=null, HelpLink=null, Source=null, HResult=-2146234344}, TargetSite=System.Reflection.AssemblyName nGetFileInformation(System.String), StackTrace="   à System.Reflection.AssemblyName.nGetFileInformation(String s)\r\n   à System.Reflection.AssemblyName.GetAssemblyName(String assemblyFile)\r\n   à PKISharp.WACS.Services.PluginService.GetTypes()", HelpLink=null, Source="mscorlib", HResult=-2146234344}
 [EROR] Error loading any types from assembly D:\Certificats\GenLeCertificate\Utils\libxml2.dll: BadImageFormatException {Message="Impossible de charger le fichier ou l'assembly 'libxml2.dll' ou une de ses dépendances. Le module était censé contenir un manifeste de l'assembly.", FileName="libxml2.dll", FusionLog="", Data=[], InnerException=BadImageFormatException {Message="Impossible de charger le fichier ou l'assembly 'libxml2.dll' ou une de ses dépendances. Le module était censé contenir un manifeste de l'assembly.", FileName="libxml2.dll", FusionLog="", Data=[], InnerException=null, TargetSite=null, StackTrace=null, HelpLink=null, Source=null, HResult=-2146234344}, TargetSite=System.Reflection.AssemblyName nGetFileInformation(System.String), StackTrace="   à System.Reflection.AssemblyName.nGetFileInformation(String s)\r\n   à System.Reflection.AssemblyName.GetAssemblyName(String assemblyFile)\r\n   à PKISharp.WACS.Services.PluginService.GetTypes()", HelpLink=null, Source="mscorlib", HResult=-2146234344}
So I'm not sure it really works.
hMailServer 5.6.8 With SpamAssassin 3.4.2

palinka
Senior user
Senior user
Posts: 1275
Joined: 2017-09-12 17:57

Re: Certificate problem

Post by palinka » 2019-09-21 14:56

I wonder if it's possible to have a wildcard certificate for two domains with mod_md.

I ask this because I have an hMailServer installation with only one certificate for *.bagu.fr and *.bagu.biz, which allows me to have smtp.bagu.fr and other things like that without needing these subdomains to respond with Apache (DNS only).
I have exactly what you need.

https://hmailserver.com/forum/viewtopic ... 21&t=34386

Who is your domain host?

palinka
Senior user
Senior user
Posts: 1275
Joined: 2017-09-12 17:57

Re: Certificate problem

Post by palinka » 2019-09-21 14:57

bagu wrote:
2019-09-21 14:53
I already tried it, but it seems it failed to launch:
Tried what? Win-acme?

User avatar
bagu
Normal user
Normal user
Posts: 211
Joined: 2005-06-17 03:08
Location: France
Contact:

Re: Certificate problem

Post by bagu » 2019-09-21 14:57

hMailServer 5.6.8 With SpamAssassin 3.4.2

User avatar
bagu
Normal user
Normal user
Posts: 211
Joined: 2005-06-17 03:08
Location: France
Contact:

Re: Certificate problem

Post by bagu » 2019-09-21 14:59

palinka wrote:
2019-09-21 14:56
I wonder if it's possible to have a wildcard certificate for two domains with mod_md.

I ask this because I have an hMailServer installation with only one certificate for *.bagu.fr and *.bagu.biz, which allows me to have smtp.bagu.fr and other things like that without needing these subdomains to respond with Apache (DNS only).
I have exactly what you need.

https://hmailserver.com/forum/viewtopic ... 21&t=34386

Who is your domain host?
My mail server answers through mail.bagu.biz
I have just begun to read your post, but I need more time to understand what to download :D
hMailServer 5.6.8 With SpamAssassin 3.4.2

palinka
Senior user
Senior user
Posts: 1275
Joined: 2017-09-12 17:57

Re: Certificate problem

Post by palinka » 2019-09-21 15:00

System requirements
Windows Server 2008 R2 or higher (though Windows 2008 has been reported to work)
.NET Framework version 4.7.2 or higher, which can be downloaded here
Do you have the min .NET?

User avatar
bagu
Normal user
Normal user
Posts: 211
Joined: 2005-06-17 03:08
Location: France
Contact:

Re: Certificate problem

Post by bagu » 2019-09-21 15:02

Yes, but I have a higher version...

I will try to install 4.7.2 to see if it changes something

Oh, I can't: ".NET Framework 4.7.2 ou une mise à jour ultérieure est déjà installé sur cet ordinateur."
Last edited by bagu on 2019-09-21 15:05, edited 1 time in total.
hMailServer 5.6.8 With SpamAssassin 3.4.2

palinka
Senior user
Senior user
Posts: 1275
Joined: 2017-09-12 17:57

Re: Certificate problem

Post by palinka » 2019-09-21 15:02

bagu wrote:
2019-09-21 14:59
palinka wrote:
2019-09-21 14:56
Who is your domain host?
My mail server answers through mail.bagu.biz
I have just begun to read your post, but I need more time to understand what to download :D
I mean who provides your domain hosting? Like godaddy, etc.

User avatar
bagu
Normal user
Normal user
Posts: 211
Joined: 2005-06-17 03:08
Location: France
Contact:

Re: Certificate problem

Post by bagu » 2019-09-21 15:07

Oh, ok...

My registrar is Gandi but my DNS provider is Cloudflare.
I host my domains myself on the same server as hMailServer, with Apache (that's why I use mod_md).
hMailServer 5.6.8 With SpamAssassin 3.4.2

palinka
Senior user
Senior user
Posts: 1275
Joined: 2017-09-12 17:57

Re: Certificate problem

Post by palinka » 2019-09-21 15:21

bagu wrote:
2019-09-21 15:07
Oh, ok...

My registrar is Gandi but my DNS provider is Cloudflare.
I host my domains myself on the same server as hMailServer, with Apache (that's why I use mod_md).
https://github.com/rmbolger/Posh-ACME/b ... dflare.ps1

If you insist on mod_md, it appears to be possible to do DNS validation. Modify the script above to accept whatever parameters are sent by mod_md. Look at my tutorial as an example. That's exactly how I got it to work with win-acme.

palinka
Senior user
Senior user
Posts: 1275
Joined: 2017-09-12 17:57

Re: Certificate problem

Post by palinka » 2019-09-21 15:42

mod_md:
Wildcard Certificates
Wildcard certificates are possible with version 2.x of `mod_md`. But they are not straight-forward. Let's Encrypt requires the `dns-01` challenge verification for those. No other is considered good enough.
The difficulty here is that Apache cannot do that on its own. (which is also a security benefit, since corrupting a web server or the communication path to it is the scenario `dns-01` protects against). As the name implies, `dns-01` requires you to show some specific DNS records for your domain that contain some challenge data. So you need to _write_ your domain's DNS records.
If you know how to do that, you can integrate this with `mod_md`. Let's say you have a script for that in `/usr/bin/acme-setup-dns`; you configure Apache with:

Code: Select all

MDChallengeDns01 /usr/bin/acme-setup-dns
and Apache will call this script when it needs to setup/teardown a DNS challenge record for a domain.
Assuming you want a certificate for `*.mydomain.com`, mod_md will call:

Code: Select all

/usr/bin/acme-setup-dns setup mydomain.com challenge-data
# this needs to remove all existing DNS TXT records for 
# _acme-challenge.mydomain.com and create a new one with 
# content "challenge-data"
and afterwards it will call

Code: Select all

/usr/bin/acme-setup-dns teardown mydomain.com
# this needs to remove all existing DNS TXT records for 
# _acme-challenge.mydomain.com

Cloudflare.ps1

Code: Select all

param(
    [string]$Task,        # "setup" or "teardown", as passed by mod_md
    [string]$Domain,      # the domain being validated (mod_md passes mydomain.com even for *.mydomain.com)
    [string]$TxtValue     # the challenge data; mod_md sends none on teardown
)

# mod_md hands over the bare domain; the challenge record itself lives at _acme-challenge.<domain>
$RecordName = '_acme-challenge.' + ($Domain -replace '^\*\.', '')

# Posh-ACME defines this at module scope; in a standalone script it must be defined here.
# Windows PowerShell 5.1 needs -UseBasicParsing for Invoke-RestMethod (PowerShell 7 accepts it too).
$script:UseBasic = @{ UseBasicParsing = $true }

#	FILL IN THESE VARIABLES FROM YOUR CLOUDFLARE ACCOUNT
#	(either CFAuthEmail + CFAuthKey, or one of the two scoped API token variables)
$CFAuthEmail = ''
$CFAuthKey = ''
$CFAuthToken = ''
$CFAuthTokenInsecure = ''

function Add-DnsTxtCloudflare {
    [CmdletBinding(DefaultParameterSetName='Email')]
    param(
        [Parameter(Mandatory,Position=0)]
        [string]$RecordName,
        [Parameter(Mandatory,Position=1)]
        [string]$TxtValue,
        [Parameter(ParameterSetName='Email',Mandatory,Position=2)]
        [string]$CFAuthEmail,
        [Parameter(ParameterSetName='Email',Mandatory,Position=3)]
        [string]$CFAuthKey,
        [Parameter(ParameterSetName='Bearer',Mandatory,Position=2)]
        [securestring]$CFToken,
        [Parameter(ParameterSetName='BearerInsecure',Mandatory,Position=2)]
        [string]$CFTokenInsecure,
        [Parameter(ValueFromRemainingArguments)]
        $ExtraParams
    )

    $apiRoot = 'https://api.cloudflare.com/client/v4/zones'
    $authHeader = Get-CFAuthHeader @PSBoundParameters

    Write-Verbose "Attempting to find hosted zone for $RecordName"
    if (!($zoneID = Find-CFZone $RecordName $authHeader)) {
        throw "Unable to find Cloudflare hosted zone for $RecordName"
    }

    # check for an existing record
    $response = Invoke-RestMethod "$apiRoot/$zoneID/dns_records?type=TXT&name=$RecordName&content=$TxtValue" `
        -Headers $authHeader -ContentType 'application/json' @script:UseBasic

    # add the new TXT record if necessary
    if ($response.result.Count -eq 0) {

        $bodyJson = @{ type="TXT"; name=$RecordName; content=$TxtValue } | ConvertTo-Json
        Write-Verbose "Adding $RecordName with value $TxtValue"
        Invoke-RestMethod "$apiRoot/$zoneID/dns_records" -Method Post -Body $bodyJson `
            -ContentType 'application/json' -Headers $authHeader @script:UseBasic | Out-Null

    } else {
        Write-Debug "Record $RecordName with value $TxtValue already exists. Nothing to do."
    }


    <#
    .SYNOPSIS
        Add a DNS TXT record to Cloudflare.

    .DESCRIPTION
        Use Cloudflare V4 api to add a TXT record to a Cloudflare DNS zone.

    .PARAMETER RecordName
        The fully qualified name of the TXT record.

    .PARAMETER TxtValue
        The value of the TXT record.

    .PARAMETER CFAuthEmail
        The email address of the account used to connect to Cloudflare API

    .PARAMETER CFAuthKey
        The Global API Key associated with the email address entered in the CFAuthEmail parameter.

    .PARAMETER CFAuthToken
        The scoped API Token that has been given read/write permissions to the necessary zones. This SecureString version can only be used from Windows or any OS with PowerShell Core 6.2+.

    .PARAMETER CFAuthTokenInsecure
        The scoped API Token that has been given read/write permissions to the necessary zones. This standard String version may be used with any OS.

    .PARAMETER ExtraParams
        This parameter can be ignored and is only used to prevent errors when splatting with more parameters than this function supports.

    .EXAMPLE
        Add-DnsTxtExample '_acme-challenge.site1.example.com' 'asdfqwer12345678' 'admin@example.com' 'xxxxxxxxxxxx'

        Adds a TXT record for the specified site with the specified value.
    #>
}

function Remove-DnsTxtCloudflare {
    # A default parameter set is needed: positional calls are otherwise ambiguous between
    # the Email, Bearer and BearerInsecure sets and PowerShell refuses to bind them.
    [CmdletBinding(DefaultParameterSetName='Email')]
    param(
        [Parameter(Mandatory,Position=0)]
        [string]$RecordName,
        # Optional: mod_md's "teardown" call carries no challenge value, and the mod_md docs
        # require removing every TXT record at the name in that case.
        [Parameter(Position=1)]
        [string]$TxtValue,
        [Parameter(ParameterSetName='Email',Mandatory,Position=2)]
        [string]$CFAuthEmail,
        [Parameter(ParameterSetName='Email',Mandatory,Position=3)]
        [string]$CFAuthKey,
        [Parameter(ParameterSetName='Bearer',Mandatory,Position=2)]
        [securestring]$CFToken,
        [Parameter(ParameterSetName='BearerInsecure',Mandatory,Position=2)]
        [string]$CFTokenInsecure,
        [Parameter(ValueFromRemainingArguments)]
        $ExtraParams
    )

    $apiRoot = 'https://api.cloudflare.com/client/v4/zones'
    $authHeader = Get-CFAuthHeader @PSBoundParameters

    Write-Verbose "Attempting to find hosted zone for $RecordName"
    if (!($zoneID = Find-CFZone $RecordName $authHeader)) {
        throw "Unable to find Cloudflare hosted zone for $RecordName"
    }

    # look up the existing TXT record(s); filter on content only when a value was given
    $query = "$apiRoot/$zoneID/dns_records?type=TXT&name=$RecordName"
    if ($TxtValue) { $query += "&content=$TxtValue" }
    $response = Invoke-RestMethod $query -Headers $authHeader -ContentType 'application/json' @script:UseBasic

    # remove every matching record (normally there is exactly one)
    if ($response.result.Count -gt 0) {

        foreach ($rec in $response.result) {
            Write-Verbose "Removing $RecordName (record id $($rec.id), value $($rec.content))"
            Invoke-RestMethod "$apiRoot/$zoneID/dns_records/$($rec.id)" -Method Delete `
                -ContentType 'application/json' -Headers $authHeader @script:UseBasic | Out-Null
        }

    } else {
        Write-Debug "No TXT record $RecordName found. Nothing to do."
    }


    <#
    .SYNOPSIS
        Remove a DNS TXT record from Cloudflare.

    .DESCRIPTION
        Use Cloudflare V4 api to remove a TXT record to a Cloudflare DNS zone.

    .PARAMETER RecordName
        The fully qualified name of the TXT record.

    .PARAMETER TxtValue
        The value of the TXT record.

    .PARAMETER CFAuthEmail
        The email address of the account used to connect to Cloudflare API.

    .PARAMETER CFAuthKey
        The Global API Key associated with the email address entered in the CFAuthEmail parameter.

    .PARAMETER CFAuthToken
        The scoped API Token that has been given read/write permissions to the necessary zones. This SecureString version can only be used from Windows or any OS with PowerShell Core 6.2+.

    .PARAMETER CFAuthTokenInsecure
        The scoped API Token that has been given read/write permissions to the necessary zones. This standard String version may be used with any OS.

    .PARAMETER ExtraParams
        This parameter can be ignored and is only used to prevent errors when splatting with more parameters than this function supports.

    .EXAMPLE
        Remove-DnsTxtExample '_acme-challenge.site1.example.com' 'asdfqwer12345678' 'admin@example.com' 'xxxxxxxxxxxx'

        Removes a TXT record for the specified site with the specified value.
    #>
}

function Save-DnsTxtCloudflare {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromRemainingArguments)]
        $ExtraParams
    )
    <#
    .SYNOPSIS
        Not required.

    .DESCRIPTION
        This provider does not require calling this function to commit changes to DNS records.

    .PARAMETER ExtraParams
        This parameter can be ignored and is only used to prevent errors when splatting with more parameters than this function supports.
    #>
}

############################
# Helper Functions
############################

function Get-CFAuthHeader {
    [CmdletBinding(DefaultParameterSetName='Email')]
    param(
        [Parameter(ParameterSetName='Email',Mandatory,Position=0)]
        [string]$CFAuthEmail,
        [Parameter(ParameterSetName='Email',Mandatory,Position=1)]
        [string]$CFAuthKey,
        [Parameter(ParameterSetName='Bearer',Mandatory,Position=0)]
        [securestring]$CFToken,
        [Parameter(ParameterSetName='BearerInsecure',Mandatory,Position=0)]
        [string]$CFTokenInsecure,
        [Parameter(ValueFromRemainingArguments)]
        $ExtraConnectParams
    )

    if ('Email' -eq $PSCmdlet.ParameterSetName) {
        $authHeader = @{
            'X-Auth-Email' = $CFAuthEmail
            'X-Auth-Key'   = $CFAuthKey
        }
    } elseif ('Bearer' -eq $PSCmdlet.ParameterSetName) {
        $CFTokenInsecure = (New-Object PSCredential "user",$CFToken).GetNetworkCredential().Password
        $authHeader = @{
            Authorization = "Bearer $CFTokenInsecure"
        }
    } elseif ('BearerInsecure' -eq $PSCmdlet.ParameterSetName) {
        $authHeader = @{
            Authorization = "Bearer $CFTokenInsecure"
        }
    } else {
        throw "Unable to determine valid auth headers."
    }

    return $authHeader
}

function Find-CFZone {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory,Position=0)]
        [string]$RecordName,
        [Parameter(Mandatory,Position=1)]
        [hashtable]$AuthHeader
    )

    # setup a module variable to cache the record to zone mapping
    # so it's quicker to find later
    if (!$script:CFRecordZones) { $script:CFRecordZones = @{} }

    # check for the record in the cache
    if ($script:CFRecordZones.ContainsKey($RecordName)) {
        return $script:CFRecordZones.$RecordName
    }

    $apiRoot = 'https://api.cloudflare.com/client/v4/zones'

    # We need to find the zone ID for the closest/deepest sub-zone that would
    # contain the record.
    $pieces = $RecordName.Split('.')
    for ($i=1; $i -lt ($pieces.Count-1); $i++) {

        $zoneTest = "$( $pieces[$i..($pieces.Count-1)] -join '.' )"
        Write-Debug "Checking $zoneTest"
        $response = Invoke-RestMethod "$apiRoot/?name=$zoneTest" -Headers $AuthHeader @script:UseBasic

        # The response object always contains a "result" array even if empty
        if ($response.result.Count -gt 0) {
            Write-Debug ($response | ConvertTo-Json -Depth 5)
            $zoneID = $response.result[0].id
            $script:CFRecordZones.$RecordName = $zoneID
            return $zoneID
        }
    }

    return $null
}

# Build the auth arguments from whichever credential set was filled in at the top, and call
# the functions with named parameters so the parameter set is never ambiguous.
$authArgs = if ($CFAuthEmail -and $CFAuthKey) {
    @{ CFAuthEmail = $CFAuthEmail; CFAuthKey = $CFAuthKey }
} elseif ($CFAuthToken) {
    # the Bearer parameter set expects a SecureString
    @{ CFToken = (ConvertTo-SecureString -String $CFAuthToken -AsPlainText -Force) }
} elseif ($CFAuthTokenInsecure) {
    @{ CFTokenInsecure = $CFAuthTokenInsecure }
} else {
    throw "No Cloudflare credentials configured: fill in CFAuthEmail/CFAuthKey or a scoped API token."
}

switch ($Task) {
    'setup' {
        Add-DnsTxtCloudflare -RecordName $RecordName -TxtValue $TxtValue @authArgs
    }
    'teardown' {
        # mod_md passes no challenge value on teardown; only forward it when one was given
        $rmArgs = @{ RecordName = $RecordName }
        if ($TxtValue) { $rmArgs.TxtValue = $TxtValue }
        Remove-DnsTxtCloudflare @rmArgs @authArgs
    }
    default {
        throw "Unknown task '$Task'; expected 'setup' or 'teardown'."
    }
}
Test it by running in PowerShell:

Code: Select all

PS C:\> C:\path\to\Cloudflare.ps1 setup mydomain.com challenge-data
If it fails, comment out all instances of @script:UseBasic and try again. Also, I haven't really looked at the script - all I did was add the same things I added to my provider's script. CFAuthToken & CFAuthTokenInsecure may actually be generated by the script. So if it doesn't work, try commenting out those variables at the top.

User avatar
bagu
Normal user
Normal user
Posts: 211
Joined: 2005-06-17 03:08
Location: France
Contact:

Re: Certificate problem

Post by bagu » 2019-09-21 21:10

OK, I gave it many tries, but nothing worked...

So I read many docs, and here is how I got a working solution:
  1. I launch PowerShell as an admin
  2. Install Posh-ACME with this command:

    Code: Select all

    Install-Module -Name Posh-ACME
  3. Set the server as a production server (to use a staging server, replace LE_PROD with LE_STAGE):

    Code: Select all

    Set-PAServer LE_STAGE
  4. Request my certificate with:

    Code: Select all

    New-PACertificate '*.bagu.biz','*.bagu.fr' -AcceptTOS -Contact my@email.biz
  5. Then I go to Cloudflare to create the TXT DNS records
  6. Validate the changes by pressing a key in PowerShell
  7. Then I look up my certificate with:

    Code: Select all

    Get-PACertificate | fl
  8. Get cert.key as the key and fullchain.cer as the public certificate
I may try to replace the certificate-request command with this:

Code: Select all

$pArgs = @{ CFAuthEmail='my@email.biz'; CFAuthKey='mycloudflaresecretpassword' }
New-PACertificate '*.bagu.biz','*.bagu.fr' -AcceptTOS -Contact my@email.biz -DnsPlugin Cloudflare -PluginArgs $pArgs
To avoid the need for step 4

It looks easier for me, and it works like a charm for the moment (I haven't yet tried to use the Cloudflare DNS plugin).
If the Cloudflare plugin works (I will see that in 55 days), I will say so here and make a task to automate the process.

Thank you everyone ;)

Thank you palinka for showing me the Posh-ACME process ;)
hMailServer 5.6.8 With SpamAssassin 3.4.2

palinka
Senior user
Senior user
Posts: 1275
Joined: 2017-09-12 17:57

Re: Certificate problem

Post by palinka » 2019-09-21 21:18

I'm glad it worked. Try to use the script. It's for automation.

No more errors in hmailserver?

User avatar
bagu
Normal user
Normal user
Posts: 211
Joined: 2005-06-17 03:08
Location: France
Contact:

Re: Certificate problem

Post by bagu » 2019-09-21 21:29

I will try it later, it's late for now ;)

And yes, no more errors in hMailServer with this certificate.
So I'm searching for why the mod_md certificate doesn't work... It seems that there is something different...
hMailServer 5.6.8 With SpamAssassin 3.4.2
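A way to pin down that "something different", as an added example written for this thread (it is not code from the thread, from hMailServer, mod_md or Posh-ACME): it loads a PEM certificate/key pair the way a TLS server would, checks that the SAN covers the mail hostname and that the chain builds from the certificates in the file, then connects to the TLS ports and reports what the server actually presents and what a strict client would object to. It assumes PowerShell 7 or later; the file names, the hostname mail.bagu.biz from the thread and the ports are placeholders to adjust.

```powershell
using namespace System.Security.Cryptography.X509Certificates
using namespace System.Net.Security

# Added example for this thread; not code from hMailServer, mod_md, Posh-ACME or any poster.
# Needs PowerShell 7+ (CreateFromPemFile / ImportFromPemFile exist from .NET 5 on).
# File names such as fullchain.cer, cert.key, pubcert.pem, privkey.pem are assumptions.

function Test-PemPair {
    param(
        [Parameter(Mandatory)][string]$CertFile,
        [Parameter(Mandatory)][string]$KeyFile,
        [Parameter(Mandatory)][string]$HostName
    )
    try {
        $certPath = (Resolve-Path $CertFile).Path
        $keyPath  = (Resolve-Path $KeyFile).Path
        # Throws when the private key does not belong to the certificate, which gives
        # clients exactly the "bad certificate" style of failure seen in this thread.
        $cert = [X509Certificate2]::CreateFromPemFile($certPath, $keyPath)
    } catch {
        return [pscustomobject]@{ Ok = $false; Problem = "cannot load pair: $($_.Exception.Message)" }
    }

    # The SAN must cover the name clients connect to, either exactly or as a wildcard.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san    = if ($sanExt) { $sanExt.Format($true) } else { '' }
    $wild   = '*.' + ($HostName -replace '^[^.]+\.', '')
    $nameOk = ($san -match [regex]::Escape($HostName)) -or ($san -match [regex]::Escape($wild))

    # Build the chain from every certificate in the file (leaf plus intermediates),
    # so a file that holds only the leaf shows up as a chain problem here.
    $extra = [X509Certificate2Collection]::new()
    $extra.ImportFromPemFile($certPath)
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    $chain.ChainPolicy.ExtraStore.AddRange($extra)
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Ok          = $nameOk -and $chainOk
        Subject     = $cert.Subject
        KeyAlgo     = $cert.PublicKey.Oid.FriendlyName   # compare this between the working and failing cert
        NotAfter    = $cert.NotAfter
        NameMatches = $nameOk
        ChainBuilds = $chainOk
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        CertsInFile = $extra.Count
    }
}

function Test-TlsPort {
    param([Parameter(Mandatory)][string]$HostName, [Parameter(Mandatory)][int]$Port)
    $seen = @{ Errors = 'callback not invoked' }
    # Record what a strict client would object to, but let the handshake finish so the
    # certificate the server really presents can still be reported.
    $sb = { param($sender, $certificate, $chain, $errors); $seen.Errors = $errors; return $true }.GetNewClosure()
    $cb = [RemoteCertificateValidationCallback]$sb
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($HostName, $Port)
        $ssl = [SslStream]::new($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $remote = [X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{ Port = $Port; Handshake = 'ok'; Protocol = $ssl.SslProtocol
                           Presented = $remote.Subject; Expires = $remote.NotAfter
                           ClientWouldSee = $seen.Errors }
    } catch {
        # Alerts such as "bad certificate" and protocol mismatches end up here.
        [pscustomobject]@{ Port = $Port; Handshake = 'failed'; Protocol = $null
                           Presented = $null; Expires = $null
                           ClientWouldSee = $_.Exception.Message }
    } finally {
        $client.Dispose()
    }
}

# Usage: the hostname is the one from this thread; the file names and implicit-TLS ports
# (SMTPS, IMAPS, POP3S) are placeholders to adjust to your hMailServer configuration.
Test-PemPair -CertFile '.\fullchain.cer' -KeyFile '.\cert.key' -HostName 'mail.bagu.biz' | Format-List
465, 993, 995 | ForEach-Object { Test-TlsPort -HostName 'mail.bagu.biz' -Port $_ } | Format-Table -AutoSize
```

Run it once against the Posh-ACME pair that works and once against the mod_md pair that fails; the fields that differ (key algorithm, chain status, number of certificates in the file, what the port actually presents) are where to look.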

User avatar
mattg
Moderator
Moderator
Posts: 20277
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Certificate problem

Post by mattg » 2019-09-22 02:58

jim.bus wrote:
2019-09-21 12:01
bagu is using Hmailserver: 5.7.0-B2429.

This is not an official latest stable hMailServer version or Build. I believe the last information I saw was that MattG considers hMailServer 5.7.0-B2485 should still be considered an Alpha Build.

Current official stable latest hMailServer is 5.6.7-B2425.
bagu wrote:
2019-09-21 13:02
jim.bus is quite right.

I'm using the Dravion version.
Dravion's unofficial version is slightly different; for a start it uses a different SSL library than the official hMailServer version.

The Alpha build of hMailserver that I am using is 5.7.0-B2486(x64) found here https://build.hmailserver.com/
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

User avatar
jimimaseye
Moderator
Moderator
Posts: 8170
Joined: 2011-09-08 17:48

Re: Certificate problem

Post by jimimaseye » 2019-09-22 08:28

mattg wrote:
2019-09-22 02:58
jim.bus wrote:
2019-09-21 12:01
bagu is using Hmailserver: 5.7.0-B2429.

This is not an official latest stable hMailServer version or Build. I believe the last information I saw was that MattG considers hMailServer 5.7.0-B2485 should still be considered an Alpha Build.

Current official stable latest hMailServer is 5.6.7-B2425.
bagu wrote:
2019-09-21 13:02
jim.bus is quite right.

I'm using the Dravion version.
Dravion's unofficial version is slightly different; for a start it uses a different SSL library than the official hMailServer version.

The Alpha build of hMailserver that I am using is 5.7.0-B2486(x64) found here https://build.hmailserver.com/
Note proof that these hybrid clones provided by dravion and others should be called something different to distinguish them from official hMailServer. People would then know who to best ask. (Martin made this suggestion request but it fell on deaf ears).
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

User avatar
jim.bus
Senior user
Senior user
Posts: 304
Joined: 2011-05-28 11:49
Location: US

Re: Certificate problem

Post by jim.bus » 2019-09-22 10:12

jimimaseye wrote:
2019-09-22 08:28
mattg wrote:
2019-09-22 02:58
jim.bus wrote:
2019-09-21 12:01
bagu is using Hmailserver: 5.7.0-B2429.

This is not an official latest stable hMailServer version or Build. I believe the last information I saw was that MattG considers hMailServer 5.7.0-B2485 should still be considered an Alpha Build.

Current official stable latest hMailServer is 5.6.7-B2425.
bagu wrote:
2019-09-21 13:02
jim.bus is quite right.

I'm using the Dravion version.
Dravion's unofficial version is slightly different; for a start it uses a different SSL library than the official hMailServer version.

The Alpha build of hMailserver that I am using is 5.7.0-B2486(x64) found here https://build.hmailserver.com/
Note proof that these hybrid clones provided by dravion and others should be called something different to distinguish them from official hMailServer. People would then know who to best ask. (Martin made this suggestion request but it fell on deaf ears).
I tend to agree there is confusion. If you don't check on what Build someone is asking questions on, you don't know if it is an official version or not. I'm not certain if this is the best way to go, but I sort of feel either hMailServer is going to go forward as an existing product with efforts being put into evolving hMailServer, or perhaps there should be another branch of the product which isn't confused with hMailServer. Personally I would like to see hMailServer evolve as a product. It has served me well over the years, though it could be updated to keep in sync with other evolving products it uses, such as MySQL, which seems to have dropped 32 bit and isn't producing them anymore, and upgrading to TLSv1.3, etc.

Last I heard Martin upgraded to an Alpha or Beta version (whatever you want to call it) but then it seems it has died because I do not hear about much activity (from Martin at any rate) on it though I have only looked occasionally to see if anything was going on. I have some confidence in the official versions of hMailServer regarding being well tested. Personally right now I wouldn't want to go with any of the Builds beyond B2425 as I keep hearing of problems cropping up from people (not the people who are upgrading it but people who actually are seemingly users) who are installing them and then finding problems they post in the official hMailServer Forums looking for solutions. There is an Alpha Discussions Forum but the problems with these Alphas seems to get reported in the General Discussions Forum which I think adds to the confusion.

User avatar
bagu
Normal user
Normal user
Posts: 211
Joined: 2005-06-17 03:08
Location: France
Contact:

Re: Certificate problem

Post by bagu » 2019-09-22 11:21

In my case, the problem occurs on the stable versions, beta and dravion.
So, I do not think it comes from hmailserver, but it comes from the certificate generated by mod_md.

In fact, if I use a certificate other than the one generated by mod_md, everything works fine.

Now, I'm watching Dravion's work carefully because I think it's about creating a cross-platform version of hmailserver, it's really a good idea.
On the other hand, using another name, although a close one (if Martin is OK with it), would make it known that the Dravion version is based on hMailServer.
hMailServer 5.6.8 With SpamAssassin 3.4.2

User avatar
jim.bus
Senior user
Senior user
Posts: 304
Joined: 2011-05-28 11:49
Location: US

Re: Certificate problem

Post by jim.bus » 2019-09-22 11:54

bagu wrote:
2019-09-22 11:21
In my case, the problem occurs on the stable versions, beta and dravion.
So, I do not think it comes from hmailserver, but it comes from the certificate generated by mod_md.

In fact, if I use a certificate other than the one generated by mod_md, everything works fine.

Now, I'm watching Dravion's work carefully because I think it's about creating a cross-platform version of hmailserver, it's really a good idea.
On the other hand, using another name, although a close one (if Martin is OK with it), would make it known that the Dravion version is based on hMailServer.
With regards to cross platform, yes that is a good idea but the concern I have about that is apparently from what I've heard there are more developers who want to do Unix based OS development than Windows. One of the draws for me was that I wanted a Windows based Email Server and hMailServer is one of the few if not only email server that runs on Windows. If hMailServer continued to be just as supported as a Cross Platform version of hMailServer then I would think that would be wonderful but I do not want to see hMailServer die as an obsolete Windows application.

User avatar
bagu
Normal user
Normal user
Posts: 211
Joined: 2005-06-17 03:08
Location: France
Contact:

Re: Certificate problem

Post by bagu » 2019-09-22 12:09

I doubt that this leads to this result if we consider that the builds must remain multi-platform.
Indeed, many developers would like to have a port of hmailserver because it is really within reach of all.
But if the basic idea of porting is that it remains multi-platform, there should be no problem. It depends on the lead or team lead.
hMailServer 5.6.8 With SpamAssassin 3.4.2

User avatar
bagu
Normal user
Normal user
Posts: 211
Joined: 2005-06-17 03:08
Location: France
Contact:

Re: Certificate problem

Post by bagu » 2019-09-22 12:30

I come back to the original problem.
I successfully tested the command with the cloudflare plugin.
On the other hand, the original command seems to set up a profile with all the right parameters.
The command to update all is

Code: Select all

Submit-Renewal -PluginArgs @{CFAuthEmail='my@email.fr'; CFAuthKey='cloudflaresupersecretpassword'}
I will test the command when the period allows me.
hMailServer 5.6.8 With SpamAssassin 3.4.2
