Re: multi-site SSL certificates

2018-04-02 Thread Poliman - Serwis
Try adding this to your nginx "vhost" as the first line:
Alias /.well-known/acme-challenge /path/to/acme/.well-known/acme-challenge
ProxyPassMatch ^/\.well-known !

I have this same error with ProxyPass inside an Apache vhost which proxies to a
node application backend. In the letsencrypt logs I have the same thing as you.

2018-04-02 17:38 GMT+02:00 Alex JOST :

> On 02.04.2018 at 14:25, Jeff Abrahamson wrote:
>
>> I'm handling mail for several domains, let's call them a.com, b.com,
>> and c.com.  I have certificates for each of these domains individually
>> via certbot (letsencrypt) and nginx is happy with all of that.
>>
>> Since I initially configured the site to handle mail only for a.com,
>> my /etc/postfix/main.cf file currently has these two lines:
>>
>>  smtpd_tls_cert_file = /etc/letsencrypt/live/mail.a.com/fullchain.pem
>>  smtpd_tls_key_file = /etc/letsencrypt/live/mail.a.com/privkey.pem
>>
>> But I see that mail test tools are reporting that MX for b.com and
>> c.com are misconfigured due to an SSL name mismatch.  Indeed, this is
>> true!
>>
>> So I believe I should generate a multi-site SSL cert.  I try this:
>>
>>  sudo certbot  certonly  --cert-name postfix  --webroot \
>>    --webroot-path /var/www/a-com -d www.a.com -d a.com -d mail.a.com \
>>    --webroot-path /var/www/b-com -d www.b.com -d b.com \
>>    --webroot-path /var/www/c-com -d www.c.com -d c.com
>>
>> And that fails with a bunch of errors like this:
>>
>>  Domain: www.a.com
>>  Type:   unauthorized
>>  Detail: Invalid response from
>>  http://www.a.com/.well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg:
>>  "
>>  404 Not Found
>>  
>>  404 Not Found
>>  "
>>
>> I see that the file
>>
>>  .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
>>
>> is being created (and one other file, too) but that nginx reports that
>> the _directory_
>>
>>  .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
>>
>> doesn't exist.
>>
>> Multi-site + letsencrypt + postfix is a subject that has recently
>> changed quite a bit, so I'm suspecting my web reading is merely
>> leading me astray.  It is also entirely possible I've misunderstood
>> things about SSL certificates.  Any pointers how to generate (or point
>> to) the certificates that I need to make those who contact my postfix
>> instance happy with their SSL conversation?
>>
>> Thanks!
>>
>>
> You can use 1 directory to create certificates for multiple virtual hosts.
> Copy the config below to all the virtual host config you want to use in
> your certificate (or use 'includes').
>
> user@server:~$ cat /etc/nginx/sites-enabled/a-com
> server {
>     [...]
>
>     location ~ /.well-known {
>         location ~ /.well-known/acme-challenge/(.*) {
>             root /usr/share/nginx/html;
>             add_header Content-Type application/jose+json;
>         }
>         allow all;
>         try_files $uri $uri/ =404;
>     }
> }
>
>
> After reloading nginx you can create a new certificate by providing only 1
> webroot directory.
>
> user@server:~$ sudo certbot  certonly  --cert-name postfix \
>   --webroot -w /usr/share/nginx/html \
>   -d www.a.com -d a.com -d mail.a.com \
>   -d www.b.com -d b.com \
>   -d www.c.com -d c.com
>
> --
> Alex JOST
>



-- 

*Pozdrawiam / Best Regards*
*Piotr Bracha*


Re: multi-site SSL certificates

2018-04-02 Thread Alex JOST

On 02.04.2018 at 14:25, Jeff Abrahamson wrote:

> I'm handling mail for several domains, let's call them a.com, b.com,
> and c.com.  I have certificates for each of these domains individually
> via certbot (letsencrypt) and nginx is happy with all of that.
>
> Since I initially configured the site to handle mail only for a.com,
> my /etc/postfix/main.cf file currently has these two lines:
>
>  smtpd_tls_cert_file = /etc/letsencrypt/live/mail.a.com/fullchain.pem
>  smtpd_tls_key_file = /etc/letsencrypt/live/mail.a.com/privkey.pem
>
> But I see that mail test tools are reporting that MX for b.com and
> c.com are misconfigured due to an SSL name mismatch.  Indeed, this is
> true!
>
> So I believe I should generate a multi-site SSL cert.  I try this:
>
>  sudo certbot  certonly  --cert-name postfix  --webroot \
>    --webroot-path /var/www/a-com -d www.a.com -d a.com -d mail.a.com \
>    --webroot-path /var/www/b-com -d www.b.com -d b.com \
>    --webroot-path /var/www/c-com -d www.c.com -d c.com
>
> And that fails with a bunch of errors like this:
>
>  Domain: www.a.com
>  Type:   unauthorized
>  Detail: Invalid response from
>  http://www.a.com/.well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg:
>  "
>  404 Not Found
>
>  404 Not Found
>  "
>
> I see that the file
>
>  .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
>
> is being created (and one other file, too) but that nginx reports that
> the _directory_
>
>  .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
>
> doesn't exist.
>
> Multi-site + letsencrypt + postfix is a subject that has recently
> changed quite a bit, so I'm suspecting my web reading is merely
> leading me astray.  It is also entirely possible I've misunderstood
> things about SSL certificates.  Any pointers how to generate (or point
> to) the certificates that I need to make those who contact my postfix
> instance happy with their SSL conversation?
>
> Thanks!



You can use 1 directory to create certificates for multiple virtual 
hosts. Copy the config below to all the virtual host config you want to 
use in your certificate (or use 'includes').


user@server:~$ cat /etc/nginx/sites-enabled/a-com
server {
    [...]

    location ~ /.well-known {
        location ~ /.well-known/acme-challenge/(.*) {
            root /usr/share/nginx/html;
            add_header Content-Type application/jose+json;
        }
        allow all;
        try_files $uri $uri/ =404;
    }
}


After reloading nginx you can create a new certificate by providing only 
1 webroot directory.


user@server:~$ sudo certbot  certonly  --cert-name postfix \
  --webroot -w /usr/share/nginx/html \
  -d www.a.com -d a.com -d mail.a.com \
  -d www.b.com -d b.com \
  -d www.c.com -d c.com

--
Alex JOST


Re: multi-site SSL certificates

2018-04-02 Thread Jeff Abrahamson
On Mon, Apr 02, 2018 at 04:20:05PM +0300, Reio Remma wrote:
> On 02.04.18 16:17, Jeff Abrahamson wrote:
> > On Mon, Apr 02, 2018 at 02:34:34PM +0200, Gedalya wrote:
> > > You have a problem with your nginx config. It doesn't seem
> > > related to postfix et al.
> > > 
> > > Really off-topic for this list but you could perhaps post your
> > > nginx config and logs.
> > If this is more properly a certbot question, I should ask there.  I'd
> > understood from the certbot docs that postfix had developed a
> > postfix-specific certbot plugin, in which case this might have been
> > the right venue to ask.  That I hadn't found that plugin was, to be
> > fair, a bit suspicious to me, but it wouldn't be the first time I miss
> > something in front of my nose.
> 
> Hello! Maybe try the Postfix list?

Doh, dovecot and postfix aren't actually the same project.  This is
not my day.  You may ignore me, please.


Re: multi-site SSL certificates

2018-04-02 Thread Gedalya
On 04/02/2018 03:17 PM, Jeff Abrahamson wrote:
> On Mon, Apr 02, 2018 at 02:34:34PM +0200, Gedalya wrote:
>> On 04/02/2018 02:25 PM, Jeff Abrahamson wrote:
>>> I see that the file
>>>
>>> .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
>>>
>>> is being created (and one other file, too) but that nginx reports that
>>> the _directory_
>>>
>>> .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
>>>
>>> doesn't exist.
>> You have a problem with your nginx config. It doesn't seem related to 
>> postfix et al.
>>
>> Really off-topic for this list but you could perhaps post your nginx config 
>> and logs.
> If this is more properly a certbot question, I should ask there.  I'd
> understood from the certbot docs that postfix had developed a
> postfix-specific certbot plugin, in which case this might have been
> the right venue to ask.  That I hadn't found that plugin was, to be
> fair, a bit suspicious to me, but it wouldn't be the first time I miss
> something in front of my nose.


You're using the webroot plugin for the challenge. This is as simple as 
dropping a file and letting nginx serve it as static content (maybe with 
try_files). The various certbot plugins for postfix and other apps are for 
automating the certificate installation and tweaking TLS configuration to match 
certain recommendations. That's not related to your issue here. You're looking 
at a challenge failure. You're saying that the file is there but nginx is 
failing to serve it; that should be easy to fix, and once it is fixed the 
challenge will pass and your certificate will be issued. You can then install 
it, manually or otherwise.
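A pre-flight check for the set-up described in this reply and in Alex JOST's shared-webroot answer above (an added example, not code from the thread): it drops one probe token into the shared webroot and fetches it through every hostname the way the ACME server's http-01 validation will, so a vhost that still answers 404 on /.well-known/acme-challenge/ is caught before a real validation attempt is spent. The hostnames and /usr/share/nginx/html come from the thread; `simulated_nginx` and `demo` are constructed stand-ins for the network so the check can also run offline.

```python
import secrets
import tempfile
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"

def http_fetch(url, timeout=10):  # returns (status, body); status 0 if unreachable
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except OSError as err:  # URLError, DNS and socket failures
        return 0, str(err)

def preflight(domains, webroot, fetch=http_fetch):
    """Fetch one probe token via every hostname as http-01 validation will; {domain: (ok, detail)}."""
    token = secrets.token_urlsafe(32)
    probe = Path(webroot, CHALLENGE_DIR, token)
    probe.parent.mkdir(parents=True, exist_ok=True)
    probe.write_text(token)
    results = {}
    try:
        for domain in domains:
            status, body = fetch(f"http://{domain}/{CHALLENGE_DIR}/{token}")
            if status != 200:
                results[domain] = (False, f"HTTP {status}")
            elif body.strip() != token:
                results[domain] = (False, "served another file (wrong webroot?)")
            else:
                results[domain] = (True, "ok")
    finally:
        probe.unlink()  # leave nothing behind in the webroot
    return results

def simulated_nginx(webroot, configured):
    """Constructed stand-in for nginx: location block present only in `configured`."""
    def fetch(url):
        host, _, path = url[len("http://"):].partition("/")
        if host not in configured:
            return 404, "404 Not Found"  # the failure seen in the thread
        return 200, Path(webroot, path).read_text()
    return fetch

def demo():
    webroot = tempfile.mkdtemp()  # a.com vhosts configured, b.com left out
    fetch = simulated_nginx(webroot, {"www.a.com", "a.com", "mail.a.com"})
    return preflight(["www.a.com", "mail.a.com", "www.b.com"], webroot, fetch)
```

With the default fetcher, `preflight(["www.a.com", "a.com", "mail.a.com", "www.b.com", "b.com", "www.c.com", "c.com"], "/usr/share/nginx/html")` performs real HTTP GETs against each name and needs port 80 reachable from where it runs.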



Re: multi-site SSL certificates

2018-04-02 Thread Reio Remma

On 02.04.18 16:17, Jeff Abrahamson wrote:
> On Mon, Apr 02, 2018 at 02:34:34PM +0200, Gedalya wrote:
>> On 04/02/2018 02:25 PM, Jeff Abrahamson wrote:
>>> I see that the file
>>>
>>>  .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
>>>
>>> is being created (and one other file, too) but that nginx reports that
>>> the _directory_
>>>
>>>  .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
>>>
>>> doesn't exist.
>> You have a problem with your nginx config. It doesn't seem related to postfix 
>> et al.
>>
>> Really off-topic for this list but you could perhaps post your nginx config and 
>> logs.
> If this is more properly a certbot question, I should ask there.  I'd
> understood from the certbot docs that postfix had developed a
> postfix-specific certbot plugin, in which case this might have been
> the right venue to ask.  That I hadn't found that plugin was, to be
> fair, a bit suspicious to me, but it wouldn't be the first time I miss
> something in front of my nose.


Hello! Maybe try the Postfix list?

Good luck!
Reio



Re: multi-site SSL certificates

2018-04-02 Thread Jeff Abrahamson
On Mon, Apr 02, 2018 at 02:34:34PM +0200, Gedalya wrote:
> On 04/02/2018 02:25 PM, Jeff Abrahamson wrote:
> > I see that the file
> >
> > .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
> >
> > is being created (and one other file, too) but that nginx reports that
> > the _directory_
> >
> > .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
> >
> > doesn't exist.
> 
> You have a problem with your nginx config. It doesn't seem related to postfix 
> et al.
> 
> Really off-topic for this list but you could perhaps post your nginx config 
> and logs.

If this is more properly a certbot question, I should ask there.  I'd
understood from the certbot docs that postfix had developed a
postfix-specific certbot plugin, in which case this might have been
the right venue to ask.  That I hadn't found that plugin was, to be
fair, a bit suspicious to me, but it wouldn't be the first time I miss
something in front of my nose.


Re: multi-site SSL certificates

2018-04-02 Thread Gedalya
On 04/02/2018 02:25 PM, Jeff Abrahamson wrote:
> I see that the file
>
> .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
>
> is being created (and one other file, too) but that nginx reports that
> the _directory_
>
> .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
>
> doesn't exist.

You have a problem with your nginx config. It doesn't seem related to postfix 
et al.

Really off-topic for this list but you could perhaps post your nginx config and 
logs.




multi-site SSL certificates

2018-04-02 Thread Jeff Abrahamson
I'm handling mail for several domains, let's call them a.com, b.com,
and c.com.  I have certificates for each of these domains individually
via certbot (letsencrypt) and nginx is happy with all of that.

Since I initially configured the site to handle mail only for a.com,
my /etc/postfix/main.cf file currently has these two lines:

smtpd_tls_cert_file = /etc/letsencrypt/live/mail.a.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.a.com/privkey.pem

But I see that mail test tools are reporting that MX for b.com and
c.com are misconfigured due to an SSL name mismatch.  Indeed, this is
true!

So I believe I should generate a multi-site SSL cert.  I try this:

sudo certbot  certonly  --cert-name postfix  --webroot \
  --webroot-path /var/www/a-com -d www.a.com -d a.com -d mail.a.com \
  --webroot-path /var/www/b-com -d www.b.com -d b.com \
  --webroot-path /var/www/c-com -d www.c.com -d c.com

And that fails with a bunch of errors like this:

Domain: www.a.com
Type:   unauthorized
Detail: Invalid response from

http://www.a.com/.well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg:
"
404 Not Found

404 Not Found
"

I see that the file

.well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg

is being created (and one other file, too) but that nginx reports that
the _directory_

.well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg

doesn't exist.

Multi-site + letsencrypt + postfix is a subject that has recently
changed quite a bit, so I'm suspecting my web reading is merely
leading me astray.  It is also entirely possible I've misunderstood
things about SSL certificates.  Any pointers how to generate (or point
to) the certificates that I need to make those who contact my postfix
instance happy with their SSL conversation?

Thanks!