
STARTTLS Let's Encrypt bug (and manual fix).

Posted: 04 Oct 2017 13:33
by BOOZy
STARTTLS fails with "4.7.0 TLS not available due to local problem" after running the Let's Encrypt installation.

The Let's Encrypt generator script works fine for the web interface but makes a small error in the Postfix config if the system name contains any capital letters.
The generated directory doesn't have capital letters but the main.cf entries do.

I named my system EFA1.domain.tld, the created directory structure is /etc/letsencrypt/live/efa1.domain.tld/ but the entries in main.cf point to /etc/letsencrypt/live/EFA1.domain.tld/ which is a different path.

Editing /etc/postfix/main.cf to point to the correct path does fix it.

I do wonder however if the refresh script will mess things up again... We'll find out in 30 days.
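
A check for the mismatch described in the post above, as an added example that is not part of the original post and not EFA project code. It scans a main.cf for any value below the Let's Encrypt live directory and reports entries that differ from the on-disk directory only by letter case; the parameter names in the constructed demo (smtpd_tls_cert_file, smtpd_tls_key_file) are the standard Postfix ones and are an assumption, since the thread does not name the affected entries.

```sh
#!/bin/sh
# Added example (not EFA project code). Lists every path in a Postfix main.cf
# that points below the Let's Encrypt "live" directory and reports entries
# that differ from the directory on disk only by letter case.
# Usage: check_le_paths MAIN_CF LIVE_ROOT   (status 1 if any entry is not OK)
check_le_paths() (
    main_cf=$1 live_root=${2%/} rc=0
    # Values below LIVE_ROOT, skipping comment lines; "|| true" covers no match.
    paths=$(grep -v '^[[:space:]]*#' "$main_cf" |
            grep -o "$live_root/[^[:space:],]*" || true)
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if [ -e "$path" ]; then echo "OK $path"; continue; fi
        rc=1
        # First component below LIVE_ROOT is the certificate directory name.
        name=${path#"$live_root"/}; name=${name%%/*}
        rest=${path#"$live_root/$name"}
        # Look for a directory whose name matches when case is ignored.
        actual=$(find "$live_root" -mindepth 1 -maxdepth 1 -iname "$name" | head -n 1)
        if [ -n "$actual" ] && [ -e "$actual$rest" ]; then
            echo "CASE $path -> $actual$rest"
        else
            echo "MISSING $path"
        fi
    done <<EOF
$paths
EOF
    exit "$rc"   # the function body is a subshell, so this only sets its status
)

# Constructed demo: hostname typed as EFA1.domain.tld, directory is lowercase.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/live/efa1.domain.tld"
    touch "$root/live/efa1.domain.tld/fullchain.pem" "$root/live/efa1.domain.tld/privkey.pem"
    cat > "$root/main.cf" <<EOF
smtpd_tls_cert_file = $root/live/EFA1.domain.tld/fullchain.pem
smtpd_tls_key_file = $root/live/EFA1.domain.tld/privkey.pem
EOF
    check_le_paths "$root/main.cf" "$root/live" || true
    rm -rf "$root"
}
demo
```

On a real system the call would be `check_le_paths /etc/postfix/main.cf /etc/letsencrypt/live`; a non-zero status after a renewal or a re-enable is the signal that STARTTLS will fail again.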

Re: STARTTLS Let's Encrypt bug (and manual fix).

Posted: 04 Oct 2017 13:53
by TheGr8Wonder
Thanks for the report!

The renew script does not update Postfix paths (or Apache) every 30 days, so the static mappings from your correction should work, since the "live" folder is a symbolic link. But the renew script (and the enabling of the feature) will also break the paths used to generate the Webmin cert if there are uppercase characters in the name (or domain name for that matter).

We'll add this to the issue list for 3.0.2.6. But in the meantime, as a quick workaround, please change your hostname and domain name to lowercase, and then re-run the Let's Encrypt to disable, and then enable again to fix the certs in all 3 apps.

Thanks!

Re: STARTTLS Let's Encrypt bug (and manual fix).

Posted: 04 Oct 2017 18:18
by TheGr8Wonder
Fix published for 3.0.2.6 release

https://github.com/E-F-A/v3/issues/396

Once 3.0.2.6 is released, any instances affected by this will need to disable Let's Encrypt and re-enable the feature for the proper paths and renewal script to be replaced.

Re: STARTTLS Let's Encrypt bug (and manual fix).

Posted: 05 Oct 2017 07:06
by BOOZy
That was quick. Thanks!