Invalid certificate after update (to register a listener)

  • Hi everybody


    I followed this tutorial (which I need to adapt for me because it doesn't work, but that's another problem): Listener::Named::Slave::Provisioning - Zonetransfer to Secondary Nameserver + Howto

    In this tuto there's a new listener to register.

    The command to achieve this is :

    Code
    cd /usr/local/src/imscp-1.5.3-2018120800/
    perl imscp-autoinstall -dasr named


    Each time I ran this command, the setup detects my certificates for the panel and the services as invalid.

    They are generated via the LetsEncrypt plugin.


    My setup :

    Debian 9 - up to date

    iMSCP v 1.5.3 - last release

    FQDN : web1.cproinfo.fr

    Panel address : panel.cproinfo.fr



    The log output (/var/log/imscp/imscp-setup.log) :

    Code
    [Sun Jun 5 02:47:05 2022] [debug] iMSCP::Execute::execute: openssl pkey -in /etc/imscp/imscp_services.pem -noout
    [Sun Jun 5 02:47:05 2022] [debug] iMSCP::Execute::execute: openssl verify -CAfile /etc/imscp/imscp_services.pem -purpose sslserver /etc/imscp/imscp_services.pem
    [Sun Jun 5 02:47:05 2022] [debug] iMSCP::OpenSSL::validateCertificate: error /etc/imscp/imscp_services.pem: verification failed
    [Sun Jun 5 02:47:05 2022] [debug] iMSCP::Execute::execute: /usr/bin/dialog --exit-label Abort --yes-label Yes --ok-label Ok --title 'i-MSCP Installer Dialog' --backtitle 'i-MSCP - internet Multi Server Control Panel (1.5.3)' --cancel-label Back --help-label Help --colors --no-label No --no-shadow --msgbox 'Your SSL certificate for the FTP and MAIL services is missing or invalid.



    The certificate is generated today !

    I already did :

    Code
    dpkg-reconfigure ca-certificates

    to update the DB and change the preferred root CA...


    In order to make this working again, I have to revoke the certs in the panel then generate new certs, and all is fine till next update....


    Is it because I have 2 dns names for the services and for the panel ?

    Am I missing another thing ?


    Many thanks for your help.

  • What gives a manual

    Code
    openssl verify -CAfile /etc/imscp/imscp_services.pem -purpose sslserver /etc/imscp/imscp_services.pem

    ??

  • What gives a manual

    Code
    openssl verify -CAfile /etc/imscp/imscp_services.pem -purpose sslserver /etc/imscp/imscp_services.pem

    ??

    Hi.
    here's the output. :


    Code
    /etc/imscp/imscp_services.pem: OK


    So, I decide to do a new :


    Code
    cd /usr/local/src/imscp-1.5.3-2018120800/
    perl imscp-autoinstall -dasr named



    And the setup detects the cert for panel invalid : cf log

    Code
    [Tue Jun 7 02:43:15 2022] [debug] iMSCP::Execute::execute: openssl pkey -in /etc/imscp/imscp_services.pem -noout
    [Tue Jun 7 02:43:15 2022] [debug] iMSCP::Execute::execute: openssl verify -CAfile /etc/imscp/imscp_services.pem -purpose sslserver /etc/imscp/imscp_services.pem
    [Tue Jun 7 02:43:15 2022] [debug] iMSCP::OpenSSL::validateCertificate: /etc/imscp/imscp_services.pem: OK
    [Tue Jun 7 02:43:15 2022] [debug] iMSCP::Execute::execute: openssl pkey -in /etc/imscp/panel.cproinfo.fr.pem -noout
    [Tue Jun 7 02:43:15 2022] [debug] iMSCP::Execute::execute: openssl verify -CAfile /etc/imscp/panel.cproinfo.fr.pem -purpose sslserver /etc/imscp/panel.cproinfo.fr.pem
    [Tue Jun 7 02:43:15 2022] [debug] iMSCP::OpenSSL::validateCertificate: error /etc/imscp/panel.cproinfo.fr.pem: verification failed
    [Tue Jun 7 02:43:15 2022] [debug] iMSCP::Execute::execute: /usr/bin/dialog --no-label No --no-shadow --ok-label Ok --help-label Help --colors --cancel-label Back --exit-label Abort --backtitle 'i-MSCP - internet Multi Server Control Panel (1.5.3)' --yes-label Yes --title 'i-MSCP Installer Dialog' --msgbox '
    Your SSL certificate for the control panel is missing or invalid.



    So I did after a :

    Code
    openssl verify -CAfile /etc/imscp/panel.cproinfo.fr.pem -purpose sslserver /etc/imscp/panel.cproinfo.fr.pem
    /etc/imscp/panel.cproinfo.fr.pem: OK


    So, when I connect I have the alert message that the CA is unknown... Click OK, then renew the certificate via the LetsEncrypt option.

    When I connect, all is fine, but when I ran:


    Code
    # openssl verify -CAfile /etc/imscp/panel.cproinfo.fr.pem -purpose sslserver /etc/imscp/panel.cproinfo.fr.pem
    O = Digital Signature Trust Co., CN = DST Root CA X3
    error 10 at 3 depth lookup: certificate has expired
    error /etc/imscp/panel.cproinfo.fr.pem: verification failed


    But, if I run :

    Code
    openssl verify -purpose sslserver /etc/imscp/panel.cproinfo.fr.pem
    /etc/imscp/panel.cproinfo.fr.pem: OK


    Is there a way to "remove" the "-CAfile /etc/...." part of the command ?
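
The two `openssl verify` results above differ only in which certificates are consulted, so it helps to see what the PEM file itself contains. The script below is an added example, not part of the thread or of i-MSCP: it lists every certificate in a bundle with its expiry date, subject and issuer, and flags expired ones. The function names and the constructed test bundle are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): list every certificate in a PEM bundle
# and flag the ones that are expired, or that expire within WINDOW seconds.

# audit_bundle FILE [WINDOW] -> one line per certificate; returns 1 if any is flagged
audit_bundle() {
    bundle=$1; window=${2:-0}; flagged=0
    tmp=$(mktemp -d) || return 2
    # One file per BEGIN/END CERTIFICATE block; private keys in the file are skipped.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/cert%03d.pem", dir, ++n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    for f in "$tmp"/cert*.pem; do
        [ -e "$f" ] || continue
        subject=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        issuer=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer= *//')
        not_after=$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2)
        # -checkend N exits non-zero when the certificate expires within N seconds.
        if openssl x509 -in "$f" -noout -checkend "$window" >/dev/null; then
            status=ok
        else
            status=EXPIRED; [ "$window" -gt 0 ] && status=EXPIRING
            flagged=1
        fi
        printf '%s\t%s\tsubject=%s\tissuer=%s\n' "$status" "$not_after" "$subject" "$issuer"
    done
    rm -rf "$tmp"
    return "$flagged"
}

# make_demo_bundle FILE: constructed test input, two throwaway self-signed
# certificates (valid 1 day and 365 days) plus a key, concatenated like a bundle.
make_demo_bundle() {
    d=$(mktemp -d) || return 2
    for days in 1 365; do
        openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
            -subj "/CN=constructed-$days-day.example.test" \
            -keyout "$d/key$days.pem" -out "$d/cert$days.pem" 2>/dev/null || return 2
    done
    cat "$d/key1.pem" "$d/cert1.pem" "$d/cert365.pem" > "$1"
    rm -rf "$d"
}

# Run against a real file when a path is given, e.g. the panel certificate.
if [ $# -gt 0 ]; then audit_bundle "$@"; fi
```

Saved under a name of your choice and run as `sh audit_bundle.sh /etc/imscp/panel.cproinfo.fr.pem`, it prints one line per certificate in that file; a second argument such as `604800` also flags certificates expiring within a week.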

  • Code
    dpkg-reconfigure ca-certificates


    and unselect this one:


    mozilla/DST_Root_CA_X3.crt


    Maybe this helps...


    /Joxi

  • Thanks for your answers.

    I followed the "tuto" by fulltilt, and it's not mentioned, but if you want the "line 134" to be commented in production, you also have to edit the file in your source dir.

    I have to wait a day or 2 to renew the command cause I'm stuck with LetsEncrypt limits....

  • Hi everybody.

    Just to tell you that after editing source and do



    Code
    cd /usr/local/src/imscp-1.5.3-2018120800/
    perl imscp-autoinstall -dasr named




    All is fine.

    Now the certs renew without problems.