Posts by fulltilt

another necessary fix for Proftpd TLS

FileZilla needs TLSProtocol TLSv1.2

nano /etc/proftpd/proftpd.conf

change TLS 1 to TLS1.2

there is a newer script for certbot-auto (letsencrypt-auto)

/plugins//LetsEncrypt/bin/certbot-auto

https://github.com/certbot/cer…r/letsencrypt-auto-source

maybe the plugin could work with it?

Thanks Kess! It works with my test vps ... but I think it would be a better idea to be patient until Nuxwin is done with his work.

Manual changes in database or OS (via snapd sources) could possibly cause problems afterwards ...

For now I prefer the solution of vege.net ... an undo is very simple because only line 134 needs to be activated again.

Quote from Nuxwin

It's not working ok... but ... any relevant data would be welcome.

Thank you...

Nuxwin

some details about the expired letsencrypt certificates (certbot-auto affected)

Intermediate R3 expired on 9/29/2021 at 19:21:40 (GMT)

DST Root CA X3 expired on 9/30/2021 14:01:15 (GMT)

https://letsencrypt.org/docs/d…xpiration-september-2021/

everything seems to work with the letsencrypt patch, but I discovered a problem when installing a purchased certificate ...

To install a paid certificate line 134 needs to be reactivated in OpenSSL.pm (afterwards deactivate again).

Therefore I have deactivated / changed the button links in the client theme to prevent customers being able to create and edit certificates themselves except letsencrypt

also w/ any other line with {CERT_SCRIPT} for alias, alias-sub, sub ...

or simply

I will try to make this accessible only to the administrator

if ... admin

<a href="{CERT_SCRIPT}" ...

else

<a href=""

...

openssl verify still shows an error but the certificate seems to be valid

I also tried to remove the CA X3 incl. reboot afterwards but that didn't change anything ...

@Joern

I noticed earlier today that the imscp (panel) certificates are not affected by the internal verification process ...

you hit exactly the point to solve the problem w/ the customer stuff and the letsencrypt-r3.crt seems to work

Quote from vege.net

just comment out line 134

# ( ( $self->{'ca_bundle_container_path'} ne '' ) ? ( '-CAfile', $self->{'ca_bundle_container_path'} ) : () ),

yeah, it seems to work ...

great job, respect!

Thanks a lot

Quote from vege.net

no, just added the cert.. dont know if the others are necessary.. (?)

your welcome

OK, it seems it shows existing & available, only one cert (letsencrypt) was added

in /var/www/imscp/engine/PerlLib/iMSCP/OpenSSL.pm

Only 'openssl', 'verify' should remain active?

Quote from vege.net

we had the same problems, here is a hot fix which worked for us:

cd /usr/share/ca-certificates/mozilla/

wget https://letsencrypt.org/certs/lets-encrypt-r3.pem

mv lets-encrypt-r3.pem lets-encrypt-r3.crt

dpkg-reconfigure ca-certificates

-->> choose new letsencrypt Cert

vi /var/www/imscp/engine/PerlLib/iMSCP/OpenSSL.pm +134

comment out line 134

my $cmd = [

'openssl', 'verify',

# ( ( $self->{'ca_bundle_container_path'} ne '' ) ? ( '-CAfile', $self->{'ca_bundle_container_path'} ) : () ),

'-purpose', 'sslserver', $self->{'certificate_container_path'}

];

Regards, Joern

ps: Debian 9 / i-MSCP 1.5.3 Build: 2018120800

Build: 2018120800

Display More

Thank You!

should only the mozilla/letsencryypt-r3.crt selected in the dialog?

I mean should any other be de-selected?