[Eisfair] Apache certs_dehydrated problem after reboot
Dirk Alberti
Howy-1 at gmx.de
Sun May 21 10:38:39 CEST 2017
Hello everyone,
I have just run through it once more.
When running "Update smtp certificates for exim" in "Mail addon
certificates", I suddenly end up with a
/var/certs/ssl/certs/******.no-ip.biz.pem that no longer works.
It looks like this:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:3e:e4:77:ff:71:b3:6f:ce:4d:00:91:26:bc:31:c2:bb:16
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Validity
Not Before: May 7 10:16:00 2017 GMT
Not After : Aug 5 10:16:00 2017 GMT
Subject: CN=******.no-ip.biz
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
FF:C2:E9:25:4C:6D:98:14:30:B3:CA:F4:07:36:2C:07:D1:89:7D:7C
X509v3 Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org/
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
X509v3 Subject Alternative Name:
DNS:******.no-ip.biz
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
User Notice:
Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
Signature Algorithm: sha256WithRSAEncryption
-----BEGIN CERTIFICATE-----
MIIFCDCCA/CgAwIBAgISAz7kd/9xs2/OTQCRJrwxwrsWMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzA1MDcxMDE2MDBaFw0x
...and so on.....
And Apache does not start.
If I run the certs_dehydrated setup, the
/var/certs/ssl/certs/******.no-ip.biz.pem looks like this afterwards:
-----BEGIN RSA PRIVATE KEY-----
.
.
.
.
The key is here
.
.
.
-----END RSA PRIVATE KEY-----
-----BEGIN DH PARAMETERS-----
.
.
.
and so on, just as it should be...
So something really does seem to be wrong with the update of the SMTP
certificates.
Or maybe something old from the certificates I created myself with Certs
is still lying around somewhere and is being picked up by mistake.
Dirk
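
Added example, not part of the original post: a shell diagnostic that prints the order of PEM blocks in a bundle, so the file left by the exim certificate update can be compared with the one written by the certs_dehydrated setup. The sample files are constructed placeholders, and the expectation that the bundle starts with a private key block is an assumption taken from the working file shown above.

```shell
#!/bin/sh

# Print each PEM block label in file order; TEXT marks non-PEM lines between
# blocks (such as an "openssl x509 -text" dump), UNTERMINATED a missing END.
pem_layout() {
    awk '
        /^-----BEGIN .*-----[ \t\r]*$/ {
            label = $0
            sub(/^-----BEGIN /, "", label); sub(/-----[ \t\r]*$/, "", label)
            print label; inblock = 1; text = 0; next
        }
        /^-----END .*-----[ \t\r]*$/ { inblock = 0; next }
        !inblock && NF > 0 && !text { print "TEXT"; text = 1 }
        END { if (inblock) print "UNTERMINATED" }
    ' "$1"
}

# Assumption taken from the working file in the post: the bundle starts with
# a private key block. Returns 0 if so and every block is closed, else 1.
bundle_ok() {
    layout=$(pem_layout "$1") || return 2
    first=$(printf '%s\n' "$layout" | head -n 1)
    case $first in
        *"PRIVATE KEY") ;;
        *) echo "$1: starts with '${first:-nothing}', not a private key"; return 1 ;;
    esac
    if printf '%s\n' "$layout" | grep -qx 'UNTERMINATED'; then
        echo "$1: unterminated PEM block"; return 1
    fi
}

# Constructed sample files mirroring the two states described in the post.
make_samples() {
    printf '%s\n' 'Certificate:' '    Data:' '        Version: 3 (0x2)' \
        '-----BEGIN CERTIFICATE-----' 'constructed-placeholder' \
        '-----END CERTIFICATE-----' > "$1/after_exim_update.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed-placeholder' \
        '-----END RSA PRIVATE KEY-----' '-----BEGIN DH PARAMETERS-----' \
        'constructed-placeholder' '-----END DH PARAMETERS-----' \
        > "$1/after_setup.pem"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in "$demo_dir"/*.pem; do
    pem_layout "$f" | tr '\n' ','; echo
    bundle_ok "$f" || true
done
rm -rf "$demo_dir"
```

Running `bundle_ok` on the real bundle before restarting Apache shows whether the file still has the layout the certs_dehydrated setup produced.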