[Eisfair] [E1 b:2.8.25 K: 5.10.70-eisfair-1-SMP] Problem mail -> TLS/SSL certificates

Martin Faderbauer martin at fmit.at
Wed Nov 10 14:32:31 CET 2021


Hello NG,

Exim is not handing out any certificates, although they are valid and now lie in the right place; the web certificates work.
Only the mail certificates are not transferred to the client.

The certificates are created automatically by the Certs -> Dehydrated package and renewed monthly; this worked without problems until last month. Does anyone perhaps have an idea what else I could check?



>> # enable TLS/SSL server support
>> tls_certificate = /var/certs/ssl/certs/mail.bbit.at.pem
>> tls_privatekey  = /var/certs/ssl/certs/mail.bbit.at.pem
>> tls_dhparam     = /var/certs/ssl/certs/mail.bbit.at.pem
>> tls_ocsp_file   = /usr/local/ssl/crl/mail.bbit.at.ocsp
>> tls_advertise_hosts = *bbit.at


>> bbitsrv02 # ls /var/certs/ssl/certs | grep bbit
>> bbitsrv02.local.pem
>> mail.bbit.at.pem
>> www.bbit.at.pem
>> bbitsrv02 #

>> bbitsrv02 # ls /usr/local/ssl/crl | grep bbit
>> mail.bbit.at.ocsp
>> www.bbit.at.ocsp
>> bbitsrv02 #


>> Request Let’s Encrypt certificate update
>>
>> Umgebung : live
>> Challenge:
>>
>> Do you want to force a renewal of the certificate(s) (y/n) [no]? y
>>
>> # INFO: Using main config file /etc/dehydrated/config
>> Processing www.bbit.at with alternative names: www.korper.at
>>  + Checking domain name(s) of existing cert... unchanged.
>>  + Checking expire date of existing cert...
>>  + Valid till Feb  6 09:09:52 2022 GMT (Longer than 30 days). Ignoring because renew was forced!
>>  + Signing domains...
>>  + Generating private key...
>>  + Generating signing request...
>>  + Requesting new certificate order from CA...
>>  + Received 2 authorizations URLs from the CA
>>  + Handling authorization for www.bbit.at
>>  + Handling authorization for www.korper.at
>>  + 2 pending challenge(s)
>>  + Deploying challenge tokens...
>>  + Responding to challenge for www.bbit.at authorization...
>>  + Challenge is valid!
>>  + Responding to challenge for www.korper.at authorization...
>>  + Challenge is valid!
>>  + Cleaning challenge tokens...
>>  + Requesting certificate...
>>  + Checking certificate...
>>  + Done!
>>  + Creating fullchain.pem...
>> -> Executing hook script 'deploy_cert' ...
>> creating files/links required by eisfair ...
>> + domain 'www.bbit.at':
>>   - link '/usr/local/ssl/csr/www.bbit.at.csr' created/updated.
>>   - link '/usr/local/ssl/private/www.bbit.at.key' created/updated.
>>   - link '/usr/local/ssl/newcerts/www.bbit.at.crt' created/updated.
>>   - file '/usr/local/ssl/newcerts/www.bbit.at.dh' exists.
>>   - file '/usr/local/ssl/certs/www.bbit.at.pem' created.
>> + domain 'mail.bbit.at':
>>   - link '/usr/local/ssl/csr/mail.bbit.at.csr' created/updated.
>>   - link '/usr/local/ssl/private/mail.bbit.at.key' created/updated.
>>   - link '/usr/local/ssl/newcerts/mail.bbit.at.crt' created/updated.
>>   - file '/usr/local/ssl/newcerts/mail.bbit.at.dh' exists.
>>   - file '/usr/local/ssl/certs/mail.bbit.at.pem' created.
>> updating hashes '/usr/local/ssl/certs' ...
>> checking package usage definition ...
>> checking symbolic links to certificate ...
>> + domain 'www.bbit.at':
>>   - link 'apache.pem' ok.
>> + domain 'mail.bbit.at':
>>   - link 'exim.pem' ok.
>>   - link 'imapd.pem' ok.
>>   - link 'ipop3d.pem' ok.
>> # INFO: Using main config file /etc/dehydrated/config
>> ocsp-1636365265.der
>> Moving unused file to archive directory: mail.bbit.at/ocsp-1636365265.der
>> cert-1636366182.csr
>> Moving unused file to archive directory: www.bbit.at/cert-1636366182.csr
>> cert-1636366182.pem
>> Moving unused file to archive directory: www.bbit.at/cert-1636366182.pem
>> chain-1636366182.pem
>> Moving unused file to archive directory: www.bbit.at/chain-1636366182.pem
>> fullchain-1636366182.pem
>> Moving unused file to archive directory: www.bbit.at/fullchain-1636366182.pem
>> privkey-1636366182.pem
>> Moving unused file to archive directory: www.bbit.at/privkey-1636366182.pem
>>  + Done!
>>  + Updating OCSP stapling file
>> Processing mail.bbit.at
>>  + Checking domain name(s) of existing cert... unchanged.
>>  + Checking expire date of existing cert...
>>  + Valid till Feb  6 09:10:05 2022 GMT (Longer than 30 days). Ignoring because renew was forced!
>>  + Signing domains...
>>  + Generating private key...
>>  + Generating signing request...
>>  + Requesting new certificate order from CA...
>>  + Received 1 authorizations URLs from the CA
>>  + Handling authorization for mail.bbit.at
>>  + 1 pending challenge(s)
>>  + Deploying challenge tokens...
>>  + Responding to challenge for mail.bbit.at authorization...
>>  + Challenge is valid!
>>  + Cleaning challenge tokens...
>>  + Requesting certificate...
>>  + Checking certificate...
>>  + Done!
>>  + Creating fullchain.pem...
>> -> Executing hook script 'deploy_cert' ...
>> creating files/links required by eisfair ...
>> + domain 'www.bbit.at':
>>   - link '/usr/local/ssl/csr/www.bbit.at.csr' created/updated.
>>   - link '/usr/local/ssl/private/www.bbit.at.key' created/updated.
>>   - link '/usr/local/ssl/newcerts/www.bbit.at.crt' created/updated.
>>   - file '/usr/local/ssl/newcerts/www.bbit.at.dh' exists.
>>   - file '/usr/local/ssl/certs/www.bbit.at.pem' created.
>> + domain 'mail.bbit.at':
>>   - link '/usr/local/ssl/csr/mail.bbit.at.csr' created/updated.
>>   - link '/usr/local/ssl/private/mail.bbit.at.key' created/updated.
>>   - link '/usr/local/ssl/newcerts/mail.bbit.at.crt' created/updated.
>>   - file '/usr/local/ssl/newcerts/mail.bbit.at.dh' exists.
>>   - file '/usr/local/ssl/certs/mail.bbit.at.pem' created.
>> updating hashes '/usr/local/ssl/certs' ...
>> checking package usage definition ...
>> checking symbolic links to certificate ...
>> + domain 'www.bbit.at':
>>   - link 'apache.pem' ok.
>> + domain 'mail.bbit.at':
>>   - link 'exim.pem' ok.
>>   - link 'imapd.pem' ok.
>>   - link 'ipop3d.pem' ok.
>> # INFO: Using main config file /etc/dehydrated/config
>> cert-1636366197.csr
>> Moving unused file to archive directory: mail.bbit.at/cert-1636366197.csr
>> cert-1636366197.pem
>> Moving unused file to archive directory: mail.bbit.at/cert-1636366197.pem
>> chain-1636366197.pem
>> Moving unused file to archive directory: mail.bbit.at/chain-1636366197.pem
>> fullchain-1636366197.pem
>> Moving unused file to archive directory: mail.bbit.at/fullchain-1636366197.pem
>> privkey-1636366197.pem
>> Moving unused file to archive directory: mail.bbit.at/privkey-1636366197.pem
>> ocsp-1636366196.der
>> Moving unused file to archive directory: www.bbit.at/ocsp-1636366196.der
>>  + Done!
>>  + Updating OCSP stapling file
>> -> Executing hook script 'exit_hook' ...
>> Restarting eisfair services ...
>> + package 'apache2' restarted.
>> + package 'mail' restarted.
>>
>> Press ENTER to continue
>> Let's Encrypt Certificate administration

That looks OK to me.
Normally Thunderbird loads the certificate immediately when creating a mail account with TLS/SSL. Unfortunately that just does not happen here, and there is no error message either that would help identify the problem.

Regards
Martin
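Added example, not part of the mailing list thread: a small Python checker for the situation described above, where the web certificate works but Exim hands out nothing. It reads the `tls_certificate`, `tls_privatekey` and `tls_dhparam` lines of an Exim config fragment (the same option names as in the quoted config, mail-quoting prefixes tolerated), follows the symlinks the eisfair hook creates (`exim.pem` style), and reports each option whose target is missing or lacks the PEM block type that option needs; in the quoted config all three options point at one bundle, so that bundle must contain a certificate, a private key and DH parameters. A second function fetches the certificate a running server actually presents after STARTTLS, so the file on disk can be compared with what the client sees. The PEM fixtures the self-check writes are constructed dummies, not real keys; the example does not verify that key and certificate match (that needs OpenSSL or the `cryptography` package).

```python
import os
import re
import smtplib
import ssl
import tempfile

# Exim options and the RFC 7468 / OpenSSL PEM block labels each one needs.
REQUIRED_BLOCKS = {
    "tls_certificate": {"CERTIFICATE"},
    "tls_privatekey": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
    "tls_dhparam": {"DH PARAMETERS"},
}

_OPTION_RE = re.compile(r"^\s*(tls_\w+)\s*=\s*(\S+)\s*$")
_BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def parse_exim_tls_options(config_text):
    """Return {option: value} for the tls_* lines of an Exim config fragment."""
    options = {}
    for line in config_text.splitlines():
        line = line.lstrip("> ")          # tolerate mail-quoted copies of the config
        m = _OPTION_RE.match(line)
        if m:
            options[m.group(1)] = m.group(2)
    return options


def pem_block_labels(path):
    """Labels of the PEM blocks in a file, e.g. ['CERTIFICATE', 'PRIVATE KEY']."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        return [m.group(1) for m in _BLOCK_RE.finditer(fh.read())]


def check_tls_files(options):
    """Map each file-valued tls_* option to a problem string; empty dict = all fine.

    Problems detected: dangling symlink or missing file, unreadable file, and a
    file without the PEM block type the option needs (for example tls_dhparam
    pointing at a bundle that carries no DH PARAMETERS block).
    """
    problems = {}
    for option, needed in REQUIRED_BLOCKS.items():
        path = options.get(option)
        if path is None:
            continue                      # option unset; Exim falls back to its default
        target = os.path.realpath(path)   # follow the hook-created links to the bundle
        if not os.path.isfile(target):
            problems[option] = f"{path} -> {target}: file does not exist"
            continue
        try:
            labels = pem_block_labels(target)
        except OSError as exc:
            problems[option] = f"{path}: unreadable ({exc.strerror})"
            continue
        if not needed & set(labels):
            problems[option] = (f"{path}: no {sorted(needed)} block, "
                                f"found {labels or 'no PEM blocks at all'}")
    return problems


def fetch_starttls_certificate(host, port=25, timeout=10):
    """Return the PEM certificate a live SMTP server presents after STARTTLS,
    or None if the server does not advertise STARTTLS at all. Verification is
    switched off on purpose: the point is to see what is served, even if it is
    wrong. This makes a network connection and is not run by the self-check."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return None
        smtp.starttls(context=ctx)
        return ssl.DER_cert_to_PEM_cert(smtp.sock.getpeercert(binary_form=True))


# Constructed test fixture: PEM-shaped blocks whose body is NOT a real key or
# certificate, only there so the block scanner has something to find.
_DUMMY_BODY = "MIIBxxxxCONSTRUCTEDxxxx\n"


def write_constructed_bundle(path, labels):
    """Write one dummy PEM block per label to path (constructed data)."""
    with open(path, "w") as fh:
        for label in labels:
            fh.write(f"-----BEGIN {label}-----\n{_DUMMY_BODY}-----END {label}-----\n")


def self_check():
    """Exercise the checker on constructed bundles; returns the options flagged."""
    with tempfile.TemporaryDirectory() as d:
        full = os.path.join(d, "full.pem")      # cert chain + key + DH params
        write_constructed_bundle(full, ["CERTIFICATE", "CERTIFICATE",
                                        "PRIVATE KEY", "DH PARAMETERS"])
        nodh = os.path.join(d, "nodh.pem")      # bundle without DH parameters
        write_constructed_bundle(nodh, ["CERTIFICATE", "PRIVATE KEY"])
        link = os.path.join(d, "exim.pem")      # hook-style symlink to the bundle
        os.symlink(nodh, link)
        gone = os.path.join(d, "missing.pem")   # dangling symlink
        os.symlink(os.path.join(d, "deleted.pem"), gone)
        good = check_tls_files(parse_exim_tls_options(
            f"tls_certificate = {full}\ntls_privatekey  = {full}\ntls_dhparam     = {full}\n"))
        bad = check_tls_files(parse_exim_tls_options(
            f">> tls_certificate = {link}\n>> tls_privatekey = {gone}\n>> tls_dhparam = {link}\n"))
        return {"good": sorted(good), "bad": sorted(bad)}


if __name__ == "__main__":
    print(self_check())
```

When run against the real paths, run it as the user Exim runs as (or check the file mode), since a bundle readable only by root passes the block scan but still fails inside Exim; in that case Exim's mainlog and paniclog are where the failure to load the certificate shows up, which is the error message Thunderbird itself never gets to see.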
