SSL Woes


#1

Really not sure what I am doing wrong, or what may be amiss with my setup, as I seem to have no valid certs on my Sym Jessie install. The output of one of my sites, for example, shows the below, but the certificate still seems invalid


#2

Your site’s certificate looks fine here (expires November 2017), the issue with the front page is it is mixed content - you are including HTTP requests within the page. A browser console will tell you precisely what, looks to be four copies of http://www.windsurf.me.uk/media/feedgator/images/feeds/pwa-logo.jpg
Hope that’s helpful.

(If the certificate wasn’t okay for you before, note I think you need to reload your web browser to take note of the new certificate, which might have happened for you overnight.)
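
The mixed-content check from #2, as an added shell example (not code from this thread or from Symbiosis): save the page with curl, then list every sub-resource loaded over plain http://. Only loads count, so `src=` on any tag and `href=` on `<link>` are reported, while an ordinary `<a href="http://...">` is a navigation and is ignored. The sample page written by `write_sample_page` is constructed for a dry run and is not the real site's HTML.

```shell
#!/bin/sh
# Added example, not code from the thread or from Symbiosis: find the plain
# http:// sub-resources that make an HTTPS page "mixed content".

# Print every insecure sub-resource URL in the file, one line per occurrence.
# The `|| true` keep grep's "no match" exit status from aborting under set -e.
find_mixed_content() {
    f="$1"
    {
        grep -oE 'src="http://[^"]*"' "$f" || true
        grep -oE '<link[^>]*href="http://[^"]*"' "$f" || true
    } | grep -oE 'http://[^"]*' || true
}

# Same URLs collapsed to "<count> <url>", so a resource pulled in several
# times (post #2 saw four copies of one image) shows as a count.
summarise_mixed_content() {
    find_mixed_content "$1" | sort | uniq -c | awk '{print $1, $2}'
}

# Total number of insecure loads; "0" when the page is clean.
count_mixed_content() {
    find_mixed_content "$1" | wc -l | tr -d ' '
}

# Constructed sample page for a dry run; not the real site's HTML.
write_sample_page() {
    cat > "$1" <<'EOF'
<html><head>
<link rel="stylesheet" href="https://www.example.com/css/site.css">
<link rel="stylesheet" href="http://www.example.com/css/old.css">
<script src="http://www.example.com/js/feed.js"></script>
</head><body>
<img src="http://www.example.com/media/logo.jpg">
<img src="http://www.example.com/media/logo.jpg">
<a href="http://www.example.com/">plain link: a navigation, not a sub-resource</a>
</body></html>
EOF
}

# Usage against a live site (needs network):
#   curl -sS https://www.example.com/ -o page.html && summarise_mixed_content page.html
```

A browser's console reports the same URLs, but running this over the saved HTML lets you grep the site's templates or extensions for the offending `http://` string before touching the server.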


#3

Thanks for taking the time to look. I will work on the mixed content when I have a bit more time. Last night turned into one of those evenings where you wish you had simply sat with a beer in front of the TV. I first discovered that while new certificates were being generated by the --verbose command, it was for some reason still using expired certs. So I did the deed of deleting the old certs from each directory, then running --verbose to re-generate. Things still did not work, and as it has been many months since my last restart, I popped onto the BigV control panel and hit the button. After a restart nothing worked; I could access nothing. Got a bit grumpy and threw my toys from the pram. Once I had calmed down and scratched away most of my hair, I discovered that for some reason Apache was not starting, and neither was Exim and a few other services. I did the lazy thing and restored /etc from yesterday's backup, and everything sprung to life, much to my relief.

After that the certificates began working, and I am still not quite sure what I did to change things. I'll put it down to "just one of those things".

Once again, thanks for taking the time to look. I should have reported back once I fixed everything but was too knackered.


#4

Sym Jess didn’t work out for us because of cert renewal issues.
We’re stuck with Sym Wheezy BUT waiting to test Sym Stretch.


#5

After the certs are generated, the Apache configs need to be re-run to take account of the new location for the certs. There are two options: either run another command, or simply wait a while for it to run and update the Apache configs, and reload them in Apache. Leaving it an hour or so, or waiting overnight, usually works.


#6

Hey,

It beats me why none of the ongoing cert issues, potential solutions and workarounds are comprehensively documented within the Sym Jessie docs. It would save us all an inordinate amount of time and frustration if the documentation was updated and simplified to address ongoing certificate issues.

For example:

  1. How do I remove the old certificates and reinstall a fresh set of certificates?

  2. How do I remove the existing Let's Encrypt certificates and install professional certificates?

Some updated documentation would negate scratching around on this forum for potential solutions; surely, Bytemark, this would be the obvious coa?

Regards, Pete


#7

To be fair, this is the first time I have experienced an issue. It took me a little thought but once I worked out what was going on it was relatively simple.

There is also a part of the docs which explains how to use a different cert: https://symbiosis.bytemark.co.uk/jessie/docs/symbiosis.html#ch-sslreference


#8

In answer to your questions

  1. Put a new, higher-numbered directory in config/ssl/sets with everything in it. Then run symbiosis-ssl --verbose example.com, which should detect the new certificates etc., and perform the rollover if everything is valid.
  2. If you don't want to use LetsEncrypt at all, and want to prevent LetsEncrypt from ever being used to fetch new certificates, then put false in config/ssl-provider. Then simply follow the instructions above to put a new set in place.

FWIW disabling LetsEncrypt is documented. Replacing sets with your own data is not documented explicitly, but the idea of SSL “sets” is, which is what is being used to put a new set in place.

It would be really helpful if you could raise bugs against Symbiosis on Github where you see failings.
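
The two answers in #8, worked as an added shell example. This is not Symbiosis' own code, and two things in it are assumptions the thread does not state: that the files inside a set are named ssl.key, ssl.crt and ssl.bundle (the post only says "everything in it"), and that the domain lives under /srv/<domain> (`SRV_ROOT`, overridable so the functions can be tried in a scratch directory). Before staging, it checks that the private key and certificate actually belong together, which is worth doing before `symbiosis-ssl --verbose` is asked to roll the set over.

```shell
#!/bin/sh
# Added example, not Symbiosis' own code: stage a new SSL "set" under
# <domain>/config/ssl/sets/<n>/ as post #8 describes, and disable LetsEncrypt
# via config/ssl-provider. File names inside a set and the /srv layout are
# assumptions, not something this thread documents.

SRV_ROOT="${SRV_ROOT:-/srv}"

# Next free set number: highest existing numeric directory name + 1,
# or 0 when there are no sets yet. Non-numeric entries are ignored.
next_set_number() {
    sets_dir="$1"
    max=-1
    if [ -d "$sets_dir" ]; then
        for d in "$sets_dir"/*; do
            [ -d "$d" ] || continue
            n=${d##*/}
            case "$n" in
                ''|*[!0-9]*) continue ;;
            esac
            if [ "$n" -gt "$max" ]; then max="$n"; fi
        done
    fi
    echo $((max + 1))
}

# DER public key as hex; empty output if the file is missing or not a key/cert,
# so an unreadable input can never compare equal to anything.
pub_of_key()  { openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | od -An -tx1 | tr -d ' \n'; }
pub_of_cert() { openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
                | openssl pkey -pubin -outform DER 2>/dev/null | od -An -tx1 | tr -d ' \n'; }

# A key and certificate belong together iff they carry the same public key.
key_matches_cert() {
    k=$(pub_of_key "$1")
    c=$(pub_of_cert "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# stage_set <domain> <key.pem> <cert.pem> [chain.pem]
# Refuses a mismatched pair; prints the new set directory on success.
stage_set() {
    domain="$1"; key="$2"; crt="$3"; bundle="$4"
    sets_dir="$SRV_ROOT/$domain/config/ssl/sets"
    if ! key_matches_cert "$key" "$crt"; then
        echo "stage_set: $key does not match $crt, refusing to stage" >&2
        return 1
    fi
    dest="$sets_dir/$(next_set_number "$sets_dir")"
    mkdir -p "$dest"
    cp "$crt" "$dest/ssl.crt"
    if [ -n "$bundle" ]; then cp "$bundle" "$dest/ssl.bundle"; fi
    cp "$key" "$dest/ssl.key"
    chmod 600 "$dest/ssl.key"          # the private key must not be world-readable
    echo "$dest"
}

# Item 2 of post #8: stop LetsEncrypt ever being used for this domain.
disable_letsencrypt() {
    echo false > "$SRV_ROOT/$1/config/ssl-provider"
}

# After the rollover: what the server really presents for <host> on :443,
# with SNI sent (needs network; not exercised offline).
served_cert_summary() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}
```

Typical sequence on the box: `disable_letsencrypt example.com` if you are moving to a bought certificate, `stage_set example.com key.pem cert.pem chain.pem`, then `symbiosis-ssl --verbose example.com` as #8 says. Per #5, the Apache configs pick the new set up either when the periodic job runs or when you regenerate and reload them yourself, so `served_cert_summary example.com` showing the old dates straight afterwards is expected until that has happened.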


#9

Symbiosis renewals work just fine on Jessie for me.

I don’t know enough to suggest why yours don’t, but I can assure you that it CAN work very well indeed.


#10

Iain,
I'm really pleased that you're finding SymJess of utility. SymJess has plenty of well documented issues that preclude its use for business comms. Take a read:

We’re waiting for the release of SymStretch so that we can test its reliability prior to migrating our domains.
All the best, Pete


#11

Quoting your own thread is hardly “well documented”

I would be interested to find out exactly what went wrong with your setup. With mine I did something wrong which killed it. I and many others use it successfully without the problems you have experienced. In fact, a friend of mine successfully runs a dedicated host running Symbiosis with over 4000 users, many of whom have iPhones to collect their mail, and he rarely gets any problems whatsoever other than the usual individuals who struggle to set up their devices.

I understand how frustrating it can be when something doesn't work as expected, and worse still when you have users moaning at you while you are trying to fix it, but in my mind it is better to fix a problem than to start again with a new system and inevitably a whole new set of headaches.


#12

This is the problem Phil:

pcherry (Director of operations, Bytemark Hosting), May '16:
Hi everyone

It is tricky to get SMTP/POP3/IMAP + multiple certificates working in a sane way with Symbiosis at the moment. I was working on a branch to get SNI going, which both dovecot and exim4 support, but it's not quite ready, and requires quite a lot of testing.

If you’re happy using just one mail domain for all your domains on your box, then you can symlink the certificates in /etc/ssl to /srv/mail.example.com (or whatever you like) and use them that way. You’d then need to ask your clients to use mail.example.com as their POP3/IMAP/SMTP server, but that does work.

Best wishes,

Patrick

I’m hoping the SymStretch release of Symbiosis will see this issue fixed.
Regards, Pete


#13

That's rather unfortunate. I've been using it with no issues at all since it was released. There are about 100 domains hosted on the server, most of them with many mailboxes. Dozens, perhaps scores (or more) of iPhone and iPad victims are using it with no specific problems, well, not ones they have mentioned, and their email seems to work OK…

You need a proper SSL certificate for the mail server. A self-signed one will work, but it is not suitable for a production server.

Of course it does depend on installing the certificate for the correct name, and using that name in the phones email settings. Sounds like you didn’t get that right.

The letsencrypt certificates certainly work for the web server. I am still using a paid-for certificate for the mail server, but I hope not to have to pay to renew it this year. Let’s hope that letsencrypt works OK with it.