Using Letsencrypt certificate

[kranzfr3d]

[EDIT] This post is obsolete, please go here to view the "How-To"

Hi,

you're right again!!
Here we go, its ./exim_stage1/mainlog:

Code: Select all

2017-12-21 22:55:54 no host name found for IP address my.ip.adr.ess
2017-12-21 22:55:54 TLS error on connection from (openssl.client.net) [my.ip.adr.ess] (SSL_CTX_use_PrivateKey_file file=/usr/mailcleaner/etc/apache/certs/SANCert-priv.pem): error:0906D06C:PEM routines:PEM_read_bio:no start line
2017-12-21 22:55:54 SMTP call from (openssl.client.net) [my.ip.adr.ess] dropped: too many syntax or protocol errors (last command was "?\034?\032?\027?\031?\034?\033?\030?\032?\026?\016?\r?\v?\f?   ?")

How should the private key file be formatted??
Is starts with -----BEGIN RSA PRIVATE KEY----- and ends with -----END RSA PRIVATE KEY-----
The last line is an "empty" line
Encoding is UTF-8

So, what's the secret of this cert?


gr33tz

[madhopsman]

Hi,

you're right again!!
Here we go, its ./exim_stage1/mainlog:

Code: Select all

2017-12-21 22:55:54 no host name found for IP address my.ip.adr.ess
2017-12-21 22:55:54 TLS error on connection from (openssl.client.net) [my.ip.adr.ess] (SSL_CTX_use_PrivateKey_file file=/usr/mailcleaner/etc/apache/certs/SANCert-priv.pem): error:0906D06C:PEM routines:PEM_read_bio:no start line
2017-12-21 22:55:54 SMTP call from (openssl.client.net) [my.ip.adr.ess] dropped: too many syntax or protocol errors (last command was "?\034?\032?\027?\031?\034?\033?\030?\032?\026?\016?\r?\v?\f?   ?")

How should the private key file be formatted??
Is starts with -----BEGIN RSA PRIVATE KEY----- and ends with -----END RSA PRIVATE KEY-----
The last line is an "empty" line
Encoding is UTF-8

So, what's the secret of this cert?


gr33tz

Not sure exactly. However, maybe go back to how you are exporting your certificate. Export to PFX, then use openssl to generate the cert+chain and private key files:

Cert+chain PEM:

Code: Select all

\OpenSSL-Win64\bin\openssl.exe pkcs12 -in latestcert.pfx -out SANCert-and-chain.pem -nokeys -nodes -passin pass:passwordforpfx


Private key:

Code: Select all

\OpenSSL-Win64\bin\openssl.exe pkcs12 -in latestcert.pfx -nodes -passin pass:passwordforpfx -nocerts -nodes -out SANCert-priv.pem


[kranzfr3d]

[EDIT] This post is obsolete, please go here to view the "How-To"

Hi,

wonderful, I had a break through.
Your openssl-commands got me on the right track.
I played a bit with the certs whether the apache came up or not.

The fullchain has to be built up this way:

Code: Select all

-----BEGIN PRIVATE KEY-----
private key stuff
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
my LE certstuff
-----BEGIN CERTIFICATE-----
LE authority cert stuff
-----END CERTIFICATE-----


The fullchain is primary important for apache starting up, it doesn't need the private-only pem.
But the fullchain has to be built by my own - the script is coming below.

The private pem is important for SSL/TLS connections (in my case). Perhaps its important for some other things...
It only consists of itself...

Code: Select all

-----BEGIN PRIVATE KEY-----
private key stuff
-----END PRIVATE KEY-----

In all cases of my studies (lol) the exported "Bag"- and "Key"-Attributes were carried along the certs - that did not harm the apache/SSL functions.

The first condition of my script is an existing pfx file from LE and the second an existing openSSL.exe
The script is a first draft so far, I do not like it 100% yet - but it works:

Code: Select all

cls
$openssl = "C:\tools\openSSL-1.0.2n\openssl.exe"
$sourcePFX = "C:\sys\certs\SANCert.pfx"
$sourcePFX_Passphrase = "secretpassword"
$certfullfile = "C:\sys\certs\SANCert.key"
$privkeyfile = "C:\sys\certs\SANCert.pkey"
$certfullOutfile = "\\someotherserver\c$\sys\SANCert-fullchain.pem"
$privkeyOutfile = "\\someotherserver\c$\sys\SANCert-priv.pem"

& $openssl pkcs12 -in $sourcePFX -out $certfullfile -nokeys -nodes -passin pass:$sourcePFX_Passphrase
& $openssl pkcs12 -in $sourcePFX -nodes -passin pass:$sourcePFX_Passphrase -nocerts -nodes -out $privkeyfile

$certfullfilecontent = Get-Content $certfullfile | out-string
$privkeyfilecontent = Get-Content $privkeyfile | out-string

$deletePath = $certfullOutfile
  if (Test-Path $deletePath) {
  Remove-Item $deletePath
  }
 $deletePath = $privkeyOutfile
  if (Test-Path $deletePath) {
  Remove-Item $deletePath
  }

# SANCert and Chain
$privkeyfilecontent | Out-File -Encoding UTF8 $certfullOutfile
$certfullfilecontent | Out-File -Encoding UTF8 -Append $certfullOutfile
# private from SANCert
$privkeyfilecontent | Out-File -Encoding UTF8 $privkeyOutfile

  $deletePath = $sourcePFX
  if (Test-Path $deletePath) {
  Remove-Item $deletePath
  }

$deletePath = $privkeyfile
  if (Test-Path $deletePath) {
  Remove-Item $deletePath
  }

  $deletePath = $certfullfile
  if (Test-Path $deletePath) {
  Remove-Item $deletePath
  }

The SSL-Test is running now, but is it running right - could you check it - please?
I have some headache with the "unable to get local issuer certificate"-parts. Is this ok, because my openSSL doesn't have an cert for the server, isn't it?

Code: Select all

OpenSSL> s_client -connect mymx.my.externaldomain:25 -starttls smtp
CONNECTED(000001F4)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=myMX
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
some RIGHT cert stuff
-----END CERTIFICATE-----
subject=/CN=myMX
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3528 bytes and written 468 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: someID
    Session-ID-ctx:
    Master-Key: someKey
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 200 (seconds)
    TLS session ticket:
    0000 - 68 f9 85 2b 3b 48 f3 70-62 5f a7 79 a5 67 1d 09   h..+;H.pb_.y.g..
    0010 - 4c 15 66 48 cb c0 bb 32-17 2d c5 72 de c7 8f fb   L.fH...2.-.r....
    0020 - 94 cd 1a 48 da 1c fa b7-4e f5 a9 91 14 99 20 75   ...H....N..... u
    0030 - 06 fe 69 de 7e 3c 3f 32-29 6d 91 82 0f 72 bf f6   ..i.~<?2)m...r..
    0040 - f5 41 e5 4d 5f d3 38 4f-00 55 1d 48 6b bd ea 51   .A.M_.8O.U.Hk..Q
    0050 - 1e 28 5e 3d 42 55 e6 bc-e2 be a7 7d 44 6c 28 f0   .(^=BU.....}Dl(.
    0060 - 6f 31 ea fb 68 7d 24 ef-10 c3 49 e7 dd 23 f0 cd   o1..h}$...I..#..
    0070 - 8d a2 70 3c 84 02 98 8d-df d0 09 69 fe 0f f8 b6   ..p<.......i....
    0080 - 77 42 ea c3 d7 62 72 b1-c6 e7 61 bc b9 58 84 fd   wB...br...a..X..
    0090 - 71 d9 53 07 52 23 42 2c-6b 7b be 9e c6 13 68 2d   q.S.R#B,k{....h-

    Start Time: 1513941329
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
250 HELP

The last part of this long post is the question, how do I get the certificates automatically to MC, but i'll check this with the tools you mentioned earlier.


gr33tz

[madhopsman]

...
The first condition of my script is an existing pfx file from LE and the second an existing openSSL.exe
The script is a first draft so far, I do not like it 100% yet - but it works:

Code: Select all

cls
...


I'm not certain why you are still re-encoding the output from OpenSSL. That may be why you are still getting the issue below. You don't need to do that. You can take the cert+chain and private key files just as they are given and copy them to mailcleaner.

The SSL-Test is running now, but is it running right - could you check it - please?
I have some headache with the "unable to get local issuer certificate"-parts. Is this ok, because my openSSL doesn't have an cert for the server, isn't it?

Code: Select all

OpenSSL> s_client -connect mymx.my.externaldomain:25 -starttls smtp
...
250 HELP

The last part of this long post is the question, how do I get the certificates automatically to MC, but i'll check this with the tools you mentioned earlier.


gr33tz

I use the following code to push the certs to mailcleaner:

Code: Select all

#Allows running external commands and easily capturing output and errors
Function Execute-Command ($commandTitle, $commandPath, $commandArguments)
{
  Try {
    $pinfo = New-Object System.Diagnostics.ProcessStartInfo
    $pinfo.FileName = $commandPath
    $pinfo.RedirectStandardError = $true
    $pinfo.RedirectStandardOutput = $true
    $pinfo.UseShellExecute = $false
    $pinfo.Arguments = $commandArguments
    $pinfo.Verb = "runas";
   
    $p = New-Object System.Diagnostics.Process
    $p.StartInfo = $pinfo
    $p.Start() | Out-Null
    [pscustomobject]@{
        commandTitle = $commandTitle
        stdout = $p.StandardOutput.ReadToEnd()
        stderr = $p.StandardError.ReadToEnd()
        ExitCode = $p.ExitCode 
    }
   
    $p.WaitForExit(10000)
  }
  Catch {
     [pscustomobject]@{
     commandTitle = $commandTitle
     stdout = $error[0]
     stderr = $error[0].exception.message
     ExitCode = 1}
  }
}

        $cmd = Execute-Command -commandtitle "psftp" -commandpath "c:\LetsEncrypt\psftp.exe" -commandArguments 'root@mailcleaner -pw rootpassword -b C:\LetsEncrypt\upload.ini -bc -batch'
        if ($cmd.ExitCode -eq 0) {
            $cmd2 = Execute-Command -commandtitle "putty" -commandpath "c:\LetsEncrypt\putty.exe" -commandArguments '"root@mailcleaner" -pw rootpassword -m C:\LetsEncrypt\commands.ini'
            if ($cmd.Exitcode -ne 0) {
                #Unsuccessful.  log error found in $cmd2.stderr and handle accordingly
            }
        }
        Else {
            #Unsuccessful.  log error found in $cmd.stderr and handle accordingly
        }
 

The first Execute-Command is running psftp.exe and giving it a batch command script to upload the new cert files. This file (upload.ini) comprises of the following lines:

Code: Select all

lcd c:\LetsEncrypt
cd /usr/mailcleaner/etc/apache/certs
put fullchain.pem
put privkey.pem
quit


Obviously, change the paths as you see fit.

The second Execute-Command is running putty to restart the mailcleaner services. It's also being given a batch command file. This file (commands.ini) comprises of the following lines:

Code: Select all

/usr/mailcleaner/etc/init.d/mailcleaner restart
exit


One other item not mentioned here; in order for letsencrypt.exe (Let's Encrypt Simple Windows Client) to succeed in authorizing the host name assigned to the the mailcleaner system, I have port 80 for that IP being routed to my Exchange server. Also, if you would prefer to keep 80 closed, you can just enable when running the script and close when complete as follows:

Code: Select all

#open port 80
set-NetFirewallRule -displayname "World Wide Web Services (HTTP Traffic-In)" -action allow

#do stuff

#close port 80
set-NetFirewallRule -displayname "World Wide Web Services (HTTP Traffic-In)" -action block


Hopefully that all helps you and any others as well.

[kranzfr3d]

hi,

I just wanted to let you know - I solved all issues into my LE-cert-injection chain from MX to MC - thanks a lot. From another linux system I got "Verify return code: 0 (ok)" when checking the smtp ssl certificate. I'm going to update my earlier posts and this one after christmas writing a guidance ( ).
The cert rebuilding was because I had a "#" sign at the beginning of the SSLCertificateKeyFile-row in mailcleaner.conf_template


gr33tz & merry chrismas & thanks a lot!


EDIT:

Code: Select all

#open port 80
set-NetFirewallRule -displayname "Windows Remote Management (HTTP-In)" -action allow

#do stuff

#close port 80
set-NetFirewallRule -displayname "Windows Remote Management (HTTP-In)" -action block


I don't get a clue because firewallrule "Windows Remote Management (HTTP-In)" regards to port 5985 and not 80

[kranzfr3d]

Hi,

here are my experiences regarding my Windows 2016 with Exchange 2016 server talking to MC this way:
Step 1: get PFX with exportable private key from lets encrypt
Step 2: split the PFX into "fullchain.pem" and "privkey.pem"
Step 3: upload them both onto MC
Step 4: change the path to the uploaded certs in 4 templates onto MC (1 apache and 3 exim)
Step 5: restart MC services to update certs
Step 6: test, troubleshoot, test, troubl...

Important: the encoded certificates doesn't display correctly anymore in web-configurator after following this post.

Step 1:
Try these tools for receiving your LE-PFX (Let's encrypt PFX cert with exportable private key): Let's Encrypt Simple Windows Client or the complete powershell way with no 3rd party tool (german)

Step 2:
Use OpenSSL for Windows to extract the 2 pems we need, they receive the right format and character set (PS-codelet):

Code: Select all

& C:\tools\openSSL-1.0.2n\openssl.exe pkcs12 -in C:\sys\certs\Cert.pfx -out C:\sys\certs\fullchain.pem -nokeys -nodes -passin pass:$sourcePFX_Passphrase
& C:\tools\openSSL-1.0.2n\openssl.exe pkcs12 -in C:\sys\certs\Cert.pfx -nodes -passin pass:$sourcePFX_Passphrase -nocerts -nodes -out C:\sys\certs\privkey.pem

Step 3:
Upload the certs to MC the automatic way using PuTTy and PsFTP (BOTH downloadable here), or for testing purposes WinSCP (downloadable here)
Store the 2 pems here:
Certificate file path: /usr/mailcleaner/etc/apache/certs/fullchain.pem <- Certificate and full chain
Certificate key path: /usr/mailcleaner/etc/apache/certs/privkey.pem <- Contains only the private key
My permissions on the file are 644, automatically given by upload.

Here are the PS-codelets and additional files for the automatic way:

I use the following code to push the certs to mailcleaner:

Code: Select all

#Allows running external commands and easily capturing output and errors
Function Execute-Command ($commandTitle, $commandPath, $commandArguments)
{
  Try {
    $pinfo = New-Object System.Diagnostics.ProcessStartInfo
    $pinfo.FileName = $commandPath
    $pinfo.RedirectStandardError = $true
    $pinfo.RedirectStandardOutput = $true
    $pinfo.UseShellExecute = $false
    $pinfo.Arguments = $commandArguments
    $pinfo.Verb = "runas";
   
    $p = New-Object System.Diagnostics.Process
    $p.StartInfo = $pinfo
    $p.Start() | Out-Null
    [pscustomobject]@{
        commandTitle = $commandTitle
        stdout = $p.StandardOutput.ReadToEnd()
        stderr = $p.StandardError.ReadToEnd()
        ExitCode = $p.ExitCode 
    }
   
    $p.WaitForExit(10000)
  }
  Catch {
     [pscustomobject]@{
     commandTitle = $commandTitle
     stdout = $error[0]
     stderr = $error[0].exception.message
     ExitCode = 1}
  }
}

        $cmd = Execute-Command -commandtitle "psftp" -commandpath "c:\LetsEncrypt\psftp.exe" -commandArguments 'root@mailcleaner -pw rootpassword -b C:\LetsEncrypt\upload.ini -bc -batch'
        if ($cmd.ExitCode -eq 0) {
            $cmd2 = Execute-Command -commandtitle "putty" -commandpath "c:\LetsEncrypt\putty.exe" -commandArguments '"root@mailcleaner" -pw rootpassword -t -m C:\LetsEncrypt\commands.ini'
            if ($cmd.Exitcode -ne 0) {
                #Unsuccessful.  log error found in $cmd2.stderr and handle accordingly
            }
        }
        Else {
            #Unsuccessful.  log error found in $cmd.stderr and handle accordingly
        }
 

The first Execute-Command is running psftp.exe and giving it a batch command script to upload the new cert files. This file (upload.ini) comprises of the following lines:

Code: Select all

lcd C:\sys\certs\
cd /usr/mailcleaner/etc/apache/certs
put fullchain.pem
put privkey.pem
quit


The second Execute-Command is running putty to restart the mailcleaner services. It's also being given a batch command file. This file (commands.ini) comprises of the following lines:

Code: Select all

/usr/mailcleaner/etc/init.d/mailcleaner restart && exit

Step 4:
changing apache template - important are "SSLCertificateFile" and "SSLCertificateKeyFile". If apache doesn't start anymore, your certs are wrong:

/usr/mailcleaner/etc/apache/sites/mailcleaner.conf_template:

Code: Select all

...
    SSLCompression off

    SSLCACertificatePath __SRCDIR__/etc/apache/certs
    SSLCertificateFile __SRCDIR__/etc/apache/certs/fullchain.pem
    SSLCertificateKeyFile __SRCDIR__/etc/apache/certs/privkey.pem
__IFSSLCHAIN__  SSLCertificateChainFile  __SRCDIR__/etc/apache/certs/certificate-chain.pem
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

    RewriteEngine On
   ...


In the 3 other files you can search these strings finding them faster: "tls_certificate" and "tls_privatekey"

/usr/mailcleaner/etc/exim/exim_stage1.conf_template:

Code: Select all

...
local_interfaces = <; ::0 ; 0.0.0.0

__IF__ USETLS
tls_advertise_hosts = *
tls_certificate = /usr/mailcleaner/etc/apache/certs/fullchain.pem
tls_privatekey = /usr/mailcleaner/etc/apache/certs/privkey.pem

tls_require_ciphers = ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2
openssl_options = +no_sslv2 +no_sslv3
...


/usr/mailcleaner/etc/exim/exim_stage2.conf_template:

Code: Select all

...
smtp_accept_max = 0

__IF__ USETLS
tls_advertise_hosts = *
tls_certificate = /usr/mailcleaner/etc/apache/certs/fullchain.pem
tls_privatekey = /usr/mailcleaner/etc/apache/certs/privkey.pem

tls_require_ciphers = ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2
openssl_options = +no_sslv2 +no_sslv3
...


/usr/mailcleaner/etc/exim/exim_stage4.conf_template:

Code: Select all

...
timeout_frozen_after = 1h

__IF__ USETLS
tls_advertise_hosts = *
[b]tls_certificate = /usr/mailcleaner/etc/apache/certs/fullchain.pem
tls_privatekey = /usr/mailcleaner/etc/apache/certs/privkey.pem[/b]

tls_require_ciphers = ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2
__ELSE__ USETLS
...


Step 5:

Once you're done, simply run the following command:

Code: Select all

/usr/mailcleaner/etc/init.d/mailcleaner restart


addition:
I am against using clear passwords in scripts. That's why I'm using the tool "Command Line Encrypt" from this website.
It's probaly not the best tool with the best encryption, but at least better than plain text passwords.
For example, here is my script for exporting the pems from pfx:

Code: Select all

#PARAMETERS
    $openssl = "C:\tools\openSSL-1.0.2n\openssl.exe"
    $sourcePFX = "C:\sys\certs\Cert.pfx"
    $crypter = "C:\tools\Command Line Encrypt\Command Line Encrypt.exe"
    $LEpw = "C:\tools\Command Line Encrypt\encryptedLEpwFile"
    $sec = "somePresharedSecretForEncryptedLEpwFileToDecrypt"
    $tmpfile = "C:\tools\encryptedLEpwFile\tempFileWithDecryptedPassword"
    $certfullOutfile = "\\somepath\certs\fullchain.pem"
    $privkeyOutfile = "\\somepath\certs\privkey.pem"

# check and execute script only if PFX file exists
    if (Test-Path $sourcePFX) {

# Read in PFX-PW
        & $crypter -decrypt -infile $LEpw -key $sec -outfile $tmpfile | Out-Null
        $sourcePFX_Passphrase = Get-Content $tmpfile
# delete tmpfile
        $deletePath = $tmpfile
        if (Test-Path $deletePath) {
            Remove-Item $deletePath
        }
# extract individual certificates from PFX
        & $openssl pkcs12 -in $sourcePFX -out $certfullOutfile -nokeys -nodes -passin pass:$sourcePFX_Passphrase
        & $openssl pkcs12 -in $sourcePFX -nodes -passin pass:$sourcePFX_Passphrase -nocerts -nodes -out $privkeyOutfile
    }


Step 6:
If the apache is up again, you can test your browser cert the usual way.
For example, to test your exim cert, you can use a different linux system this way:
Please don't forget to enable SSL/TLS in Configuration --> SMTP --> TLS/SSL

Code: Select all

OpenSSL> s_client -connect mymx.my.externaldomain:25 -starttls smtp

The return codelets you need are

Code: Select all

Secure Renegotiation IS supported

and

Code: Select all

Verify return code: 0 (ok)

Alternativly, you can visit Checktls.

I hope I have not forgotten a step, could you please check that madhopsman


gr33tz

[madhopsman]

...
I don't get a clue because firewallrule "Windows Remote Management (HTTP-In)" regards to port 5985 and not 80

Oops. Bad Copy/Paste. Fixed.

I hope I have not forgotten a step, could you please check that madhopsman
gr33tz

Looks good to me. I guess the test is someone else trying it and letting us know what the results are.