I'm using Let's Encrypt's SSL. Website is working fine with HTTPS. But If I try to use those certificates in SMTP server I'm getting this error. When I test SMTP settings with postal test-app-smtp [email protected] it gives following:
Error: OpenSSL::SSL::SSLError (SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A)
or
Error: Errno::ECONNRESET (Connection reset by peer - SSL_connect)
Here is related config from postal.yml
smtp_server:
port: 2525
tls_enabled: true
tls_certificate_path: /etc/letsencrypt/live/postal.mydomain.com/fullchain.pem # I used chown -R postal:postal /etc/letsencrypt/live/postal.mydomain.com to ensure permission
tls_private_key_path: /etc/letsencrypt/live/postal.mydomain.com/privkey.pem
proxy_protocol: false
log_connect: true
strip_received_headers: false
If I disable tls, email is sending fine. But that means emails are sending in plain text right?
I've googled a lot and tried to add these lines into SMTP settings.
tls_ciphers:
ssl_version: TLSv1
Also tried to change tls_ciphers, ssl_version into many different combinations no luck. I assume postal is not recognizing the value of ssl_version.
Ok, got it working! Full details coming soon.
Edit: Solution
First I noticed Let's Encrypt's generated certificates require root permission to access and had to
chown -R postal:postal /etc/letsencrypt/live/postal.mydomain.com
But this wasn't enough, /etc/letsencrypt/live/postal.mydomain.com is actually symlink of /etc/letsencrypt/archive and you have to
chown -R postal:postal /etc/letsencrypt/archive
folder too. But apparently it didn't work for me (I guess lol.. forgot it was enough or not). I ended up using
chown -R postal:postal /etc/letsencrypt
entire letsencrypt folder. It worked for me. I wasted long enough time googling on error
Error: OpenSSL::SSL::SSLError (SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A)
After you configure your letsencrypt certificate in postal.yml You will encounter another error:
Error: OpenSSL::SSL::SSLError (hostname "127.0.0.1" does not match the server certificate)
You have to change:
smtp:
# Specify an SMTP server that can be used to send messages from the Postal management
# system to users. You can configure this to use a Postal mail server once the
# your installation has been set up.
host: 127.0.0.1 to -> your postal address like postal.domain.com to get certificate working.
...
Good spot, glad you figured it out.
Its very easy to accidentally remove the /etc/letsencrypt folder so we keep a backup copy at /organisation/letsencrypt and reference that from the config which works and bypasses the permission issue.
I'm not sure how well the permission change you have made will work when the certificates get renewed in a few months but you'll probably get emailed if the renew fails and can fix it in time.
Oh yea, I also wonder what will happen when certificates renews. Preferred way to implement this is maybe make copy of it and use it, but making a copy and automating it was another job to do..
For your reference, it is a matter of amending the /etc/cron.d/certbot file to copy the updated folder to your location of choice.
Ok, got it working! Full details coming soon.
Edit: Solution
First I noticed Let's Encrypt's generated certificates require root permission to access and had to
chown -R postal:postal /etc/letsencrypt/live/postal.mydomain.comBut this wasn't enough,
/etc/letsencrypt/live/postal.mydomain.comis actually symlink of/etc/letsencrypt/archiveand you have tochown -R postal:postal /etc/letsencrypt/archivefolder too. But apparently it didn't work for me (I guess lol.. forgot it was enough or not). I ended up using
chown -R postal:postal /etc/letsencryptentire letsencrypt folder. It worked for me. I wasted long enough time googling on error
Error: OpenSSL::SSL::SSLError (SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A)After you configure your letsencrypt certificate in
postal.ymlYou will encounter another error:Error: OpenSSL::SSL::SSLError (hostname "127.0.0.1" does not match the server certificate)You have to change:
smtp: # Specify an SMTP server that can be used to send messages from the Postal management # system to users. You can configure this to use a Postal mail server once the # your installation has been set up. host: 127.0.0.1 to -> your postal address like postal.domain.com to get certificate working. ...
i faced the same issue how have you manage to fix the
Error: OpenSSL::SSL::SSLError (SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A)
I've successfully done the postal website of the house with LE. How do we deal with the fast_server? Nginx is not listening to second IP so I'm good there. I'm just lost because it is domain specific and I haven't found anything on this yet. Any help would be greatly appreciated.
Fast server is not related to nginx. Fast server issues Let's Encrypt certificate for its own usage on its own.
thanks, no I get that part. But if you look at the code section they have an example where you put in the LE path for the fast server.when I look at the log I see:
# Logfile created on 2019-09-17 22:57:48 -0400 by logger.rb/56438
[6664] [2019-09-17T22:57:48.535] INFO -- : Successfully registered private key with address XXXXXX
[worker.12:6242] [2019-09-17T23:00:01.124] INFO -- : Attempting verification of XXXXXXX.com
[worker.12:6242] [2019-09-17T23:00:03.631] INFO -- : Status was not valid (was: invalid)
[worker.12:6242] [2019-09-17T23:00:04.763] INFO -- : Attempting verification of track.XXXXXXX.com
[worker.12:6242] [2019-09-17T23:00:06.508] INFO -- : Status was not valid (was: invalid)
[worker.8:3386] [2019-09-18T23:15:01.337] INFO -- : Attempting verification of track.XXXXXXX.com
[worker.8:3386] [2019-09-18T23:15:02.596] INFO -- : Status was not valid (was: invalid)
[worker.8:3386] [2019-09-18T23:15:03.734] INFO -- : Attempting verification of track.XXXXXXX.com
[worker.8:3386] [2019-09-18T23:15:05.294] INFO -- : Status was not valid (was: invalid)
[4990] [2019-09-18T23:40:56.584] INFO -- : Attempting verification of track.XXXXXXX.com
[4990] [2019-09-18T23:40:58.167] INFO -- : Status was not valid (was: invalid)
[4990] [2019-09-18T23:40:58.667] INFO -- : Attempting verification of track.XXXXXXX.com
[4990] [2019-09-18T23:41:00.052] INFO -- : Status was not valid (was: invalid)
root@vps258001:/opt/postal/log#
example code is:
fast_server:
enabled: false
bind_address:
# Set appropriate IP addresses to listen on. These should be dedicated IP
# addresses just used for this server. You should list IPv4 and IPv6 addresses
# as appropriate.
# - 1.2.3.4
# - abcd:a:b:c:d::1
port: 80
ssl_port: 443
proxy_protocol: false
default_private_key_path: # Defaults to config/fast_server.key
default_tls_certificate_path: # Defaults to config/fast_server.cert
above is located: postal/config/postal.defaults.yml
dns is valid, just fyi
@sergioloera If you do not have a dedicated IP for fast_server please consider reading this #321 for sample config. This is the necessary section of your main postal.yml:
fast_server:
enabled: true
bind_address: YOUR_INTERNAL_IP_HERE
# Set appropriate IP addresses to listen on. These should be dedicated IP
# addresses just used for this server. You should list IPv4 and IPv6 addresses
# as appropriate.
# - 1.2.3.4
# - abcd:a:b:c:d::1
ssl_port: 443
default_private_key_path: # Defaults to config/fast_server.key
default_tls_certificate_path: # Defaults to config/fast_server.cert
@igerzog thanks but that's not what I was asking. I do have the second dedicated IP and ports open and nginx not listening to it. I was more confused about setting the "Defaults to config/fast_server.key/cert".
For those that over think it, like I did. You don't need it. Stick to the basics lol here's what worked for me
fast_server:
enabled: true
bind_address: YOUR_SECOND_IP
then you'll want to make sure to stop postal (not restart) and then start again. Once I did that just delete the tracking domain you setup and recreate it. SSL/LE will provision.
Ok, I see 馃槉 So the default paths should be changed to LE if it is necessary to handle fast_server.cert regular updates for some purposes.
Sorry for continuing to resurrect this old thread, I believe setting the default certificate effectively allows you to give a valid certificate for the base tracking domain (i.e. track.postal.yourorganisation.com) but I can't think of many benefits for doing so.
Postal uses Lets Encrypt to cover all the endpoints specified in the UI so the base one is accessible but not actually going to do anything other than hello.
Presumably you could apply a certificate if you wanted to monitor your fast server externally with web requests and weren't already monitoring the Postal processes.
Most helpful comment
Ok, got it working! Full details coming soon.
Edit: Solution
First I noticed Let's Encrypt's generated certificates require root permission to access and had to
But this wasn't enough,
/etc/letsencrypt/live/postal.mydomain.comis actually symlink of/etc/letsencrypt/archiveand you have tofolder too. But apparently it didn't work for me (I guess lol.. forgot it was enough or not). I ended up using
entire letsencrypt folder. It worked for me. I wasted long enough time googling on error
After you configure your letsencrypt certificate in
postal.ymlYou will encounter another error:You have to change: