Resolved
0 votes
Hi, I'm looking for advice to improve my current setup. Cause it's not ideal and probably stupid from a professional's point of view. Thank you so much for your thoughts!

This is the situation:
I host two hobby-related websites at home, as well as a mailserver and owncloud for my wife and kids and me. I access those on resp. https://mail.mydomainhere.com and https://www.mydomainhere.com/owncloud.
I decided a long time ago to do that on two different VMs (now on COS7) on an ESXi host. At that time I wanted to separate my private stuff (mail + owncloud) from publicly accessible stuff (both websites), because of security and because the websites are rather static and I wish to backup my private data way more often. I can now do that easily by taking that VM offline and copying it.

This is the routing:
I'm not incredibly experienced, I do my best to learn, but long ago I figured to separate traffic in my router, which has a static outside IP. I set port 80 to go to the VM #1 with the websites, and port 8080 to go to the VM #2 with the mailserver and owncloud. This was probably not very professional :-)

Problem 1:
The actual problems I have with this setup are twofold. The first is with Letsencrypt. I could only get that up and running on VM #1, because it needs traffic to http://www.mydomainhere.com to verify and create the certificate for https://www.mydomainhere.com. So every two months when Letsencrypt has refreshed the certificate on VM #1, I have to sit down and copy the fresh certificate files from VM #1 to #2, where I actually send https traffic, and integrate that into VM #2's configuration. That's a waste of time and of course due to my own earlier choices. But how can I improve this situation, what's the proper thing to do in this case?

Problem 2:
The second problem is that I think the certificate isn't working perfectly either. After each two-monthly transportation, I have to re-accept the Letsencrypt certificate on all my e-mail clients (on both desktop and mobile devices). The certificate seems OK, the new date is correct etc., but apparently not as good as the clients would like it to be in order to accept it right away. How do I figure out what the problem is there, and can it be related to my setup with separated http and https machines? Or is that due to Letsencrypt being a free service? Moreover, on the Android gmail app from Google I cannot even accept my own certificate at all. There's nothing I can do to make it work with my renewed certificate on my mailserver.

Thank you for helping out!

Wouter
Wednesday, February 12 2020, 04:16 PM
Responses (20)
  • Accepted Answer

    Thursday, February 20 2020, 08:02 PM
    Resolved
    0 votes
    Richard George wrote:

    Nick; I've UNsubscribed from the discussion as it's been solved, but I'm still getting email notifications. There's something not right! - the button in the OP says 'subscribe ..' so I shouldn't be getting them.
    I'll ping the website people, but don't get your hopes up.
  • Accepted Answer

    Thursday, February 20 2020, 06:57 PM
    Resolved
    0 votes
    Nick; I've UNsubscribed from the discussion as it's been solved, but I'm still getting email notifications. There's something not right! - the button in the OP says 'subscribe ..' so I shouldn't be getting them.
  • Accepted Answer

    Thursday, February 20 2020, 06:15 PM
    Resolved
    0 votes
    Odd, some of the operations on the symlinks should affect the underlying files and recursive (-R) operations on /etc/letsencrypt/live should have gone down through the folders and operated on the symlink targets. Also, because they are done at the /etc/letsencrypt/live/ level they should operate on all domains.
  • Accepted Answer

    Thursday, February 20 2020, 05:51 PM
    Resolved
    0 votes
    Woohoo, I got it up and running, thanks to all of you! I really appreciate it!!

    I indeed had to change the certificate configuration, I still had the old key files referenced instead of the new Letsencrypt certificate for my mailserver.
    I followed this guide for the Cyrus part, but had to tailor it a bit for my needs.

    First of all, after doing this part:
    echo '#!/bin/sh' > /var/clearos/events/lets_encrypt/cyrus-imapd
    echo >> /var/clearos/events/lets_encrypt/cyrus-imapd
    echo 'sleep 10' >> /var/clearos/events/lets_encrypt/cyrus-imapd
    echo >> /var/clearos/events/lets_encrypt/cyrus-imapd
    echo 'systemctl condrestart cyrus-imapd.service' >> /var/clearos/events/lets_encrypt/cyrus-imapd
    chmod 0755 /var/clearos/events/lets_encrypt/cyrus-imapd

    I had to repeat the last line separately cause it threw an error at first. The file was generated just fine.

    Secondly, where it says:
    chown root:ssl-cert /etc/letsencrypt/live /etc/letsencrypt/archive
    chmod 0750 /etc/letsencrypt/live /etc/letsencrypt/archive

    I had to extend those 4 paths with /mail.<mydomain.com>

    Last but not least, I had to do some things extra:
    chown root:ssl-cert /etc/letsencrypt/archive/mail.<mydomain.com>/privkey1.pem -R
    chmod g+r /etc/letsencrypt/archive/mail.<mydomain.com>/privkey1.pem -R

    cause in my case the certificate files in the live folder appear to be just links to those files under the archive path. With only the commands from the guide (that take care of the files in the live folder) it wasn't working.

    So, just to be complete, I didn't follow the webroot update process that Richard proposed. Not to say that any way is better than the other or something.
    Now Android's gmail isn't complaining anymore.
    We'll see if everything keeps running fine when my certificates renew themselves in April (web) and May (mail). Fingers crossed.

    Thanks again everyone!
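    The permission fix the poster needed on the archive files, written as an added example (not from the thread, the howto or ClearOS): because the entries under /etc/letsencrypt/live/<domain> are symlinks into /etc/letsencrypt/archive/, and GNU chmod/chown skip symlinks they meet during a recursive (-R) walk, the fix has to resolve each link and change its target. The group name ssl-cert and the four file names are assumptions taken from the commands quoted above.

```shell
#!/bin/sh
# Added example, not from the thread or from ClearOS.  Grants a service
# group read access to the files that the symlinks in
# /etc/letsencrypt/live/<domain>/ point to.  Note: GNU chmod and chown
# change the target of a symlink named on the command line but IGNORE
# symlinks met while recursing, so "chmod -R g+r /etc/letsencrypt/live"
# never reaches the archive files.  Resolving each link first avoids that.

# resolve_target PATH: print the final target of a symlink (or PATH itself
# for a regular file); fails if nothing exists there (dangling link).
resolve_target() {
    [ -e "$1" ] || return 1
    readlink -f "$1"
}

# fix_key_perms LIVE_DOMAIN_DIR [GROUP]
# Makes the *targets* of the four PEM files group-readable, strips all
# "other" access from the private key, and (if GROUP is given, needs root)
# changes the key's group.  Prints each target it touched.
fix_key_perms() {
    live="$1"; group="${2:-}"
    for f in privkey.pem fullchain.pem cert.pem chain.pem; do
        target=$(resolve_target "$live/$f") || {
            echo "no such file: $live/$f" >&2; return 1; }
        chmod g+r "$target" || return 1
        echo "$target"
    done
    key=$(resolve_target "$live/privkey.pem") || return 1
    chmod o-rwx "$key" || return 1          # private key: group-only, never world
    if [ -n "$group" ]; then
        chgrp "$group" "$key" || return 1   # e.g. ssl-cert (assumed group name)
    fi
    return 0
}

# target_is_group_readable PATH: true when the resolved file has the group
# read bit set and no "other" bits at all (what a service key should look like).
target_is_group_readable() {
    t=$(resolve_target "$1") || return 1
    perms=$(ls -ld "$t" | cut -c1-10)
    case "$perms" in
        ????r??---) return 0 ;;
        *)          return 1 ;;
    esac
}

# Usage on the real box (assumed paths):
#   fix_key_perms /etc/letsencrypt/live/mail.example.com ssl-cert
```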
  • Accepted Answer

    Thursday, February 20 2020, 10:13 AM
    Resolved
    0 votes
    Please check the Let's Encrypt howto, especially the bit about changing permissions on your key. Let us know if this fixes the issue.

    [edit]
    Also are your certificate renewals up to date?
    [/edit]
  • Accepted Answer

    Thursday, February 20 2020, 07:38 AM
    Resolved
    0 votes
    It's the file that lives in /etc/letsencrypt/renewal, but it's doubtful what I've done will fix your problem - if the gmail client app is saying a valid LetsEncrypt certificate is untrusted, then there's not much you can do other than use a different mail client. Are you sure that it's the LE certificate that it's complaining about?
  • Accepted Answer

    Wednesday, February 19 2020, 10:18 PM
    Resolved
    0 votes
    Thank you everyone, I got it up and running. Mailserver and owncloud are accessible in my proposed configuration.
    The Owncloud error I mentioned earlier was easily solved by editing the config.php to reflect the changed subdomain, after all it is now on mail. instead of www.

    Just for the certificates, when I use the Android gmail app to create an account to my own mailserver, it throws an error. It shows the correct Letsencrypt certificate with its future expiry dates as hosted by the webserver but says it cannot be trusted.

    Richard, is what you have written down below a solution for that problem? If so, what file is that exactly?
    Richard George wrote:
    [..]
    Having said that, I do use LetsEncrypt certificates in the mail server - that's where the use of the webroot update option comes in. You define the LetsEncrypt config file on VM #2 to use webroot rather than the standalone webserver (which is what the default is). The LetsEncrypt end of things then checks that it can see a webserver on port 80 (which it can because of the webserver in VM #1), and issues a certificate via port 80, which gets passed on to the LetsEncrypt client making the request by ProxyPass - that gets stored and "Bob's your uncle".

    It works here ...

    Relevant part of the mail.xxx.xxx.xxx.conf file on the mail server ...

    [renewalparams]
    authenticator = webroot
    account = xxxx
    server = xxxx
    [[webroot_map]]
    mail.xxx.xxx.xxx = /var/www/html
  • Accepted Answer

    Wednesday, February 19 2020, 06:13 PM
    Resolved
    0 votes
    Or will it cause a problem with the IMAP/SMTP certificates if I go that route?

    Not at all. The IMAP/SMTP certificates are completely separate from the webserver ones in your VM #1 - indeed they don't need to be anything other than the self-created certificates. Once you've accepted them into your clients, the fact they are self-generated is irrelevant. Your email client won't complain, nor will other SMTP servers that yours might connect to; all they are interested in is that your server is authentic (ie not a spam source).

    No, the only certificates that actually need to be signed (by LetsEncrypt) are those used on port 443 in your webserver in VM #1 so that web browsers don't complain. Connections to webmail (via ProxyPass) see the LetsEncrypt certificates held in the VM #1 webserver, not those on the mail server.

    Having said that, I do use LetsEncrypt certificates in the mail server - that's where the use of the webroot update option comes in. You define the LetsEncrypt config file on VM #2 to use webroot rather than the standalone webserver (which is what the default is). The LetsEncrypt end of things then checks that it can see a webserver on port 80 (which it can because of the webserver in VM #1), and issues a certificate via port 80, which gets passed on to the LetsEncrypt client making the request by ProxyPass - that gets stored and "Bob's your uncle".

    It works here ...

    Relevant part of the mail.xxx.xxx.xxx.conf file on the mail server ...

    [renewalparams]
    authenticator = webroot
    account = xxxx
    server = xxxx
    [[webroot_map]]
    mail.xxx.xxx.xxx = /var/www/html
  • Accepted Answer

    Wednesday, February 19 2020, 04:56 PM
    Resolved
    0 votes
    Nick Howitt wrote:

    There is no problem having your router forward ports 80 and 443 to VM1 and mail ports to VM2. The problem is the certificate renewal if you use Let's Encrypt for mail. The renewal process needs port 80 to be forwarded to the machine doing the renewal and it can only be forwarded to one machine. Using ProxyPass allows VM1 to forward subdomain requests on port 80/443 to VM2. This way both machines can run their own Let's Encrypt certificates and you don't have to worry about only one machine doing the renewal then distributing the certificates.

    Hi Nick,

    Thank you. You're basically confirming what I proposed will work, right?

    About the posting, I really wonder what happened. I was logged in with my usual username deechtewber, but my own previous posts were accompanied by the text "offline". As if I was logged in under a different name, but only I wasn't. If I look below in the thread to the post of Monday, February 17 2020, 12:42 PM, which wasn't mine, if I click on the avatar, it leads to my own profile page. Isn't that weird?

    Thanks for moderating everything Nick!
  • Accepted Answer

    Wednesday, February 19 2020, 03:03 PM
    Resolved
    0 votes
    There is no problem having your router forward ports 80 and 443 to VM1 and mail ports to VM2. The problem is the certificate renewal if you use Let's Encrypt for mail. The renewal process needs port 80 to be forwarded to the machine doing the renewal and it can only be forwarded to one machine. Using ProxyPass allows VM1 to forward subdomain requests on port 80/443 to VM2. This way both machines can run their own Let's Encrypt certificates and you don't have to worry about only one machine doing the renewal then distributing the certificates.
  • Accepted Answer

    Wednesday, February 19 2020, 02:48 PM
    Resolved
    0 votes
    @Wouter, for some reason your replies were moderated. Is it the first time you've posted on this account? I'll delete your duplicate posts. I am rejecting your other tests.
  • Accepted Answer

    Monday, February 17 2020, 12:05 PM
    Resolved
    0 votes
    Sounds like you're trying to do what I've done ...

    In my case, 2 physical servers (COS7), one running a VM as a mail server. One of the servers is running as a file server and Nextcloud server, the other as the DHCP/DNS/VirtualBox host, along with a ProxyPass server. The gateway is a cable router with static IP, built-in dhcp server turned off - and acting as the gateway to the internet .. and the IMAP/SMTP/ICAL sent direct to the VM mailserver (bridged network address). HTTP/HTTPS accesses are sent to the ProxyPass for distribution. These include webmail/iPhone accesses (as they appear to go via port 80). ProxyPass takes care of the mail/Nextcloud accesses (different servers) via port 80/443.

    The ProxyPass webserver is setup with LetsEncrypt certificates (using default settings).
    Mailserver LetsEncrypt certificate .. IMAP/SMTP have their own certificates .. these are provided using the webroot configuration rather than the default .. mainly because the port 80 access goes via the ProxyPass server and so the webserver side of the mailserver is not directly visible from outside .. but as the LetsEncrypt accesses can be made via the ProxyPass, it works.
  • Accepted Answer

    Sunday, February 16 2020, 08:24 PM
    Resolved
    0 votes
    ClearOS (along with a lot of firewalls) is not brilliant at redirecting traffic from the LAN to its WAN interface and back in. Whatever is used as the DNS resolver on your LAN should resolve mail.mydomain.com to a LAN IP.
  • Accepted Answer

    Sunday, February 16 2020, 07:44 PM
    Resolved
    0 votes
    Hi Nick,

    Thank you again.
    With forwarding the port at the gateway, you mean setting it in the port forwarding app, right? Or something else?

    When you say that my dns server needs to resolve the mail subdomain to the LAN IP of the mailserver, you mean within the VM #1 webserver, am I right? I do not run a separate dns server in my LAN.

    And why is that needed? If I set the port forwarding for port 993 to the LAN IP of my mailserver, why do I need to do that?

    Thanks for your comments (Marcel as well) on the billing. We'll see in 2021 :-)
  • Accepted Answer

    Sunday, February 16 2020, 05:49 PM
    Resolved
    0 votes
    Wouter Smit wrote:
    Side note: proxy pass costs €15, but per what? Year I presume? Is there a standard billing period of 1yr for subscriptions?


    I think it is indeed a billing period of 1 year. A bit strange this is not mentioned when purchasing the app.
  • Accepted Answer

    Sunday, February 16 2020, 05:48 PM
    Resolved
    0 votes
    ProxyPass is a one-off payment.

    For IMAP for external access, you should just port forward at the gateway. Do not open the incoming port on the gateway. You can track the packets with tcpdump with something like:
    tcpdump -nn -i your_interface port 993
    You can have multiple windows, one running on your WAN port, one on your LAN port and one on your mail server. For internal access, in your DNS server, you need to set your mail server name to point to your mailserver LAN IP. E.g. if you have your e-mail client configured to point to mail.mydomain.com, externally it should resolve to your WAN IP and internally you put it in your DNS server so it resolves to your mail server's LAN IP.

    I have little idea about Owncloud and may need the exact message. I am a Nextcloud user but it is on my gateway.
  • Accepted Answer

    Sunday, February 16 2020, 04:20 PM
    Resolved
    0 votes
    Hi Nick,

    I've successfully installed and configured proxypass on my VM #1. I've set it to reverse proxy the traffic to subdomain mail.mydomain.com to my VM #2. I've changed the port forwarding in my router for https (443) and IMAP SSL (993) to go to VM #1. It works, I was able to get a new letsencrypt certificate on VM #2 and can access a test site on my VM #2 as well as mail.mydomain.com/owncloud.

    It feels much better this way.

    I still have two problems though.
    1) I can't access my imap server on VM #2. I figured proxypass wouldn't handle port 993, so I installed the COS port forwarding app. And set it to send 993 to the IP of my VM #2. But it doesn't work. Email clients say the server cannot be reached. I've tried opening up port 993 in the firewall as well as disabling the firewall. How can I find out where traffic is getting stuck?

    2) The Owncloud site shows, but it throws an error about being reached from an unknown location. I don't know the exact message and I reverted my steps yesterday cause I ran out of time.

    Side note: proxy pass costs €15, but per what? Year I presume? Is there a standard billing period of 1yr for subscriptions?
  • Accepted Answer

    Thursday, February 13 2020, 07:17 PM
    Resolved
    0 votes
    If you set one server as the gateway and the other behind it and use the ProxyPass app, you can probably achieve what you want but each server would have to look after its own certificates. You'd need the ProxyPass app to allow the web server (Let's Encrypt runs its own mini webserver) to run on both servers, otherwise you still have the certificate distribution issue.
  • Accepted Answer

    Thursday, February 13 2020, 05:05 PM
    Resolved
    0 votes
    Hi Nick, thank you so much for your reply. I did no special thing on my certificate to enable it for e-mail. I'll follow these steps.

    Nevertheless, wouldn't it be possible to get my router out of the equation, have all traffic on port 80, 8080 and the e-mail ports come in on VM #1, handle all the certificate stuff on VM #1, and only serve the contents of my mail. and owncloud. subdomains from VM #2? That would make a lot of things easier, no? I just have the feeling no-one in the world would have arranged things like I did.

    Thank you!
  • Accepted Answer

    Wednesday, February 12 2020, 04:57 PM
    Resolved
    0 votes
    Have a look at the Let's Encrypt HowTo for ideas. You should be able to put something into a file in /var/clearos/events/lets_encrypt which will fire every time the certificates are renewed. In that file you could scp or rsync the files from /etc/letsencrypt/live/{your_domain} over to your new box but be a bit careful as they are currently symlinks and you want to transfer the files across. The same job should be able to reload httpd or webconfig with something like:
    ssh root@other_box systemctl reload httpd webconfig
    For this to work best, you should set up ssh keys so one box trusts the other. It is not so easy to embed passwords into rsync or ssh commands.

    If Dave were to do it, he'd do it in two parts: rsync the files across into a staging area, then, on the other box, have something to move them into the right place and restart the services.

    If you have to manually accept certificates in mail clients then something is wrong. I had to update the howto last September as the underlying app, certbot (which is out of our control), changed how keys were handled and you now need to update the permissions on the latest key. Once done, it will carry forward on renewal. Check this and also check you have implemented correctly in your mail apps. I never have to re-accept my certificates.
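    The two-part renewal hook sketched in the reply above, written out as an added example (not from the thread, the howto or ClearOS): part 1 runs on the renewing box, copies the contents of the live/ symlinks rather than the links themselves and ships them to a staging directory on the other box; part 2 runs there, refuses a half-transferred set, moves the files into place and reloads the services. The remote path /var/lib/cert-staging, the service names and the use of rsync over key-based ssh are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from ClearOS.  A renewal hook in
# two parts: stage+push on the box that renews, install+reload on the box
# that serves mail.  Paths, hostnames and service names are assumptions.

CERT_FILES="privkey.pem fullchain.pem cert.pem chain.pem"

# stage_certs LIVE_DIR STAGING_DIR: copy the PEM files following symlinks
# (cp -L), so regular files arrive instead of links that would dangle on a
# box that has no /etc/letsencrypt/archive of its own.
stage_certs() {
    live="$1"; staging="$2"
    mkdir -p "$staging" || return 1
    for f in $CERT_FILES; do
        [ -e "$live/$f" ] || { echo "missing $live/$f" >&2; return 1; }
        cp -L "$live/$f" "$staging/$f" || return 1
    done
    chmod 0640 "$staging/privkey.pem"   # key never world-readable in transit
    return 0
}

# is_plain_file PATH: a regular file that is not a symlink.
is_plain_file() { [ -f "$1" ] && [ ! -L "$1" ]; }

# push_certs LIVE_DIR USER@HOST: part 1.  Stages locally, then rsyncs the
# staged copies over ssh (key-based login, so no password to embed).
push_certs() {
    tmp=$(mktemp -d) || return 1
    stage_certs "$1" "$tmp" || { rm -rf "$tmp"; return 1; }
    rsync -a "$tmp/" "$2:/var/lib/cert-staging/"   # assumed remote path
    rc=$?; rm -rf "$tmp"; return $rc
}

# install_certs STAGING_DIR DEST_DIR: part 2, run on the receiving box.
# Checks that the whole set is present before touching DEST_DIR, moves the
# files in (a rename on the same filesystem is atomic), then reloads the
# services that still hold the old certificate.
install_certs() {
    staging="$1"; dest="$2"
    for f in $CERT_FILES; do
        is_plain_file "$staging/$f" || { echo "incomplete set in $staging" >&2; return 1; }
    done
    mkdir -p "$dest" || return 1
    for f in $CERT_FILES; do
        mv "$staging/$f" "$dest/$f" || return 1
    done
    if command -v systemctl >/dev/null 2>&1; then
        systemctl reload httpd webconfig
        systemctl condrestart cyrus-imapd.service   # assumed service name
    fi
    return 0
}

# Usage (assumed hosts/paths):
#   box 1: push_certs /etc/letsencrypt/live/mail.example.com root@mailbox
#   box 2: install_certs /var/lib/cert-staging /etc/pki/tls/letsencrypt
```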