SSL Certificate Problem Unable to get Local Issuer Certificate – Vestacp Exim4 And Dovecot

byOri Grata •أغسطس 24, 2021

0

Dalam proses configurasi mail server pada vestacp hal paling penting sekali untuk diaktifkan adalah SSL/TLS. Namun banyak kendala yang bagi untuk melakukan configurasinya

Berikut kami berikan tips dan trik agar sukses melakukan configurasi Mail Server Exim4 Pada Vesta CP

Misalkan domain utama kita adalah origrata.com

Serta alamat SMTP mail server adalah mail.origrata.com

Maka langkah langkah yang harus dilakukan adalah:

memberikan sertifikat SSL pada subdomain mail.origrata.com bisa menggunakan ssl gratis dari letsencrypt. Setelah selesai memberikan Sertifikat SSL maka secara otomatis akan tercipta 3 buah file yang terdapat pada:

           /home/admin/conf/web/ssl.mail.origrata.com.crt
           /home/admin/conf/web/ssl.mail.origrata.com.key
           /home/admin/conf/web/ssl.mail.origrata.com.pem

Pastikan hak akses ssl sertifikatnya 664

root@mail:/home/admin/conf/web# chmod 664 ssl.mail.origrata.com.*

Melakukan perubahan hostname server vestacp ke mail.origrata.com dan meminta ke provider agar IP Public Server diarahkan PTR Recordnya ke mail.origrata.com

Menghapus file certificate.crt dan certificate.key pada folder /usr/local/vesta/ssl/

cd /usr/local/vesta/ssl

$ rm certificate.crt certificate.key

Membuat symbol link certifacte SSL dari hasil generate SSL letsencrypt pada mail.origrata.com ke folder /usr/local/vesta/ssl

cd /usr/local/vesta/ssl/

ln -s /home/admin/conf/web/ssl.mail.origrata.com.pem certificate.crt

ln -s /home/admin/conf/web/ssl.mail.origrata.com.key certificate.key

Perhatikan tulisan warna merah dengan extention .pem untuk membuat certificate.crt

mendaftarkan sertifkat terhadap configurasi exim4 dan dovecot pada vestacp

nano /etc/exim4/exim4.conf.template selanjut cari tulisan seperti dan rubah seperti dibawah

tls_advertise_hosts = *

tls_certificate = /usr/local/vesta/ssl/certificate.crt

tls_privatekey = /usr/local/vesta/ssl/certificate.key

nano /etc/dovecot/conf.d/10-ssl.conf Selanjut sesuaikan dengan yang di bawah

ssl = yes

ssl_cert = </usr/local/vesta/ssl/certificate.crt

ssl_key = </usr/local/vesta/ssl/certificate.key

#tls_certificate = /usr/local/vesta/ssl/certificate.crt

#tls_privatekey = /usr/local/vesta/ssl/certificate.key

Setelah berhasil melakukan perubahan file selanjutnya Restart Vesta, exim4 dan dovecot dengan comandline di bawah

service vesta restart

service exim4 restart

service dovecot restart

Lakukan Pengujian pada situs

https://www.checktls.com/TestReceiver

seconds	test stage and result
[000.000]	DNS LOOKUPS
[000.000]	created RESOLVER
[000.004]	NS	10.132.36.231
[000.004]	MX	(10) mail.origrata.com
[000.006]	A-->origrata.com	103...*
[000.008]	_mta-sts[TXT]	v=STSv1
[000.008]	_mta-sts[TXT]	id=20210822204131
[000.010]	_smtp._tls[TXT]	v=TLSRPTv1
[000.011]	_smtp._tls[TXT]	rua=mailto:[email protected]
[000.013]	A-->mail.origrata.com	103...*
[000.013]	primary	mail.origrata.com
[000.013]	primary-->type	MX
[000.013]	primary-->DNSSEC?	no
[002.763]	MTA-STS policy-->version	STSv1
[002.763]	MTA-STS policy-->mode	testing
[002.763]	MTA-STS policy-->max_age	604800
[002.763]	MTA-STS policy-->mx	mail.origrata.com
[002.763]	mail.ioscloud.co.id	MTA-STS OK

seconds		test stage and result
[000.000]		Trying TLS on mail.origrata.com[103...*:25] (10)
[000.239]		Server answered
[001.425]	<‑‑	220 mail.origrata.com ESMTP Exim 4.90_1 Ubuntu Mon, 23 Aug 2021 23:21:59 +0700
[001.425]		We are allowed to connect
[001.426]	‑‑>	EHLO www11-do.CheckTLS.com
[001.664]	<‑‑	250-mail.origrata.com Hello www11-do.checktls.com [167.71.160.115] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-CHUNKING 250-STARTTLS 250 HELP
[001.664]		We can use this server
[001.664]		TLS is an option on this server
[001.664]	‑‑>	STARTTLS
[002.618]	<‑‑	220 TLS go ahead
[002.619]		STARTTLS command works on this server
[003.737]		Connection converted to SSL
		SSLVersion in use: TLSv1_2
		Cipher in use: ECDHE-RSA-AES256-GCM-SHA384
		Perfect Forward Secrecy: yes
		Certificate #1 of 4 (sent by MX):
		Cert signed by: #2
		Cert VALIDATED: ok
		Cert Hostname VERIFIED (mail.origrata.com = mail.origrata.com \| DNS:mail.origrata.com)
		Not Valid Before: Aug 20 01:42:32 2021 GMT
		Not Valid After: Nov 18 01:42:31 2021 GMT
		subject= /CN=mail.origrata.com
		issuer= /C=US/O=Let's Encrypt/CN=R3
		Certificate #2 of 4 (sent by MX):
		Cert signed by: #3, #4
		Cert VALIDATED: ok
		Not Valid Before: Sep 4 00:00:00 2020 GMT
		Not Valid After: Sep 15 16:00:00 2025 GMT
		subject= /C=US/O=Let's Encrypt/CN=R3
		issuer= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
		Certificate #3 of 4 (added from CA Root Store):
		Cert signed by: #3, #4
		Cert VALIDATED: ok
		Not Valid Before: Jun 4 11:04:38 2015 GMT
		Not Valid After: Jun 4 11:04:38 2035 GMT
		subject= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
		issuer= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
		Certificate #4 of 4 (sent by MX):
		Cert is unsigned
		Cert VALIDATED:
		Not Valid Before: Jan 20 19:14:03 2021 GMT
		Not Valid After: Sep 30 18:14:03 2024 GMT
		subject= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
		issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
[005.046]		DANE failed: no TLSA records
[005.048]	~~>	EHLO www11-do.CheckTLS.com
[005.287]	<~~	250-mail.origrata.com Hello www11-do.checktls.com [167.71.160.115] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-CHUNKING 250 HELP
[005.287]		TLS successfully started on this server
[005.287]		TLSAs not checked (no TLSA)
[005.287]	~~>	MAIL FROM:<[email protected]>
[005.526]	<~~	250 OK
[005.526]		Sender is OK
[005.526]	~~>	QUIT
[005.765]	<~~	221 mail.origrata.com closing connection

Tags: ssl vestacp

Please Select Embedded Mode For Blogger Comments

SSL Certificate Problem Unable to get Local Issuer Certificate – Vestacp Exim4 And Dovecot

Ikuti lewat Email

Advertisement

نموذج الاتصال