454 4.7.0 TLS not available due to local problem

Feb 21, 2023
Transcript of session follows.

Out: 220 mail.dmz.se dmz.se
In: EHLO mta-70-5-198.update.strava.com.sparkpostmail.com
Out: 250-mail.dmz.se
Out: 250-PIPELINING
Out: 250-SIZE 10485760
Out: 250-VRFY
Out: 250-ETRN
Out: 250-STARTTLS
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250-SMTPUTF8
Out: 250 CHUNKING
In: STARTTLS
Out: 454 4.7.0 TLS not available due to local problem
In: QUIT
Out: 221 2.0.0 Bye

For other details, see the local mail logfile

I did try to install Let's Encrypt certs, but as HTTP port 80 access is required I had to stop this. I have deleted the private key with "pmgconfig cert delete api --restart" but still I can't get TLS to work...

1) How can I get my TLS to work again? I managed to get it working again by generating a new cert with "pmgconfig tlscert -force 1"
2) Is there any way of getting Let's Encrypt to work without http/80 open?
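
As an added example (not part of the original post, and not Proxmox or Postfix code), the Python below parses a session transcript in the `In:`/`Out:` format shown above and flags the case from this post: STARTTLS is advertised in the EHLO reply but then refused with a 454. The names `analyze` and `TlsFinding` and the sample transcript are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample in the In:/Out: transcript format (hostnames are placeholders).
SAMPLE = """\
Out: 220 mail.example.test ESMTP
In: EHLO client.example.test
Out: 250-mail.example.test
Out: 250-STARTTLS
Out: 250 CHUNKING
In: STARTTLS
Out: 454 4.7.0 TLS not available due to local problem
In: QUIT
Out: 221 2.0.0 Bye
"""

# 3-digit code, continuation marker, optional enhanced status code, text.
REPLY = re.compile(r"^(\d{3})([ -])(?:(\d\.\d{1,3}\.\d{1,3}) )?(.*)$")

class TlsFinding(NamedTuple):
    advertised: bool            # STARTTLS listed in the EHLO reply
    reply_code: Optional[int]   # server's answer to STARTTLS, None if never sent
    enhanced: Optional[str]     # enhanced status code, e.g. "4.7.0"
    verdict: str

def analyze(transcript: str) -> TlsFinding:
    advertised, code, enhanced, last_cmd = False, None, None, ""
    for raw in transcript.splitlines():
        direction, _, payload = raw.strip().partition(": ")
        if direction == "In":
            last_cmd = payload.split(" ", 1)[0].upper()
        elif direction == "Out" and (m := REPLY.match(payload)):
            if last_cmd == "EHLO" and m[1] == "250":
                advertised |= m[4].split(" ")[0].upper() == "STARTTLS"
            elif last_cmd == "STARTTLS" and code is None:
                code, enhanced = int(m[1]), m[3]
    if code is None:
        verdict = "not_attempted"
    elif code == 220:
        verdict = "tls_ok"
    elif advertised and code == 454:
        verdict = "advertised_but_unavailable"  # the failure shown in the post
    else:
        verdict = "refused"
    return TlsFinding(advertised, code, enhanced, verdict)

if __name__ == "__main__":
    print(analyze(SAMPLE))
```
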
 
Last edited:
2) Is there any way of getting Let's Encrypt to work without http/80 open?
You could use DNS-based verification [1]. Keep in mind that this has some drawbacks compared to HTTP (cannot automatically renew without some scripting and API support from your DNS provider, longer time for verification due to propagation time, ...) - you can read more about this in the docs I linked.

Any particular reason why you cannot use port 80?

[1] https://letsencrypt.org/docs/challenge-types/
 
Last edited:
  • Like
Reactions: Stoiko Ivanov