[SOLVED] SSL for TLS

Dec 27, 2020
Thank you in advance to anyone helping.

I have configured PMG 6.3-5 and updated the file:
/etc/pmg/pmg-api.pem

This is working properly for the GUI and passes. All email flows correctly unsecured.

However, when I try to connect with Thunderbird on ports 25/26 with TLS, it says the server has a self-signed certificate when connecting.

I used NetCat and 250-STARTTLS is showing on both ports:

Code:
admin@splaam:~$ nc -v localhost 26
DNS fwd/rev mismatch: localhost.domain.com.au != ip6-localhost
localhost.domain.com.au [127.0.0.1] 26 (?) open
220 splaam.domain.com.au Mail Gateway
ehlo test.com
250-splaam.domain.com.au
250-PIPELINING
250-SIZE 52430000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING


I have rebooted the server - how can I correctly update the SSL for these connections?
 
Is there an issue with wildcard certs and TLS?


Code:
user@app01:~$ openssl s_client -connect splaam.domain.com.au:26 -starttls smtp -no_ssl3
CONNECTED(00000005)
depth=0 OU = Proxmox Mail Gateway, O = domain.com.au, CN = *.domain.com.au
verify error:num=18:self signed certificate
verify return:1
depth=0 OU = Proxmox Mail Gateway, O = domain.com.au, CN = *.domain.com.au
verify return:1
---
Certificate chain
0 s:OU = Proxmox Mail Gateway, O = domain.com.au, CN = *.domain.com.au
   i:OU = Proxmox Mail Gateway, O = domain.com.au, CN = *.domain.com.au
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=OU = Proxmox Mail Gateway, O = domain.com.au, CN = *.domain.com.au
issuer=OU = Proxmox Mail Gateway, O = domain.com.au, CN = *.domain.com.au

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2384 bytes and written 435 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)
---
250 CHUNKING
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: B1F8FE0D656CA3...F250435C6ED0D157EE8719
    Session-ID-ctx:
    Resumption PSK: 7AE76BFEF7E...00D82B44E097941C2927
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1611489451
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 
Can the 'pmg-api.pem' file and the 'pmg-tls.pem' files contain the exact same certificate chain?
e.g. pmg-api.pem has been set up with a valid, purchased certificate, and then simply do a 'cp pmg-api.pem pmg-tls.pem'
 
should work

Just to necro-bump this thread.....

I'm running PMG 7.1-2, and even though I have an ACME account and the pmg-api.pem cert is the correct Let's Encrypt cert, the `pmg-tls.pem` file seems to be a self-signed cert.

If I copy one to the other so they are BOTH using the Let's Encrypt cert, will PMG auto-renew both via the ACME account for Let's Encrypt? Or will something else happen?

I do have the ACME cert selected for smtp;api Usage.
 
> Just to necro-bump this thread.....
>
> I'm running PMG 7.1-2, and even though I have an ACME account and the pmg-api.pem cert is the correct Let's Encrypt cert, the `pmg-tls.pem` file seems to be a self-signed cert.
>
> If I copy one to the other so they are BOTH using the Let's Encrypt cert, will PMG auto-renew both via the ACME account for Let's Encrypt? Or will something else happen?
>
> I do have the ACME cert selected for smtp;api Usage.

I did the manual method and combined the certificate when I had my own certificate, and stopped once I implemented ACME as it's easier and faster to just create the second cert for the TLS than to copy and paste IMO - although yes, it is possible by combining the TLS, API and the 3rd key which I can't remember:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_keys_and_certificates
 
You just need to select both API and SMTP for the certificate usage in the GUI - see the picture at 'Domains' in section 4.6.3 at:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#sysadmin_certificate_management

Hi mate,

I already had this set:
[screenshot attached]

However the SMTP side still used the Proxmox self-signed certificate.

I'm just wondering now that I've done the file copy manually now, if that will mean I won't have to do it again to update the cert in 80-90 days time...
 
> However the SMTP side still used the Proxmox self-signed certificate.
That's odd - this does work here (the last time I tested)

did you change the certificate location for postfix? (/etc/pmg/pmg-tls.pem is what PMG's ACME implementation is using and replacing)
anything in the logs indicating an error when the certificate was created?

do you get a correct certificate (and does postfix use it) if you click on 'Order Certificates Now'->'Order SMTP Certificate' ?
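A way to answer the "does postfix use it" question from a terminal, as an added example that is not from the thread or from PMG: run on the PMG host itself, it fetches the certificate Postfix presents after STARTTLS (port 25 is assumed; pass 26 if that is your submission port), records any verification error against the system trust store, and compares the served leaf's SHA-256 fingerprint with the first certificate in /etc/pmg/pmg-tls.pem and /etc/pmg/pmg-api.pem.

```python
"""Which certificate does Postfix on a PMG host present after STARTTLS, and is it the one
in /etc/pmg/pmg-tls.pem?  Added example, not PMG code; host and port are assumptions."""
import hashlib
import smtplib
import ssl
import sys

PMG_CERT_FILES = ["/etc/pmg/pmg-tls.pem", "/etc/pmg/pmg-api.pem"]  # paths named in the thread
PEM_BEGIN, PEM_END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, same layout as `openssl x509 -fingerprint -sha256`."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def leaf_fingerprint_from_pem(pem: str) -> str:
    """Fingerprint of the FIRST certificate in a PEM bundle (the leaf Postfix serves);
    a private key or chain certificates following it are ignored."""
    start = pem.index(PEM_BEGIN)
    end = pem.index(PEM_END, start) + len(PEM_END)
    return sha256_fingerprint(ssl.PEM_cert_to_DER_cert(pem[start:end]))

def fetch_starttls_cert(host: str, port: int = 25, timeout: float = 10.0):
    """Return (leaf DER, verify_error).  First connection verifies against the system
    trust store like a mail client would; the second only retrieves the DER bytes."""
    verify_error = None
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    try:
        smtp.starttls(context=ssl.create_default_context())
    except ssl.SSLCertVerificationError as exc:
        verify_error = exc.verify_message  # e.g. "self-signed certificate"
    finally:
        smtp.close()
    insecure = ssl.create_default_context()
    insecure.check_hostname = False
    insecure.verify_mode = ssl.CERT_NONE  # fingerprint retrieval only, no trust decision
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=insecure)
        der = smtp.sock.getpeercert(binary_form=True)
    return der, verify_error

def matching_files(served_fp: str, local_fps: dict) -> list:
    """Local PEM files whose leaf certificate is the one actually being served."""
    return sorted(path for path, fp in local_fps.items() if fp == served_fp)

if __name__ == "__main__":  # run on the PMG host so the PEM files are readable
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    der, err = fetch_starttls_cert(host, port)
    served = sha256_fingerprint(der)
    local = {p: leaf_fingerprint_from_pem(open(p).read()) for p in PMG_CERT_FILES}
    print(f"served: {served}\nverify: {err or 'OK'}")
    print("served by postfix:", matching_files(served, local) or "no local PEM file matches")
```

If the verify line reports a self-signed certificate while pmg-api.pem holds the ACME certificate, only pmg-tls.pem is still the default Proxmox certificate, which is the situation described in the thread.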
 
> That's odd - this does work here (the last time I tested)
>
> did you change the certificate location for postfix? (/etc/pmg/pmg-tls.pem is what PMG's ACME implementation is using and replacing)
> anything in the logs indicating an error when the certificate was created?
>
> do you get a correct certificate (and does postfix use it) if you click on 'Order Certificates Now'->'Order SMTP Certificate' ?

This is the config I have now:

[screenshot attached]

It was `pmg-tls.pem` that was set as the self-signed cert.

I copied the file across - so at the moment, the Valid Since and Expires are identical.

If I do the Order Certificate -> Order SMTP Certificate, then it does look like the renewal worked:

[screenshot attached]

I guess I'll keep an eye on it coming up to August and see if that auto-renews and all is ok, or manual effort would be required to fix...
 
ok - then I think it really should work fine!
It may well be worthwhile looking at using the same .pem files if the two certificates are supposed to be the same... Makes no sense to get Let's Encrypt to issue a second cert for exactly the same details.

Maybe if I could put that on the wishlist somehow ;)
 
> It may well be worthwhile looking at using the same .pem files if the two certificates are supposed to be the same... Makes no sense to get Let's Encrypt to issue a second cert for exactly the same details.

PMG shares quite a bit of its ACME implementation with our other products (PVE, PBS), which do not have this two-type certificate distinction.
While it might seem a bit more elegant, this would result in quite a bit of divergence in the code, which effectively would mean that new features/bugfixes won't make it as soon to PMG (or the other products). Compared to the increased maintenance burden, I'd say that the second issuing is an ok price to pay.
 
> PMG shares quite a bit of its ACME implementation with our other products (PVE, PBS), which do not have this two-type certificate distinction.
> While it might seem a bit more elegant, this would result in quite a bit of divergence in the code, which effectively would mean that new features/bugfixes won't make it as soon to PMG (or the other products). Compared to the increased maintenance burden, I'd say that the second issuing is an ok price to pay.

That's fair.
 
Like CRCinAU, I've issued SMTP certs successfully, but a checktls.com test reports certificate failures due to self-signed certificates.
Debug does indeed show the Proxmox Mail Gateway self-signed certificate. I never issued API certs but do have SMTP certs.

Mail Gateway 8.0.7