Letsencrypt/certbot fails when proxying with Apache ProxyPass

I had an issue on Directadmin server where client had nodejs application for which apache had to proxy on port 3001. Becouse of this, letsencrypt was not able to reach .well-known/acme-challenge/ and certificate registration/renewal failed. Solution is simple, you have to exclude proxy when requesting .well-known/acme-challenge/.

This was error whent trying to check .well-known/acme-challenge:

$ curl http://mydomain.com/.well-known/acme-challenge/test.txt 
{"errors":[{"message":"Route /.well-known/test.txt doesn't exist.","extensions":{"code":"ROUTE_NOT_FOUND"}}]}%

So I added “ProxyPass !” directive just before where I create proxy directive to port 3001. Like so:

. . .
<Location /.well-known/acme-challenge>
   ProxyPass !
</Location>

<Location />
Require all granted
   ProxyPass http://127.0.0.1:3000/
   ProxyPassReverse http://127.0.0.1:3000/
</Location>
. . . 

Then I was able tu make request to .well-known/acme-challenge sucsessfully:

> $ curl http://mydomain.com/.well-known/acme-challenge/test.txt 
It works!

I hope this helps! 🙂

Dovecot fails to reload after upgrade / code=exited, status=226/NAMESPACE

If your Dovecot fails to reload/restart after upgrade, chances are that your kernel is too old. But you can try and fix this problem with simple step bellow.

This was in syslog log:

systemd[20406]: dovecot.service: Failed at step NAMESPACE spawning /usr/bin/doveadm: No such file or directory
dovecot.service: Control process exited, code=exited status=226
systemd[1]: Reload failed for Dovecot IMAP/POP3 email server.

This was Dovecot service status:

● dovecot.service - Dovecot IMAP/POP3 email server
Loaded: loaded (/lib/systemd/system/dovecot.service; enabled; vendor preset: enabled)
Active: active (running) (Result: exit-code) since Tue 2021-09-07 19:31:12 CEST; 1 months 28 days ago
Docs: man:dovecot(1)
Process: 20406 ExecReload=/usr/bin/doveadm reload (code=exited, status=226/NAMESPACE)

To solve, you can try and edit dovecot service script and add coment to PrivateTmp variable.

root@mailmachine:~# vi /lib/systemd/system/dovecot.service

...
[Service]
Type=forking
ExecStart=/usr/sbin/dovecot
PIDFile=/var/run/dovecot/master.pid
ExecReload=/usr/bin/doveadm reload
ExecStop=/usr/bin/doveadm stop
#PrivateTmp=true
NonBlocking=yes
# Enable this if your systemd is new enough to support it:
#ProtectSystem=full
...

Directadmin – x509: certificate signed by unknown authority – Letsencrypt

DST Root CA X3 expired on September 30, 2021. Because of this I got invalid certificate error when visiting Directadmin login in Chrome. Certificate itself was valid. CA certificate is problem. What you have to do is update system CA certificates. Also update letsencrypt via custombuild if you didn’t already.

Error was:

[root@server]# /usr/local/directadmin/scripts/letsencrypt.sh renew my.server.com
Setting up certificate for a hostname: my.server.com
2021/09/30 14:49:15 Could not create client: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get "https://acme-v02.api.letsencrypt.org/directory": x509: certificate signed by unknown authority
Certificate generation failed.

You have to update system CA certificates ( Centos in this case ):

[root@server ~]# yum install ca-certificates -y
....
[root@server ~]# update-ca-trust

Then try to create new certificate for server hostname:

[root@server]# /usr/local/directadmin/scripts/letsencrypt.sh request_single my.server.com 4096
Setting up certificate for a hostname: my.server.com
2021/09/30 14:51:50 [INFO] [my.server.com] acme: Obtaining SAN certificate
2021/09/30 14:51:51 [INFO] [my.server.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/35702261650
2021/09/30 14:51:51 [INFO] [my.server.com] acme: Could not find solver for: tls-alpn-01
2021/09/30 14:51:51 [INFO] [my.server.com] acme: use http-01 solver
2021/09/30 14:51:51 [INFO] [my.server.com] acme: Trying to solve HTTP-01
2021/09/30 14:51:57 [INFO] [my.server.com] The server validated our request
2021/09/30 14:51:57 [INFO] [my.server.com] acme: Validations succeeded; requesting certificates
2021/09/30 14:52:01 [INFO] [my.server.com] Server responded with a certificate.
Certificate for my.server.com has been created successfully!
DirectAdmin certificate has been setup.
...

SNI support for Dovecot and Postfix

If you are in position that you need multiple SSL certificates for different domains on single mail server, you can do it with SNI. Of corse, on very old versions this is not supported. Check documentation first, if its supported for your version of Dovecot and Postfix.

Dovecot:

In case of incoming mailserver Dovecot it’s easy as listed bellow. I made file ssl-sni.conf in which I add SNI configurations for my domains. Then I included ssl-sni.conf in main dovecot config.

Create ssl-sni.conf and add your SNI definitions in it:

local_name mail.domain1.com {
ssl_cert = </etc/ssl/certs/domain1/fullchain.pem
ssl_key = </etc/ssl/certs/domain1/privkey.pem
}

local_name pop3.domain2.com {
ssl_cert = </etc/ssl/certs/domain2/fullchain.pem
ssl_key = </etc/ssl/certs/domain2/privkey.pem
}
...

Then include this in main dovecot config (you can add those configurations directly in dovecot.conf or 00-ssl.conf also. I just prefer separate this):

# SNI include
!include ssl-sni.conf

Postfix:

As for Postfix, configuration is also simple:

Inside /etc/postfix/, create file domain_ssl.map and add ssl definitions in it:

mail.domain1.com /etc/ssl/certs/domain1/privkey.pem /etc/ssl/certs/domain1/fullchain.pem
smtp.domain2.net /etc/ssl/certs/domain2/privkey.pem /etc/ssl/certs/domain2/fullchain.pem

Run postmap and restart Postfix:

[root@mail postfix]# postmap -F domain_ssl.map which will create domain_ssl.map.db
[root@mail postfix]# systemctl restart postfix

If everything is OK, you should now have SNI supported mail server.

Directadmin – ModSecurity: Request body (Content-Length) is larger than the configured limit (13107200)

I had problem with uploading files on Directadmin server with mod_security enabled. I set upload_max_filesize and post_max_size to 64M, and still recived error like this:

[Wed Aug 04 23:31:30.320425 1912] [:error] [pid 1418987:tid 140666332325632] [client 89.212.96.1:64983] [client 89.212.96.1] ModSecurity: Request body (Content-Length) is larger than the configured limit (13107200). [hostname "www.geekytuts.net"] [uri "/wp-admin/async-upload.php"] [unique_id "YQpCUpEZgUlp9rxIlbunrAAAnTQ"], referer: https://www.geekytuts.net/wp-admin/media-new.php

I found out that this behavior is not caused by any mod_security rules (Free ModSecurity Rules from Comodo) but by directive SecRequestBodyLimit setting . Default value is 12.5M and since I set 64M for file uploads, I changed this value the same – in bytes.

File which you want to modify is /etc/httpd/conf/extra/httpd-modsecurity.conf. In my case, I modifyed like this:

SecRequestBodyLimit 67108864
SecRequestBodyNoFilesLimit 1048576

Directadmin – Unrouteable address error on incoming mail

I had this stupid error the other day on Directadmin. I upgraded Exim to the latest version and then all mail sent to address@email.com which was on this server was bounced with the error “Unrouteable address”. From the past, I knew that errors like this can be due to exceeded mail limit. But in this case, this was happening only for one mail out of 50 others, and no limits were reached.

After some searching, I found out that there was an alias pointing to the email address itself, which was causing this error. I removed the forwarder (alias) and incoming mail started to work again on this mailbox.

2021-05-09 20:53:28 H=([1.1.1.1]) [2.2.2.2] F=<us11-99cb50d256-903kjsd32113@inbound.mailchimp.com> rejected RCPT <address@email.com>: Unrouteable address

So I had mail forwarder like:
address@email.com -> address@email.com

So when dealing with such an error, just remove the alias like described above.

Directadmin – install Drush locally – drush: command not found

This is how you can install Drush locally and make drush command localy on specific user.

  • First go to root directory of user and login with this user
    [root@da ~]# cd /home/mydrush/
    [root@da mydrush]# su mydrush
  • Install drush via composer
    [mydrush@da mydrush]$ composer require drush/drush
    Using version ^10.4 for drush/drush
    ./composer.json has been created
    Running composer update drush/drush
    Loading composer repositories with package information
    Updating dependencies
    ...
  • Create alias to drush for this user. Open file .bashrc and add line bellow to it and save. Then run source.
    # User specific environment and startup programs
    export PATH="$HOME/vendor/bin:$PATH"
    
    [mydrush@da mydrush]$ source .bashrc
    
  • This is it
    [mydrush@da mydrush]$ drush version
    Drush version : 10.4.3

Special thanks to Adrian

Slow email sending from cPanel SMTP

I received a few complaints from different people, that sending of email messages is really slow. This didn’t make any sense, because no modifications were made on the server.

After an hour, I found that this was caused by Exim setting “Delay SMTP Transaction”. Quoting cPanel: The SMTP receiver will wait a few additional seconds for a connection when it detects spam messages in order to reduce inbound spam. 

So it’s another weapon to fight spam mail, but it makes sending slower.

You can disable this feature in Exim Configuration Manager -> ACL Options -> Introduce a delay into the SMTP transaction for unknown hosts and messages detected as spam.

When disabled, your emails should be fast again.

Directadmin – auto assign custom authorized_keys for newly created users – SSH access

I setup a Directadmin server which was primary for website hosting. Separating every project with new DirectAdmin user is a good practice security vise. If one website/project is hacked, other sites that are with different users are safe. But creating new users and then set up ssh keys that are allowed for every user can be time consumedly. In this case, ssh public keys were the same for every user as only developers were able to ssh connect to user account. I created a simple script that will create .ssh directory and authorized_keys with public keys for every user.

  • First, create script  user_create_post.sh inside /usr/local/directadmin/scripts/custom/.
  • Create template file with all ssh  public keys that should be assign to every new user. I created file /usr/local/directadmin/data/custom-authorized_keys
  • Add this content to the script:
    #!/bin/sh

    mkdir /home/$username/.ssh
    chown $username:$username /home/$username/.ssh
    cp /usr/local/directadmin/data/custom-authorized_keys /home/$username/.ssh/authorized_keys
    chown $username:$username /home/$username/.ssh/authorized_keys
    chmod 600 /home/$username/.ssh/authorized_keys

    echo "SSH keys added!"

    exit 0;
  • Give this script execution rights
    chmod +x /usr/local/directadmin/scripts/custom/user_create_post.sh

That is it. Every time a new user is created, .ssh directory with authorized_keys will be created inside user’s home account.

Limit number of email recipients with Roundcube

I had an issue with one of the mail servers on which one user’s account password was stolen and was sending spam. Spam was sent from Roundcube and there was a very large number of recipients in one email. Limit the number of recipients in Postfix was not an option. It had to be done on webmail. It is very simple with Roundcube. Just add variable bellow in your Roundcube configuration file – config.inc.php.

$config['max_recipients'] = 10;

This will allow only 10 recipients in one email message. Of course you can change the number according to your needs.

© 2021 geegkytuts.net
Hosted by SIEL


About author