Re: Kerio connect 9.4 new Let's encrypt certificate error [message #150971 is a reply to message #150969]
Sat, 29 January 2022 15:37
dbosiljevac
Messages: 14 Registered: April 2015
Check your settings under Security --> Security Policy. If it says "Require encryption" change it to "No restrictions". I found it didn't work when I had it forcing encryption, but worked fine when it was disabled.
I'm not keen on having the ability for people to log into webmail through HTTP and would much rather people get redirected to HTTPS, but I get why they need to do it for LetsEncrypt.
Re: Kerio connect 9.4 new Let's encrypt certificate error [message #150972 is a reply to message #150969]
Sat, 29 January 2022 21:47
Seeds
Messages: 3 Registered: January 2022
Hi,
Users may have to make a few changes to their Kerio Connect installation in order to use Kerio Connect's new Let's Encrypt ACME client to receive, auto install and update Let's Encrypt certificates.
1. Make sure the firewall has port 80 open and directing traffic to the Kerio Connect server. Also, make sure that port 80 traffic is being forwarded to the correct IP if Kerio Connect is bound to a specific IP or network card. In addition, make sure no other software on the Kerio Connect server is listening on port 80 using the same network card/IP address as Kerio Connect.
2. Make sure Kerio Connect is listening on Port 80. The HTTP service should be running on Port 80. Go to Configuration > Services; HTTP should have "All addresses:80" listed. You can set the service to run automatically to help Kerio Connect's Let's Encrypt ACME client renew the certificate.
3. Kerio Connect's Security policy has to be set to "No restriction." Go to Configuration > Security > Security Policy. Making this change does not mean all connections are insecure. Connections can still be negotiated to use TLS, but Kerio Connect will accept non-encrypted traffic when the security policy is set to "No restriction."
Once Kerio is set up, Let's Encrypt certificates install in about 2-3 seconds. But as with all features, there could be some issues.
Point three can be an issue for some installations of Kerio Connect. Some Kerio Connect administrators encrypt all traffic to Kerio Connect. When Let's Encrypt makes the connection on port 80 (unencrypted), Kerio will redirect the connection to HTTPS (port 443/8843). Meanwhile Kerio Connect's Let's Encrypt ACME client will still be listening on port 80. Eventually, the connection is never received. This can be observed in the debug log. Users could keep the security policy set to encrypted, then change the security policy to "no restriction" on the day Let's Encrypt needs to renew. However, this is not practical in many settings. It is better to bind the Kerio installation to a specific network card in the server or virtualize the installation.
Point 2 can be an issue for small businesses who have one bare metal server with multiple instances of server software installed. For instance, if a small business has Kerio Connect and IIS installed on one bare metal server with one network card, IIS is usually listening on port 80, making it impossible for Kerio Connect to listen on port 80. Kerio Connect's Let's Encrypt client will not be able to listen on port 80 as well. This problem can be mitigated by binding the server software to different network interfaces or virtualizing software installations, which most small businesses without full-time IT staff are unwilling or unable to do.
In future updates, I would like Kerio Connect to offer different Let's Encrypt challenges (such as DNS) to help solve the aforementioned issues.
Re: Kerio connect 9.4 new Let's encrypt certificate error [message #150986 is a reply to message #150972]
Tue, 01 February 2022 08:55
boisbleu
Messages: 62 Registered: May 2015
> Seeds wrote on Sat, 29 January 2022 21:47:
> 3. Kerio Connect's Security policy has to be set to "No restriction." Go to Configuration > Security > Security Policy. Making this change does not mean all connections are insecure. Connections can still be negotiated to use TLS, but Kerio Connect will accept non-encrypted traffic when the security policy is set to "No restriction."
Are you sure? These are my settings and as I remember I haven't changed them in the last 2 years.
[Updated on: Tue, 01 February 2022 08:59]
Re: Kerio connect 9.4 new Let's encrypt certificate error [message #150991 is a reply to message #150986]
Tue, 01 February 2022 17:14
Seeds
Messages: 3 Registered: January 2022
> boisbleu wrote on Tue, 01 February 2022 08:55:
> > Seeds wrote on Sat, 29 January 2022 21:47:
> > 3. Kerio Connect's Security policy has to be set to "No restriction." Go to Configuration > Security > Security Policy. Making this change does not mean all connections are insecure. Connections can still be negotiated to use TLS, but Kerio Connect will accept non-encrypted traffic when the security policy is set to "No restriction."
> Are you sure? These are my settings and as I remember I haven't changed them in the last 2 years.
If you want to use Let's Encrypt's ACME client in Kerio version 9.4.0, then Kerio Connect's Security Policy has to be set to "No restriction," just as others in this thread discovered. When Kerio Connect's security policy is set to "Required Encryption or Secure Authorization," incoming requests are automatically forwarded to whatever secure port is set in services (i.e. port 443/8843). You can read this behavior in the Debug log. Let's Encrypt's ACME client in Kerio Connect 9.4.0 only has the HTTP challenge, which uses an insecure port (i.e. port 80/8880). Requiring Encryption or Secure Authorization will divert the HTTP challenge to a secure port while the Let's Encrypt ACME client listens on an insecure port. Thus, Let's Encrypt's ACME client will never receive any communication and no certificate.
Re: Kerio connect 9.4 new Let's encrypt certificate error [message #150993 is a reply to message #150986]
Tue, 01 February 2022 22:56
dbosiljevac
Messages: 14 Registered: April 2015
I think where my LetsEncrypt renewals are getting hung up is on the redirect. I have both 443 and 8843 open (for ActiveSync) and, for some reason, my redirect goes to 8843 whenever I go to the unsecured login page with "Require encrypted connection" turned on. I believe LetsEncrypt supports being redirected to 443, but not to 8843. I'm not sure if there's a way to force a redirection to 443.
Re: Kerio connect 9.4 new Let's encrypt certificate error [message #151000 is a reply to message #150991]
Wed, 02 February 2022 15:06
boisbleu
Messages: 62 Registered: May 2015
> Seeds wrote on Tue, 01 February 2022 17:14:
> Let's Encrypt's ACME client in Kerio Connect 9.4.0 only has the HTTP challenge, which uses an insecure port (i.e. port 80/8880). Requiring Encryption or Secure Authorization will divert the HTTP challenge to a secure port while the Let's Encrypt ACME client listens on an insecure port. Thus, Let's Encrypt's ACME client will never receive any communication and no certificate.
I think you're wrong. These settings are relevant to the mail communication only. These settings have nothing to do with the certificate.
Re: Kerio connect 9.4 new Let's encrypt certificate error [message #151002 is a reply to message #150993]
Wed, 02 February 2022 23:09
Seeds
Messages: 3 Registered: January 2022
> dbosiljevac wrote on Tue, 01 February 2022 22:56:
> I think where my LetsEncrypt renewals are getting hung up is on the redirect. I have both 443 and 8843 open (for ActiveSync) and, for some reason, my redirect goes to 8843 whenever I go to the unsecured login page with "Require encrypted connection" turned on. I believe LetsEncrypt supports being redirected to 443, but not to 8843. I'm not sure if there's a way to force a redirection to 443.
If you are only using port 443 for Kerio Connect and not IIS or anything else on the same server installation, then you can remove 8843 from the Kerio Connect services and only use 443 for ActiveSync and secure webmail. Then, Let's Encrypt should be redirected successfully to port 443.
Also, you can try removing Port 443 and 8843 from Kerio Connect services, then add 443 and 8843 in that order so that 443 is listed first. Restart the HTTPS service and see if 443 is now the default HTTPS port. If it is, then the redirect to HTTPS should work with Let's Encrypt ACME client in Kerio Connect 9.4.0.
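The failure mode described in this thread (port 80 unreachable or taken by another listener, and a redirect from the HTTP challenge path to 8843 instead of 443) can be checked before a renewal is due. The script below is an added example written for this thread; it is not Kerio's code and it does not use any Kerio API. It rests on Let's Encrypt's documented HTTP-01 behaviour: the validator follows at most 10 redirects, and only to ports 80 or 443. The hostname mail.example.com, the token "tok" and the probe path are constructed placeholders; `check_redirect_chain` is a pure function judged on constructed chains so it runs offline, while `preflight` performs the live checks against a host you name.

```python
"""Pre-flight check for the HTTP-01 challenge path (added example, not Kerio code).

Validation traffic must reach the ACME client on port 80, and any redirect the
server issues must land on port 80 or 443: Let's Encrypt follows at most 10
redirects and only to those two ports, so a hop to 8843 or 8880 is a dead end.
"""
import http.client
import socket
import ssl
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10                          # Let's Encrypt's documented redirect limit
DEFAULT_PORT = {"http": 80, "https": 443}
CHALLENGE_PATH = "/.well-known/acme-challenge/"


def effective_port(url: str):
    """Port the validator would connect to, or None for an unsupported scheme."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORT:
        return None
    return parts.port if parts.port is not None else DEFAULT_PORT[parts.scheme]


def check_redirect_chain(urls):
    """Judge a chain: the initial challenge URL, then each Location header seen.

    Returns (ok, reason). Pure function so it can be exercised offline.
    """
    if len(urls) - 1 > MAX_HOPS:
        return False, f"{len(urls) - 1} redirects exceed the {MAX_HOPS}-hop limit"
    for hop, url in enumerate(urls):
        port = effective_port(url)
        if port is None:
            return False, f"hop {hop}: unsupported scheme in {url}"
        if port not in (80, 443):
            return False, (f"hop {hop}: {url} is on port {port}; validation only "
                           "follows redirects to port 80 or 443")
    return True, "every hop is on port 80 or 443"


def port80_open(host: str, timeout: float = 5.0) -> bool:
    """TCP-level check that something answers on port 80 (firewall, NAT, listener)."""
    try:
        with socket.create_connection((host, 80), timeout=timeout):
            return True
    except OSError:
        return False


def collect_chain(start_url: str, timeout: float = 5.0):
    """Issue the challenge GET without auto-following redirects; return the chain
    of URLs and the final HTTP status. Certificates are deliberately not verified,
    because the validator does not verify them on HTTPS hops either."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    urls, status = [start_url], None
    while len(urls) <= MAX_HOPS + 1:
        parts = urlsplit(urls[-1])
        if parts.scheme == "https":
            conn = http.client.HTTPSConnection(parts.hostname, parts.port,
                                               timeout=timeout, context=ctx)
        else:
            conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=timeout)
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("GET", path, headers={"User-Agent": "acme-preflight/0.1"})
        resp = conn.getresponse()
        status, location = resp.status, resp.getheader("Location")
        resp.read()
        conn.close()
        if status in (301, 302, 303, 307, 308) and location:
            urls.append(urljoin(urls[-1], location))   # resolve relative Location
            continue
        break
    return urls, status


def preflight(host: str):
    """Run the live checks against a host; returns a dict of findings."""
    probe = f"http://{host}{CHALLENGE_PATH}preflight-probe"   # token is a placeholder
    findings = {"port80_open": port80_open(host)}
    if findings["port80_open"]:
        urls, status = collect_chain(probe)
        findings["chain"], findings["final_status"] = urls, status
        findings["chain_ok"], findings["reason"] = check_redirect_chain(urls)
    return findings


# Constructed chains mirroring the thread: the first is the failing redirect to
# 8843, the second is what listing 443 first in the HTTPS service should produce.
BAD_CHAIN = ["http://mail.example.com/.well-known/acme-challenge/tok",
             "https://mail.example.com:8843/.well-known/acme-challenge/tok"]
GOOD_CHAIN = ["http://mail.example.com/.well-known/acme-challenge/tok",
              "https://mail.example.com/.well-known/acme-challenge/tok"]

if __name__ == "__main__":
    import sys
    for chain in (BAD_CHAIN, GOOD_CHAIN):
        print(check_redirect_chain(chain))
    if len(sys.argv) > 1:                     # python preflight.py mail.example.com
        print(preflight(sys.argv[1]))
```

A 404 as the final status is the expected result for the placeholder token; what matters is that the chain reaches a port-80 or port-443 listener at all. The script reports the same dead end for an HTTP service bound only to 8880, which is why point 2 of the earlier post (HTTP on "All addresses:80") is checked before the redirect.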
Re: Kerio connect 9.4 new Let's encrypt certificate error [message #151008 is a reply to message #151002]
Thu, 03 February 2022 14:45
dbosiljevac
Messages: 14 Registered: April 2015
Hey there, thanks for the removing/adding tip. I actually ended up doing that a few days ago and now 443 shows up before 8843 in my secure HTTP service. It looks like LetsEncrypt is now issuing certificates while getting redirected to port 443. Definitely prefer having the setting to redirect http to https enabled on my server.