LetsEncrypt stopped working with error: Cannot validate argument on parameter 'Value'.
-
Arron Staff
I am still unable to get to http://autodiscover.cfts.co.
Are you able to get to it from the internet? Are you able to connect to it from the local machine?
https works for me with a certificate error but not http. So if the redirect is off something else must be blocking the traffic.
-
I have installed wacs v2.2.5.1541 (x64, ReleaseTrimmed) on the same server as MDaemon and generated the certificates without issue.
Enter email(s) for notifications about problems and abuse (comma-separated): peter@cfts.co
Plugin Manual generated source mail2.cfts.co with 4 identifiers
Plugin Single created 1 order
[autodiscover.cfts.co] Authorizing...
[autodiscover.cfts.co] Authorizing using http-01 validation (SelfHosting)
[autodiscover.cfts.co] Authorization result: valid
[mail1.cfts.co] Authorizing...
[mail1.cfts.co] Authorizing using http-01 validation (SelfHosting)
[mail1.cfts.co] Authorization result: valid
[mail2.cfts.co] Authorizing...
[mail2.cfts.co] Authorizing using http-01 validation (SelfHosting)
[mail2.cfts.co] Authorization result: valid
[webmail.cfts.co] Authorizing...
[webmail.cfts.co] Authorizing using http-01 validation (SelfHosting)
[webmail.cfts.co] Authorization result: valid
Downloading certificate [Manual] mail2.cfts.co
Store with CentralSsl...
Copying certificate to the CentralSsl store
Saving certificate to CentralSsl location D:\ssl\autodiscover.cfts.co.pfx
Saving certificate to CentralSsl location D:\ssl\mail1.cfts.co.pfx
Saving certificate to CentralSsl location D:\ssl\mail2.cfts.co.pfx
Saving certificate to CentralSsl location D:\ssl\webmail.cfts.co.pfx
Scheduled task looks healthy
Adding renewal for [Manual] mail2.cfts.co
Next renewal due after 2023/10/16
Certificate [Manual] mail2.cfts.co created
N: Create certificate (default settings)
M: Create certificate (full options)
I'd really like to get to the bottom of this; it's clearly not a firewall issue. Any advice would be good.
I have generated and tested the required SSL via wacs and all seems well. The issue seems to be something to do with MDaemon, but at least I have a usable fallback option now; it was much easier than I thought it would be. The steps to the working solution:
A simple Windows ACMEv2 client (WACS)
Software version 2.2.5.1541 (release, trimmed, standalone, 64-bit)
Connecting to https://acme-v02.api.letsencrypt.org/...
Connection OK!
Scheduled task looks healthy
Please report issues at https://github.com/win-acme/win-acme

N: Create certificate (default settings) <<
M: Create certificate (full options)
R: Run renewals (0 currently due)
A: Manage renewals (1 total)
O: More options...
Q: Quit
Please choose from the menu:

Running in mode: Interactive, Simple
Source plugin IIS not available: No supported version of IIS detected.
Please specify how the list of domain names that will be included in the certificate should be determined. If you choose for one of the "all bindings" options, the list will automatically be updated for future renewals to reflect the bindings at that time.
1: Read bindings from IIS
2: Manual input <<
3: CSR created by another program
C: Abort
How shall we determine the domain(s) to include in the certificate?:
Description: A host name to get a certificate for. This may be a comma-separated list.
Host: mail1.cfts.co,mail2.cfts.co,autodiscover.cfts.co,webmail.cfts.co
Source generated using plugin Manual: mail1.cfts.co and 3 alternatives
Installation plugin IIS not available: No supported version of IIS detected.
With the certificate saved to the store(s) of your choice, you may choose one or more steps to update your applications, e.g. to configure the new thumbprint, or to update bindings.
1: Create or update bindings in IIS
2: Start external script or program
3: No (additional) installation steps <<
Which installation step should run first?:
Plugin Manual generated source mail1.cfts.co with 4 identifiers
Plugin Single created 1 order
Downloading certificate [Manual] mail1.cfts.co
Store with CertificateStore...
Installing certificate in the certificate store
Adding certificate [Manual] mail1.cfts.co @ 2023/8/22 to store My
Scheduled task looks healthy
Adding renewal for [Manual] mail1.cfts.co
Next renewal due after 2023/10/16
Certificate [Manual] mail1.cfts.co created

N: Create certificate (default settings) <<
M: Create certificate (full options)
R: Run renewals (0 currently due)
A: Manage renewals (2 total)
O: More options...
Q: Quit
Please choose from the menu:
'<<' marks the options I used. Once done, just pop back into MDaemon and check that it picked up the SSLs from the Windows CertificateStore.
So now I can go back and get autodiscovery working :)
-
Arron Staff
While testing this morning, I noticed that I can now get to http://autodiscover.cfts.co and it redirects to https://autodiscover.cfts.co, most likely because of the new certificate that you put in place. Since challenges have now been completed for your hostnames, they will remain valid for a while and letsencrypt will not require new challenges to be completed. We can try testing it, but until the LetsEncrypt challenges are expired, we won't know for sure.
If you'd like to do more testing, turn off the redirect to HTTPS and change the certificate. To do this open MDaemon and go to Security / Security Settings / SSL & TLS / Webmail, select the radio button for HTTP and HTTPS. Then check the box next to your old certificate to activate it and uncheck the box next to your new certificate to deactivate it. Then restart webmail. Once webmail has restarted make sure you can connect to http://autodiscover.cfts.co and you are not redirected to https.
Then run the LetsEncrypt process in MDaemon. You'll have to look at the log to see if LetsEncrypt required new challenges to be completed.
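The check Arron describes (port 80 answers, and plain HTTP is not redirected to HTTPS before the http-01 validation runs) can be scripted from the MDaemon server. This is an added example, not code from the thread or from MDaemon/win-acme; it uses the four hostnames from the thread and a placeholder challenge token, so a 404 on the challenge path is the expected "good" answer.

```powershell
# Added example: verify each hostname answers on plain HTTP and does not
# redirect the ACME challenge path to HTTPS. Hostnames are taken from the
# thread; the token in the path is a placeholder, so 404 is expected.
$hostNames = 'mail1.cfts.co','mail2.cfts.co','autodiscover.cfts.co','webmail.cfts.co'

function Test-Http01Path {
    param([string]$HostName)
    $url = "http://$HostName/.well-known/acme-challenge/precheck-token"  # placeholder token
    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.AllowAutoRedirect = $false   # we want to see a 301/302, not follow it
    $req.Timeout = 10000
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 4xx/5xx answers still carry a response object; a true connect failure does not
        if ($_.Exception.Response) {
            $resp = $_.Exception.Response
        } else {
            return [pscustomobject]@{ Host = $HostName; Status = 'UNREACHABLE on port 80'; Detail = $_.Exception.Message }
        }
    }
    $code = [int]$resp.StatusCode
    $loc  = $resp.Headers['Location']
    $resp.Close()

    if ($code -ge 300 -and $code -lt 400 -and $loc -like 'https://*') {
        $state = 'REDIRECTED to HTTPS - turn the redirect off before testing LetsEncrypt'
    } elseif ($code -eq 404 -or $code -eq 200) {
        $state = 'OK - port 80 answers without redirect'
    } else {
        $state = "HTTP $code - review"
    }
    [pscustomobject]@{ Host = $HostName; Status = $state; Detail = $loc }
}

$hostNames | ForEach-Object { Test-Http01Path $_ } | Format-Table -AutoSize
```

Run it once with the redirect enabled and once after switching Webmail to "HTTP and HTTPS" to confirm the change actually took effect before re-running the MDaemon LetsEncrypt process.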
-
Thanks Arron, I think I'll just keep using the 3rd-party SSL tool. Allowing HTTP does not seem like a good idea; I've gone to great lengths to secure our system and that seems like a step backwards, unless you tell me different?
-
Arron Staff
To be clear, I'm not suggesting that you leave it configured to not redirect HTTP to HTTPS. I'm just saying to allow HTTP so that you can test to make sure it's working.
-
Ahh my bad, understood.
-
Should you be interested, I've compiled a Statement of Process (SOP) for implementing auto-discovery with MDaemon. It's very specific to CFTS but should point you in the right direction :) It's quite comprehensive and covers the entire process, and I'm more than willing to share a copy. Due to its length, I hesitate to post it here, but here is a link to the Autodiscover document.