letsencrypt issue on a Linux server

Hello, I’m new to Axigen, please help me. I’m trying to install Let’s Encrypt on a Linux server via the Axigen CLI or via WebAdmin, using the instructions here: Let's Encrypt Support | Axigen Documentation
DNS is working; ports 80, 443 and 53 are open.
axigen 1453 axigen 55u IPv4 21327 0t0 TCP *:80 (LISTEN)
axigen 1453 axigen 56u IPv4 21328 0t0 TCP *:443 (LISTEN)
axigen 1453 axigen 57u IPv6 21329 0t0 TCP *:80 (LISTEN)
axigen 1453 axigen 58u IPv6 21330 0t0 TCP *:443 (LISTEN)

When I try generating a “LetsEncrypt” certificate, I get only account_priv.key in the folder /var/opt/axigen/letsencrypt/mail.example.com

I can post only two links in a post, so I split my log. Here are the logs:
2021-12-05 21:07:47 +0100 04 linux WEBMAIL:00000000: TCPListener[0.0.0.0:80]: connection from [18.159.196.172:44196] rejected due to service-level rules
2021-12-05 21:07:47 +0100 08 linux WEBADMIN:00000009: LetsE: Found current request
2021-12-05 21:07:47 +0100 04 linux WEBMAIL:00000000: TCPListener[0.0.0.0:80]: connection from [3.142.122.14:30662] rejected due to service-level rules
2021-12-05 21:07:47 +0100 04 linux WEBMAIL:00000000: TCPListener[0.0.0.0:80]: connection from [66.133.109.36:16958] rejected due to service-level rules
2021-12-05 21:07:51 +0100 08 linux WEBADMIN:00000009: previous line is repeated 8 times.
2021-12-05 21:07:52 +0100 02 linux WEBADMIN:00000009: LetsE: Could not open file /var/opt/axigen/letsencrypt/mail.example.com/cert.pem to check its header for letsencrypt
2021-12-05 21:07:52 +0100 02 linux WEBADMIN:00000009: LetsE: Could not open file /var/opt/axigen/letsencrypt/mail.example.com/cert.pem to check its header for letsencrypt

Hello Danil

Based on the logs you shared, we see that connections from Let’s Encrypt servers (that try to check the authentication token) are rejected by your Axigen server (check the log lines like: TCPListener connection from ... rejected due to service-level rules).

How could you see that those are from Let’s Encrypt servers? You may just check their reverse DNS entries (called PTR), for example:

$ host 66.133.109.36
36.109.133.66.in-addr.arpa is an alias for ip36-109-133-66.letsencrypt.org.
ip36-109-133-66.letsencrypt.org domain name pointer outbound1.letsencrypt.org.

You may have created some strict acceptance rules for the Axigen WebMail service, so you may have to review them and allow the connections coming from Let’s Encrypt servers (most probably they have published their IP addresses somewhere so that others like you can configure them into their firewall / acceptance policy).

HTH,
Ioan
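
The check described in this reply can be scripted. This is an added example, not part of the original thread or Axigen's tooling: it collects the source IPs rejected on the port 80 listener within a minute of a LetsE log line and optionally resolves their PTR names. The log format is assumed from the lines quoted in the question; the function names and the 60-second window are assumptions.

```python
import re
import socket
from datetime import datetime, timedelta

# Sample input: log lines taken from the question above, embedded to run offline.
SAMPLE_LOG = """\
2021-12-05 21:07:47 +0100 04 linux WEBMAIL:00000000: TCPListener[0.0.0.0:80]: connection from [18.159.196.172:44196] rejected due to service-level rules
2021-12-05 21:07:47 +0100 08 linux WEBADMIN:00000009: LetsE: Found current request
2021-12-05 21:07:47 +0100 04 linux WEBMAIL:00000000: TCPListener[0.0.0.0:80]: connection from [3.142.122.14:30662] rejected due to service-level rules
2021-12-05 21:07:47 +0100 04 linux WEBMAIL:00000000: TCPListener[0.0.0.0:80]: connection from [66.133.109.36:16958] rejected due to service-level rules
2021-12-05 21:07:52 +0100 02 linux WEBADMIN:00000009: LetsE: Could not open file /var/opt/axigen/letsencrypt/mail.example.com/cert.pem to check its header for letsencrypt
"""

STAMP = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [+-]\d{4})"
REJECT = re.compile(STAMP + r".*TCPListener\[[^\]]*:(\d+)\]: connection from "
                    r"\[(.+):\d+\] rejected due to service-level rules")
LETSE = re.compile(STAMP + r".*\bLetsE: ")

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S %z")

def ptr_lookup(ip):
    """Reverse DNS (PTR) name for ip, or None; needs network access."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def rejected_during_issuance(log_text, window_s=60, port=80, resolver=None):
    """Return [(ip, ptr_name)] for connections refused on `port` within
    window_s seconds of any LetsE log line, in first-seen order."""
    lines = log_text.splitlines()
    letse_times = [_ts(m.group(1)) for m in map(LETSE.match, lines) if m]
    window = timedelta(seconds=window_s)
    found = {}
    for m in filter(None, map(REJECT.match, lines)):
        when, lport, ip = _ts(m.group(1)), int(m.group(2)), m.group(3)
        if lport == port and any(abs(when - t) <= window for t in letse_times):
            found.setdefault(ip, resolver(ip) if resolver else None)
    return list(found.items())

if __name__ == "__main__":
    for ip, name in rejected_during_issuance(SAMPLE_LOG, resolver=ptr_lookup):
        print(ip, name or "(no PTR)")
```

Any address listed here was refused by the WebMail listener while a certificate request was in progress, which is the symptom that leaves only account_priv.key in the certificate folder.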

Hi,
It worked out. It was my stupid mistake. I made an access restriction on WebMail, so it dropped all connections.
Anyway, thanks for help.
