postfix/submission/smtpd certificate expired alert number 45

I tried to configure the Laravel mail client with a secure TLS connection to my email server, but in the email client I got:

Unable to connect with STARTTLS: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed.

At the same time on my email server in /var/log/maillog I observed the following:

Aug 8 10:05:46 mail postfix/submission/smtpd[30830]: connect from unknown[111.211.48.11]
Aug 8 10:05:46 mail postfix/submission/smtpd[30830]: SSL_accept error from unknown[111.211.48.11]: 0
Aug 8 10:05:46 mail postfix/submission/smtpd[30830]: warning: TLS library problem: 30830:error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:s3_pkt.c:1493:SSL alert number 45:
Aug 8 10:05:46 mail postfix/submission/smtpd[30830]: lost connection after STARTTLS from unknown[111.211.48.11]
Aug 8 10:05:46 mail postfix/submission/smtpd[30830]: disconnect from unknown[111.211.48.11]

But the Let's Encrypt certificate was up to date.

How to create full-chain pem certificate

You can use your favourite text editor to create a combined full-chain pem certificate. The most important thing here is the order.

The correct order in a .crt file will be the following:

How to create full-chain pfx certificate

A full-chain pfx certificate can be created by one of the following methods:

Postman Unable to verify the first certificate

The error Unable to verify the first certificate occurs in the Postman cloud agent because it does not have a Trusted Root certificate store holding the intermediate and root CA certificates, and thus cannot verify the client → intermediate → root CA chain. Azure Application Gateway does not have a Trusted Root certificate store either, so the error occurs there under the same conditions.

HAProxy mixed content warning when using HTTPS

I use HAProxy to do SSL offloading for a WordPress site. The frontend listens on ports 80 and 443, and HAProxy redirects HTTP to HTTPS using
redirect scheme https code 301 if !{ ssl_fc }
Redirection works well when the page is accessed on port 80.
However, the pages load incompletely, and looking in the console of Firefox/Chrome it can be seen that "mixed mode content" is blocked by the browser. Some stylesheets, scripts and images are still accessed over http instead of https.
301 is a permanent redirection, so why is this happening? The browser should not even try http because it should be aware of the permanent redirection. And besides that, even when http is used accidentally, it should still be redirected to https.

HAProxy path-based routing with SSL in http mode with SNI on backend servers

The setup I need to build with HAProxy is a high availability solution consisting of http (http to https redirection must be configured in HAProxy) and https frontends with two backends. The backend servers have HTTPS enabled, so HAProxy must establish HTTPS connections to them. We have four backend servers, and we want the first two servers to serve one specific app (the /app path) and the other two to serve all other requests, so we need path-based routing in HAProxy. In addition, there are multiple domains that must be served by the backend servers (and HAProxy).

As we need path-based routing, HAProxy must operate in http mode (at layer 7), allowing it to examine the contents of HTTP headers and extract the Host and Path headers. The incoming request must then be sent to the proper backend based on the Path header, and the connection to the backend server must be established via HTTPS. As multiple domains must be served by HAProxy and the backends, we need to install multiple certificates in HAProxy and enable Server Name Indication (SNI) towards the backend servers.

Here is how to configure HAProxy that way, step by step.

IIS import error Failed to add duplicate collection element “mysite”

If you try to import your website configuration on another IIS and get this error message while you don't have "mysite" deployed on the new IIS, it means that a website with the same ID already exists on the new IIS. The solution to the Failed to add duplicate collection element error in this case is also simple:

IIS export import configuration

When using multiple IIS servers in a load balanced environment, it is a lot of work to create all your websites twice with the same settings on each webserver. Therefore it is possible to export and import your configuration from one IIS webserver to the other.

When you create a website in IIS, a unique application pool is also created and used by that website; that's why you need to import these application pools on the second webserver first, before importing the website(s).

Terraform set timezone upon virtual machine creation


Sometimes it's important to set the proper timezone on a server, and recently I got this task: set the proper timezone automatically based on the server's location in Azure Cloud. Moreover, I needed the timezone to be set automatically by Terraform upon virtual machine creation. In my case I had Ubuntu VMs in Azure, and here is the simple and elegant solution I came up with:

How to find unattached Public IPs in Azure

Finding the Unassociated IP Addresses

  1. Open the Azure Portal.
  2. Perform a search for Public IP addresses.
  3. Click on the +Add filter option.
  4. From the drop-down for Operator, select “==”.
  5. Select “” for Value.
  6. Click Apply.

After you complete these steps, you'll have a list of unattached Azure public IP addresses. The next phase involves selecting and deleting the addresses that are not in use by any resource.
