TheHolbi

  1. Resolved: The solution for TLSv1.3 on AlmaLinux 9.5 with CWP Pro was to reinstall the hostname certificates (for all services) in the Change Hostname menu with a key size of 4096. After that, all issues were resolved, and the TLSv1.3 check passed both ways, from the terminal and from the browser. Of course, in all templates and Nginx config files the setting was changed to `ssl_protocols TLSv1.2 TLSv1.3;`
  2. The output of the command `update-crypto-policies --show` is "DEFAULT". In addition, I tried the following setting on AlmaLinux 9.5: `sudo update-crypto-policies --set FUTURE`, and it caused an error in the Nginx configuration: `2025/01/25 13:01:53 [emerg] 69470#69470: SSL_CTX_use_certificate("/etc/pki/tls/certs/hostname.bundle") failed (SSL: error:0A00018F:SSL routines::ee key too small)`
  3. Yes, it would be good to extend this guide for http3 support and AlmaLinux 9.x support, with OpenSSL 3.x.
  4. @Sandeep B. How should the sequence described in this post be modified when using AlmaLinux 9.5 with the latest CWP, where the OpenSSL version on the server is 3.2.2? TLSv1.2 with HTTP/2 is running well, and all CWP Nginx templates were modified to use `ssl_protocols TLSv1.2 TLSv1.3;` but TLSv1.3 failed the tests at https://www.cdn77.com/tls-test and also failed terminal tests like `openssl s_client -connect example.com:443 -tls1_3 -debug`, while `openssl s_client -connect example.com:443 -tls1_2 -debug` is OK. And there are no error messages in the nginx log. Do you have any suggestions, or am I missing some necessary component in AlmaLinux 9.x? Any help or ideas will be appreciated. Thanks in advance.
  5. TheHolbi posted a post in a topic in Other WEB Panels
    Hello, I am also using several Contabo VPS with AlmaLinux 9.x and CWP, but the install issues (only 1 or 2 occurred) can be handled with some small corrections. If you can be more specific about your issues, maybe I can help you. So, I suggest using AlmaLinux 9.x (latest). There may be some issue with the mod_security install (the mod_security config file has to be corrected manually). And there may be some issue with the postfix - openssl install; the config files have to be corrected manually. And there may be some issue with the amavis install; the config file has to be corrected manually. After finalizing the component install, the server with CWP and AlmaLinux 9.x runs very well and is stable. So, what were your issues?
  6. The DKIM signature issue was resolved as follows. These lines were missing from /etc/postfix/main.cf:

     ```
     #DKIM
     milter_default_action = accept
     milter_protocol = 6
     smtpd_milters = inet:localhost:8891
     non_smtpd_milters = inet:localhost:8891
     ```

     and the correct /etc/opendkim.conf was:

     ```
     AutoRestart Yes
     AutoRestartRate 10/1h
     LogWhy Yes
     Syslog Yes
     SyslogSuccess Yes
     Mode sv
     Canonicalization relaxed/simple
     ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
     InternalHosts refile:/etc/opendkim/TrustedHosts
     KeyTable refile:/etc/opendkim/KeyTable
     SigningTable refile:/etc/opendkim/SigningTable
     SignatureAlgorithm rsa-sha256
     Socket inet:8891@localhost
     PidFile /var/run/opendkim/opendkim.pid
     UMask 022
     UserID opendkim:opendkim
     TemporaryDirectory /var/tmp
     ```

     After completing /etc/postfix/main.cf and restarting the services, the DKIM signature was properly inserted into the outgoing emails.
  7. Hi @Netino The output is the following:

     ```
     -o content_filter=smtp-amavis:127.0.0.1:10024
     -o smtpd_sasl_auth_enable=yes
     -o smtpd_client_restrictions=permit_sasl_authenticated,reject
     smtps inet n - n - - smtpd
     -o smtpd_tls_wrappermode=yes
     -o smtpd_sasl_auth_enable=yes
     -o smtpd_client_restrictions=permit_sasl_authenticated,reject
     -o content_filter=
     -o content_filter=
     -o smtpd_recipient_restrictions=permit_mynetworks,reject
     -o smtpd_client_restrictions=
     ```
  8. I have just migrated a CWP installation from CentOS 7 to AlmaLinux 9.4 by migrating the /home directory, the /var/vmail directory, and the databases. All the features have been configured, but I have two problems that I have not yet managed to solve. AlmaLinux 9.4 was installed with OpenSSL 3.0.7 1 Nov 2022 by CWP, and none of the programs, even a Laravel 11.x app under PHP 8.3.12, can send mail over port 465. Error message:

     ```
     Connection could not be established with host "ssl://mail.example.com:465": stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed {"exception":"[object] (Symfony\\Component\\Mailer\\Exception\\TransportException(code: 0): Connection could not be established with host \"ssl://mail.example.com:465\": stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed at /home/user/laravel/vendor/symfony/mailer/Transport/Smtp/Stream/SocketStream.php:154)
     ```

     I had to temporarily switch to using port 25 in the SMTP service. The other problem is that postfix does not put DKIM signatures on the mails, even though all elements of the system, OpenDKIM, etc. are installed and running. What should the config files of postfix and opendkim look like in CWP to get this service working properly?
  9. Hello @Sandeep B. I started to move all my CWP based servers to CWP el9 with AlmaLinux 9.4.x. Is there any update to the tutorial described above? Is the Apache or the NGINX version of HTTP2 recommended by you? Thank you in advance.
  10. Thank you. I will be back soon after tests.
  11. Hi @Sandeep B. Did you find any solutions to this issue? Kindest regards: TheHolbi
  12. TheHolbi started following Sandeep B.
  13. Hi @Sandeep B. Did you find any solutions to handle this issue?
  14. Other data: The HTTP2 installation deletes the mod_security2.so file from the modules folder. And if mod_security is installed again, it will be incompatible and won't load.
  15. Hi @Sandeep B. The process in the tutorial was tested in another CWPPro instance of my services. The mod_security was installed on the server before this test. The error appeared after running Goto Apache Settings >> Apache Re-Build >> Select Next : Next delete/replace all with this flags/lines under "Additional configuration" (the config was changed properly) -- then Click on Start Compiler in background.

      ```
      Feb 06 12:55:27 vps.trianity.dev systemd[1]: Stopped Web server Apache.
      Feb 06 12:55:27 vps.trianity.dev systemd[1]: Unit httpd.service entered failed state.
      Feb 06 12:55:27 vps.trianity.dev systemd[1]: httpd.service failed.
      Feb 06 12:55:27 vps.trianity.dev systemd[1]: Starting Web server Apache...
      Feb 06 12:55:27 vps.trianity.dev apachectl[30361]: httpd: Syntax error on line 511 of /usr/local/apache/conf/httpd.conf: Syntax error on line 9 of /usr/local/apache/conf.d/mod_security.conf: Cannot load modules/mod_security2.so into server: /usr/local/apache/modules/mod_security2.so: undefined symbol: apr_crypto_block_cleanup
      Feb 06 12:55:27 vps.trianity.dev systemd[1]: httpd.service: control process exited, code=exited status=1
      Feb 06 12:55:27 vps.trianity.dev systemd[1]: Failed to start Web server Apache.
      Feb 06 12:55:27 vps.trianity.dev systemd[1]: Unit httpd.service entered failed state.
      Feb 06 12:55:27 vps.trianity.dev systemd[1]: httpd.service failed.
      ```
  16. OK, thank you. Is there a special reason to use Nghttp2 version 1.42.0, and not the latest available Nghttp2 v1.59.0, in the tutorial? It is true that Nghttp2 v1.59.0 dropped support for old OpenSSL (< 1.1.1), but we use 1.1.1u in the build and it can be good.
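
The DKIM fix in item 6 depends on Postfix and OpenDKIM naming the same listener in two different syntaxes (`inet:localhost:8891` in main.cf, `inet:8891@localhost` in opendkim.conf). The following is an added example, not part of the posts above and not CWP code: a Python check that normalizes both forms and reports which milter settings fail to reach the OpenDKIM socket. The function names and sample strings are constructed for illustration, and hosts are compared as literal strings.

```python
import re

# Constructed samples that mirror the settings quoted in the post.
MAIN_CF_FIXED = """#DKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
"""
MAIN_CF_BEFORE = "myhostname = mail.example.com\n"  # constructed: milter lines missing
OPENDKIM_CONF = "Mode sv\nSocket inet:8891@localhost\n"

def parse_conf(text, sep):
    """Map key -> value for non-comment lines; sep is '=' (Postfix) or None (OpenDKIM)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(sep, 1)
            if len(parts) == 2:
                conf[parts[0].strip()] = parts[1].strip()
    return conf

def postfix_endpoints(value):
    """Postfix writes inet milters as inet:host:port, comma or space separated."""
    found = set()
    for item in re.split(r"[,\s]+", value.strip()):
        m = re.fullmatch(r"inet:([^:]+):(\d+)", item)
        if m:
            found.add((m.group(1).lower(), int(m.group(2))))
    return found

def opendkim_endpoint(value):
    """OpenDKIM writes the same listener as inet:port@host."""
    m = re.fullmatch(r"inet:(\d+)@(\S+)", value.strip())
    return (m.group(2).lower(), int(m.group(1))) if m else None

def check_dkim_wiring(main_cf, opendkim_conf):
    """Return a list of problems; an empty list means both milter settings reach OpenDKIM."""
    postfix = parse_conf(main_cf, "=")
    sock = opendkim_endpoint(parse_conf(opendkim_conf, None).get("Socket", ""))
    if sock is None:
        return ["opendkim.conf: no inet Socket found"]
    return [f"main.cf: {key} does not point at inet:{sock[0]}:{sock[1]}"
            for key in ("smtpd_milters", "non_smtpd_milters")
            if sock not in postfix_endpoints(postfix.get(key, ""))]

if __name__ == "__main__":
    print(check_dkim_wiring(MAIN_CF_BEFORE, OPENDKIM_CONF))
    print(check_dkim_wiring(MAIN_CF_FIXED, OPENDKIM_CONF))
```

With the milter lines absent, both `smtpd_milters` and `non_smtpd_milters` are reported, which matches the symptom in item 8 of OpenDKIM running while no signature is added.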