error 42 ssl certificate expired

Aki Tuomi aki.tuomi at open-xchange.com
Tue Apr 13 07:40:23 EEST 2021 

Uh. You are practically proposing that all versions after 2.3.7.2 would be serving expired SSL certs, due to some bug? It that was the case, then I would believe we would've been inundated with bug reports for the past year or so. Installation probably breaks because you are using expired cert, from wrong path. 

Doublecheck output of `doveconf -nP` and `openssl x509 -text` to make sure you are indeed using correct, non-expired certificate.

Aki

> On 13/04/2021 07:16 gmail <ljakku77 at gmail.com> wrote:
> 
>  
> Hi,
> 
> I got news: dovecot is the one that is broken, i got setup all other 
> stuff updated to latest BUT not dovecot, and i got working system.
> 
> 
> if I upgrade dovecot, the installation breaks. I'm using letencrypt's certs.
> 
> 
> The version that is good is 2.3.7.2 (3c910f64b)
> 
> 
> Heiko Schlittermann kirjoitti 12.4.2021 klo 23:20:
> > Hi,
> >
> >> In our case this is an internally used Dovecot Mail server that's used for
> > …
> >> certificates worth the expense? Just curious on what everyone's opinion is
> >> of Digital Certs signed by certificate authorities that are only used inside
> >> the LAN. Thoughts?
> > Aki is right. On the long run it's easier to use "offcial" certs. Since
> > the advent of Let's encrypt it is cheap.
> >
> > Of course, getting a certificate from Let's Encrypt for an internal
> > service isn't as easy as for a public HTTP server, but it is possible.
> >
> > (We use a dedicated machine, requesting certs for all our internal
> > services, employing the DNS challenge with Let's Encrypt. From this
> > dedicated machine then we deploy the certs into our internal
> > infrastructure using https://gitea.schlittermann.de/heiko/cert-proxy.git)
> >
> >>>> I also tried creating new .crt and key files using this tutorial:
> >>>> https://msol.io/blog/tech/create-a-self-signed-ssl-certificate-with-openssl/
> > No need to use tech blogs. Use "man req" and brain.
> >
> >          openssl req -x509 -new \
> >                  -out ssl.pem \
> >                  -keyout ssl.pem -newkey rsa:4096 -nodes \
> >                  -subj /CN=example.com -days 365
> >
> >          (or two distinct files for crt and key).

More information about the dovecot mailing list