error 42 ssl certificate expired

gmail ljakku77 at gmail.com
Tue Apr 13 07:59:52 EEST 2021


I got forcibly renewed my certs.

dovecot -nP:

# 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.2 ()
# OS: Linux 5.9.0-rc5-lja-tv+ x86_64 Ubuntu 20.04.2 LTS
# Hostname: superman.sillywalk.org
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_username_format = %Ln
auth_verbose = yes
auth_verbose_passwords = plain
debug_log_path = /var/log/dovecot-debug.log
info_log_path = /var/log/dovecot-info.log
log_path = /var/log/dovecot.log
mail_debug = yes
mail_location = maildir:~/Maildir/
mbox_write_locks = fcntl
namespace inbox {
   inbox = yes
   location =
   mailbox Drafts {
     special_use = \Drafts
   }
   mailbox Junk {
     special_use = \Junk
   }
   mailbox Sent {
     special_use = \Sent
   }
   mailbox "Sent Messages" {
     special_use = \Sent
   }
   mailbox Trash {
     special_use = \Trash
   }
   prefix =
}
passdb {
   driver = pam
}
protocols = imap pop3 lmtp
service auth {
   unix_listener /var/spool/postfix/private/auth {
     group = mail
     mode = 0660
     user = postfix
   }
}
service lmtp {
   unix_listener /var/spool/postfix/private/dovecot-lmtp {
     group = mail
     mode = 0660
     user = postfix
   }
}
ssl_cert = </etc/letsencrypt/live/lja.fi/fullchain.pem
ssl_dh = </usr/share/dovecot/dh.pem
ssl_key = </etc/letsencrypt/live/lja.fi/privkey.pem
userdb {
   args = username_format=%Ln
   driver = passwd
}
protocol lmtp {
   postmaster_address = postmaster at localhost
}
protocol imap {
   imap_metadata = yes
}
local_name domainA.fi {
   ssl_cert = </etc/letsencrypt/live/informaatiotiili.fi/fullchain.pem
   ssl_dh = </usr/share/dovecot/dh.pem
   ssl_key = </etc/letsencrypt/live/informaatiotiili.fi/privkey.pem
}
local_name informationbrick.com {
   ssl_cert = </etc/letsencrypt/live/informationbrick.com/fullchain.pem
   ssl_dh = </usr/share/dovecot/dh.pem
   ssl_key = </etc/letsencrypt/live/informationbrick.com/privkey.pem
}
local_name paxsudos.fi {
   ssl_cert = </etc/letsencrypt/live/paxsudos.fi/fullchain.pem
   ssl_dh = </usr/share/dovecot/dh.pem
   ssl_key = </etc/letsencrypt/live/paxsudos.fi/privkey.pem
}

local_name paxsudos.com {
   ssl_cert = </etc/letsencrypt/live/paxsudos.com/fullchain.pem
   ssl_dh = </usr/share/dovecot/dh.pem
   ssl_key = </etc/letsencrypt/live/paxsudos.com/privkey.pem
}

local_name lja.fi {
   ssl_cert = </etc/letsencrypt/live/lja.fi/fullchain.pem
   ssl_dh = </usr/share/dovecot/dh.pem
   ssl_key = </etc/letsencrypt/live/lja.fi/privkey.pem
}

The certs are working fine and are up to date. (Apache2 with the same certs for the domains works ok.)


I don't know how to use the openssl x509 -text command; if I run it like

echo "" | openssl x509 -text

I get loads of errors.


My distro:

Distributor ID: Ubuntu
Description:    Ubuntu 20.04.2 LTS
Release:        20.04
Codename:       focal

Aki Tuomi wrote on 13.4.2021 at 7:40:
> Uh. You are practically proposing that all versions after 2.3.7.2 would 
> be serving expired SSL certs, due to some bug? If that was the case, then 
> I would believe we would've been inundated with bug reports for the past year or so. Installation probably breaks because you are using expired cert, from wrong path.
>
> Doublecheck output of `doveconf -nP` and `openssl x509 -text` to make sure you are indeed using correct, non-expired certificate.
>
> Aki
>
>> On 13/04/2021 07:16 gmail <ljakku77 at gmail.com> wrote:
>>
>>
>> Hi,
>>
>> I got news: dovecot is the one that is broken. I got all the other
>> stuff updated to the latest BUT not dovecot, and I got a working system.
>>
>>
>> If I upgrade dovecot, the installation breaks. I'm using Let's Encrypt's certs.
>>
>>
>> The version that is good is 2.3.7.2 (3c910f64b)
>>
>>
>> Heiko Schlittermann wrote on 12.4.2021 at 23:20:
>>> Hi,
>>>
>>>> In our case this is an internally used Dovecot Mail server that's used for
>>>> certificates worth the expense? Just curious on what everyone's opinion is
>>>> of Digital Certs signed by certificate authorities that are only used inside
>>>> the LAN. Thoughts?
>>> Aki is right. In the long run it's easier to use "official" certs. Since
>>> the advent of Let's Encrypt it is cheap.
>>>
>>> Of course, getting a certificate from Let's Encrypt for an internal
>>> service isn't as easy as for a public HTTP server, but it is possible.
>>>
>>> (We use a dedicated machine, requesting certs for all our internal
>>> services, employing the DNS challenge with Let's Encrypt. From this
>>> dedicated machine then we deploy the certs into our internal
>>> infrastructure using https://gitea.schlittermann.de/heiko/cert-proxy.git)
>>>
>>>>>> I also tried creating new .crt and key files using this tutorial:
>>>>>> https://msol.io/blog/tech/create-a-self-signed-ssl-certificate-with-openssl/
>>> No need to use tech blogs. Use "man req" and brain.
>>>
>>>           openssl req -x509 -new \
>>>                   -out ssl.pem \
>>>                   -keyout ssl.pem -newkey rsa:4096 -nodes \
>>>                   -subj /CN=example.com -days 365
>>>
>>>           (or two distinct files for crt and key).
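Added example, not part of the thread and not Dovecot's own tooling: a small POSIX shell script that does the check Aki asks for. It reads `doveconf -nP` output, pulls the `ssl_cert` path from the global setting and from each `local_name` (SNI) block, and asks `openssl x509 -checkend` whether the leaf certificate in each file has already expired or expires within a grace period; a last function asks the running server what it actually hands out for a given SNI name, which is the check that catches a stale path or a daemon that was never reloaded after renewal. Note that `echo "" | openssl x509 -text` fails because nothing is on stdin; `openssl x509` wants the PEM file via `-in`. The sample config text, hostnames, paths and function names below are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: find which certificate files Dovecot is
# configured to serve (global ssl_cert plus every local_name/SNI block) and
# report whether each leaf certificate has expired or is about to.
# Assumes POSIX sh, awk and openssl; doveconf is only needed for the live run.

# Constructed doveconf -nP excerpt for offline use; the real thing comes from
# `doveconf -nP` on the server (names and paths below are made up).
SAMPLE_CONF='ssl_cert = </etc/letsencrypt/live/lja.fi/fullchain.pem
ssl_key = </etc/letsencrypt/live/lja.fi/privkey.pem
local_name paxsudos.fi {
  ssl_cert = </etc/letsencrypt/live/paxsudos.fi/fullchain.pem
  ssl_key = </etc/letsencrypt/live/paxsudos.fi/privkey.pem
}
local_name lja.fi {
  ssl_cert = </etc/letsencrypt/live/lja.fi/fullchain.pem
}'

# cert_paths: read doveconf -nP text on stdin and print "<name> <path>" for every
# ssl_cert line, where <name> is the enclosing local_name, or "default" for the
# global setting. Only a column-0 "}" closes a local_name block, so the indented
# braces of namespace/mailbox blocks are ignored.
cert_paths() {
    awk '
        /^local_name[ \t]+/ { name = $2; next }
        /^}/                { name = ""; next }
        /^[ \t]*ssl_cert[ \t]*=[ \t]*</ {
            sub(/^[ \t]*ssl_cert[ \t]*=[ \t]*</, "")
            label = (name == "" ? "default" : name)
            print label, $0
        }
    '
}

# cert_status PEM [DAYS]: print "unreadable", "expired", "expiring" (valid now but
# not in DAYS days, default 7) or "ok". openssl x509 reads only the first
# certificate in the file, i.e. the leaf of a Let's Encrypt fullchain.pem.
cert_status() {
    pem=$1
    days=${2:-7}
    [ -r "$pem" ] || { echo unreadable; return 0; }
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
}

# check_dovecot_certs [DAYS]: combine the two, one line per configured cert:
# "<name> <path> <status> <notAfter>".
check_dovecot_certs() {
    cert_paths | while read -r name pem; do
        status=$(cert_status "$pem" "${1:-7}")
        end=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null | sed 's/^notAfter=//')
        printf '%s %s %s %s\n' "$name" "$pem" "$status" "${end:-?}"
    done
}

# served_cert_enddate HOST PORT NAME: the notAfter of the certificate the running
# server actually presents for SNI name NAME (e.g. port 993 for IMAPS),
# independent of what the files on disk say.
served_cert_enddate() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null |
        openssl x509 -noout -enddate
}

# Live run when doveconf is present, otherwise the constructed sample.
if command -v doveconf >/dev/null 2>&1; then
    doveconf -nP | check_dovecot_certs
else
    printf '%s\n' "$SAMPLE_CONF" | check_dovecot_certs
fi
```

On a server, `doveconf -nP | check_dovecot_certs 14` lists each configured certificate with its status and notAfter date, and `served_cert_enddate mail.example.test 993 paxsudos.fi` shows the date of the certificate the live IMAPS listener presents for that SNI name; when the file says "ok" but the server presents an expired date, the daemon still holds the old file and needs a reload.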