error 42 ssl certificate expired

Aki Tuomi aki.tuomi at open-xchange.com
Tue Apr 13 08:15:34 EEST 2021


To me it seems you are serving a valid cert; I checked with openssl s_client -connect host:443 -servername domain

Not sure why you have all those local_name blocks there when the cert you are offering covers all your names already.

Aki

> On 13/04/2021 07:59 gmail <ljakku77 at gmail.com> wrote:
> 
>  
> I got my certs forcibly renewed.
> 
> doveconf -nP:
> 
> # 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.5.7.2 ()
> # OS: Linux 5.9.0-rc5-lja-tv+ x86_64 Ubuntu 20.04.2 LTS
> # Hostname: superman.sillywalk.org
> auth_debug = yes
> auth_debug_passwords = yes
> auth_mechanisms = plain login
> auth_username_format = %Ln
> auth_verbose = yes
> auth_verbose_passwords = plain
> debug_log_path = /var/log/dovecot-debug.log
> info_log_path = /var/log/dovecot-info.log
> log_path = /var/log/dovecot.log
> mail_debug = yes
> mail_location = maildir:~/Maildir/
> mbox_write_locks = fcntl
> namespace inbox {
>    inbox = yes
>    location =
>    mailbox Drafts {
>      special_use = \Drafts
>    }
>    mailbox Junk {
>      special_use = \Junk
>    }
>    mailbox Sent {
>      special_use = \Sent
>    }
>    mailbox "Sent Messages" {
>      special_use = \Sent
>    }
>    mailbox Trash {
>      special_use = \Trash
>    }
>    prefix =
> }
> passdb {
>    driver = pam
> }
> protocols = imap pop3 lmtp
> service auth {
>    unix_listener /var/spool/postfix/private/auth {
>      group = mail
>      mode = 0660
>      user = postfix
>    }
> }
> service lmtp {
>    unix_listener /var/spool/postfix/private/dovecot-lmtp {
>      group = mail
>      mode = 0660
>      user = postfix
>    }
> }
> ssl_cert = </etc/letsencrypt/live/lja.fi/fullchain.pem
> ssl_dh = </usr/share/dovecot/dh.pem
> ssl_key = </etc/letsencrypt/live/lja.fi/privkey.pem
> userdb {
>    args = username_format=%Ln
>    driver = passwd
> }
> protocol lmtp {
>    postmaster_address = postmaster@localhost
> }
> protocol imap {
>    imap_metadata = yes
> }
> local_name domainA.fi {
>    ssl_cert = </etc/letsencrypt/live/informaatiotiili.fi/fullchain.pem
>    ssl_dh = </usr/share/dovecot/dh.pem
>    ssl_key = </etc/letsencrypt/live/informaatiotiili.fi/privkey.pem
> }
> local_name informationbrick.com {
>    ssl_cert = </etc/letsencrypt/live/informationbrick.com/fullchain.pem
>    ssl_dh = </usr/share/dovecot/dh.pem
>    ssl_key = </etc/letsencrypt/live/informationbrick.com/privkey.pem
> }
> local_name paxsudos.fi {
>    ssl_cert = </etc/letsencrypt/live/paxsudos.fi/fullchain.pem
>    ssl_dh = </usr/share/dovecot/dh.pem
>    ssl_key = </etc/letsencrypt/live/paxsudos.fi/privkey.pem
> }
> 
> local_name paxsudos.com {
>    ssl_cert = </etc/letsencrypt/live/paxsudos.com/fullchain.pem
>    ssl_dh = </usr/share/dovecot/dh.pem
>    ssl_key = </etc/letsencrypt/live/paxsudos.com/privkey.pem
> }
> 
> local_name lja.fi {
>    ssl_cert = </etc/letsencrypt/live/lja.fi/fullchain.pem
>    ssl_dh = </usr/share/dovecot/dh.pem
>    ssl_key = </etc/letsencrypt/live/lja.fi/privkey.pem
> }
> 
> The certs are working fine and are up to date. (Apache2 with same certs 
> for domains works ok)
> 
> 
> I don't know how to use the openssl x509 -text command; if I run it like
> 
> echo "" | openssl x509 -text
> 
> I get loads of errors.
> 
> 
> My distro:
> 
> Distributor ID: Ubuntu
> Description:    Ubuntu 20.04.2 LTS
> Release:        20.04
> Codename:       focal
> 
> Aki Tuomi kirjoitti 13.4.2021 klo 7:40:
> > Uh. You are practically proposing that all versions after 2.3.7.2 would 
> > be serving expired SSL certs, due to some bug? If that was the case, then 
> > I would believe we would've been inundated with bug reports for the past year or so. Installation probably breaks because you are using an expired cert, from the wrong path.
> >
> > Doublecheck output of `doveconf -nP` and `openssl x509 -text` to make sure you are indeed using correct, non-expired certificate.
> >
> > Aki
> >
> >> On 13/04/2021 07:16 gmail <ljakku77 at gmail.com> wrote:
> >>
> >>   
> >> Hi,
> >>
> >> I got news: dovecot is the one that is broken. I got all other
> >> stuff updated to the latest BUT not dovecot, and I got a working system.
> >>
> >>
> >> If I upgrade dovecot, the installation breaks. I'm using Let's Encrypt's certs.
> >>
> >>
> >> The version that is good is 2.3.7.2 (3c910f64b)
> >>
> >>
> >> Heiko Schlittermann kirjoitti 12.4.2021 klo 23:20:
> >>> Hi,
> >>>
> >>>> In our case this is an internally used Dovecot Mail server that's used for
> >>> …
> >>>> certificates worth the expense? Just curious on what everyone's opinion is
> >>>> of Digital Certs signed by certificate authorities that are only used inside
> >>>> the LAN. Thoughts?
> >>> Aki is right. In the long run it's easier to use "official" certs. Since
> >>> the advent of Let's Encrypt it is cheap.
> >>>
> >>> Of course, getting a certificate from Let's Encrypt for an internal
> >>> service isn't as easy as for a public HTTP server, but it is possible.
> >>>
> >>> (We use a dedicated machine, requesting certs for all our internal
> >>> services, employing the DNS challenge with Let's Encrypt. From this
> >>> dedicated machine then we deploy the certs into our internal
> >>> infrastructure using https://gitea.schlittermann.de/heiko/cert-proxy.git)
> >>>
> >>>>>> I also tried creating new .crt and key files using this tutorial:
> >>>>>> https://msol.io/blog/tech/create-a-self-signed-ssl-certificate-with-openssl/
> >>> No need to use tech blogs. Use "man req" and your brain.
> >>>
> >>>           openssl req -x509 -new \
> >>>                   -out ssl.pem \
> >>>                   -keyout ssl.pem -newkey rsa:4096 -nodes \
> >>>                   -subj /CN=example.com -days 365
> >>>
> >>>           (or two distinct files for crt and key).
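Worked example added by the editor, not code from any message in this thread. It turns the two checks Aki asks for (the `openssl s_client ... -servername` probe and `openssl x509 -text` on the file that each ssl_cert line points at) into shell functions that report expiry headroom and whether a given SNI name is covered by the certificate's SAN list. The user's `echo "" | openssl x509 -text` fails because `openssl x509` expects a PEM certificate on stdin or via -in, so an empty string yields "unable to load certificate"; these helpers always pass a file. The names example.test and mail.example.test, the fixture certificate and the 30-day validity are constructed for the example and assume only the openssl command line tool is installed.

```shell
#!/bin/sh
# Added example, not from the thread. Requires only the openssl CLI.
# `openssl x509` reads one PEM certificate from -in (or stdin); piping it an
# empty string, as in `echo "" | openssl x509 -text`, produces the
# "unable to load certificate" errors, so these helpers always hand it a file.

# Print subject and validity window of the PEM certificate in file $1.
cert_summary() {
  openssl x509 -in "$1" -noout -subject -startdate -enddate
}

# Print one DNS name per line from the certificate's subjectAltName extension.
cert_names() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Exit 0 if the certificate in $1 is still valid for at least $2 more seconds
# (default 0), 1 if it expires sooner. This is the condition behind a
# "certificate expired" error, so run it over every ssl_cert path that
# doveconf -nP prints, including the ones inside local_name blocks.
cert_ok_for() {
  openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Exit 0 if the certificate in $1 lists DNS name $2 in its SAN extension.
# If the default ssl_cert passes this for a name, a local_name block for
# that name only adds another file that can expire separately.
cert_covers_name() {
  cert_names "$1" | grep -qxF "$2"
}

# Save the leaf certificate a live server presents for SNI name $3 (host $1,
# port $2) into file $4. This is the s_client probe from the reply made
# reusable; add -starttls imap for port 143. printf '' closes stdin so
# s_client returns as soon as the handshake is done.
fetch_served_cert() {
  printf '' | openssl s_client -connect "$1:$2" -servername "$3" 2>/dev/null \
    | openssl x509 -outform PEM > "$4"
}

# Constructed fixture for offline testing: a self-signed certificate valid
# for 30 days covering two hypothetical names, built with the same
# `openssl req -x509` form shown in Heiko's message. Key goes to $1.key.
make_test_cert() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -keyout "$1.key" -out "$1" -subj /CN=example.test \
    -addext 'subjectAltName=DNS:example.test,DNS:mail.example.test' \
    >/dev/null 2>&1
}
```

Typical use against a running server is `fetch_served_cert mail.example.test 993 mail.example.test /tmp/served.pem` followed by `cert_summary /tmp/served.pem` and `cert_ok_for /tmp/served.pem $((14*86400))`, which tells you both what the server is really sending for that SNI name and whether renewal has actually reached the running daemon rather than only the files on disk (Dovecot has to be reloaded after the files change).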

