repo.dovecot.org expired certificate
Hello,
Not sure if this is the right place to post this, but the ssl certificate of the repo.dovecot.org server expired on the 9th of January.
It's giving an error via the browser and via the apt command in Debian:
W: Failed to fetch https://repo.dovecot.org/ce-2.3-latest/debian/jessie/dists/jessie/main/binar... server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Cheers!
Filipe Carvalho
--
UP Digital Filipe Carvalho
Infraestruturas Tecnológicas / IT infrastructures
filipec@uporto.pt <mailto:filipec@uporto.pt>
On 10.1.2019 9.42, Filipe Carvalho wrote:
Hello,
Not sure if this is the right place to post this, but the ssl certificate of the repo.dovecot.org server expired on the 9th of January.
It's giving an error via the browser and via the apt command in Debian:
W: Failed to fetch https://repo.dovecot.org/ce-2.3-latest/debian/jessie/dists/jessie/main/binar... server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Cheers!
Filipe Carvalho
--
UP Digital Filipe Carvalho
Infraestruturas Tecnológicas / IT infrastructures
filipec@uporto.pt <mailto:filipec@uporto.pt>
Amazing this certbot thing...
[Unit]
Description=Certbot
Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
Documentation=https://letsencrypt.readthedocs.io/en/latest/

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot -q renew --post-hook /etc/letsencrypt/post.hooks.d/reload
PrivateTmp=true
one would think this would work and reload nginx after the cert has been renewed...
Aki
Yup, that did the trick.
Thanks!
Filipe
Would be better if it would happen automatically though.
Aki
Hello,
In the ExecStart I also use "--agree-tos".
Instead of --post-hook, maybe --deploy-hook is better.
I usually put my scripts in the folder /etc/letsencrypt/renewal-hooks/deploy/ instead of using --deploy-hook.
Andrea
--
What's right isn't always popular, what's popular isn't always right.
Ing. Andrea Gabellini Email: andrea.gabellini@telecomitalia.sm Skype: andreagabellini Tel: (+378) 0549 886111 Fax: (+378) 0549 886188
Telecom Italia San Marino S.p.A. Via XXVIII Luglio, 212 - Piano -2 47893 Borgo Maggiore Republic of San Marino
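The approach Andrea describes, a script placed in /etc/letsencrypt/renewal-hooks/deploy/, shown as an added example (not code from the thread or from certbot). RENEWED_LINEAGE and RENEWED_DOMAINS are exported by certbot to deploy hooks; the service list, the overridable SYSTEMCTL/NGINX/LOGGER variables and the function names are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: a deploy hook for
# /etc/letsencrypt/renewal-hooks/deploy/. certbot runs it only after a
# certificate was actually renewed and exports RENEWED_LINEAGE (the live
# directory) and RENEWED_DOMAINS (space-separated names).

# Assumed service list as "name:action" pairs; adjust to the host.
SERVICES="${SERVICES:-nginx:reload postfix:reload}"
# Commands are overridable so the hook can be exercised without touching services.
SYSTEMCTL="${SYSTEMCTL:-/usr/bin/systemctl}"
NGINX="${NGINX:-/usr/sbin/nginx}"
LOGGER="${LOGGER:-/usr/bin/logger}"

log() { "$LOGGER" -t certbot-deploy "$*"; }

deploy_hook() {
    lineage="${RENEWED_LINEAGE:-}"
    # Refuse to act when the renewed certificate chain is missing or empty.
    if [ -z "$lineage" ] || [ ! -s "$lineage/fullchain.pem" ]; then
        log "no renewed lineage found, nothing reloaded"
        return 2
    fi
    log "renewed: ${RENEWED_DOMAINS:-unknown} ($lineage)"
    failed=0
    for entry in $SERVICES; do
        svc="${entry%%:*}"
        action="${entry##*:}"
        # With a broken config the reload is rejected and nginx keeps the old cert.
        if [ "$svc" = nginx ] && ! "$NGINX" -t >/dev/null 2>&1; then
            log "nginx config test failed, not reloading"
            failed=1
            continue
        fi
        if "$SYSTEMCTL" "$action" "$svc"; then
            log "$action $svc ok"
        else
            log "$action $svc FAILED"
            failed=1
        fi
    done
    # Return non-zero so the caller can see that a service was not reloaded.
    return "$failed"
}

# Run only when certbot invoked the hook (it sets RENEWED_LINEAGE).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook
fi
```

The file has to be executable for certbot to run it from the deploy directory.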
Hi Aki,
It doesn't happen very often, but the certificate renewal can fail, so it's best to check daily. certbot will only try to renew those certificates that are about to expire in a few weeks.
I'm using a little Perl script via cron, which may be more flexible:
#!/usr/bin/perl

my $reload_count;

open(FF, "find /etc/letsencrypt/live -mtime -1 -name cert.pem |");
while(<FF>){
    chomp;
    next if !$_;
    system("/usr/bin/logger \"sslreload: ssl certificate $_ needs reload after renew\"");
    $reload_count++;
}
close(FF);

if($reload_count){
    system("/usr/bin/logger \"sslreload: $reload_count certificates changed, reloading services\"");
    # list all your affected services or rsync/reload on other nodes
    # some services need restart, not reload
    system("/usr/bin/systemctl reload httpd");
    system("/usr/bin/systemctl reload postfix");
    system("/usr/bin/systemctl restart vsftpd");
} else {
    system("/usr/bin/logger \"sslreload: nothing to reload\"");
}
Save to /usr/bin/sslreload and chmod 700
crontab -e
0 18 * * * /usr/bin/certbot renew --quiet --no-self-upgrade --allow-subset-of-names; /usr/bin/sslreload
Best regards Gerald
participants (4)
- Aki Tuomi
- Andrea Gabellini
- Filipe Carvalho
- Gerald Galster