ot: LE server conf setup/ iPhone 'expired cert' message
I installed LE certs on my Dovecot a while back, and it has been working OK since, but today an iPhone user said he can't get emails as the iPhone says 'cert is expired'. Searching around, I see some other similar iPhone issues reported. Do I have my conf correct? I have:
# cat dovecot.conf | grep ssl
ssl = required
verbose_ssl = no
ssl_cert = </etc/letsencrypt/live/fqn.myserver/fullchain.pem
ssl_key = </etc/letsencrypt/live/fqn.myserver/privkey.pem
Are fullchain.pem and privkey.pem what I should be using?
Any thoughts on how to force an iPhone to reload the cert?
actual cert was renewed 15/7, old/previous one expired earlier today
ls /etc/letsencrypt/live/fqn.myserver/
cert.pem  chain.pem  fullchain.pem  privkey.pem
(if I open mailserver host in browser, padlock shows current/valid cert)
-- Voytek
Have you restarted Dovecot to reload the renewed certificate?
On 22 July 2018, at 15:04, Voytek Eymont <voytek@sbt.net.au> wrote:
I installed LE certs on my Dovecot a while back, and it has been working OK since, but today an iPhone user said he can't get emails as the iPhone says 'cert is expired'. Searching around, I see some other similar iPhone issues reported. Do I have my conf correct? I have:
# cat dovecot.conf | grep ssl
ssl = required
verbose_ssl = no
ssl_cert = </etc/letsencrypt/live/fqn.myserver/fullchain.pem
ssl_key = </etc/letsencrypt/live/fqn.myserver/privkey.pem
Are fullchain.pem and privkey.pem what I should be using?
Any thoughts on how to force an iPhone to reload the cert?
actual cert was renewed 15/7, old/previous one expired earlier today
ls /etc/letsencrypt/live/fqn.myserver/
cert.pem  chain.pem  fullchain.pem  privkey.pem
(if I open mailserver host in browser, padlock shows current/valid cert)
-- Voytek
On Sun, July 22, 2018 11:08 pm, Pascal wrote:
Have you restarted Dovecot to reload the renewed certificate?
No, though I don't think I've restarted after previous renewals either...
I'll restart now and see.
On 22 July 2018, at 15:04, Voytek Eymont <voytek@sbt.net.au> wrote:
I've installed LE certs on my Dovecot a while back, and, it has been working OK since, but, today, an iPhone user said he can't get emails as iphone says 'cert is expired', searching around, I see some other iPhone
Voytek
On Jul 22, 2018, at 9:04 AM, Voytek Eymont <voytek@sbt.net.au> wrote:
I installed LE certs on my Dovecot a while back, and it has been working OK since, but today an iPhone user said he can't get emails as the iPhone says 'cert is expired'. (If I open the mailserver host in a browser, the padlock shows a current/valid cert.)
Usually, a browser connects to a web server on port 443, while an email client connects to an IMAP or POP server on a different port, served by different software. Just because your browser receives a current/valid cert, that doesn’t mean your dovecot server is sending the same certificate.
Assuming the sbt.net.au in your email address is the address of your dovecot server, I tried
openssl s_client -connect sbt.net.au:143 -starttls imap
And received a cert which includes:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:5b:41:a6:f4:a6:33:eb:5b:ac:af:b8:20:96:f4:0e:20:b9
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Apr 23 11:11:28 2018 GMT
            Not After : Jul 22 11:11:28 2018 GMT
        Subject: CN=geko.sbt.net.au
Dovecot is sending an expired cert. Pascal is correct; you need to restart it.
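Added example, not code from any post in this thread: a small Python script that does what the openssl s_client check above does, but validates the certificate the way a browser or mail client would (CERT_REQUIRED plus hostname check) on both ports, so the HTTPS answer on 443 and the IMAP STARTTLS answer on 143 can be compared side by side. It uses only the standard library (ssl, imaplib, socket); the default host name is a placeholder, and the diagnose() wording is this example's own summary of the thread's conclusion.

```python
"""Show which certificate a mail host actually presents on IMAP (port 143,
STARTTLS, served by Dovecot) versus HTTPS (port 443, served by the web
server), validating each the way a mail client or browser would.

Added example, not code from the thread; the default host name is a
placeholder. Everything used is Python standard library."""
import imaplib
import socket
import ssl
import sys
import time
from typing import Optional

SECONDS_PER_DAY = 86400


def parse_not_after(not_after: str) -> int:
    """Epoch seconds for a 'notAfter' string such as 'Jul 22 11:11:28 2018 GMT',
    the format both openssl x509 and SSLSocket.getpeercert() use."""
    return ssl.cert_time_to_seconds(not_after)


def seconds_until_expiry(not_after: str, now: Optional[int] = None) -> int:
    """Seconds left before expiry; negative once the certificate has expired."""
    if now is None:
        now = int(time.time())
    return parse_not_after(not_after) - now


def describe(not_after: str, now: Optional[int] = None) -> str:
    """Human-readable validity line for a notAfter value."""
    remaining = seconds_until_expiry(not_after, now)
    if remaining < 0:
        return f"EXPIRED {(-remaining) // SECONDS_PER_DAY} day(s) ago (notAfter={not_after})"
    return f"valid, {remaining // SECONDS_PER_DAY} day(s) left (notAfter={not_after})"


def summarize_peercert(cert: dict, now: Optional[int] = None) -> dict:
    """Reduce getpeercert()'s nested RDN tuples to the fields worth comparing."""
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    return {
        "ok": True,
        "subject": subject.get("commonName"),
        "issuer": issuer.get("commonName"),
        "notAfter": cert["notAfter"],
        "seconds_left": seconds_until_expiry(cert["notAfter"], now),
    }


def check_https(host: str, port: int = 443, timeout: float = 10.0) -> dict:
    """What a browser sees: implicit TLS on 443, usually a different daemon than Dovecot."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check, like a real client
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return summarize_peercert(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "error": exc.verify_message}


def check_imap_starttls(host: str, port: int = 143, timeout: float = 10.0) -> dict:
    """What a mail client sees: plaintext IMAP greeting, then STARTTLS (Dovecot's cert)."""
    ctx = ssl.create_default_context()
    try:
        imap = imaplib.IMAP4(host, port, timeout=timeout)
        try:
            imap.starttls(ctx)
            return summarize_peercert(imap.sock.getpeercert())
        finally:
            try:
                imap.logout()
            except Exception:  # a failed handshake leaves nothing to log out of
                pass
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "error": exc.verify_message}


def diagnose(https: dict, imap: dict) -> str:
    """Turn the two results into the conclusion reached in the thread (example's own wording)."""
    if https["ok"] and not imap["ok"]:
        return ("web server presents a valid certificate but the IMAP daemon does not: "
                "reload/restart Dovecot so it rereads the renewed files")
    if not https["ok"] and not imap["ok"]:
        return "both fail verification: check the files on disk and the renewal itself"
    if https["ok"] and imap["ok"] and https["notAfter"] != imap["notAfter"]:
        return "both verify but differ: one daemon still holds an older certificate"
    return "both daemons present a valid, matching certificate"


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.invalid"  # placeholder host
    results = {"HTTPS :443": check_https(host), "IMAP STARTTLS :143": check_imap_starttls(host)}
    for label, r in results.items():
        if r["ok"]:
            print(f"{label}: CN={r['subject']} issuer={r['issuer']} {describe(r['notAfter'])}")
        else:
            print(f"{label}: verification FAILED: {r['error']}")
    print(diagnose(results["HTTPS :443"], results["IMAP STARTTLS :143"]))
```

Run it as `python3 checkcert.py mail.example.invalid` with your own host. The same script is a reasonable last step of a certbot deploy hook: after reloading Dovecot, a non-"ok" IMAP result means the daemon is still serving the old file, which is exactly the situation this thread diagnoses.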
On Sun, July 22, 2018 11:22 pm, dclist@list.jmatt.net wrote:
Usually, a browser connects to a web server on port 443, while an email client connects to an IMAP or POP server on a different port, served by different software. Just because your browser receives a current/valid cert, that doesn’t mean your dovecot server is sending the same certificate.
Assuming the sbt.net.au in your email address is the address of your dovecot server, I tried
openssl s_client -connect sbt.net.au:143 -starttls imap
And received a cert which includes:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:5b:41:a6:f4:a6:33:eb:5b:ac:af:b8:20:96:f4:0e:20:b9
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Apr 23 11:11:28 2018 GMT
            Not After : Jul 22 11:11:28 2018 GMT
        Subject: CN=geko.sbt.net.au
Dovecot is sending an expired cert. Pascal is correct; you need to restart it.
Pascal, "dclist", thanks!!
I've restarted Dovecot, and I think it's OK now.
Sorry, I panicked, as googling turned up multiple iPhone/cert issues, and rather than properly testing first, I stupidly panicked...
Thanks for the explanation, thanks for testing!!
So, basically, after each renewal of the server's cert I should remember to reload Dovecot (and maybe Postfix too?)
thanks again,
-- Voytek
On Sun, 22 Jul 2018, Voytek Eymont wrote:
[...] So, basically, after each renewal of the server's cert I should remember to reload Dovecot (and maybe Postfix too?)
You can add a hook (script) to /etc/letsencrypt/renewal-hooks/deply/ which restarts the services you need.
In my case, I have
/usr/sbin/apache2ctl graceful
/usr/sbin/dovecot reload
/usr/sbin/postfix reload
This way the services pick up the renewed certificate when it is renewed.
Remember to restart your webserver.
The following is my hook for Certbot in Apache.
==========================
#!/bin/sh
service postfix restart
service dovecot restart
service apache2 restart
-----Original Message-----
From: dovecot <dovecot-bounces@dovecot.org> On Behalf Of B. Reino
Sent: Sunday, July 22, 2018 7:16 AM
To: Dovecot Mailing List <dovecot@dovecot.org>
Cc: Voytek Eymont <voytek@sbt.net.au>
Subject: Re: ot: LE server conf setup/ iPhone 'expired cert' message
On Sun, 22 Jul 2018, B. Reino wrote:
You can add a hook (script) to /etc/letsencrypt/renewal-hooks/deply/
I meant, of course "deploy" and not "deply" :)
Sorry about that.
On 22/07/18 16:35, arthurjohnston@verizon.net wrote:
Remember to restart your webserver.
The following is my hook for Certbot in Apache.
==========================
#!/bin/sh
service postfix restart
service dovecot restart
service apache2 restart
A "postfix restart" is not necessary - see Viktor Dukhovni's post (co-developer of Postfix) on the Postfix ML:
http://postfix.1071664.n5.nabble.com/Letsencrypt-tip-tp92584p92604.html
Cheers, Juri
participants (6)
- arthurjohnston@verizon.net
- B. Reino
- dclist@list.jmatt.net
- Juri Haberland
- Pascal
- Voytek Eymont