repo.dovecot.org expired certificate

Gerald Galster list+dovecot at gcore.biz
Thu Jan 10 11:14:38 EET 2019


Hi Aki,

It doesn't happen very often, but the certificate renewal can fail, so it's best to check daily. certbot will only try to renew those certificates that are about to expire in a few weeks.

I'm using a little Perl script via cron which may be more flexible:


#!/usr/bin/perl
use strict;
use warnings;

# number of certificates renewed within the last day
my $reload_count = 0;

# certbot writes a fresh cert.pem into /etc/letsencrypt/live/<name>/ on renewal,
# so a cert.pem modified less than a day ago means the services still hold old key material
open(my $ff, '-|', 'find /etc/letsencrypt/live -mtime -1 -name cert.pem')
	or die "cannot run find: $!";
while (<$ff>) {
	chomp;
	next if !$_;
	# list-form system() avoids passing the path through a shell
	system('/usr/bin/logger', "sslreload: ssl certificate $_ needs reload after renew");
	$reload_count++;
}
close($ff);

if ($reload_count) {
	system('/usr/bin/logger', "sslreload: $reload_count certificates changed, reloading services");
	# list all your affected services or rsync/reload on other nodes
	# some services need restart, not reload
	system('/usr/bin/systemctl', 'reload', 'httpd');
	system('/usr/bin/systemctl', 'reload', 'postfix');
	system('/usr/bin/systemctl', 'restart', 'vsftpd');
} else {
	system('/usr/bin/logger', 'sslreload: nothing to reload');
}


Save to /usr/bin/sslreload and chmod 700

crontab -e

0 18 * * * /usr/bin/certbot renew --quiet --no-self-upgrade --allow-subset-of-names; /usr/bin/sslreload


Best regards
Gerald




> On 10.01.2019 at 09:14, Aki Tuomi <aki.tuomi at open-xchange.com> wrote:
> 
> Would be better if it would happen automatically though.
> 
> Aki
> 
> On 10.1.2019 10.04, Filipe Carvalho wrote:
>> Yup, that did the trick.
>> 
>> Thanks!
>> 
>> Filipe
>> 
>> 
>> On 1/10/19 7:47 AM, Aki Tuomi wrote:
>>> 
>>> 
>>> On 10.1.2019 9.42, Filipe Carvalho wrote:
>>>> Hello,
>>>> 
>>>> Not sure if this is the right place to post this, but the ssl certificate of the repo.dovecot.org server expired on the 9th of January.
>>>> 
>>>> It's giving an error via the browser and via the apt command in Debian:
>>>> 
>>>> W: Failed to fetch https://repo.dovecot.org/ce-2.3-latest/debian/jessie/dists/jessie/main/binary-amd64/Packages  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
>>>> 
>>>> Cheers!
>>>> 
>>>> Filipe Carvalho
>>>> 
>>>> -- 
>>>> Filipe Carvalho
>>>> Infraestruturas Tecnológicas / IT infrastructures 
>>>> 
>>>> filipec at uporto.pt 
>>> 
>>> 
>>> Amazing this certbot thing...
>>> 
>>> [Unit]
>>> Description=Certbot
>>> Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
>>> Documentation=https://letsencrypt.readthedocs.io/en/latest/
>>> [Service]
>>> Type=oneshot
>>> ExecStart=/usr/bin/certbot -q renew --post-hook /etc/letsencrypt/post.hooks.d/reload
>>> PrivateTmp=true
>>> 
>>> one would think this would work and reload nginx after the cert has been renewed... 
>>> 
>>> Aki
>>> 
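The mtime check above misses a renewal if the cron job skipped a day or the cert changed more than 24 hours ago. The following is an added example, not code from the thread: it records a SHA-256 fingerprint per lineage in a state file and reloads only when a cert.pem actually differs from what was last deployed. The state file path and the service list are assumptions.

```shell
#!/bin/sh
# Reload services only when a certificate's contents changed since the last run.
# State file path and services below are assumptions, not from the original post.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
STATE_FILE="${STATE_FILE:-/var/lib/sslreload/fingerprints}"

# cert_fingerprint FILE: hex SHA-256 of the PEM file contents.
cert_fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi \
        | cut -d' ' -f1
}

# changed_certs LIVE STATE: print the lineage name of every cert.pem whose
# fingerprint differs from the one recorded in STATE, then rewrite STATE.
changed_certs() {
    live="$1"; state="$2"
    mkdir -p "$(dirname "$state")"
    [ -f "$state" ] || : > "$state"
    newstate=$(mktemp)
    for cert in "$live"/*/cert.pem; do
        [ -f "$cert" ] || continue
        name=$(basename "$(dirname "$cert")")
        fp=$(cert_fingerprint "$cert")
        printf '%s %s\n' "$name" "$fp" >> "$newstate"
        # -F: fixed string, so dots in hostnames are not regex metacharacters
        grep -qxF "$name $fp" "$state" || echo "$name"
    done
    mv "$newstate" "$state"
}

# reload_if_changed: log each changed lineage and reload/restart the services.
reload_if_changed() {
    changed=$(changed_certs "$LIVE_DIR" "$STATE_FILE")
    if [ -z "$changed" ]; then
        logger "sslreload: nothing to reload"
        return 0
    fi
    for name in $changed; do
        logger "sslreload: certificate $name changed, reloading services"
    done
    # same service list as the Perl script; some services need restart, not reload
    systemctl reload httpd
    systemctl reload postfix
    systemctl restart vsftpd
}

# Run from cron after "certbot renew":  /usr/bin/sslreload run
if [ "${1:-}" = run ]; then
    reload_if_changed
fi
```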


