error 42 ssl certificate expired
gmail
ljakku77 at gmail.com
Tue Apr 13 07:59:52 EEST 2021
I got my certs forcibly renewed.
doveconf -nP:
# 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.2 ()
# OS: Linux 5.9.0-rc5-lja-tv+ x86_64 Ubuntu 20.04.2 LTS
# Hostname: superman.sillywalk.org
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_username_format = %Ln
auth_verbose = yes
auth_verbose_passwords = plain
debug_log_path = /var/log/dovecot-debug.log
info_log_path = /var/log/dovecot-info.log
log_path = /var/log/dovecot.log
mail_debug = yes
mail_location = maildir:~/Maildir/
mbox_write_locks = fcntl
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
driver = pam
}
protocols = imap pop3 lmtp
service auth {
unix_listener /var/spool/postfix/private/auth {
group = mail
mode = 0660
user = postfix
}
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = mail
mode = 0660
user = postfix
}
}
ssl_cert = </etc/letsencrypt/live/lja.fi/fullchain.pem
ssl_dh = </usr/share/dovecot/dh.pem
ssl_key = </etc/letsencrypt/live/lja.fi/privkey.pem
userdb {
args = username_format=%Ln
driver = passwd
}
protocol lmtp {
postmaster_address = postmaster at localhost
}
protocol imap {
imap_metadata = yes
}
local_name domainA.fi {
ssl_cert = </etc/letsencrypt/live/informaatiotiili.fi/fullchain.pem
ssl_dh = </usr/share/dovecot/dh.pem
ssl_key = </etc/letsencrypt/live/informaatiotiili.fi/privkey.pem
}
local_name informationbrick.com {
ssl_cert = </etc/letsencrypt/live/informationbrick.com/fullchain.pem
ssl_dh = </usr/share/dovecot/dh.pem
ssl_key = </etc/letsencrypt/live/informationbrick.com/privkey.pem
}
local_name paxsudos.fi {
ssl_cert = </etc/letsencrypt/live/paxsudos.fi/fullchain.pem
ssl_dh = </usr/share/dovecot/dh.pem
ssl_key = </etc/letsencrypt/live/paxsudos.fi/privkey.pem
}
local_name paxsudos.com {
ssl_cert = </etc/letsencrypt/live/paxsudos.com/fullchain.pem
ssl_dh = </usr/share/dovecot/dh.pem
ssl_key = </etc/letsencrypt/live/paxsudos.com/privkey.pem
}
local_name lja.fi {
ssl_cert = </etc/letsencrypt/live/lja.fi/fullchain.pem
ssl_dh = </usr/share/dovecot/dh.pem
ssl_key = </etc/letsencrypt/live/lja.fi/privkey.pem
}
The certs are working fine and are up to date. (Apache2 with the same certs
for the domains works OK.)
I do not know how to use the openssl x509 -text command; if I run it like
echo "" | openssl x509 -text
I get loads of errors.
My distro:
Distributor ID: Ubuntu
Description: Ubuntu 20.04.2 LTS
Release: 20.04
Codename: focal
Aki Tuomi wrote on 13.4.2021 at 7:40:
> Uh. You are practically proposing that all versions after 2.3.7.2 would
> be serving expired SSL certs, due to some bug? If that was the case, then
> I would believe we would've been inundated with bug reports for the past
> year or so. Installation probably breaks because you are using an expired
> cert, from the wrong path.
>
> Doublecheck output of `doveconf -nP` and `openssl x509 -text` to make sure you are indeed using correct, non-expired certificate.
>
> Aki
>
>> On 13/04/2021 07:16 gmail <ljakku77 at gmail.com> wrote:
>>
>>
>> Hi,
>>
>> I got news: dovecot is the one that is broken, i got setup all other
>> stuff updated to latest BUT not dovecot, and i got working system.
>>
>>
>> if I upgrade dovecot, the installation breaks. I'm using letencrypt's certs.
>>
>>
>> The version that is good is 2.3.7.2 (3c910f64b)
>>
>>
>> Heiko Schlittermann wrote on 12.4.2021 at 23:20:
>>> Hi,
>>>
>>>> In our case this is an internally used Dovecot Mail server that's used for
>>> …
>>>> certificates worth the expense? Just curious on what everyone's opinion is
>>>> of Digital Certs signed by certificate authorities that are only used inside
>>>> the LAN. Thoughts?
>>> Aki is right. In the long run it's easier to use "official" certs. Since
>>> the advent of Let's Encrypt it is cheap.
>>>
>>> Of course, getting a certificate from Let's Encrypt for an internal
>>> service isn't as easy as for a public HTTP server, but it is possible.
>>>
>>> (We use a dedicated machine, requesting certs for all our internal
>>> services, employing the DNS challenge with Let's Encrypt. From this
>>> dedicated machine then we deploy the certs into our internal
>>> infrastructure using https://gitea.schlittermann.de/heiko/cert-proxy.git)
>>>
>>>>>> I also tried creating new .crt and key files using this tutorial:
>>>>>> https://msol.io/blog/tech/create-a-self-signed-ssl-certificate-with-openssl/
>>> No need to use tech blogs. Use "man req" and brain.
>>>
>>> openssl req -x509 -new \
>>> -out ssl.pem \
>>> -keyout ssl.pem -newkey rsa:4096 -nodes \
>>> -subj /CN=example.com -days 365
>>>
>>> (or two distinct files for crt and key).
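Added example, not from the thread or from the Dovecot project: a small POSIX shell toolkit for doing the check Aki asks for. It pulls every ssl_cert path out of a saved doveconf -nP dump, prints each file's validity with openssl x509 (the "unable to load certificate" errors above come from feeding x509 an empty stdin instead of a file via -in), flags expired files with -checkend, and fetches the certificate a live IMAPS listener actually serves for a given SNI name so disk and wire can be compared. It assumes the openssl CLI is installed; the host and domain names in the usage comments are the ones quoted in the thread and are only illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the certificate files a Dovecot
# configuration points at and compare them with what the server presents.
# Assumes the openssl command-line tool is available.

# Print the file path from every "ssl_cert = <path" line of a doveconf -nP dump.
# The leading "<" tells Dovecot to read the value from that file; strip it.
dovecot_cert_paths() {
    # $1: file holding the output of "doveconf -nP"
    sed -n 's/^[[:space:]]*ssl_cert[[:space:]]*=[[:space:]]*<//p' "$1"
}

# Show subject, issuer and validity dates of one PEM file. With -in, x509 reads
# the first certificate in the file and never waits on stdin, which is what
# 'echo "" | openssl x509 -text' in the thread was tripping over.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# Exit 0 if the certificate in $1 is still valid $2 days from now, 1 if it will
# have expired by then ($2 = 0 asks "is it expired right now?").
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-0} * 86400 )) >/dev/null 2>&1
}

# Print the notAfter date of the leaf certificate a live listener serves for
# one SNI name, so the file on disk can be checked against what clients see.
served_cert_enddate() {
    # $1: host:port (e.g. mail.example.org:993), $2: SNI name
    openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate
}

# Walk every certificate a configuration references and flag expired ones.
# Exit status is 1 if at least one file has expired. Paths are assumed to
# contain no whitespace (Let's Encrypt live/ paths never do).
check_all_certs() {
    # $1: file holding the output of "doveconf -nP"
    rc=0
    for pem in $(dovecot_cert_paths "$1"); do
        if cert_valid_for_days "$pem" 0; then
            printf 'OK       %s\n' "$pem"
        else
            printf 'EXPIRED  %s\n' "$pem"
            rc=1
        fi
    done
    return $rc
}

# Usage (names taken from the quoted config, purely illustrative):
#   doveconf -nP > /tmp/doveconf.txt
#   check_all_certs /tmp/doveconf.txt
#   cert_summary /etc/letsencrypt/live/lja.fi/fullchain.pem
#   served_cert_enddate superman.sillywalk.org:993 lja.fi
```

Since doveconf -nP lists the ssl_cert inside each local_name block separately, check_all_certs covers every SNI name's certificate, not only the global one; a mismatch between cert_summary on the file and served_cert_enddate on the listener means the running daemon has not reloaded since the renewal.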