Anyone feel like doing a write-up and I'll put it on the wiki?

On 4/15/2024 11:18 AM, Gary Bowling wrote:


Ah, right. Actually it looks like I can just place my script that I currently run in my cron job in the /etc/letsencrypt/renewal-hooks/post/ directory and it will run as a "post renew" script.


Thanks for that.

Gary


On 4/15/2024 1:04 PM, William Silverstein wrote:
I would not use a cron script. I use the --deploy-hook option on
certbot-auto to handle it.


On Mon, April 15, 2024 9:59 am, Gary Bowling wrote:
Great. One question. Seems like everything on my server uses
/var/qmail/control/servercert.pem for the cert. Dovecot and qmail
all use that file. And I have a cron job that runs once a month to
check for a new letsencrypt cert and if there is one it copies it
over to servercert.pem to update my mail server.

Is that the correct way to handle that? Or is that something that is
left over from my old server that I moved over?




Thanks, Gary




On 4/15/2024 12:44 PM, Eric Broch wrote:

Neither,

/var/qmail/control/dh2048.pem
/var/qmail/control/rsa2048.pem


On 4/15/2024 10:33 AM, Gary Bowling wrote:

Thanks, will it still require RSA?



On 4/15/2024 10:47 AM, Eric Broch wrote:

My next iteration on EL9 will remove keysize; it's deprecated, and
has been for a while. Should have the new code out within the
week.

SSL_CTX_set_tmp_rsa_callback · openssl/openssl · Discussion #23769 (github.com)



On 4/15/2024 6:25 AM, Gary Bowling wrote:

Hey Jeff, glad you're making progress. Be aware that when
you get a new cert from Letsencrypt, the default now
retrieves an ECDSA cert, which is fine for apache but
doesn't work on qmail, or at least it didn't for me. To fix
that you'll need to configure letsencrypt to give you an RSA
2048 cert.





There are two ways to do that. If you want all your certs to
be RSA 2048, you can add this to the
/etc/letsencrypt/cli.ini file.

key-type = rsa
rsa-key-size = 2048




If you just want to do that for the keys you use in qmail,
then you can put the above in the
/etc/letsencrypt/renewal/domain.conf file, where "domain" is
the name of the cert you're renewing. Certbot creates the
file so it should already be there.




Gary
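A deploy hook that does what William's --deploy-hook suggestion and Gary's RSA note describe, as an added example that is not code from this thread or from the qmailtoaster project: it installs the renewed key and full chain into /var/qmail/control/servercert.pem only if the certificate is RSA (Gary reports qmail rejecting ECDSA), refuses a key that does not match the certificate, replaces the file atomically with a restrictive mode, and then reloads the mail services. The servercert.pem path is the one named in the thread; the SERVERCERT variable, the reload commands (qmailctl restart, doveadm reload) and the file ownership are assumptions to adjust for your install. Certbot sets RENEWED_LINEAGE for --deploy-hook scripts and for scripts in /etc/letsencrypt/renewal-hooks/deploy/, and runs them only after a successful issuance; scripts in renewal-hooks/post/ run after every renewal attempt, whether or not anything was issued.

```shell
#!/bin/sh
# Added example (not from the thread): certbot deploy hook that installs a
# renewed Let's Encrypt certificate as qmail's servercert.pem.
# Use: certbot ... --deploy-hook /usr/local/sbin/qmail-deploy-cert.sh
#  or: copy into /etc/letsencrypt/renewal-hooks/deploy/ and make it executable.
# Assumption: SERVERCERT default is the qmailtoaster path named in the thread.
SERVERCERT=${SERVERCERT:-/var/qmail/control/servercert.pem}

# Print the public-key algorithm of the first certificate in a PEM file:
# "rsaEncryption" for RSA, "id-ecPublicKey" for ECDSA.
cert_key_type() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/Public Key Algorithm:/ { print $NF; exit }'
}

# PEM public key derived from a private key file / from a certificate file,
# so the two can be compared textually.
pubkey_of_privkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }
pubkey_of_cert()    { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# install_servercert PRIVKEY FULLCHAIN DEST
# Returns 0 installed, 1 key/cert mismatch, 2 not an RSA cert, 3 write failed.
install_servercert() {
    key=$1 chain=$2 dest=$3
    # qmail (per the thread) needs an RSA certificate: refuse ECDSA here
    # instead of installing a file the SMTP daemon cannot use.
    [ "$(cert_key_type "$chain")" = rsaEncryption ] || return 2
    # A key that does not belong to the certificate breaks TLS on the next
    # connection, so compare the derived public keys before touching DEST.
    [ -n "$(pubkey_of_privkey "$key")" ] &&
        [ "$(pubkey_of_privkey "$key")" = "$(pubkey_of_cert "$chain")" ] || return 1
    tmp="$dest.tmp.$$"
    # Key first, then the chain, in one PEM file; the subshell umask keeps
    # the private key unreadable by others without changing the hook's umask.
    ( umask 077 && cat "$key" "$chain" > "$tmp" ) || { rm -f "$tmp"; return 3; }
    chmod 0640 "$tmp"      # assumption: set owner/group to suit your install
    mv -f "$tmp" "$dest"   # atomic replace: no window with a half-written file
}

# Assumed reload steps; adjust to how your install restarts qmail and dovecot.
reload_mail_services() {
    command -v qmailctl >/dev/null 2>&1 && qmailctl restart
    command -v doveadm  >/dev/null 2>&1 && doveadm reload
    return 0
}

# Entry point when certbot runs this as a deploy hook.
if [ -n "$RENEWED_LINEAGE" ]; then
    install_servercert "$RENEWED_LINEAGE/privkey.pem" \
                       "$RENEWED_LINEAGE/fullchain.pem" "$SERVERCERT" &&
        reload_mail_services
fi
```

Two checks worth running after the first renewal: `cert_key_type /var/qmail/control/servercert.pem` should print rsaEncryption, and `openssl s_client -connect mail.example.com:25 -starttls smtp` (hostname assumed) shows which certificate the daemon actually presents. Note that certbot stores the per-certificate settings in its own form, `key_type = rsa` and `rsa_key_size = 2048` under `[renewalparams]` in the renewal conf, so check that file after editing it; a deploy hook given on the command line is saved there too and reused by later `certbot renew` runs.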




On 4/14/2024 10:39 PM, Jeff Koch wrote:

I may have resolved this. I did the Rocky 9 distro install of apache
and copied the mod_http2.so file over to our install of apache. Seems
to work (no errors) but I won't know for sure until we set up Lets
Encrypt SSL certbot tomorrow

Jeff

On 4/14/2024 3:11 PM, Jeff Koch wrote:

Hi - we're setting up a new mailserver with Rocky 9 and the learning
curve is slow as is usual with the first time with a new distro.

Anyway because our various scripts look for apache at
/usr/local/apache/ we've decided to compile our own binary with the
latest apache and have run into trouble / errors related to 'nghttp2'.

We did download, compile and install the latest nghttp2-1.61.0 from
github. The configure and make went well and http1.1 works but apache
generates the following error when we activate mod_http2

(Cannot load modules/mod_http2.so into server:
/usr/local/apache2/modules/mod_http2.so: undefined symbol:
nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation)

If anyone on the list has compiled their own httpd 2.4.59 with Rocky 9
would you mind sharing the details?

Thanks, Jeff Koch
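A diagnostic for the load error quoted above, as an added example that is not part of the thread. The missing function was added in nghttp2 1.49.0 and the libnghttp2 packaged with EL9 predates it, so a mod_http2.so compiled against the headers of a locally built 1.61.0 fails to load whenever the dynamic loader resolves libnghttp2 from the system library directory instead of the newer build. The script reports which libnghttp2 the module binds to at run time and whether that library exports the symbol; the module path is the one in the error message, and the MODULE variable is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): find out which libnghttp2 mod_http2.so
# will actually load and whether it defines the symbol httpd is missing.
MODULE=${MODULE:-/usr/local/apache2/modules/mod_http2.so}   # path from the error
SYMBOL=nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation

# runtime_lib OBJECT NAME: print the path the loader resolves for the shared
# library whose soname contains NAME (taken from ldd output); fail if none.
runtime_lib() {
    lib=$(ldd "$1" 2>/dev/null |
          awk -v n="$2" 'index($1, n) && $2 == "=>" { print $3; exit }')
    [ -n "$lib" ] && printf '%s\n' "$lib"
}

# lib_defines_symbol LIB SYMBOL: succeed if LIB's dynamic symbol table defines
# SYMBOL; version suffixes such as @@GLIBC_2.2.5 are stripped before comparing.
lib_defines_symbol() {
    nm -D --defined-only "$1" 2>/dev/null |
        awk -v s="$2" '{ n = $NF; sub(/@.*/, "", n); if (n == s) found = 1 }
                       END { exit !found }'
}

# check_module MODULE SYMBOL: 0 = the libnghttp2 the loader picks exports SYMBOL,
# 1 = it does not (the situation behind the error), 2 = no libnghttp2 linked.
check_module() {
    lib=$(runtime_lib "$1" libnghttp2) || return 2
    if lib_defines_symbol "$lib" "$2"; then
        printf 'OK: %s exports %s\n' "$lib" "$2"
        return 0
    fi
    printf 'MISSING: %s does not export %s\n' "$lib" "$2"
    return 1
}

if [ -f "$MODULE" ]; then
    check_module "$MODULE" "$SYMBOL"
fi
```

If the report says MISSING and the path is under /usr/lib64, the module is binding to the distribution's older libnghttp2. The usual remedies are to make the loader find the newer build first (an ld.so.conf.d entry for its lib directory followed by ldconfig, or linking httpd with an rpath to it) or to rebuild httpd pointing configure at that build with --with-nghttp2=PATH, and then re-run the script to confirm the symbol resolves.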



---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com