Re: ot: LE server conf setup/ iPhone 'expired cert' message

2018-07-22 Thread Juri Haberland
On 22/07/18 16:35, arthurjohns...@verizon.net wrote:
> Remember to restart your webserver.
> 
> The following is my hook for Certbot in Apache.
> 
> ==
> #!/bin/sh
> service postfix restart
> service dovecot restart
> service apache2 restart
> =

A "postfix restart" is not necessary - see Viktor Dukhovni's post
(co-developer of Postfix) on the Postfix ML:

http://postfix.1071664.n5.nabble.com/Letsencrypt-tip-tp92584p92604.html


Cheers,
  Juri


RE: ot: LE server conf setup/ iPhone 'expired cert' message

2018-07-22 Thread arthurjohnston
Remember to restart your webserver.

The following is my hook for Certbot in Apache.

==
#!/bin/sh
service postfix restart
service dovecot restart
service apache2 restart
=





-----Original Message-----
From: dovecot  On Behalf Of B. Reino
Sent: Sunday, July 22, 2018 7:16 AM
To: Dovecot Mailing List 
Cc: Voytek Eymont 
Subject: Re: ot: LE server conf setup/ iPhone 'expired cert' message

On Sun, 22 Jul 2018, B. Reino wrote:

> You can add a hook (script) to /etc/letsencrypt/renewal-hooks/deply/

I meant, of course "deploy" and not "deply" :)

Sorry about that.




Re: ot: LE server conf setup/ iPhone 'expired cert' message

2018-07-22 Thread B. Reino

On Sun, 22 Jul 2018, B. Reino wrote:


> You can add a hook (script) to /etc/letsencrypt/renewal-hooks/deply/


I meant, of course "deploy" and not "deply" :)

Sorry about that.



Re: ot: LE server conf setup/ iPhone 'expired cert' message

2018-07-22 Thread B. Reino

On Sun, 22 Jul 2018, Voytek Eymont wrote:


> [...]
> so, basically, after each renewal of server's cert I should remember to
> reload Dovecot (and maybe Postfix too?)


You can add a hook (script) to /etc/letsencrypt/renewal-hooks/deply/
which restarts the services you need.

In my case, I have

/usr/sbin/apache2ctl graceful
/usr/sbin/dovecot reload
/usr/sbin/postfix reload

This way the services pick up the renewed certificate when it is renewed.
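
Added example (not part of any poster's message): a deploy hook that runs the reload commands from the post above and then checks, with the same openssl s_client test used elsewhere in this thread, that each listener presents the renewed certificate. MAIL_HOST, the port list and the two-second pause are assumptions; RENEWED_LINEAGE is set by certbot when it runs deploy hooks.

```shell
#!/bin/sh
# Added example, not from the thread: reload services after renewal, then
# confirm each listener serves the certificate that is now on disk.
# Assumptions: MAIL_HOST, the port list and the sleep are placeholders.

# Reduce "SHA256 Fingerprint=AB:CD:..." to bare lowercase hex.
normalize_fp() {
    sed -e 's/^.*=//' | tr -d ':\r\n ' | tr 'A-F' 'a-f'
}

# Fingerprint of the leaf certificate in a PEM file.
disk_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | normalize_fp
}

# Fingerprint of the certificate a listener presents.
# $1 host, $2 port, $3 STARTTLS protocol (imap, smtp) or empty for direct TLS.
served_fp() {
    openssl s_client -connect "$1:$2" -servername "$1" ${3:+-starttls "$3"} \
        </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | normalize_fp
}

# ok = renewed cert is served; stale = a different (e.g. old, cached) cert
# is served; unreachable = no certificate could be retrieved.
verdict() {
    if [ -z "$2" ]; then echo unreachable
    elif [ "$1" = "$2" ]; then echo ok
    else echo stale
    fi
}

main() {
    host="${MAIL_HOST:-$(hostname -f)}"
    /usr/sbin/apache2ctl graceful
    /usr/sbin/dovecot reload
    /usr/sbin/postfix reload
    sleep 2   # give the daemons a moment to re-read the files
    want=$(disk_fp "$RENEWED_LINEAGE/cert.pem")
    rc=0
    for svc in 143:imap 25:smtp 443:; do
        port=${svc%%:*}; proto=${svc#*:}
        state=$(verdict "$want" "$(served_fp "$host" "$port" "$proto")")
        echo "$host:$port $state"
        [ "$state" = ok ] || rc=1
    done
    return "$rc"
}

# Only act when certbot invoked us as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then main; fi
```

A "stale" line for port 143 with "ok" for port 443 is the situation described in this thread: the web server has the new certificate while Dovecot still holds the old one in memory.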



Re: ot: LE server conf setup/ iPhone 'expired cert' message

2018-07-22 Thread Voytek Eymont
On Sun, July 22, 2018 11:22 pm, dcl...@list.jmatt.net wrote:

> Usually, a browser connects to a web server on port 443, while an email
> client connects to an IMAP or POP server on a different port, served by
> different software.  Just because your browser receives a current/valid
> cert, that doesn’t mean your dovecot server is sending the same
> certificate.
>
> Assuming the sbt.net.au in your email address is the
> address of your dovecot server, I tried
>
> openssl s_client -connect sbt.net.au:143 -starttls imap
>
> And received a cert which includes:
>
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             03:5b:41:a6:f4:a6:33:eb:5b:ac:af:b8:20:96:f4:0e:20:b9
>         Signature Algorithm: sha256WithRSAEncryption
>         Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
>         Validity
>             Not Before: Apr 23 11:11:28 2018 GMT
>             Not After : Jul 22 11:11:28 2018 GMT
>         Subject: CN=geko.sbt.net.au
>
>
>
> Dovecot is sending an expired cert.  Pascal is correct; you need to
> restart it.

Pascal, "dclist", thanks!!

I've restarted Dovecot, and, I think it's OK now

sorry, I've panicked as googling turned up multiple iphone/cert issues, and,
rather than properly testing first, I stupidly panicked...

thanks for explanation, thanks for testing!!

so, basically, after each renewal of server's cert I should remember to
reload Dovecot (and maybe Postfix too?)

thanks again,

-- 
Voytek



Re: ot: LE server conf setup/ iPhone 'expired cert' message

2018-07-22 Thread dclist


> On Jul 22, 2018, at 9:04 AM, Voytek Eymont  wrote:
> 
> I've installed LE certs on my Dovecot a while back, and, it has been
> working OK since, but, today, an iPhone user said he can't get emails as
> iphone says 'cert is expired', 
> (if I open mailserver host in browser, padlock shows current/valid cert)
> 


Usually, a browser connects to a web server on port 443, while an email client 
connects to an IMAP or POP server on a different port, served by different 
software.  Just because your browser receives a current/valid cert, that 
doesn’t mean your dovecot server is sending the same certificate.

Assuming the sbt.net.au in your email address is the
address of your dovecot server, I tried

openssl s_client -connect sbt.net.au:143 -starttls imap

And received a cert which includes:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:5b:41:a6:f4:a6:33:eb:5b:ac:af:b8:20:96:f4:0e:20:b9
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Apr 23 11:11:28 2018 GMT
            Not After : Jul 22 11:11:28 2018 GMT
        Subject: CN=geko.sbt.net.au


Dovecot is sending an expired cert.  Pascal is correct; you need to restart it.

Re: ot: LE server conf setup/ iPhone 'expired cert' message

2018-07-22 Thread Voytek Eymont



On Sun, July 22, 2018 11:08 pm, Pascal wrote:
> Have you restarted Dovecot to reload the renewed certificate?


no, though, I don't think I've restarted after previous renewals...

I'll restart now, and, see


> On 22 July 2018 at 15:04, Voytek Eymont
> wrote:
>
>> I've installed LE certs on my Dovecot a while back, and, it has been
>> working OK since, but, today, an iPhone user said he can't get emails as
>> iphone says 'cert is expired', searching around, I see some other iPhone

Voytek



Re: ot: LE server conf setup/ iPhone 'expired cert' message

2018-07-22 Thread Pascal
Have you restarted Dovecot to reload the renewed certificate?

On 22 July 2018 at 15:04, Voytek Eymont wrote:
>I've installed LE certs on my Dovecot a while back, and, it has been
>working OK since, but, today, an iPhone user said he can't get emails as
>iphone says 'cert is expired', searching around, I see some other iPhone
>similar issues reported, do I have my conf correct, I have;
>
># cat dovecot.conf | grep ssl
>ssl = required
>verbose_ssl = no
>
>ssl_cert = ssl_key = 
>is fullchain.pem and privkey.pem is what I should be using ?
>
>any thought how to force an iphone to reload cert ?
>
>actual cert was renewed 15/7, old/previous one expired earlier today
>
>ls /etc/letsencrypt/live/fqn.myserver/
>cert.pem  chain.pem  fullchain.pem  privkey.pem
>
>(if I open mailserver host in browser, padlock shows current/valid cert)
>
>--
>Voytek


ot: LE server conf setup/ iPhone 'expired cert' message

2018-07-22 Thread Voytek Eymont
I've installed LE certs on my Dovecot a while back, and, it has been
working OK since, but, today, an iPhone user said he can't get emails as
iphone says 'cert is expired', searching around, I see some other iPhone
similar issues reported, do I have my conf correct, I have;

# cat dovecot.conf | grep ssl
ssl = required
verbose_ssl = no

ssl_cert =