Voytek Eymont
2018-Jul-22 13:04 UTC
ot: LE server conf setup/ iPhone 'expired cert' message
I've installed LE certs on my Dovecot a while back, and, it has been
working OK since, but, today, an iPhone user said he can't get emails as
iPhone says 'cert is expired', searching around, I see some other iPhone
similar issues reported, do I have my conf correct, I have;

# cat dovecot.conf | grep ssl
ssl = required
verbose_ssl = no

ssl_cert = </etc/letsencrypt/live/fqn.myserver/fullchain.pem
ssl_key = </etc/letsencrypt/live/fqn.myserver/privkey.pem

are fullchain.pem and privkey.pem what I should be using?

any thoughts how to force an iPhone to reload cert?

actual cert was renewed 15/7, old/previous one expired earlier today

ls /etc/letsencrypt/live/fqn.myserver/
cert.pem chain.pem fullchain.pem privkey.pem

(if I open mailserver host in browser, padlock shows current/valid cert)

--
Voytek
Have you restarted Dovecot to reload the renewed certificate?

On 22 July 2018, 15:04, at 15:04, Voytek Eymont <voytek at sbt.net.au> wrote:
> I've installed LE certs on my Dovecot a while back, and, it has been
> working OK since, but, today, an iPhone user said he can't get emails as
> iPhone says 'cert is expired', searching around, I see some other iPhone
> similar issues reported, do I have my conf correct, I have;
>
> # cat dovecot.conf | grep ssl
> ssl = required
> verbose_ssl = no
>
> ssl_cert = </etc/letsencrypt/live/fqn.myserver/fullchain.pem
> ssl_key = </etc/letsencrypt/live/fqn.myserver/privkey.pem
>
> are fullchain.pem and privkey.pem what I should be using?
>
> any thoughts how to force an iPhone to reload cert?
>
> actual cert was renewed 15/7, old/previous one expired earlier today
>
> ls /etc/letsencrypt/live/fqn.myserver/
> cert.pem chain.pem fullchain.pem privkey.pem
>
> (if I open mailserver host in browser, padlock shows current/valid cert)
>
> --
> Voytek
Voytek Eymont
2018-Jul-22 13:21 UTC
ot: LE server conf setup/ iPhone 'expired cert' message
On Sun, July 22, 2018 11:08 pm, Pascal wrote:
> Have you restarted Dovecot to reload the renewed certificate?

no, though, I don't think I've restarted after previous renewals...
I'll restart now, and, see

> On 22 July 2018, 15:04, at 15:04, Voytek Eymont <voytek at sbt.net.au>
> wrote:
>
>> I've installed LE certs on my Dovecot a while back, and, it has been
>> working OK since, but, today, an iPhone user said he can't get emails as
>> iPhone says 'cert is expired', searching around, I see some other iPhone

Voytek
dclist at list.jmatt.net
2018-Jul-22 13:22 UTC
ot: LE server conf setup/ iPhone 'expired cert' message
> On Jul 22, 2018, at 9:04 AM, Voytek Eymont <voytek at sbt.net.au> wrote:
>
> I've installed LE certs on my Dovecot a while back, and, it has been
> working OK since, but, today, an iPhone user said he can't get emails as
> iPhone says 'cert is expired',
> (if I open mailserver host in browser, padlock shows current/valid cert)
>

Usually, a browser connects to a web server on port 443, while an email
client connects to an IMAP or POP server on a different port, served by
different software. Just because your browser receives a current/valid
cert, that doesn't mean your dovecot server is sending the same
certificate.

Assuming the sbt.net.au in your email address is the address of your
dovecot server, I tried

    openssl s_client -connect sbt.net.au:143 -starttls imap

And received a cert which includes:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                03:5b:41:a6:f4:a6:33:eb:5b:ac:af:b8:20:96:f4:0e:20:b9
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
            Validity
                Not Before: Apr 23 11:11:28 2018 GMT
                Not After : Jul 22 11:11:28 2018 GMT
            Subject: CN=geko.sbt.net.au

Dovecot is sending an expired cert. Pascal is correct; you need to
restart it.
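The check described in the reply above, as an added example that is not part of the original thread: it compares what the daemon serves with the certificate on disk, using the text printed by `openssl x509 -noout -serial -enddate`. The served values are those quoted in the thread; the on-disk serial and expiry date are constructed, and the function names are hypothetical.

```python
# Inputs are the two-line text printed by `openssl x509 -noout -serial -enddate`:
#   served : openssl s_client -connect HOST:143 -starttls imap </dev/null |
#            openssl x509 -noout -serial -enddate
#   on disk: openssl x509 -in fullchain.pem -noout -serial -enddate
import ssl
import time


def parse_cert_info(text):
    """Return (serial, not_after_epoch) parsed from `-serial -enddate` output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    if "serial" not in fields or "notAfter" not in fields:
        raise ValueError("expected serial= and notAfter= lines")
    serial = fields["serial"].replace(":", "").upper()
    return serial, ssl.cert_time_to_seconds(fields["notAfter"])


def diagnose(served_text, disk_text, now=None):
    """Classify what the daemon serves relative to the certificate on disk."""
    now = time.time() if now is None else now
    served_serial, served_end = parse_cert_info(served_text)
    disk_serial, disk_end = parse_cert_info(disk_text)
    if served_serial != disk_serial:
        # The file was renewed but the daemon still holds the cert it loaded
        # at startup: the situation in this thread.
        state = "expired" if served_end <= now else "still valid"
        return "STALE: daemon serves an old cert (%s); restart or reload it" % state
    if disk_end <= now:
        return "EXPIRED: the cert on disk has expired; renewal did not happen"
    return "OK"


# Served values are the ones quoted in the thread. The on-disk serial and
# expiry date are constructed for illustration.
SERVED = ("serial=035B41A6F4A633EB5BACAFB82096F40E20B9\n"
          "notAfter=Jul 22 11:11:28 2018 GMT\n")
ON_DISK = ("serial=0123456789ABCDEF0123456789ABCDEF0123\n"
           "notAfter=Oct 13 11:00:00 2018 GMT\n")
NOW = ssl.cert_time_to_seconds("Jul 22 13:22:00 2018 GMT")  # when the reply was sent

if __name__ == "__main__":
    print(diagnose(SERVED, ON_DISK, NOW))   # before the restart
    print(diagnose(ON_DISK, ON_DISK, NOW))  # after the restart
```

A "STALE ... (still valid)" result in the days after a renewal is the early warning: the daemon has not picked up the new file and will start failing clients when the old certificate runs out.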
Voytek Eymont
2018-Jul-22 13:52 UTC
ot: LE server conf setup/ iPhone 'expired cert' message
On Sun, July 22, 2018 11:22 pm, dclist at list.jmatt.net wrote:
> Usually, a browser connects to a web server on port 443, while an email
> client connects to an IMAP or POP server on a different port, served by
> different software. Just because your browser receives a current/valid
> cert, that doesn't mean your dovecot server is sending the same
> certificate.
>
> Assuming the sbt.net.au in your email address is the
> address of your dovecot server, I tried
>
>     openssl s_client -connect sbt.net.au:143 -starttls imap
>
> And received a cert which includes:
>
>     Certificate:
>         Data:
>             Version: 3 (0x2)
>             Serial Number:
>                 03:5b:41:a6:f4:a6:33:eb:5b:ac:af:b8:20:96:f4:0e:20:b9
>             Signature Algorithm: sha256WithRSAEncryption
>             Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
>             Validity
>                 Not Before: Apr 23 11:11:28 2018 GMT
>                 Not After : Jul 22 11:11:28 2018 GMT
>             Subject: CN=geko.sbt.net.au
>
> Dovecot is sending an expired cert. Pascal is correct; you need to
> restart it.

Pascal, "dclist", thanks!!

I've restarted Dovecot, and, I think it's OK now

sorry, I've panicked as googling turned up multiple iPhone/certs issues,
and, rather than properly testing first, I stupidly panicked...

thanks for explanation, thanks for testing!!

so, basically, after each renewal of server's cert I should remember to
reload Dovecot (and maybe Postfix too?)

thanks again,

--
Voytek