Yup, that did the trick.

Thanks!

Filipe

On 1/10/19 7:47 AM, Aki Tuomi wrote:
>
> On 10.1.2019 9.42, Filipe Carvalho wrote:
>>
>> Hello,
>>
>> Not sure if this is the right place to post this, but the ssl
>> certificate of the repo.dovecot.org server expired on the 9th of January.
>>
>> It's giving an error via the browser and via the apt command in Debian:
>>
>> W: Failed to fetch
>> https://repo.dovecot.org/ce-2.3-latest/debian/jessie/dists/jessie/main/binary-amd64/Packages
>> server certificate verification failed. CAfile:
>> /etc/ssl/certs/ca-certificates.crt CRLfile: none
>>
>> Cheers!
>>
>> Filipe Carvalho
>>
>> --
>> UP Digital
>> Filipe Carvalho
>> Infraestruturas Tecnológicas / IT infrastructures
>> filipec at uporto.pt <mailto:filipec at uporto.pt>
>
> Amazing this certbot thing...
>
> [Unit]
> Description=Certbot
> Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
> Documentation=https://letsencrypt.readthedocs.io/en/latest/
> [Service]
> Type=oneshot
> ExecStart=/usr/bin/certbot -q renew --post-hook /etc/letsencrypt/post.hooks.d/reload
> PrivateTmp=true
>
> one would think this would work and reload nginx after the cert has
> been renewed...
>
> Aki

Would be better if it would happen automatically though.

Aki

On 10.1.2019 10.04, Filipe Carvalho wrote:
> Yup, that did the trick.
>
> Thanks!
>
> Filipe

Hello,

in the ExecStart I also use "--agree-tos"

Instead of --post-hook, maybe --deploy-hook is better

I usually put my scripts in the folder /etc/letsencrypt/renewal-hooks/deploy/ instead of using --deploy-hook

Andrea

On 10/01/19 09:14, Aki Tuomi wrote:
> Would be better if it would happen automatically though.
>
> Aki

--
----------------------------------------------------------------
What's right isn't always popular, what's popular isn't always right.
----------------------------------------------------------------
Ing. Andrea Gabellini
Email: andrea.gabellini at telecomitalia.sm
Skype: andreagabellini
Tel: (+378) 0549 886111
Fax: (+378) 0549 886188
Telecom Italia San Marino S.p.A.
Via XXVIII Luglio, 212 - Piano -2
47893 Borgo Maggiore
Republic of San Marino
http://www.telecomitalia.sm

Hi Aki,

it doesn't happen very often but the certificate renewal can fail, so it's best to check daily. certbot will only try to renew those certificates that are about to expire in a few weeks.

I'm using a little perl script via cron which may be more flexible:

#!/usr/bin/perl
use strict;
use warnings;

# Count certificates whose cert.pem changed within the last day.
my $reload_count = 0;
open(FF, "find /etc/letsencrypt/live -mtime -1 -name cert.pem |");
while(<FF>){
    chomp;
    next if !$_;
    system("/usr/bin/logger \"sslreload: ssl certificate $_ needs reload after renew\"");
    $reload_count++;
}
close(FF);

if($reload_count){
    system("/usr/bin/logger \"sslreload: $reload_count certificates changed, reloading services\"");
    # list all your affected services or rsync/reload on other nodes
    # some services need restart, not reload
    system("/usr/bin/systemctl reload httpd");
    system("/usr/bin/systemctl reload postfix");
    system("/usr/bin/systemctl restart vsftpd");
} else {
    system("/usr/bin/logger \"sslreload: nothing to reload\"");
}

Save to /usr/bin/sslreload and chmod 700

crontab -e
0 18 * * * /usr/bin/certbot renew --quiet --no-self-upgrade --allow-subset-of-names; /usr/bin/sslreload

Best regards
Gerald

> On 10.01.2019 at 09:14, Aki Tuomi <aki.tuomi at open-xchange.com> wrote:
>
> Would be better if it would happen automatically though.
>
> Aki
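
The deploy-hook approach Andrea mentions, combined with Gerald's reload/restart distinction, as an added example that is not code from the thread or from the certbot project. It relies on the RENEWED_LINEAGE and RENEWED_DOMAINS variables certbot exports to deploy hooks; the service lists, the DRY_RUN switch and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): a certbot deploy hook.
# Install as an executable file in /etc/letsencrypt/renewal-hooks/deploy/.
# certbot runs deploy hooks once per successfully renewed certificate and
# exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.org) and
# RENEWED_DOMAINS (space-separated names on that certificate).

# Assumption: which services read the certificate and how each picks it up.
RELOAD_SERVICES="${RELOAD_SERVICES:-nginx postfix}"
RESTART_SERVICES="${RESTART_SERVICES:-vsftpd}"

# Log to syslog; fall back to stderr when logger is unavailable.
log() { logger -t cert-deploy-hook -- "$*" 2>/dev/null || echo "cert-deploy-hook: $*" >&2; }

# Print one "systemctl <action> <service>" line per affected service.
plan_actions() {
    lineage="$1"
    [ -n "$lineage" ] || { log "RENEWED_LINEAGE not set; not called by certbot?"; return 2; }
    # Leave services alone if the renewed files are missing or empty.
    for f in fullchain.pem privkey.pem; do
        [ -s "$lineage/$f" ] || { log "missing $lineage/$f, leaving services alone"; return 1; }
    done
    for s in $RELOAD_SERVICES;  do echo "systemctl reload $s";  done
    for s in $RESTART_SERVICES; do echo "systemctl restart $s"; done
}

# Execute the plan, or only print it when DRY_RUN is set (hypothetical switch).
run_hook() {
    actions=$(plan_actions "$RENEWED_LINEAGE") || return $?
    log "renewed: ${RENEWED_DOMAINS:-unknown} ($RENEWED_LINEAGE)"
    echo "$actions" | while read -r cmd; do
        if [ -n "$DRY_RUN" ]; then echo "$cmd"; else $cmd || log "FAILED: $cmd"; fi
    done
}

# Act only when certbot supplies a lineage, so sourcing this file is harmless.
[ -z "$RENEWED_LINEAGE" ] || run_hook
```

Running it by hand with DRY_RUN=1 and RENEWED_LINEAGE pointing at a live directory prints the commands it would run without touching any service.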