On 09/10/2020 11:50, Plutocrat wrote:
> On 09/10/2020 4:16 pm, Rogier Wolff wrote:
>> It turns out that dovecot had been running uninterrupted since August
>> 13th, the certificate was renewed on September 7th and I suspect it
>> expired on October 7th.
>
> I guess you could do a few things yourself to make sure the cert is valid. Thinking out loud:
>
> - Blunt instrument approach: Just restart/reload Dovecot once a week via a cron job. Letsencrypt will renew certs with less than 15 days to go, so once a week should catch it.

If you're using Let's Encrypt, then at least the certbot client has renewal hooks that you can use to run dovecot reload etc.

Good luck!
Reio

I have to say I'm totally baffled since I do nothing when LetsEncrypt renews the certificate.

I know the cert has been updated because the mail clients ask me if I trust the certificate.

If it makes a difference I use the bash LetsEncrypt not the Python code.

Original Message
From: reio at mrstuudio.ee
Sent: October 9, 2020 1:55 AM
To: dovecot at dovecot.org
Subject: Re: Feature request.

On 09/10/2020 11:50, Plutocrat wrote:
> On 09/10/2020 4:16 pm, Rogier Wolff wrote:
>> It turns out that dovecot had been running uninterrupted since August
>> 13th, the certificate was renewed on September 7th and I suspect it
>> expired on October 7th.
>
> I guess you could do a few things yourself to make sure the cert is valid. Thinking out loud:
>
> - Blunt instrument approach: Just restart/reload Dovecot once a week via a cron job. Letsencrypt will renew certs with less than 15 days to go, so once a week should catch it.

If you're using Let's Encrypt, then at least the certbot client has renewal hooks that you can use to run dovecot reload etc.

Good luck!
Reio

On 09/10/2020 12:52, lists wrote:
> I have to say I'm totally baffled since I do nothing when LetsEncrypt renews the certificate.
>
> I know the cert has been updated because the mail clients ask me if I trust the certificate.

Curious. The mail clients really shouldn't ask anything when encountering a valid certificate. Are you sure the client isn't asking you to trust an expired certificate?

Reio

> I have to say I'm totally baffled since I do nothing when LetsEncrypt renews the certificate.
>
> I know the cert has been updated because the mail clients ask me if I trust the certificate.
>
> If it makes a difference I use the bash LetsEncrypt not the Python code.

I don't like all those dependencies certbot (python) installs, but it works flawlessly on CentOS. On CentOS 8 you need to enable the EPEL *and* PowerTools repositories (/etc/yum/repos.d/...)

I've attached a small Perl script that I call via cron 30 minutes after certbot starts which reloads services if necessary.

Best regards
Gerald

#!/usr/bin/perl
use strict;
use warnings;

# Count the certificates under /etc/letsencrypt/live changed within the last day.
my $reload = 0;
open(my $ff, '-|', 'find', '/etc/letsencrypt/live', '-mtime', '-1', '-name', 'cert.pem')
    or die "cannot run find: $!";
while (<$ff>) {
    chomp;
    next if !$_;
    $reload++;
}
close($ff);

# Reload the TLS services only if at least one certificate was renewed.
if ($reload) {
    system("/usr/bin/systemctl reload httpd");
    system("/usr/bin/systemctl reload postfix");
    system("/usr/bin/systemctl reload dovecot");
}
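
An added example, not part of any post in this thread: a check for the failure described at the top of the thread, where the certificate file was renewed but the long-running daemon kept serving the old one. It compares the SHA-256 fingerprint of the certificate on disk with the one the service presents; the IMAPS port 993, the command-line arguments and the function names are assumptions made for this example.

```python
import hashlib
import socket
import ssl
import sys

HEADER = "-----BEGIN CERTIFICATE-----"
FOOTER = "-----END CERTIFICATE-----"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def disk_fingerprint(pem_text: str) -> str:
    """Fingerprint of the first (leaf) certificate in a PEM file.

    Works for cert.pem and for fullchain.pem, where the leaf comes first.
    """
    start = pem_text.find(HEADER)
    end = pem_text.find(FOOTER, start)
    if start == -1 or end == -1:
        raise ValueError("no PEM certificate found")
    leaf = pem_text[start:end + len(FOOTER)]
    return fingerprint(ssl.PEM_cert_to_DER_cert(leaf))


def served_der(host: str, port: int = 993, timeout: float = 10.0) -> bytes:
    """Fetch the leaf certificate a TLS service is presenting right now."""
    ctx = ssl.create_default_context()
    # Validation is off on purpose: an expired certificate must still be
    # retrievable so it can be compared. Nothing else is sent on this socket.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def is_stale(pem_text: str, served: bytes) -> bool:
    """True when the running service serves a different cert than the file."""
    return disk_fingerprint(pem_text) != fingerprint(served)


if __name__ == "__main__":
    cert_path, host = sys.argv[1], sys.argv[2]  # assumed usage: cert.pem path, mail host
    with open(cert_path) as fh:
        stale = is_stale(fh.read(), served_der(host))
    print("STALE: reload needed" if stale else "OK: served cert matches file")
    sys.exit(1 if stale else 0)
```

Run from cron or a monitoring system, the non-zero exit status signals that the daemon still needs a reload, whichever client renewed the certificate.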