Hi,

I got news: dovecot is the one that is broken. I got all other stuff set up and updated to latest BUT not dovecot, and I got a working system.

If I upgrade dovecot, the installation breaks. I'm using Let's Encrypt's certs.

The version that is good is 2.3.7.2 (3c910f64b)

Heiko Schlittermann wrote on 12.4.2021 at 23:20:
> Hi,
>
>> In our case this is an internally used Dovecot Mail server that's used for
> ?
>> certificates worth the expense? Just curious on what everyone's opinion is
>> of Digital Certs signed by certificate authorities that are only used inside
>> the LAN. Thoughts?
> Aki is right. In the long run it's easier to use "official" certs. Since
> the advent of Let's Encrypt it is cheap.
>
> Of course, getting a certificate from Let's Encrypt for an internal
> service isn't as easy as for a public HTTP server, but it is possible.
>
> (We use a dedicated machine, requesting certs for all our internal
> services, employing the DNS challenge with Let's Encrypt. From this
> dedicated machine then we deploy the certs into our internal
> infrastructure using https://gitea.schlittermann.de/heiko/cert-proxy.git)
>
>>>> I also tried creating new .crt and key files using this tutorial:
>>>> https://msol.io/blog/tech/create-a-self-signed-ssl-certificate-with-openssl/
> No need to use tech blogs. Use "man req" and brain.
>
> openssl req -x509 -new \
> -out ssl.pem \
> -keyout ssl.pem -newkey rsa:4096 -nodes \
> -subj /CN=example.com -days 365
>
> (or two distinct files for crt and key).
Uh. You are practically proposing that all versions after 2.3.7.2 would be serving expired SSL certs, due to some bug? If that was the case, then I would believe we would've been inundated with bug reports for the past year or so.

Installation probably breaks because you are using an expired cert, from the wrong path. Double-check the output of `doveconf -nP` and `openssl x509 -text` to make sure you are indeed using the correct, non-expired certificate.

Aki

> On 13/04/2021 07:16 gmail <ljakku77 at gmail.com> wrote:
>
> Hi,
>
> I got news: dovecot is the one that is broken, i got setup all other
> stuff updated to latest BUT not dovecot, and i got working system.
>
> if I upgrade dovecot, the installation breaks. I'm using letencrypt's certs.
>
> The version that is good is 2.3.7.2 (3c910f64b)
>
> Heiko Schlittermann wrote on 12.4.2021 at 23:20:
>> Hi,
>>
>>> In our case this is an internally used Dovecot Mail server that's used for
>> ?
>>> certificates worth the expense? Just curious on what everyone's opinion is
>>> of Digital Certs signed by certificate authorities that are only used inside
>>> the LAN. Thoughts?
>> Aki is right. In the long run it's easier to use "official" certs. Since
>> the advent of Let's Encrypt it is cheap.
>>
>> Of course, getting a certificate from Let's Encrypt for an internal
>> service isn't as easy as for a public HTTP server, but it is possible.
>>
>> (We use a dedicated machine, requesting certs for all our internal
>> services, employing the DNS challenge with Let's Encrypt. From this
>> dedicated machine then we deploy the certs into our internal
>> infrastructure using https://gitea.schlittermann.de/heiko/cert-proxy.git)
>>
>>>>> I also tried creating new .crt and key files using this tutorial:
>>>>> https://msol.io/blog/tech/create-a-self-signed-ssl-certificate-with-openssl/
>> No need to use tech blogs. Use "man req" and brain.
>>
>> openssl req -x509 -new \
>> -out ssl.pem \
>> -keyout ssl.pem -newkey rsa:4096 -nodes \
>> -subj /CN=example.com -days 365
>>
>> (or two distinct files for crt and key).
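The check Aki describes, as an added example that is not part of the thread: it builds throwaway certs with the `openssl req` one-liner Heiko quoted (two separate files, rsa:2048 to keep it quick), then verifies that the certificate is not about to expire and that it belongs to the key it is paired with, which is what goes wrong when the wrong path ends up in `ssl_cert`/`ssl_key`. The scratch paths are assumptions; on a real server take the paths from `doveconf -nP`.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes an `openssl` binary on PATH.
set -eu

# Create a self-signed cert + key valid for $3 days, as in Heiko's command
# but with distinct crt/key files (his "two distinct files" variant).
make_selfsigned() {          # $1=crt path  $2=key path  $3=days
  openssl req -x509 -new -out "$1" -keyout "$2" \
    -newkey rsa:2048 -nodes -subj /CN=example.com -days "$3" 2>/dev/null
}

# Returns 0 if the certificate in $1 stays valid for at least $2 more seconds.
cert_valid_for() {           # $1=crt path  $2=seconds
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# notAfter, the same date `openssl x509 -text` shows in the Validity block.
cert_not_after() {           # $1=crt path
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Returns 0 if the public key inside the cert matches the private key,
# i.e. ssl_cert and ssl_key really are a pair (catches a wrong-path mix-up).
cert_matches_key() {         # $1=crt path  $2=key path
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Stand-alone run on constructed certs in a scratch directory.
WORK=$(mktemp -d)
make_selfsigned "$WORK/good.crt"  "$WORK/good.key"  365
make_selfsigned "$WORK/short.crt" "$WORK/short.key" 1
echo "good.crt expires: $(cert_not_after "$WORK/good.crt")"
cert_valid_for "$WORK/good.crt" 2592000 && echo "good.crt: valid for at least 30 days"
cert_valid_for "$WORK/short.crt" 2592000 || echo "short.crt: expires within 30 days"
cert_matches_key "$WORK/good.crt" "$WORK/good.key" && echo "good.crt matches good.key"
cert_matches_key "$WORK/good.crt" "$WORK/short.key" || echo "good.crt does not match short.key"
```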
gmail <ljakku77 at gmail.com> (Di 13 Apr 2021 06:16:38 CEST):
> Hi,
>
> I got news: dovecot is the one that is broken, i got setup all other stuff
> updated to latest BUT not dovecot, and i got working system.

Are you referring to the original topic of this thread? Or is this a new issue?

I'm asking because your address doesn't match the OP's address and somehow the information you're presenting doesn't fit the OP's information (self-signed certs vs LE certs).

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -