My certs got forcibly renewed.
dovecot -nP:
# 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.2 ()
# OS: Linux 5.9.0-rc5-lja-tv+ x86_64 Ubuntu 20.04.2 LTS
# Hostname: superman.sillywalk.org
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_username_format = %Ln
auth_verbose = yes
auth_verbose_passwords = plain
debug_log_path = /var/log/dovecot-debug.log
info_log_path = /var/log/dovecot-info.log
log_path = /var/log/dovecot.log
mail_debug = yes
mail_location = maildir:~/Maildir/
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
}
passdb {
  driver = pam
}
protocols = imap pop3 lmtp
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = mail
    mode = 0660
    user = postfix
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = mail
    mode = 0660
    user = postfix
  }
}
ssl_cert = </etc/letsencrypt/live/lja.fi/fullchain.pem
ssl_dh = </usr/share/dovecot/dh.pem
ssl_key = </etc/letsencrypt/live/lja.fi/privkey.pem
userdb {
  args = username_format=%Ln
  driver = passwd
}
protocol lmtp {
  postmaster_address = postmaster@localhost
}
protocol imap {
  imap_metadata = yes
}
local_name domainA.fi {
  ssl_cert = </etc/letsencrypt/live/informaatiotiili.fi/fullchain.pem
  ssl_dh = </usr/share/dovecot/dh.pem
  ssl_key = </etc/letsencrypt/live/informaatiotiili.fi/privkey.pem
}
local_name informationbrick.com {
  ssl_cert = </etc/letsencrypt/live/informationbrick.com/fullchain.pem
  ssl_dh = </usr/share/dovecot/dh.pem
  ssl_key = </etc/letsencrypt/live/informationbrick.com/privkey.pem
}
local_name paxsudos.fi {
  ssl_cert = </etc/letsencrypt/live/paxsudos.fi/fullchain.pem
  ssl_dh = </usr/share/dovecot/dh.pem
  ssl_key = </etc/letsencrypt/live/paxsudos.fi/privkey.pem
}
local_name paxsudos.com {
  ssl_cert = </etc/letsencrypt/live/paxsudos.com/fullchain.pem
  ssl_dh = </usr/share/dovecot/dh.pem
  ssl_key = </etc/letsencrypt/live/paxsudos.com/privkey.pem
}
local_name lja.fi {
  ssl_cert = </etc/letsencrypt/live/lja.fi/fullchain.pem
  ssl_dh = </usr/share/dovecot/dh.pem
  ssl_key = </etc/letsencrypt/live/lja.fi/privkey.pem
}
The certs are working fine and are up to date. (Apache2 with the same certs
for the domains works ok.)
I don't know how to use the openssl x509 -text command; if I run it like
echo "" | openssl x509 -text
I get loads of errors.
My distro:
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.2 LTS
Release:        20.04
Codename:       focal
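An added check for the question Aki raises below (is the file the config names really a current certificate?), not code from the thread: it pulls the `ssl_cert = <path` lines out of `doveconf -nP` output and runs `openssl x509 -in` on each file, which is what `echo "" | openssl x509 -text` was missing (x509 expects a certificate on stdin or via `-in`). It assumes only the `openssl` CLI; the host, port and SNI name in `served_cert_enddate` are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks that every file a Dovecot
# config points at via "ssl_cert = </path" is a readable, current certificate.
# Assumes only the openssl CLI and config text in `doveconf -nP` format.

# Print the unique certificate paths named by ssl_cert lines (config on stdin),
# with the leading '<' (Dovecot's "read value from this file") stripped.
cert_paths_from_config() {
    sed -n 's/^[[:space:]]*ssl_cert[[:space:]]*=[[:space:]]*<//p' | sort -u
}

# Show subject, SAN and notAfter of one PEM file. Returns 2 if the file is
# unreadable or not a certificate, 1 if it expires within $2 days (default 14).
check_cert_file() {
    pem=$1; days=${2:-14}
    # -in reads the certificate from the file; x509 otherwise expects a
    # PEM certificate on stdin, which is why an empty echo only yields errors.
    if ! openssl x509 -in "$pem" -noout -subject -enddate 2>/dev/null; then
        echo "UNREADABLE: $pem"; return 2
    fi
    openssl x509 -in "$pem" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' | tail -n 1
    if ! openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "EXPIRING within $days days: $pem"; return 1
    fi
    echo "OK: $pem"
}

# Run check_cert_file on every ssl_cert path in the config text given on stdin;
# returns 1 if any check failed, so it can gate a reload after a renewal.
check_config_certs() {
    rc=0
    for p in $(cert_paths_from_config); do
        check_cert_file "$p" "$@" || rc=1
    done
    return $rc
}

# Ask the running server which certificate it serves for an SNI name; this is
# what exercises the local_name blocks. Host, name and port are placeholders.
served_cert_enddate() {
    host=$1; name=$2; port=${3:-993}
    printf '' | openssl s_client -connect "$host:$port" -servername "$name" 2>/dev/null |
        openssl x509 -noout -subject -enddate
}
```

Typical use after a renewal is `doveconf -nP | check_config_certs 14` before reloading Dovecot, then `served_cert_enddate mail.example.org lja.fi` for each local_name to confirm the live server hands out the renewed file.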
Aki Tuomi wrote on 13.4.2021 at 7:40:
> Uh. You are practically proposing that all versions after 2.3.7.2 would
> be serving expired SSL certs, due to some bug? If that was the case, then
> I would believe we would've been inundated with bug reports for the past
> year or so. Installation probably breaks because you are using an expired cert
> from the wrong path.
>
> Doublecheck the output of `doveconf -nP` and `openssl x509 -text` to make sure
> you are indeed using the correct, non-expired certificate.
>
> Aki
>
>> On 13/04/2021 07:16 gmail <ljakku77 at gmail.com> wrote:
>>
>> Hi,
>>
>> I got news: dovecot is the one that is broken. I got all the other
>> stuff updated to the latest BUT not dovecot, and I got a working system.
>>
>> If I upgrade dovecot, the installation breaks. I'm using
>> Let's Encrypt's certs.
>>
>> The version that is good is 2.3.7.2 (3c910f64b)
>>
>> Heiko Schlittermann wrote on 12.4.2021 at 23:20:
>>> Hi,
>>>
>>>> In our case this is an internally used Dovecot Mail server
>>>> that's used for
>>>
>>>> certificates worth the expense? Just curious on what
>>>> everyone's opinion is of Digital Certs signed by certificate
>>>> authorities that are only used inside the LAN. Thoughts?
>>> Aki is right. In the long run it's easier to use "official" certs.
>>> Since the advent of Let's Encrypt it is cheap.
>>>
>>> Of course, getting a certificate from Let's Encrypt for an internal
>>> service isn't as easy as for a public HTTP server, but it is possible.
>>>
>>> (We use a dedicated machine, requesting certs for all our internal
>>> services, employing the DNS challenge with Let's Encrypt. From this
>>> dedicated machine then we deploy the certs into our internal
>>> infrastructure using
>>> https://gitea.schlittermann.de/heiko/cert-proxy.git)
>>>
>>>>>> I also tried creating new .crt and key files using this
>>>>>> tutorial:
>>>>>>
>>>>>> https://msol.io/blog/tech/create-a-self-signed-ssl-certificate-with-openssl/
>>> No need to use tech blogs. Use "man req" and brain.
>>>
>>> openssl req -x509 -new \
>>>     -out ssl.pem \
>>>     -keyout ssl.pem -newkey rsa:4096 -nodes \
>>>     -subj /CN=example.com -days 365
>>>
>>> (or two distinct files for crt and key).