Issue #2253

Multiple issues with certificates updates

Added by Denis 'GNUtoo' Carikli 4 months ago. Updated about 1 month ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:
Hosting infrastructure:
Type of work:
System administration

Updated by Denis 'GNUtoo' Carikli 4 months ago

  • Subject changed from Docecot requires a restart after new certificates to Multiple issues with certificates updates

With fdm (the mail fetch program that I use), I had the following error:

version is: fdm 2.0, started at: Mon May 24 12:28:59 2021 certificate verification failed: certificate has expired fetching error. aborted 0 messages processed in 0.893 seconds

So I tried to manually update the certificates as root with:

apt install certbot # For some reason certbot was removed
certbot renew

It had some errors like:

FileNotFoundError: [Errno 2] No such file or directory: '/var/www/letsencrypt/'

  /etc/letsencrypt/live/ (failure)

So I tried to workaround like that and it also updated the one or two failing cert(s):

systemctl stop apache2
certbot --standalone renew
systemctl start apache2

But I still had the issue with dovecot.

So I had to restart dovecot to be able to download the mails again.

So we probably need to:
  • Investigate why certbot is gone (again?), look if we are still using FAI somehow, and if so fix it there.
  • Fix the letsencrypt errors by creating the directory needed and do a certbot renew without stopping apache for testing if it works.
  • Find a way to have hooks run once the certificates are obtained. Guix for instance has bindings to do that, so it's probably a common use case. We just have to find how to do it with Trisquel / systemd.

Updated by Denis 'GNUtoo' Carikli about 1 month ago

In the last set of issues with letsencrypt, I managed to make all the current certificates use webroot.

I went into /etc/letsencrypt/renewal and switched all the remaining config files to webroot (I already did the infrastructure for that in apache long time ago but I didn't switch the config files yet)/

All the certificates uses webroot for renewal, even the ones that don't have web interfaces like the various ones of the mail system.

So now the certbot/letsencrypt systemd timer should at least work.

What remains is to restart the other daemons when new certificates have been obtained.

it might be possible to fork the .service file in /etc/systemd/system and make it restart the daemons that depends on letsencrypt certificates somehow.


Also available in: Atom PDF