Issue #2253: Multiple issues with certificates updates
Status: open (0% done)
Updated by Denis 'GNUtoo' Carikli over 3 years ago
- Subject changed from "Dovecot requires a restart after new certificates" to "Multiple issues with certificates updates"
With fdm (the mail fetch program that I use), I had the following error:
    version is: fdm 2.0, started at: Mon May 24 12:28:59 2021
    imap.replicant.us: certificate verification failed: certificate has expired
    imap.replicant.us: fetching error. aborted
    imap.replicant.us: 0 messages processed in 0.893 seconds
So I tried to manually update the certificates as root with:
    apt install certbot # For some reason certbot was removed
    certbot renew
It had some errors like:
    FileNotFoundError: [Errno 2] No such file or directory: '/var/www/letsencrypt/autoconfig.replicant.us'
And:
    /etc/letsencrypt/live/mx1.replicant.us/fullchain.pem (failure)
So I tried to work around it like that, and it also updated the one or two failing cert(s):
    systemctl stop apache2
    certbot --standalone renew
    systemctl start apache2
But I still had the issue with dovecot.
So I had to restart dovecot to be able to download the mails again.
So we probably need to:
- Investigate why certbot is gone (again?), look if we are still using FAI somehow, and if so fix it there.
- Fix the letsencrypt errors by creating the directory needed and do a
      certbot renew
  without stopping apache for testing if it works.
- Find a way to have hooks run once the certificates are obtained. Guix for instance has bindings to do that, so it's probably a common use case. We just have to find how to do it with Trisquel / systemd.
Updated by Denis 'GNUtoo' Carikli about 3 years ago
In the last set of issues with letsencrypt, I managed to make all the current certificates use webroot.
I went into /etc/letsencrypt/renewal and switched all the remaining config files to webroot (I already did the infrastructure for that in apache a long time ago, but I didn't switch the config files yet).
All the certificates use webroot for renewal, even the ones that don't have web interfaces like the various ones of the mail system.
So now the certbot/letsencrypt systemd timer should at least work.
What remains is to restart the other daemons when new certificates have been obtained.
It might be possible to fork the .service file in /etc/systemd/system and make it restart the daemons that depend on letsencrypt certificates somehow.
Denis.
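One way to get the "restart the daemons once new certificates are obtained" step without forking the systemd unit is a certbot deploy hook; certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal, so the systemd timer the comment above mentions triggers it too. The script below is an added example, not code from the ticket or from Replicant's infrastructure: the domain-to-service mapping and the service names are assumptions, and the hostnames are the ones named in the ticket.

```shell
#!/bin/sh
# Added example of a certbot deploy hook (not part of the ticket).
# Install as /etc/letsencrypt/renewal-hooks/deploy/restart-services.sh (chmod +x).
# Certbot runs it only after a renewal actually succeeded, with
#   RENEWED_LINEAGE  = /etc/letsencrypt/live/<name>
#   RENEWED_DOMAINS  = space-separated list of the renewed domains
# in the environment. "certbot renew --dry-run" skips deploy hooks by default,
# which is why the decision logic lives in functions that can be tested by hand.
set -eu

# Which daemon consumes which certificate. Assumed mapping; adjust to the real
# vhost/lineage layout.
service_for_domain() {
    case "$1" in
        imap.*|mx1.*)  echo dovecot ;;   # IMAP and mail exchanger
        autoconfig.*)  echo apache2 ;;   # web-only name
        *)             echo "" ;;        # unknown domain: nothing to restart
    esac
}

# Distinct, sorted set of services to act on for a list of domains, so a
# renewal covering several names restarts each daemon only once.
services_for_domains() {
    for d in $1; do
        service_for_domain "$d"
    done | grep -v '^$' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Dovecot needed a full restart in the ticket; apache2 picks up new
# certificate files on a graceful reload.
apply_service() {
    case "$1" in
        dovecot) systemctl restart dovecot ;;
        apache2) systemctl reload apache2 ;;
    esac
    logger -t certbot-deploy "$1: reloaded for renewed certificate ${RENEWED_LINEAGE:-?}"
}

# Only act when certbot invoked us for a real renewal (the variable is unset
# when the script is sourced or run by hand).
if [ -n "${RENEWED_DOMAINS:-}" ]; then
    for svc in $(services_for_domains "$RENEWED_DOMAINS"); do
        apply_service "$svc"
    done
fi
```

Because the hook is keyed on RENEWED_DOMAINS, a lineage that fails to renew (like the mx1 failure above) leaves the daemons untouched, and the renewal error still shows up in certbot's own log.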