Added by Denis 'GNUtoo' Carikli almost 3 years ago. Updated over 2 years ago.
0%
With fdm (the mail fetch program that I use), I had the following error:
version is: fdm 2.0, started at: Mon May 24 12:28:59 2021 imap.replicant.us: certificate verification failed: certificate has expired imap.replicant.us: fetching error. aborted imap.replicant.us: 0 messages processed in 0.893 seconds
So I tried to manually update the certificates as root with:
apt install certbot # For some reason certbot was removed certbot renew
It had some errors like:
FileNotFoundError: [Errno 2] No such file or directory: '/var/www/letsencrypt/autoconfig.replicant.us'
/etc/letsencrypt/live/mx1.replicant.us/fullchain.pem (failure)
So I tried to workaround like that and it also updated the one or two failing cert(s):
systemctl stop apache2 certbot --standalone renew systemctl start apache2
But I still had the issue with dovecot.
So I had to restart dovecot to be able to download the mails again.
So we probably need to:certbot renew without stopping apache for testing if it works.In the last set of issues with letsencrypt, I managed to make all the current certificates use webroot.
I went into /etc/letsencrypt/renewal and switched all the remaining config files to webroot (I already did the infrastructure for that in apache long time ago but I didn't switch the config files yet)/
All the certificates uses webroot for renewal, even the ones that don't have web interfaces like the various ones of the mail system.
So now the certbot/letsencrypt systemd timer should at least work.
What remains is to restart the other daemons when new certificates have been obtained.
it might be possible to fork the .service file in /etc/systemd/system and make it restart the daemons that depends on letsencrypt certificates somehow.
Denis.