Re: Letsencrypt tip

2017-09-14 Thread Dominic Raferd
On 13 September 2017 at 19:54, Viktor Dukhovni wrote: > > > On Sep 13, 2017, at 4:10 AM, Dominic Raferd > wrote: > > > > As Postfix SMTP server does not support SNI I think there is no point > using > > -servername option above, so the above can be shortened to: > > > > echo | > > sudo openssl
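The openssl s_client check discussed in the message above (truncated in this archive view), wrapped into a small monitoring script. This is an added example and not code from the thread or from Postfix/Dovecot; it assumes the OpenSSL command-line tool, GNU date (for -d), and Postfix offering STARTTLS on 127.0.0.1:587. The host, the 14-day threshold and all function names are my own choices. It checks the certificate the server actually presents, not the file on disk, so a renewed Let's Encrypt certificate that the daemon has not picked up is still caught, and it omits -servername as the shortened command in the message does.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Reports how long the certificate Postfix actually serves on the
# submission port remains valid, Nagios-style (OK / WARNING / CRITICAL).
# Assumptions: OpenSSL CLI, GNU date (-d), STARTTLS on 127.0.0.1:587.

# Fetch the served certificate and print its "notAfter=..." line.
# $1 = host:port. No -servername, matching the shortened command in the thread.
served_not_after() {
    echo | openssl s_client -connect "$1" -starttls smtp 2>/dev/null \
        | openssl x509 -noout -enddate
}

# Days until expiry (negative once expired).
# $1 = "notAfter=Sep 14 10:00:00 2027 GMT" as printed by openssl x509 -enddate
# $2 = reference time in epoch seconds (defaults to now; injectable for tests)
days_left() {
    end_epoch=$(date -u -d "${1#notAfter=}" +%s) || return 2
    now=${2:-$(date -u +%s)}
    echo $(( (end_epoch - now) / 86400 ))
}

# Verdict: prints OK/WARNING/CRITICAL and returns 0/1/2.
# $1 = days left, $2 = warning threshold in days
expiry_status() {
    if [ "$1" -lt 0 ]; then
        echo CRITICAL; return 2
    elif [ "$1" -lt "$2" ]; then
        echo WARNING; return 1
    fi
    echo OK
}

# Full check against a live server. $1 = host:port, $2 = warn threshold (days).
check_served_cert() {
    na=$(served_not_after "$1")
    if [ -z "$na" ]; then
        echo "CRITICAL: no certificate obtained from $1"; return 2
    fi
    d=$(days_left "$na") || { echo "CRITICAL: cannot parse '$na'"; return 2; }
    st=$(expiry_status "$d" "$2"); rc=$?
    echo "$st: $1 serves a certificate with $d day(s) left ($na)"
    return $rc
}

# Run only when given a target, e.g.:  sh check_served_cert.sh 127.0.0.1:587 14
if [ -n "${1:-}" ]; then
    check_served_cert "$1" "${2:-14}"
fi
```

Run it from cron against both 127.0.0.1:587 and the Dovecot IMAP port (with -starttls imap instead of smtp) and alert on a non-zero exit status; the return codes follow the monitoring-plugins convention mentioned later in the thread, so the script can also be dropped in as a Nagios check.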

Re: Letsencrypt tip

2017-09-13 Thread Viktor Dukhovni
> On Sep 13, 2017, at 4:10 AM, Dominic Raferd wrote: > > As Postfix SMTP server does not support SNI I think there is no point using > -servername option above, so the above can be shortened to: > > echo | > sudo openssl s_client -connect 127.0.0.1:587 -starttls smtp 2>/dev/null | > openssl x5

Re: Letsencrypt tip

2017-09-13 Thread Dominic Raferd
On 11 September 2017 at 17:22, Dominic Raferd wrote: > On 11/09/2017 12:33, Christian Kivalo wrote: > >> On 2017-09-11 11:21, Dominic Raferd wrote: >> >>> ​Does anyone know a way to detect if the certificate currently being >>> used by Postfix and/or Dovecot is nearing expiry (esp. in case they >

Re: Letsencrypt tip

2017-09-11 Thread Viktor Dukhovni
> On Sep 11, 2017, at 1:37 PM, Bill Shirley wrote: > > Thanks for the info. > > With acme.sh, reloads are only done when the certificate is renewed. It is best to just leave Postfix alone, and not reload even then. If you run certbot often enough to renew well in advance of expiration, reload

Re: Letsencrypt tip

2017-09-11 Thread Bill Shirley
Thanks for the info. With acme.sh, reloads are only done when the certificate is renewed. Bill On 9/11/2017 1:18 PM, Viktor Dukhovni wrote: On Sep 11, 2017, at 1:10 PM, Bill Shirley wrote: acme.sh can issue the reload command (--reloadcmd): https://www.mail-archive.com/dovecot@dovecot.org/ms

Re: Letsencrypt tip

2017-09-11 Thread Viktor Dukhovni
> On Sep 11, 2017, at 1:10 PM, Bill Shirley wrote: > > acme.sh can issue the reload command (--reloadcmd): > https://www.mail-archive.com/dovecot@dovecot.org/msg70894.html This is NOT needed for Postfix. The certificate file is not held in memory for a sufficiently long time to make routine re

Re: Letsencrypt tip

2017-09-11 Thread Bill Shirley
acme.sh can issue the reload command (--reloadcmd): https://www.mail-archive.com/dovecot@dovecot.org/msg70894.html Get an email from acme.sh: https://www.mail-archive.com/dovecot@dovecot.org/msg70895.html Bill On 9/11/2017 4:59 AM, Gary wrote: As you know, letsencrypt certs can be automaticall

Re: Letsencrypt tip

2017-09-11 Thread Marat Khalili
Real-world example (ugly but works): letsencrypt -tn --apache renew | tee "$LOG_FILE" if ! grep -q '^No renewals were attempted.$' "$LOG_FILE"; then CERTIFICATES_PATH='/etc/letsencrypt/live/example.com' RENEWAL_STATUS=`sed -nr 's#^ '"$CERTIFICATES_PATH"'/fullchain.pem \((.*)\)$#\1#p' "

Re: Letsencrypt tip

2017-09-11 Thread Mike
On 9/11/2017 5:21 AM, Dominic Raferd wrote: > > > On 11 September 2017 at 11:59, Gary > wrote: > > As you know, letsencrypt certs can be automatically updated. > However, you need to reload/restart Postfix/Dovecot to use the new > cert. My email client i

Re: Letsencrypt tip

2017-09-11 Thread Viktor Dukhovni
> On Sep 11, 2017, at 4:59 AM, Gary wrote: > > As you know, letsencrypt certs can be automatically updated. However, you > need to reload/restart Postfix/Dovecot to use the new cert. This is false for Postfix. The Postfix SMTP server processes (smtpd(8) and tlsproxy(8)) that use the server ce

Re: Letsencrypt tip

2017-09-11 Thread Dominic Raferd
On 11/09/2017 12:33, Christian Kivalo wrote: On 2017-09-11 11:21, Dominic Raferd wrote: Does anyone know a way to detect if the certificate currently being used by Postfix and/or Dovecot is nearing expiry (esp. in case they haven't picked up the updated letsencrypt certificate)? You mean like

Re: Letsencrypt tip

2017-09-11 Thread Admin Beckspaced
On 11.09.2017 10:59, Gary wrote: As you know, letsencrypt certs can be automatically updated. However, you need to reload/restart Postfix/Dovecot to use the new cert. My email client insisted I had an expired cert. I couldn't download or send email. (Fortunately I'm on a test domain, getting r

Re: Letsencrypt tip

2017-09-11 Thread Ralph Seichter
On 11.09.2017 11:21, Dominic Raferd wrote: > Does anyone know a way to detect if the certificate currently being > used by Postfix and/or Dovecot is nearing expiry (esp. in case they > haven't picked up the updated letsencrypt certificate)? See https://www.monitoring-plugins.org/ -- The plugins

Re: Letsencrypt tip

2017-09-11 Thread Petri Riihikallio
> Gary kirjoitti 11.09.2017 kello 11:59: > > As you know, letsencrypt certs can be automatically updated. However, you > need to reload/restart Postfix/Dovecot to use the new cert. My email client > insisted I had an expired cert. I couldn't download or send email. > (Fortunately I'm on a tes

Re: Letsencrypt tip

2017-09-11 Thread Christian Kivalo
On 2017-09-11 11:21, Dominic Raferd wrote: Does anyone know a way to detect if the certificate currently being used by Postfix and/or Dovecot is nearing expiry (esp. in case they haven't picked up the updated letsencrypt certificate)? You mean like this from the letsencrypt forum adapted for

Re: Letsencrypt tip

2017-09-11 Thread Dominic Raferd
On 11 September 2017 at 11:59, Gary wrote: > As you know, letsencrypt certs can be automatically updated. However, you > need to reload/restart Postfix/Dovecot to use the new cert. My email client > insisted I had an expired cert. I couldn't download or send email. > (Fortunately I'm on a test do