[BlueOnyx:25142] Re: Quickfix for BO servers with certificates that are old or doesn't work anymore!!!
Michael Stauber
mstauber at blueonyx.it
Thu Sep 30 14:26:13 -05 2021
Hi Martin and all,
> we had the same problem here, but the workaround from Maurice solved the issue.
>
> The CA cert expired yesterday and renewing it using the gui did not work for dovecot.
>
>> I fixed it by
>>
>> cd /etc/pki/dovecot/certs
>> cat dovecot.pem ca.pem > new.pem
>> chmod 600 new.pem
>> rm dovecot.pem
>> mv new.pem dovecot.pem
>> service dovecot restart
I'm currently digging through the Handlers that deal with this:
https://devel.blueonyx.it/trac/browser/BlueOnyx/5210R/ui/base-email.mod/glue/handlers/copy_certs.pl
This copy_certs.pl runs when a new GUI cert is requested and it makes
sure it gets to all the right places.
# Handle Dovecot key and cert:
system("/bin/cp /etc/admserv/certs/key /etc/pki/dovecot/private/dovecot.pem");
system("/bin/cp /etc/admserv/certs/certificate /etc/pki/dovecot/certs/dovecot.pem");
Maurice combines the intermediate and the cert into the dovecot.pem,
whereas we used to have them in separate files. After all, our
/etc/dovecot/conf.d/10-ssl.conf tells Dovecot where to find the CA files
(via the "ssl_ca" line):
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
ssl_ca = </etc/pki/dovecot/certs/ca.pem
But if that's what it takes to get it kicking again, then we'll follow
Maurice's lead and copy_certs.pl will now chuck the CAs into
dovecot.pem as well.
--
With best regards
Michael Stauber
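
Added example, not part of the original post and not BlueOnyx code: the quoted workaround written so it can be re-run without appending the CA twice, tolerates a PEM file that lacks a trailing newline, and replaces dovecot.pem atomically with mode 0600. The function names and the script name are hypothetical, and it only assembles the bundle; it does not validate the chain cryptographically.

```shell
#!/bin/sh
# Added example, not BlueOnyx code. Function names are hypothetical.
# Paths from the post: /etc/pki/dovecot/certs/dovecot.pem and ca.pem

# Number of PEM certificate blocks in a file (prints 0 for none).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print only the first certificate block (the server certificate).
first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ {p=1}
         p {print}
         p && /-----END CERTIFICATE-----/ {exit}' "$1"
}

# Print every certificate block, dropping anything outside the markers.
all_certs() {
    awk '/-----BEGIN CERTIFICATE-----/ {p=1}
         p {print}
         /-----END CERTIFICATE-----/ {p=0}' "$1"
}

# build_bundle LEAF CA OUT: write leaf + CA certs to OUT (OUT may be LEAF).
build_bundle() {
    leaf=$1 ca=$2 out=$3
    for f in "$leaf" "$ca"; do
        if [ ! -r "$f" ] || [ "$(count_certs "$f")" -lt 1 ]; then
            echo "no certificate found in $f" >&2
            return 1
        fi
    done
    # mktemp creates the file with mode 0600 in the target directory,
    # so the rename below is atomic and never exposes a partial file.
    tmp=$(mktemp "$out.XXXXXX") || return 1
    if { first_cert "$leaf" && all_certs "$ca"; } > "$tmp"; then
        mv -f "$tmp" "$out"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Run only when called with three arguments, e.g. as root:
#   sh rebuild.sh dovecot.pem ca.pem dovecot.pem && service dovecot restart
if [ "$#" -eq 3 ]; then
    build_bundle "$@"
fi
```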