
Propagate acme.sh certificate so Dovecot can read it
Open, High, Public

Description

Dovecot didn't have the new certificate but was still serving an old one, now expired.

Check:
openssl s_client -connect mail.nasqueron.org:993 < /dev/null | openssl x509 -noout -subject -issuer -dates -serial

We solved that directly on the server doing those steps:

  • Dovecot configuration: update filename from privkey.pem to key.pem (Certbot -> acme.sh change)
  • Common group mail with 3 users:
    • postfix (already set up)
    • dovecot (to read key.pem)
    • acme (so they can set the file with the right group)
  • Permissions:
    • /var/certificates 700 -> 711
    • /var/certificates/mail.nasqueron.org group wheel -> mail
    • /var/certificates/mail.nasqueron.org/key.pem chmod 600 -> 640

Salt configuration needs to be updated accordingly.
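A script to verify the layout the steps above arrive at, so a future acme.sh renewal cannot silently leave Dovecot with a key it cannot open; this is an added example, not code from the task or from Nasqueron's Salt configuration. The path /var/certificates/mail.nasqueron.org, the filename key.pem, the modes 711/640 and the group mail come from the steps; the function names and the stat fallback for BSD are assumptions.

```shell
#!/bin/sh
# Added example (not part of the task): check the certificate layout the task
# describes, after an acme.sh renewal or a Salt highstate.
#   - the parent directory (/var/certificates) is 711: traversable, not listable
#   - the host directory and key.pem belong to the shared group (mail)
#   - key.pem is 640: owner rw, group r, nothing for others
#   - the daemons that must read the key (dovecot, postfix, acme) are in that group
# Paths and the group name are parameters; defaults in the usage note follow the task.

# Print the octal mode / group name of a path; GNU stat first, BSD stat as fallback.
mode_of()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"; }
group_of() { stat -c '%G' "$1" 2>/dev/null || stat -f '%Sg' "$1"; }

# check_mode PATH WANT / check_group PATH WANT: print the mismatch, return 1 on failure
check_mode() {
    [ -e "$1" ] || { echo "FAIL: $1 does not exist"; return 1; }
    got=$(mode_of "$1")
    [ "$got" = "$2" ] || { echo "FAIL: $1 mode $got, want $2"; return 1; }
}
check_group() {
    [ -e "$1" ] || { echo "FAIL: $1 does not exist"; return 1; }
    got=$(group_of "$1")
    [ "$got" = "$2" ] || { echo "FAIL: $1 group $got, want $2"; return 1; }
}

# user_in_group USER GROUP: 0 if USER is a member of GROUP (dovecot, postfix, acme should be)
user_in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# check_cert_layout CERT_DIR GROUP: run every file check, return 1 if any failed
check_cert_layout() {
    dir=$1; grp=$2; rc=0
    check_mode  "$(dirname "$dir")" 711 || rc=1
    check_group "$dir" "$grp"          || rc=1
    check_mode  "$dir/key.pem" 640     || rc=1
    check_group "$dir/key.pem" "$grp"  || rc=1
    return $rc
}
```

On the mail host, run `check_cert_layout /var/certificates/mail.nasqueron.org mail` and `user_in_group dovecot mail` (likewise for postfix and acme); combined with the openssl s_client check from the description, this covers both the file side and the served certificate.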

Event Timeline

dereckson triaged this task as High priority. Mon, Sep 22, 21:32
dereckson created this task.