Page MenuHomeDevCentral
Create Task
Maniphest T2132

Propagate acme.sh certificate so Dovecot can read it
Open, HighPublic
Actions

Description

Dovecot didn't have the new certificate but was still serving an old one, now expired.

Check:
openssl s_client -connect mail.nasqueron.org:993 < /dev/null | openssl x509 -noout -subject -issuer -dates -serial

We solved that directly on the server doing those steps:

  • Dovecot configuration: update filename from privkey.pem to key.pem (Certbot -> acme.sh change)
  • Common group mail with 3 users: -> D3712 as candidate
    • postfix (already set up)
    • dovecot (to read key.pem)
    • acme (so they can set the file with the right group)
  • Permissions:
    • /var/certificates 700 -> 711 (D3712)
    • /var/certificates/mail.nasqueron.org group wheel -> mail, group chmod 700 -> 750 (D3712)
    • /var/certificates/mail.nasqueron.org/key.pem chmod 600 -> 640 (D3732)

Salt configuration need to be updated accordingly.

Revisions and Commits

rOPS Nasqueron Operations
D3732rOPS358d87a18155 Enforce correct attributes for acme.sh private keys
D3712rOPS421712d5da56 Share /var/certificates/<domain> for all mail services
D3711rOPS60b302b26f91 Correct path for dovecot certificates

Related Objects

Event Timeline

dereckson triaged this task as High priority.Mon, Sep 22, 21:32
dereckson created this task.
dereckson added a revision: D3711: Correct path for dovecot certificates.Tue, Sep 23, 16:19
DorianWinty added a commit: rOPS60b302b26f91: Correct path for dovecot certificates.Tue, Sep 23, 16:19
dereckson moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Tue, Sep 23, 16:21
dereckson updated the task description. (Show Details)
dereckson updated the task description. (Show Details)Tue, Sep 23, 16:42
dereckson updated the task description. (Show Details)
dereckson added a revision: D3712: Share /var/certificates/<domain> for all mail services.Tue, Sep 23, 17:14
dereckson updated the task description. (Show Details)Tue, Sep 23, 17:18
dereckson updated the task description. (Show Details)
dereckson added a commit: rOPS421712d5da56: Share /var/certificates/<domain> for all mail services.Mon, Oct 6, 09:43
dereckson updated the task description. (Show Details)Mon, Oct 6, 09:43
dereckson claimed this task.Fri, Oct 10, 22:07
dereckson added a revision: D3732: Enforce correct attributes for acme.sh private keys.Fri, Oct 10, 22:19
dereckson moved this task from Backlog - On hold pending T1475 to Pending review on the Mail board.Fri, Oct 10, 22:24
dereckson moved this task from Backlog to Pending review on the security board.
dereckson updated the task description. (Show Details)
dereckson added a commit: rOPS358d87a18155: Enforce correct attributes for acme.sh private keys.Tue, Oct 14, 17:11
Nasqueron DevCentral · If it had been much bigger the moon would have had a core of ice. · Powered by Phabricator