1

Topic: Odd behavior after renewing LetsEncrypt certs using iPhone email

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):
- Deployed with iRedMail Easy or the downloadable installer?
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

v 1.31 w LDAP
Server works fine; not anxious to upgrade since I'm not 'missing' any features that I need.

I'm using a LetsEncrypt SSL cert on my site and it works.  My auto renew doesn't seem to work for the SSL.
My process is to stop the service Nginx; run certbot renew and restart nginx.
The new certificate shows up and all is well.

On the day AFTER the certificate *would* have expired, the iPhone won't access the mail server.  Somehow, it still thinks the 'old' certificate is in use and expired (SOGo shows the cert is up to date and webmail works fine).

If I reboot the server, the iPhone will accept email from that point forward.

Is this a solvable problem?  Restarting the server is fine, but it doesn't seem as though it should be required.

Thanks for your thoughts.

Andrew


2 (edited by Cthulhu 2022-04-07 02:22:04)

Re: Odd behavior after renewing LetsEncrypt certs using iPhone email

it seems that you heavily lack the basics when you assume that the mail server is run by nginx (which is an HTTP server) and literally has NOTHING to do with a mail server at all


this may sound a bit rude, but it makes me angry to see so much spam and so many unsecured/misconfigured servers due to the fact that it is "so easy" to set up and operate one, but most who do so don't even have basic knowledge of how to secure and maintain it

3

Re: Odd behavior after renewing LetsEncrypt certs using iPhone email

Cthulhu wrote:

it seems that you heavily lack the basics when you assume that the mail server is run by nginx (which is an HTTP server) and literally has NOTHING to do with a mail server at all


this may sound a bit rude, but it makes me angry to see so much spam and so many unsecured/misconfigured servers due to the fact that it is "so easy" to set up and operate one, but most who do so don't even have basic knowledge of how to secure and maintain it

Based on how I installed the ssl certificate, certbot as part of the renewal process needs to create a temp webserver; if I don't disable nginx prior to running the renewal, certbot will fail.  The renewal hooks, which my certbot doesn't like (which is why I do it manually instead of allowing the cron job which is supposed to handle it), in fact temporarily disable nginx (or apache2) in order to run the renewal.

And the mail server does use nginx in order to support webmail; the iPhone, when retrieving mail, uses the SSL certificate as well.

I believe the answer may be, based on some subsequent sleuthing, that I need to reload dovecot (per a posting on LetsEncrypt's forums).  I'm not sure if other services need to be reloaded as well to force them to 'see' the new ssl cert.

So yes, you do come across as rude.  In this case, you're also off the mark.


So, to re-ask the question, what services should I reload after renewing my certs?


Andrew

4

Re: Odd behavior after renewing LetsEncrypt certs using iPhone email

There is a guide:
https://docs.iredmail.org/letsencrypt.html

5 (edited by GerryM 2022-04-07 07:49:24)

Re: Odd behavior after renewing LetsEncrypt certs using iPhone email

Following the link Cthulhu posted, I have no issue renewing my certificate. I have the script run weekly. At the bottom is my log for a certificate renewal, and as you see near the bottom, the nginx server restarts automatically. No renewal, no restart needed.

And after reviewing my log: if you disable the nginx server, the verification cannot proceed! (Moot point if you are manually updating the certificates, but why bother?)

AndyInNYC wrote:

..So, to re-ask the question, what services should I reload after renewing my certs?

Andrew

Why not let the cron script do it?
My log follows:

Cron <root@plankton> certbot renew --post-hook '/usr/sbin/service postfix restart; /usr/sbin/service nginx restart; /usr/sbin/service dovecot restart'

From Cron Daemon <root@plankton.massat.net> on 2022-02-26 03:01
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /usr/local/etc/letsencrypt/renewal/test.massat.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Non-interactive renewal: random delay of 186.67843357862066 seconds
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate for test.massat.net
Performing the following challenges:
http-01 challenge for test.massat.net
Using the webroot path /usr/local/www/htdocs for all unmatched domains.
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/usr/local/etc/letsencrypt/live/test.massat.net/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded:
  /usr/local/etc/letsencrypt/live/test.massat.net/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: /usr/sbin/service postfix restart; /usr/sbin/service nginx restart; /usr/sbin/service dovecot restart
Output from post-hook command service:
Performing sanity check on nginx configuration:
Stopping nginx.
Waiting for PIDS: 98144.
Performing sanity check on nginx configuration:
Starting nginx.
Stopping dovecot.
Waiting for PIDS: 69861.
Starting dovecot.

Error output from post-hook command service:
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
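A way to confirm which daemons are actually presenting the renewed certificate, which answers the question in post 3 and is the check you would want after the post-hook in post 5 has run. This is an added example, not code from the thread or the iRedMail project; it assumes nginx on 443, Dovecot IMAPS on 993, Postfix submission with STARTTLS on 587, and certbot's usual /etc/letsencrypt/live/<host>/fullchain.pem path. SAMPLE_PEM is a constructed placeholder for self-testing, not a real certificate.

```python
import hashlib
import smtplib
import socket
import ssl
import sys
# Constructed placeholder PEM for self-testing only; NOT a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nbm90LWEtcmVhbC1jZXJ0\n-----END CERTIFICATE-----\n"
PEM_BEGIN, PEM_END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def pem_fingerprint(pem_text: str) -> str:
    """SHA-256 of the DER form of the leaf (first) certificate in a fullchain.pem."""
    leaf = pem_text[pem_text.index(PEM_BEGIN):].split(PEM_END)[0] + PEM_END
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(leaf)).hexdigest()

def served_fingerprint(host: str, port: int, smtp_starttls: bool = False):
    """Fingerprint of the cert a daemon presents right now, or None if unreachable."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we compare fingerprints ourselves, not validity
    try:
        if smtp_starttls:  # Postfix submission: plain connect, then STARTTLS
            with smtplib.SMTP(host, port, timeout=10) as smtp:
                smtp.starttls(context=ctx)
                der = smtp.sock.getpeercert(binary_form=True)
        else:  # nginx HTTPS and Dovecot IMAPS: TLS from the first byte
            with socket.create_connection((host, port), timeout=10) as raw, \
                    ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
    except (OSError, smtplib.SMTPException):
        return None
    return hashlib.sha256(der).hexdigest()

def stale_services(expected: str, observed: dict) -> list:
    """Daemons whose presented cert differs from the on-disk one (unreachable ones excluded)."""
    return sorted(n for n, fp in observed.items() if fp is not None and fp != expected)

def check_host(host: str, fullchain: str) -> list:
    """Compare certbot's fullchain.pem against what each daemon serves; returns the stale ones."""
    with open(fullchain) as fh:
        expected = pem_fingerprint(fh.read())
    observed = {"nginx https/443": served_fingerprint(host, 443),
                "dovecot imaps/993": served_fingerprint(host, 993),
                "postfix submission/587": served_fingerprint(host, 587, smtp_starttls=True)}
    stale = stale_services(expected, observed)
    print("daemons still serving the old cert:", ", ".join(stale) or "none")
    return stale

if __name__ == "__main__":  # usage: python3 check_cert.py mail.example.com
    sys.exit(1 if check_host(sys.argv[1], f"/etc/letsencrypt/live/{sys.argv[1]}/fullchain.pem") else 0)
```

Any daemon listed as stale has not re-read the certificate and needs a reload or restart, which is what the post-hook in post 5 does for all three.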