Letsencrypt tip


Letsencrypt tip

lists@lazygranch.com
As you know, letsencrypt certs can be automatically updated. However, you need to reload/restart Postfix/Dovecot to use the new cert. My email client insisted I had an expired cert. I couldn't download or send email. (Fortunately I'm on a test domain, getting ready for the Oct 1st Google insistence on encryption.)

Letsencrypt suggests running acme on a daily basis, so just do the same for Postfix and Dovecot.


Change of SMTP encryption policy at Google? (was: Letsencrypt tip)

Paul Menzel
Dear Gary,


On 09/11/17 10:59, Gary wrote:

[…]

> (Fortunately I'm on a test domain, getting ready for the Oct 1st Google
> insistence on encryption.)
Could you please point me to the relevant announcement about that policy
change?

[…]


Kind regards,

Paul

Re: Change of SMTP encryption policy at Google? (was: Letsencrypt tip)

lists@lazygranch.com
https://threatpost.com/google-reminding-admins-http-pages-will-be-marked-not-secure-in-october/127709/

This site says Oct 24. I recall Oct 1.  Maybe it was pushed back.

Yes, for those of us that don't do e-commerce or something that requires encryption, this is a PITA. For my email, I had to accept the new cert, which would be the case if I used a traditional cert provider. But letsencrypt is talking about going to monthly updates.

Supposedly Google is going to make a big stink in the chrome browser if you don't do encryption. Your perfectly safe website will look toxic.

First world problem! Grumble grumble.

Anyway, it was a forehead slap to restart the email programs, hence the PSA. I had to restart nginx as well. All this makes sense since you never know what the programmer holds in RAM, so of course if you make a change, do a reload.



Re: Letsencrypt tip

Dominic Raferd
In reply to this post by lists@lazygranch.com


On 11 September 2017 at 11:59, Gary <[hidden email]> wrote:
> As you know, letsencrypt certs can be automatically updated. However, you need to reload/restart Postfix/Dovecot to use the new cert. My email client insisted I had an expired cert. I couldn't download or send email. (Fortunately I'm on a test domain, getting ready for the Oct 1st Google insistence on encryption.)
>
> Letsencrypt suggests running acme on a daily basis, so just do the same for Postfix and Dovecot.

Does anyone know a way to detect if the certificate currently being used by Postfix and/or Dovecot is nearing expiry (esp. in case they haven't picked up the updated letsencrypt certificate)?


Re: Change of SMTP encryption policy at Google?

Paul Menzel
In reply to this post by lists@lazygranch.com
Dear Gary,


On 09/11/17 11:20, Gary wrote:
> https://threatpost.com/google-reminding-admins-http-pages-will-be-marked-not-secure-in-october/127709/
>
> This site says Oct 24. I recall Oct 1.  Maybe it was pushed back.

Please note, this is about the HTTP/HTTPS protocols and not SMTP.

[…]


Kind regards,

Paul

Re: Letsencrypt tip

Christian Kivalo
In reply to this post by Dominic Raferd


On 2017-09-11 11:21, Dominic Raferd wrote:
> Does anyone know a way to detect if the certificate currently being
> used by Postfix and/or Dovecot is nearing expiry (esp. in case they
> haven't picked up the updated letsencrypt certificate)?
You mean like this from the letsencrypt forum

adapted for submission on port 587 with starttls:
openssl s_client -connect yourdomain.tld:587 -starttls smtp \
    -servername yourdomain.tld 2>/dev/null | openssl x509 -noout -dates

https://community.letsencrypt.org/t/it-there-a-command-to-show-how-many-days-certificate-you-have/11351/2

--
  Christian Kivalo

Re: Change of SMTP encryption policy at Google?

lists@lazygranch.com
In reply to this post by Paul Menzel

Yes. You are absolutely correct regarding SMTP. However I suspect many people will switch to Letsencrypt for everything (web and mail).

I for one set up a self-signed email certificate with a 10 year lifetime because this is work. That isn't really a good plan. Letsencrypt, once it works, seems like the way to go.


Re: Letsencrypt tip

Petri Riihikallio
In reply to this post by lists@lazygranch.com

> Gary <[hidden email]> kirjoitti 11.09.2017 kello 11:59:
>
> As you know, letsencrypt certs can be automatically updated. However, you need to reload/restart Postfix/Dovecot to use the new cert. My email client insisted I had an expired cert. I couldn't download or send email. (Fortunately I'm on a test domain, getting ready for the Oct 1st Google insistence on encryption.)
>
> Letsencrypt suggests running acme on a daily basis, so just do the same for Postfix and Dovecot.

If you are running Certbot by EFF you should take a look at the post-hook and deploy-hook options for renew. There you can set a script to run after Certbot to restart or reload services as required.

--
Cheers
Petri
https://metis.fi/en/petri
tel:+358400505939




Re: Letsencrypt tip

Ralph Seichter
In reply to this post by Dominic Raferd
On 11.09.2017 11:21, Dominic Raferd wrote:

> Does anyone know a way to detect if the certificate currently being
> used by Postfix and/or Dovecot is nearing expiry (esp. in case they
> haven't picked up the updated letsencrypt certificate)?

See https://www.monitoring-plugins.org/ -- The plugins check_smtp and
check_http, which I use via Icinga to monitor my servers, can verify if
a certificate nears its expiry date in less than N days, as a byproduct
of checking if the respective services are actually up and running.

-Ralph

Re: Letsencrypt tip

Administrator Beckspaced.com
In reply to this post by lists@lazygranch.com

On 11.09.2017 10:59, Gary wrote:
> As you know, letsencrypt certs can be automatically updated. However,
> you need to reload/restart Postfix/Dovecot to use the new cert. My
> email client insisted I had an expired cert. I couldn't download or
> send email. (Fortunately I'm on a test domain, getting ready for the
> Oct 1st Google insistence on encryption.)
>
> Letsencrypt suggests running acme on a daily basis, so just do the
> same for Postfix and Dovecot.
>
I use the acme client dehydrated:

https://github.com/lukas2511/dehydrated

There you have the option of a hook to restart services after
certificate renewal.

Works like a charm ;)


Re: Letsencrypt tip

Dominic Raferd
In reply to this post by Christian Kivalo
On 11/09/2017 12:33, Christian Kivalo wrote:

> On 2017-09-11 11:21, Dominic Raferd wrote:
>> Does anyone know a way to detect if the certificate currently being
>> used by Postfix and/or Dovecot is nearing expiry (esp. in case they
>> haven't picked up the updated letsencrypt certificate)?
> You mean like this from the letsencrypt forum
>
> adapted for submission on port 587 with starttls:
> openssl s_client -connect yourdomain.tld:587 -starttls smtp
> -servername yourdomain.tld 2>/dev/null | openssl x509 -noout -dates
>
> https://community.letsencrypt.org/t/it-there-a-command-to-show-how-many-days-certificate-you-have/11351/2 
>
>
Thanks to all for the great tips. This example gives exit code 1 if the
certificate has less than 3 days (259200 seconds) to expiry:

echo | sudo openssl s_client -connect 127.0.0.1:587 -starttls smtp \
    -servername my.domain.tld 2>/dev/null | openssl x509 -noout -checkend 259200
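Christian's s_client pipeline and Dominic's -checkend test only look at expiry; the question also asked about a daemon that never picked up the renewed file, which the following check catches by comparing the served certificate's fingerprint with the one on disk. This is an added example, not code from the thread; the hostname, the ports (587 Postfix submission, 143/993 Dovecot) and the /etc/letsencrypt/live layout are assumptions.

```shell
#!/bin/bash
# Added example, not from the thread: fetch the certificate each mail service
# presents on the wire, compare it with the renewed file on disk (so a daemon
# still serving the old Let's Encrypt certificate is caught even while that
# certificate is valid), and warn when the served one expires within N days.
# Hostname, ports and the /etc/letsencrypt layout below are assumptions.

# SHA-256 fingerprint of the first PEM certificate on stdin.
fingerprint() {
  openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Succeeds if the PEM certificate on stdin is still valid $1 days from now.
valid_for_days() {
  openssl x509 -noout -checkend $(( $1 * 86400 )) >/dev/null
}

# Leaf certificate served on $1:$2; $3 is the STARTTLS protocol (smtp, imap,
# pop3) or "tls" for implicit-TLS ports such as 465 and 993.
served_cert() {
  local host=$1 port=$2 proto=$3 starttls=()
  if [ "$proto" != tls ]; then starttls=(-starttls "$proto"); fi
  printf 'QUIT\r\n' | openssl s_client -connect "$host:$port" "${starttls[@]}" \
      -servername "$host" 2>/dev/null | openssl x509 2>/dev/null
}

# Check one service; returns 0 only when the served certificate matches the
# on-disk file and is not about to expire.
check_service() {
  local host=$1 port=$2 proto=$3 disk_cert=$4 days=$5 pem status=0
  pem=$(served_cert "$host" "$port" "$proto")
  if [ -z "$pem" ]; then echo "$host:$port: no certificate obtained"; return 1; fi
  if [ "$(printf '%s\n' "$pem" | fingerprint)" != "$(fingerprint < "$disk_cert")" ]; then
    echo "$host:$port: served certificate differs from $disk_cert (daemon not reloaded?)"
    status=1
  fi
  if ! printf '%s\n' "$pem" | valid_for_days "$days"; then
    echo "$host:$port: served certificate expires within $days days"; status=1
  fi
  if [ "$status" -eq 0 ]; then echo "$host:$port: OK"; fi
  return "$status"
}

main() {
  local host=$1 days=${2:-7} rc=0
  local disk_cert=/etc/letsencrypt/live/$host/fullchain.pem   # assumed certbot layout
  check_service "$host" 587 smtp "$disk_cert" "$days" || rc=1  # Postfix submission
  check_service "$host" 143 imap "$disk_cert" "$days" || rc=1  # Dovecot IMAP (STARTTLS)
  check_service "$host" 993 tls  "$disk_cert" "$days" || rc=1  # Dovecot IMAPS
  return "$rc"
}

if [ $# -gt 0 ]; then main "$@"; else echo "usage: $0 mail-host [days]" >&2; fi
```

Run it from cron as `mailcert-check.sh mail.example.com 7`; a non-zero exit means at least one service is serving a stale or soon-to-expire certificate.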

Re: Letsencrypt tip

Viktor Dukhovni
In reply to this post by lists@lazygranch.com

> On Sep 11, 2017, at 4:59 AM, Gary <[hidden email]> wrote:
>
> As you know, letsencrypt certs can be automatically updated. However, you need to reload/restart Postfix/Dovecot to use the new cert.

This is false for Postfix.  The Postfix SMTP server processes
(smtpd(8) and tlsproxy(8)) that use the server certificate
are short-lived (lifetime depends on the max_use and max_idle
parameters).  As new processes are spawned they use the
new certificate.

A reload is only needed if you've messed up and are replacing your
submission service certificate in a hurry after it has expired
and you're already having problems.  Otherwise, you can replace
your certificate a week or so in advance, and no restarts are
needed for Postfix.

> Letsencrypt suggests running acme on a daily basis, so just do the same for Postfix and Dovecot.

If you are also publishing TLSA records, see:

   http://postfix.1071664.n5.nabble.com/WoSign-StartCom-CA-in-the-news-td86436.html#a86444
   https://community.letsencrypt.org/t/new-certbot-client-and-csr-option/15766
   https://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/
   https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022
   http://tools.ietf.org/html/rfc7671#section-8.1
   http://tools.ietf.org/html/rfc7671#section-8.4

--
        Viktor.


Re: Letsencrypt tip

Mike.
In reply to this post by Dominic Raferd
On 9/11/2017 5:21 AM, Dominic Raferd wrote:

>
>
> On 11 September 2017 at 11:59, Gary <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>     As you know, letsencrypt certs can be automatically updated.
>     However, you need to reload/restart Postfix/Dovecot to use the new
>     cert. My email client insisted I had an expired cert. I couldn't
>     download or send email. (Fortunately I'm on a test domain, getting
>     ready for the Oct 1st Google insistence on encryption.)
>
>     Letsencrypt suggests running acme on a daily basis, so just do the
>     same for Postfix and Dovecot.
>
>
> Does anyone know a way to detect if the certificate currently being
> used by Postfix and/or Dovecot is nearing expiry (esp. in case they
> haven't picked up the updated letsencrypt certificate)?
>

Why not use entr (http://entrproject.org/) to detect when there is a new
certificate file, and restart Dovecot/Postfix?

How to check for upcoming certificate expiration...

Viktor Dukhovni
In reply to this post by Dominic Raferd

> On Sep 11, 2017, at 5:21 AM, Dominic Raferd <[hidden email]> wrote:
>
> Does anyone know a way to detect if the certificate currently being used by Postfix and/or Dovecot is nearing expiry (esp. in case they haven't picked up the updated letsencrypt certificate)?

See below for OpenSSL 1.0.2 or later.  Earlier versions don't
have the "-verify_hostname" option; you can delete it if you
like and omit that part of the certificate check, in which
case the code will also work for OpenSSL 1.0.1 and earlier
(which are EOL).

--
        Viktor.

#! /bin/bash

if [ $# -lt 3 -o $# -gt 4 ]; then
  printf "Usage: %s <CAfile> <days> <host> [port]\n" "$0" >&2
  exit 1
fi

# default
port=587

trusted=$1; shift
days=$1; shift
host=$1; shift
if [ $# -gt 0 ]; then port=$1; shift; fi

detail=$(
  (
    raw=$(
      (sleep 2; printf "QUIT\r\n") |
      openssl s_client -connect "$host:$port" -starttls smtp \
        -CAfile "$trusted" \
        -servername "$host" \
        -verify 9 \
        -verify_return_error \
        -verify_hostname "$host" \
        -showcerts 2>&3
    )

    if [ $? -ne 0 ]; then
       printf -- "%s\n" "$raw" >&3
       printf -- "SSL handshake failed\n" >&3
       exit 1
    fi

    chain=$(
      printf -- "%s\n" "$raw" | tee /dev/fd/3 |
      openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
      openssl pkcs7 -print_certs
    )

    if [ -z "$chain" ]; then
      printf "Error getting server chain\n" >&2; exit 1
    else
      # Sadly, verify(1) prior to OpenSSL 1.1.0 did not return
      # meaningful exit codes.   So we look instead for output
      # lines that start with "error".
      #
      openssl verify \
        -trusted "$trusted" \
        -attime $(( $(date +%s) + 86400 * $days )) \
        -untrusted <(printf -- "%s\n" "$chain") \
        <(printf -- "%s\n" "$chain") 2>&1 | tee /dev/fd/3 |
      if grep -i '^error' >/dev/null; then
        printf -- "Verification failed\n" >&2; exit 1
      fi
    fi
  ) 3>&1
)
if [ $? -ne 0 ]; then printf -- "%s\n" "$detail"; exit 1; fi

Re: Letsencrypt tip

Marat Khalili
In reply to this post by Dominic Raferd
Real-world example (ugly but works):

> letsencrypt -tn --apache renew | tee "$LOG_FILE"
>
> if ! grep -q '^No renewals were attempted.$' "$LOG_FILE"; then
>     CERTIFICATES_PATH='/etc/letsencrypt/live/example.com'
>     RENEWAL_STATUS=`sed -nr 's#^ '"$CERTIFICATES_PATH"'/fullchain.pem \((.*)\)$#\1#p' "$LOG_FILE"`
>     if [[ "$RENEWAL_STATUS" == 'success' ]]; then
[...]
>     elif [[ "$RENEWAL_STATUS" == 'skipped' ]]; then
>         echo "$CERTIFICATES_PATH not renewed, not propagating."
>     else
>         echo "ERROR: Unknown renewal status of $CERTIFICATES_PATH: $RENEWAL_STATUS" >&2
>     fi
> fi


--

With Best Regards,
Marat Khalili


Re: Letsencrypt tip

Bill Shirley
In reply to this post by lists@lazygranch.com
acme.sh can issue the reload command (--reloadcmd):
https://www.mail-archive.com/dovecot@.../msg70894.html

Get an email from acme.sh:
https://www.mail-archive.com/dovecot@.../msg70895.html

Bill





Re: Letsencrypt tip

Viktor Dukhovni

> On Sep 11, 2017, at 1:10 PM, Bill Shirley <[hidden email]> wrote:
>
> acme.sh can issue the reload command (--reloadcmd):
> https://www.mail-archive.com/dovecot@.../msg70894.html

This is NOT needed for Postfix.  The certificate file is not
held in memory for a sufficiently long time to make routine
reloads warranted.

--
        Viktor.


Re: Letsencrypt tip

Bill Shirley
Thanks for the info.

With acme.sh, reloads are only done when the certificate is renewed.

Bill

On 9/11/2017 1:18 PM, Viktor Dukhovni wrote:
>> On Sep 11, 2017, at 1:10 PM, Bill Shirley <[hidden email]> wrote:
>>
>> acme.sh can issue the reload command (--reloadcmd):
>> https://www.mail-archive.com/dovecot@.../msg70894.html
> This is NOT needed for Postfix.  The certificate file is not
> held in memory for a sufficiently long time to make routine
> reloads warranted.
>


Re: Letsencrypt tip

Viktor Dukhovni

> On Sep 11, 2017, at 1:37 PM, Bill Shirley <[hidden email]> wrote:
>
> Thanks for the info.
>
> With acme.sh, reloads are only done when the certificate is renewed.

It is best to just leave Postfix alone, and not reload even then.

If you run certbot often enough to renew well in advance of expiration,
reloads of Postfix are unnecessary, and just needlessly interrupt orderly
processing of email by the queue manager.  Usually the new certificate will
be automatically in use within "$max_idle * $max_use" seconds, and typically
sooner, because processes either idle out quickly or reach the re-use limit
quickly; handling $max_use connections that are exactly $max_idle apart is
rather unlikely.  By default that's 10000 seconds or just under 3 hours.

--
        Viktor.
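Putting Petri's deploy-hook suggestion, Bill's acme.sh --reloadcmd and Viktor's advice together: a certbot deploy hook that reloads Dovecot only when the mail host's certificate was actually renewed, and leaves Postfix alone. This is an added example, not code from the thread or from certbot; the hostname is an assumption, and it relies on certbot exporting RENEWED_LINEAGE and RENEWED_DOMAINS to deploy hooks.

```shell
#!/bin/sh
# Added example, not from the thread: certbot deploy hook that reloads Dovecot
# only when the mail host's certificate was actually renewed. Postfix is
# deliberately left alone (its smtpd processes are short-lived). Install it
# under /etc/letsencrypt/renewal-hooks/deploy/ or pass it to
# "certbot renew --deploy-hook". certbot exports RENEWED_LINEAGE (the live/
# directory of the renewed certificate) and RENEWED_DOMAINS (space-separated
# names) to the hook.

MAIL_HOST=${MAIL_HOST:-mail.example.com}   # assumed name of the Dovecot host

# Succeeds when $2 occurs as a whole word in the space-separated list $1.
list_has() {
  case " $1 " in
    *" $2 "*) return 0 ;;
  esac
  return 1
}

# Succeeds when the lineage directory holds the files ssl_cert/ssl_key point at.
lineage_complete() {
  [ -r "$1/fullchain.pem" ] && [ -r "$1/privkey.pem" ]
}

# Decide whether to reload: prints the reason, returns 0 (reload) or 1 (skip).
# $1 is the renewed-domains list, $2 the lineage directory.
decide() {
  if ! list_has "$1" "$MAIL_HOST"; then
    echo "skip: $MAIL_HOST not among renewed domains: $1"; return 1
  fi
  if ! lineage_complete "$2"; then
    echo "skip: $2 is missing fullchain.pem or privkey.pem"; return 1
  fi
  echo "reload: $MAIL_HOST renewed in $2"; return 0
}

main() {
  if decide "${RENEWED_DOMAINS:-}" "${RENEWED_LINEAGE:-}"; then
    doveadm reload   # re-reads the certificate without restarting the daemon
  fi
}

# Act only when invoked by certbot (RENEWED_LINEAGE is set); otherwise just
# define the functions so they can be exercised separately.
if [ -n "${RENEWED_LINEAGE:-}" ]; then main; fi
```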


Re: How to check for upcoming certificate expiration...

Dominic Raferd
In reply to this post by Viktor Dukhovni


On 11 September 2017 at 19:25, Viktor Dukhovni <[hidden email]> wrote:

> On Sep 11, 2017, at 5:21 AM, Dominic Raferd <[hidden email]> wrote:
>
> Does anyone know a way to detect if the certificate currently being used by Postfix and/or Dovecot is nearing expiry (esp. in case they haven't picked up the updated letsencrypt certificate)?

> See below for OpenSSL 1.0.2 or later.
> ...
>
> #! /bin/bash
> ...

Thanks Viktor, I am sure I will find this helpful and I love your elegant bash coding. Can I ask a couple of dumb questions?

- what do I specify for the CAfile?
- does this check against the certificates being offered both by Postfix and Dovecot (which I use for SASL) or just one of them and if so which one?