For system administrators, up-to-date page: AdminSys

LinuxAzurAdminSys

30 August 2019

Remaining to do:

Problem with the mail certificate on h24.linux-azur.org:993, which expired on 28 August 2019.

sudo netstat -ntlp | grep 993
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      1/init          
tcp6       0      0 :::993                  :::*                    LISTEN      1/init 

lhardy@h24:~/letsencrypt$ sudo netstat -ntp | grep 993
tcp        0      0 185.45.253.51:993       91.166.171.228:52336    ESTABLISHED 2306/imap-login 
tcp        0      0 185.45.253.51:993       91.166.171.228:52340    ESTABLISHED 2310/imap-login 
tcp        0      0 185.45.253.51:993       91.166.171.228:52346    ESTABLISHED 3154/imap-login 
tcp        0      0 185.45.253.51:993       91.166.171.228:52348    ESTABLISHED 3156/imap-login 
tcp        0      0 185.45.253.51:993       91.166.171.228:52338    ESTABLISHED 2307/imap-login 

plhardy@h24:~$ sudo ls -la /proc/2306/exe
lrwxrwxrwx 1 root root 0 août  30 09:28 /proc/2306/exe -> /usr/lib/dovecot/imap-login


dovecot configuration

10-ssl.conf:ssl_cert = </etc/ssl/certs/dovecot.pem


plhardy@h24:/etc/dovecot$ ls -la /etc/ssl/certs/dovecot.pem
-rw-r--r-- 1 root root 1472 août 28 2017 /etc/ssl/certs/dovecot.pem

Self-signed certificate:

  • Subject: C=FR, ST=PACA, L=ANTIBES, O=Linux Azur, OU=MAIL Server, CN=*.linux-azur.org/emailAddress=postmaster@linux-azur.org
  • Validity
    • Not Before: Aug 28 20:07:39 2017 GMT
    • Not After : Aug 28 20:07:39 2019 GMT
  • Subject: C=FR, ST=PACA, L=ANTIBES, O=Linux Azur, OU=MAIL Server, CN=

apache2 was stopped in order to run the certification locally.

TO DO: clean up the unused letsencrypt configurations.

July 2019: etherpad does not seem to have been configured for https; in any case I did not find the certificate that would validate pad.linux-azur.org. See [[etherpad]].

Expiring certificate, sites to check:

  • https://linux-azur.org
  • https://www.linux-azur.org
  • https://blog.linux-azur.org
  • https://webmail.linux-azur.org
  • https://secure.linux-azur.org/webmail/

WARNING: several of us (philippe & fx) update this, which has led to inconsistencies.

Renewed until 28 September 2019
18 September 2019
This means it will have to be renewed at the end of August.

letsencrypt certificates are valid for 3 months and it is advisable to renew them one month in advance, so every two months someone has to make sure the work gets done.
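
An added example (not part of the original page): a small Python check that applies the one-month rule above to every TLS endpoint, including IMAPS on port 993, whose self-signed dovecot certificate gets no Let's Encrypt reminder. The names `classify`, `report`, `probe`, `RENEW_DAYS` and `SAMPLE`, and every sample expiry date except the dovecot one, are assumptions made for the example.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_DAYS = 30  # the page's rule: renew one month before expiry

# Constructed inventory: the first notAfter is the dovecot value shown on the
# page; the other two expiry dates (and example.invalid) are made up.
SAMPLE = [
    ("h24.linux-azur.org:993", "Aug 28 20:07:39 2019 GMT"),
    ("blog.linux-azur.org:443", "Sep 18 10:36:00 2019 GMT"),
    ("example.invalid:443", "Nov 27 10:36:00 2019 GMT"),
]

def classify(not_after, now):
    """Return (status, whole days left) for an X.509 notAfter string."""
    expiry = ssl.cert_time_to_seconds(not_after)  # seconds since epoch, UTC
    days = int((expiry - now.timestamp()) // 86400)
    if days < 0:
        return "EXPIRED", days
    if days <= RENEW_DAYS:
        return "RENEW", days
    return "OK", days

def report(inventory, now):
    """Classify every (endpoint, notAfter) pair of an inventory."""
    return [(name,) + classify(not_after, now) for name, not_after in inventory]

def probe(host, port, timeout=5.0):
    """Connect with normal verification and classify the served certificate.
    An expired or self-signed certificate fails the handshake; the reason
    given by the TLS library is returned instead of a day count."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        return "UNTRUSTED", exc.verify_message
    except OSError as exc:
        return "UNREACHABLE", str(exc)
    return classify(not_after, datetime.now(timezone.utc))

if __name__ == "__main__":
    for host, port in [("h24.linux-azur.org", 993), ("linux-azur.org", 443)]:
        print(host, port, *probe(host, port))
```

Run from cron, `probe` covers the mail port as well as the web sites, so a certificate outside the certbot renewal is flagged before clients start failing.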

In practice PhilippeLhardy takes care of it over ssh using letsencrypt certbot-auto

primary name: blog.linux-azur.org
secondary names (X509v3 Subject Alternative Name):
blog.linux-azur.org compta.linux-azur.org git.linux-azur.org jm2l.linux-azur.org linux-azur.org lists.linux-azur.org secure.linux-azur.org stats.linux-azur.org webmail.linux-azur.org wiki.linux-azur.org www.linux-azur.org

blank to select all options shown (Enter 'c' to cancel): 4,5,6,7,8,13,14,15,16,17

If we forget, an e-mail from letsencrypt reminds us:

Hello,

Your certificate (or certificates) for the names listed below will expire in 20 days (on 10 Jul 19 10:36 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

We recommend renewing certificates automatically when they have a third of their
total lifetime left. For Let's Encrypt's current 90-day certificates, that means
renewing 30 days before expiration. See
https://letsencrypt.org/docs/integration-guide/ for details.

blog.linux-azur.org
compta.linux-azur.org
git.linux-azur.org
jm2l.linux-azur.org
linux-azur.org
lists.linux-azur.org
secure.linux-azur.org
stats.linux-azur.org
webmail.linux-azur.org
wiki.linux-azur.org
www.linux-azur.org

For any questions or support, please visit https://community.letsencrypt.org/. Unfortunately, we can't provide support by email.

For details about when we send these emails, please visit https://letsencrypt.org/docs/expiration-emails/. In particular, note that this reminder email is still sent if you've obtained a slightly different certificate by adding or removing names. If you've replaced this certificate with a newer one that covers more or fewer names than the list above, you may be able to ignore this message.

You may need to update your client to the latest version in case it is still using the deprecated TLS-SNI-01 validation method. https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209

Step-by-step instructions for updating Certbot are here: https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbot/83210

Regards,
The Let's Encrypt Team