For system administrators, the up-to-date page is: AdminSys

LinuxAzurAdminSys

30 August 2019

Still to do:

Problem with the mail certificate on h24.linux-azur.org:993, which expired on 28 August 2019.

sudo netstat -ntlp | grep 993
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      1/init          
tcp6       0      0 :::993                  :::*                    LISTEN      1/init 

lhardy@h24:~/letsencrypt$ sudo netstat -ntp | grep 993
tcp        0      0 185.45.253.51:993       91.166.171.228:52336    ESTABLISHED 2306/imap-login 
tcp        0      0 185.45.253.51:993       91.166.171.228:52340    ESTABLISHED 2310/imap-login 
tcp        0      0 185.45.253.51:993       91.166.171.228:52346    ESTABLISHED 3154/imap-login 
tcp        0      0 185.45.253.51:993       91.166.171.228:52348    ESTABLISHED 3156/imap-login 
tcp        0      0 185.45.253.51:993       91.166.171.228:52338    ESTABLISHED 2307/imap-login 

plhardy@h24:~$ sudo ls -la /proc/2306/exe
lrwxrwxrwx 1 root root 0 août  30 09:28 /proc/2306/exe -> /usr/lib/dovecot/imap-login


Dovecot configuration

10-ssl.conf:ssl_cert = </etc/ssl/certs/dovecot.pem


plhardy@h24:/etc/dovecot$ ls -la /etc/ssl/certs/dovecot.pem
-rw-r--r-- 1 root root 1472 août 28 2017 /etc/ssl/certs/dovecot.pem

Self-signed certificate, Subject: C=FR, ST=PACA, L=ANTIBES, O=Linux Azur, OU=MAIL Server, CN=*.linux-azur.org/emailAddress=postmaster@linux-azur.org

openssl x509 -text -in /etc/ssl/certs/dovecot.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            af:2c:c2:c0:79:a8:6b:b5
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=FR, ST=PACA, L=ANTIBES, O=Linux Azur, OU=MAIL Server, CN=*.linux-azur.org/emailAddress=postmaster@linux-azur.org
        Validity
            Not Before: Aug 28 20:07:39 2017 GMT
            Not After : Aug 28 20:07:39 2019 GMT
        Subject: C=FR, ST=PACA, L=ANTIBES, O=Linux Azur, OU=MAIL Server, CN=*.linux-azur.org/emailAddress=postmaster@linux-azur.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                A1:38:9C:2F:4F:78:3C:94:58:A4:C0:D1:9F:04:02:FD:15:7D:07:D9
            X509v3 Authority Key Identifier: 
                keyid:A1:38:9C:2F:4F:78:3C:94:58:A4:C0:D1:9F:04:02:FD:15:7D:07:D9

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption


Following this tutorial: https://aoeex.com/phile/postfix-dovecot-and-lets-encrypt-certificates/

Stopped apache2 so that the certificate validation could be done locally.

Reboot (uptime was 417 days).

Certificate renewal

cd /home/plhardy
cd letsencrypt
git pull
./certbot-auto renew


Result:

The following certs could not be renewed:
  /etc/letsencrypt/live/stats.linux-azur.org/fullchain.pem (failure)
  /etc/letsencrypt/live/webmail.linux-azur.org/fullchain.pem (failure)
  /etc/letsencrypt/live/wiki.linux-azur.org/fullchain.pem (failure)



The following certs were successfully renewed:
  /etc/letsencrypt/live/blog.linux-azur.org/fullchain.pem (success)
  /etc/letsencrypt/live/jm2l.linux-azur.org/fullchain.pem (success)
  /etc/letsencrypt/live/lists.linux-azur.org/fullchain.pem (success)

The following certs could not be renewed:
  /etc/letsencrypt/live/stats.linux-azur.org/fullchain.pem (failure)
  /etc/letsencrypt/live/webmail.linux-azur.org/fullchain.pem (failure)
  /etc/letsencrypt/live/wiki.linux-azur.org/fullchain.pem (failure)

Additionally, the following renewal configurations were invalid: 
  /etc/letsencrypt/renewal/prototype.linux-azur.org.conf (parsefail)
  /etc/letsencrypt/renewal/www.linux-azur.org.conf (parsefail)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
3 renew failure(s), 2 parse failure(s)


Sites renewed and checked from my client at home:

https://www.linux-azur.org/
https://secure.linux-azur.org/webmail/
https://wiki.linux-azur.org

TO DO: clean up the unused letsencrypt configurations.

July 2019

etherpad does not seem to have been configured for https; at any rate I did not find the certificate that would validate pad.linux-azur.org.
See etherpad


Expiring certificate

Sites to check

https://linux-azur.org
https://www.linux-azur.org
https://blog.linux-azur.org
https://webmail.linux-azur.org
https://secure.linux-azur.org/webmail/

WARNING: several of us (philippe & fx) update this, which has led to inconsistencies.

Renewed until 28 September 2019

X509v3 Subject Alternative Name: 
                DNS:blog.linux-azur.org, DNS:compta.linux-azur.org, DNS:git.linux-azur.org, DNS:jm2l.linux-azur.org, DNS:linux-azur.org, DNS:lists.linux-azur.org, DNS:secure.linux-azur.org, DNS:stats.linux-azur.org, DNS:webmail.linux-azur.org, DNS:wiki.linux-azur.org, DNS:www.linux-azur.org
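Two checks these notes keep coming back to are "how many days are left on this certificate" and "does it actually cover the host I am connecting to" (the self-signed Dovecot certificate above only has a wildcard CN, and pad.linux-azur.org is absent from the Let's Encrypt SAN list). The following script is an added example, not part of these notes: it parses `openssl x509 -text` output for both and reports expiry and uncovered names. The Dovecot fields are the ones quoted above; the Let's Encrypt validity dates are assumed, and "today" is the 30 August 2019 09:28 timestamp from the `ls` output.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the `openssl x509 -text` output above:
# the self-signed Dovecot certificate (CN=*.linux-azur.org, no SAN).
DOVECOT_CERT = """\
        Issuer: C=FR, ST=PACA, L=ANTIBES, O=Linux Azur, OU=MAIL Server, CN=*.linux-azur.org/emailAddress=postmaster@linux-azur.org
        Validity
            Not Before: Aug 28 20:07:39 2017 GMT
            Not After : Aug 28 20:07:39 2019 GMT
        Subject: C=FR, ST=PACA, L=ANTIBES, O=Linux Azur, OU=MAIL Server, CN=*.linux-azur.org/emailAddress=postmaster@linux-azur.org
"""

# Constructed Let's Encrypt sample: the SAN list is from these notes, the dates are assumed.
LE_CERT = """\
        Validity
            Not Before: Jun 20 09:36:00 2019 GMT
            Not After : Sep 18 09:36:00 2019 GMT
        Subject: CN=blog.linux-azur.org
            X509v3 Subject Alternative Name:
                DNS:blog.linux-azur.org, DNS:compta.linux-azur.org, DNS:git.linux-azur.org, DNS:jm2l.linux-azur.org, DNS:linux-azur.org, DNS:lists.linux-azur.org, DNS:secure.linux-azur.org, DNS:stats.linux-azur.org, DNS:webmail.linux-azur.org, DNS:wiki.linux-azur.org, DNS:www.linux-azur.org
"""

TODAY = datetime(2019, 8, 30, 9, 28, tzinfo=timezone.utc)  # the `ls` timestamp in these notes

def cert_names(text):
    """Names the certificate is valid for: the SAN DNS entries, else the subject CN."""
    m = re.search(r"Subject Alternative Name:\s*\n\s*(.+)", text)
    if m:
        return [n.strip()[4:] for n in m.group(1).split(",") if n.strip().startswith("DNS:")]
    m = re.search(r"^\s*Subject:.*?CN=([^/,\n]+)", text, re.M)
    return [m.group(1)] if m else []

def name_matches(pattern, host):
    """A wildcard covers exactly one leftmost label, so *.linux-azur.org does not cover the apex."""
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host

def days_left(text, today):
    """Days from `today` (aware UTC datetime) to the Not After date; negative once expired."""
    m = re.search(r"Not After\s*:\s*(.+GMT)", text)
    not_after = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
    return (not_after - today).days

def check_cert(text, required_hosts, today):
    """Expiry countdown plus the required hosts this certificate would not validate."""
    names = cert_names(text)
    missing = [h for h in required_hosts if not any(name_matches(n, h) for n in names)]
    return {"days_left": days_left(text, today), "missing": missing}
```

Run `check_cert(DOVECOT_CERT, ["linux-azur.org", "h24.linux-azur.org"], TODAY)` to see the Dovecot certificate reported as two days expired and the apex domain uncovered by the wildcard; the same call on `LE_CERT` shows h24 and pad as the names the Let's Encrypt certificate does not validate.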


philippe:
Realigned the entries so they point to /etc/letsencrypt/live/blog.linux-azur.org and not to /etc/letsencrypt/live/blog.linux-azur.org-0002

diff blog.linux-azur.org.conf blog.linux-azur.org.conf~
2,5c2,5
< cert = /etc/letsencrypt/live/blog.linux-azur.org/cert.pem
< privkey = /etc/letsencrypt/live/blog.linux-azur.org/privkey.pem
< chain = /etc/letsencrypt/live/blog.linux-azur.org/chain.pem
< fullchain = /etc/letsencrypt/live/blog.linux-azur.org/fullchain.pem
---
> cert = /etc/letsencrypt/live/blog.linux-azur.org-0002/cert.pem
> privkey = /etc/letsencrypt/live/blog.linux-azur.org-0002/privkey.pem
> chain = /etc/letsencrypt/live/blog.linux-azur.org-0002/chain.pem
> fullchain = /etc/letsencrypt/live/blog.linux-azur.org-0002/fullchain.pem
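Review bot: the comparison is the edited file against its `~` backup, so the `<` lines are the new state (live/blog.linux-azur.org) and the `>` lines the old one (live/blog.linux-azur.org-0002); before the -0002 lineage is deleted as part of the planned cleanup of unused configurations, confirm it really is the stale one (for example compare the Not After dates of the two cert.pem files), and check that the web and mail server configurations reference the same live/blog.linux-azur.org fullchain path that `certbot renew` will now update.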



Renewed until 18 September 2019

This means it will have to be renewed at the end of August.

Let's Encrypt certificates are valid for 3 months; it is advised to renew them one month in advance, so every two months someone must make sure the job gets done.

In practice PhilippeLhardy takes care of it over ssh using letsencrypt certbot-auto.

Primary name: blog.linux-azur.org
Secondary names (X509v3 Subject Alternative Name):
blog.linux-azur.org compta.linux-azur.org git.linux-azur.org jm2l.linux-azur.org linux-azur.org lists.linux-azur.org secure.linux-azur.org stats.linux-azur.org webmail.linux-azur.org wiki.linux-azur.org www.linux-azur.org

blank to select all options shown (Enter 'c' to cancel): 4,5,6,7,8,13,14,15,16,17

If we forget, an email from letsencrypt reminds us:

Hello,

Your certificate (or certificates) for the names listed below will expire in 20 days (on 10 Jul 19 10:36 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

We recommend renewing certificates automatically when they have a third of their
total lifetime left. For Let's Encrypt's current 90-day certificates, that means
renewing 30 days before expiration. See
https://letsencrypt.org/docs/integration-guide/ for details.

blog.linux-azur.org
compta.linux-azur.org
git.linux-azur.org
jm2l.linux-azur.org
linux-azur.org
lists.linux-azur.org
secure.linux-azur.org
stats.linux-azur.org
webmail.linux-azur.org
wiki.linux-azur.org
www.linux-azur.org

For any questions or support, please visit https://community.letsencrypt.org/. Unfortunately, we can't provide support by email.

For details about when we send these emails, please visit https://letsencrypt.org/docs/expiration-emails/. In particular, note that this reminder email is still sent if you've obtained a slightly different certificate by adding or removing names. If you've replaced this certificate with a newer one that covers more or fewer names than the list above, you may be able to ignore this message.

If you are receiving this email in error, unsubscribe at http://mandrillapp.com/track/unsub.php?u=30850198&id=f117ae2d86b6498dae984035e1518f02.xv1f%2FR%2FvJfm%2FQBJppCrM7eUOmY8%3D&r=https%3A%2F%2Fmandrillapp.com%2Funsub%3Fmd_email%3Dadmin%2540linux-azur.org

You may need to update your client to the latest version in case it is still using the deprecated TLS-SNI-01 validation method. https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209

Step-by-step instructions for updating Certbot are here: https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbot/83210

Regards,
The Let's Encrypt Team