For system administrators, the up-to-date page is: AdminSys
LinuxAzurAdminSys
30 August 2019
Still to do:
problem with the mail certificate on h24.linux-azur.org:993, which expired on 28 August 2019.
sudo netstat -ntlp | grep 993
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      1/init
tcp6       0      0 :::993                  :::*                    LISTEN      1/init
lhardy@h24:~/letsencrypt$ sudo netstat -ntp | grep 993
tcp        0      0 185.45.253.51:993       91.166.171.228:52336    ESTABLISHED 2306/imap-login
tcp        0      0 185.45.253.51:993       91.166.171.228:52340    ESTABLISHED 2310/imap-login
tcp        0      0 185.45.253.51:993       91.166.171.228:52346    ESTABLISHED 3154/imap-login
tcp        0      0 185.45.253.51:993       91.166.171.228:52348    ESTABLISHED 3156/imap-login
tcp        0      0 185.45.253.51:993       91.166.171.228:52338    ESTABLISHED 2307/imap-login
plhardy@h24:~$ sudo ls -la /proc/2306/exe
lrwxrwxrwx 1 root root 0 août 30 09:28 /proc/2306/exe -> /usr/lib/dovecot/imap-login
Dovecot configuration:
10-ssl.conf:ssl_cert = </etc/ssl/certs/dovecot.pem
plhardy@h24:/etc/dovecot$ ls -la /etc/ssl/certs/dovecot.pem
-rw-r--r-- 1 root root 1472 août 28 2017 /etc/ssl/certs/dovecot.pem
Self-signed certificate, Subject: C=FR, ST=PACA, L=ANTIBES, O=Linux Azur, OU=MAIL Server, CN=*.linux-azur.org/emailAddress=postmaster@linux-azur.org
openssl x509 -text -in /etc/ssl/certs/dovecot.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: af:2c:c2:c0:79:a8:6b:b5
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=FR, ST=PACA, L=ANTIBES, O=Linux Azur, OU=MAIL Server, CN=*.linux-azur.org/emailAddress=postmaster@linux-azur.org
        Validity
            Not Before: Aug 28 20:07:39 2017 GMT
            Not After : Aug 28 20:07:39 2019 GMT
        Subject: C=FR, ST=PACA, L=ANTIBES, O=Linux Azur, OU=MAIL Server, CN=*.linux-azur.org/emailAddress=postmaster@linux-azur.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus: (omitted)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                A1:38:9C:2F:4F:78:3C:94:58:A4:C0:D1:9F:04:02:FD:15:7D:07:D9
            X509v3 Authority Key Identifier:
                keyid:A1:38:9C:2F:4F:78:3C:94:58:A4:C0:D1:9F:04:02:FD:15:7D:07:D9
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
        (signature bytes and PEM block omitted)
Following this tutorial: https://aoeex.com/phile/postfix-dovecot-and-lets-encrypt-certificates/
Stopped apache2 so that the certificate validation could be done locally.
Reboot (uptime was 417 days).
Certificate renewal:
cd /home/plhardy
cd letsencrypt
git pull
./certbot-auto renew
Result:
The following certs could not be renewed:
  /etc/letsencrypt/live/stats.linux-azur.org/fullchain.pem (failure)
  /etc/letsencrypt/live/webmail.linux-azur.org/fullchain.pem (failure)
  /etc/letsencrypt/live/wiki.linux-azur.org/fullchain.pem (failure)
The following certs were successfully renewed:
  /etc/letsencrypt/live/blog.linux-azur.org/fullchain.pem (success)
  /etc/letsencrypt/live/jm2l.linux-azur.org/fullchain.pem (success)
  /etc/letsencrypt/live/lists.linux-azur.org/fullchain.pem (success)
The following certs could not be renewed:
  /etc/letsencrypt/live/stats.linux-azur.org/fullchain.pem (failure)
  /etc/letsencrypt/live/webmail.linux-azur.org/fullchain.pem (failure)
  /etc/letsencrypt/live/wiki.linux-azur.org/fullchain.pem (failure)
Additionally, the following renewal configurations were invalid:
  /etc/letsencrypt/renewal/prototype.linux-azur.org.conf (parsefail)
  /etc/letsencrypt/renewal/www.linux-azur.org.conf (parsefail)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
3 renew failure(s), 2 parse failure(s)
Sites renewed and checked from my client at home:
https://www.linux-azur.org/
https://secure.linux-azur.org/webmail/
https://wiki.linux-azur.org
TO DO: clean up the unused letsencrypt configurations.
July 2019
etherpad does not seem to have been configured for https; in any case I did not find the certificate that would validate pad.linux-azur.org.
See etherpad.
Expiring certificate
Sites to check:
https://linux-azur.org
https://www.linux-azur.org
https://blog.linux-azur.org
https://webmail.linux-azur.org
https://secure.linux-azur.org/webmail/
WARNING: several of us (philippe & fx) update this, which has led to inconsistencies.
Renewed until 28 September 2019
X509v3 Subject Alternative Name: DNS:blog.linux-azur.org, DNS:compta.linux-azur.org, DNS:git.linux-azur.org, DNS:jm2l.linux-azur.org, DNS:linux-azur.org, DNS:lists.linux-azur.org, DNS:secure.linux-azur.org, DNS:stats.linux-azur.org, DNS:webmail.linux-azur.org, DNS:wiki.linux-azur.org, DNS:www.linux-azur.org
philippe:
Realigned the settings to point at /etc/letsencrypt/live/blog.linux-azur.org rather than /etc/letsencrypt/live/blog.linux-azur.org-0002
diff blog.linux-azur.org.conf blog.linux-azur.org.conf~ 2,5c2,5 < cert = /etc/letsencrypt/live/blog.linux-azur.org/cert.pem < privkey = /etc/letsencrypt/live/blog.linux-azur.org/privkey.pem < chain = /etc/letsencrypt/live/blog.linux-azur.org/chain.pem < fullchain = /etc/letsencrypt/live/blog.linux-azur.org/fullchain.pem --- > cert = /etc/letsencrypt/live/blog.linux-azur.org-0002/cert.pem > privkey = /etc/letsencrypt/live/blog.linux-azur.org-0002/privkey.pem > chain = /etc/letsencrypt/live/blog.linux-azur.org-0002/chain.pem > fullchain = /etc/letsencrypt/live/blog.linux-azur.org-0002/fullchain.pem
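Review bot: the comparison is run as `diff <edited file> <backup~>`, so the `<` lines are the new state (lineage blog.linux-azur.org) and the `>` lines are the previous one (blog.linux-azur.org-0002); the sentence above should say so, since the direction is easy to misread at a glance. Only the four live/ paths on lines 2-5 change (2,5c2,5); if /etc/letsencrypt/live/blog.linux-azur.org-0002 and its own renewal file are still present, certbot will keep renewing both lineages, which is the kind of leftover the "clean up the unused letsencrypt configurations" item above is about.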
Renewed until 18 September 2019
This means it will have to be renewed at the end of August.
Let's Encrypt certificates are valid for 3 months; it is recommended to renew them one month in advance, so every two months someone must make sure the job actually gets done.
In practice PhilippeLhardy takes care of it over ssh using letsencrypt certbot-auto.
Primary name: blog.linux-azur.org
Secondary names (X509v3 Subject Alternative Name):
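The Dovecot certificate on port 993 expired unnoticed because only the Let's Encrypt web names were being watched, and the renew-a-month-ahead rule above is easy to lose track of when several people share the job. This added Python check (not from the page or from Linux Azur's own scripts) takes the end date as printed by openssl for each service and reports which certificates are expired, inside the 30-day renew-ahead window, or fine; the dates in SAMPLE are those quoted on this page, the times of day and the www entry are constructed, and fetch_not_after() assumes the openssl command-line tool is installed.

```python
import subprocess
from datetime import datetime, timezone

OPENSSL_DATE = "%b %d %H:%M:%S %Y"  # openssl prints e.g. "Aug 28 20:07:39 2019 GMT"

def parse_not_after(line):
    """Parse 'notAfter=Aug 28 20:07:39 2019 GMT' (openssl x509 -enddate)
    or 'Not After : Aug 28 20:07:39 2019 GMT' (openssl x509 -text)."""
    value = line.split("=", 1)[1] if "=" in line else line.split(":", 1)[1]
    value = value.strip().replace(" GMT", "")
    return datetime.strptime(value, OPENSSL_DATE).replace(tzinfo=timezone.utc)

def days_left(not_after, now):
    """Whole days until expiry; negative once the certificate has expired."""
    return (not_after - now).days

def renewal_report(entries, now, renew_before_days=30):
    """entries: {label: notAfter line}. Returns {label: (status, days)} where
    status is EXPIRED, RENEW (inside the renew-ahead window) or OK."""
    report = {}
    for label, line in entries.items():
        days = days_left(parse_not_after(line), now)
        status = "EXPIRED" if days < 0 else "RENEW" if days <= renew_before_days else "OK"
        report[label] = (status, days)
    return report

def fetch_not_after(host, port, timeout=10):
    """Read the notAfter line from a live TLS service (443, or implicit-TLS IMAP on 993).
    Assumes the openssl CLI is on PATH; no chain validation is done, so a self-signed
    certificate such as dovecot.pem is reported just like a Let's Encrypt one."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, timeout=timeout, check=False)
    x509 = subprocess.run(["openssl", "x509", "-noout", "-enddate"],
                          input=s_client.stdout, capture_output=True, check=True)
    return x509.stdout.decode().strip()

# Constructed sample input built from the dates quoted on this page, in the form
# fetch_not_after() returns; "now" is the morning these notes were written.
NOW = datetime(2019, 8, 30, 9, 28, tzinfo=timezone.utc)
SAMPLE = {
    "h24.linux-azur.org:993": "notAfter=Aug 28 20:07:39 2019 GMT",      # dovecot.pem
    "blog.linux-azur.org:443": "Not After : Sep 28 07:00:00 2019 GMT",  # time of day constructed
    "www.linux-azur.org:443": "notAfter=Nov 28 08:00:00 2019 GMT",      # constructed: just renewed
}

if __name__ == "__main__":
    for label, (status, days) in renewal_report(SAMPLE, NOW).items():
        print(f"{status:7} {days:4d} days  {label}")
```

Replace the SAMPLE dictionary with `{f"{h}:{p}": fetch_not_after(h, p) for h, p in targets}` to run it against the live hosts, and note that a freshly renewed Let's Encrypt certificate is already inside the window again two months later, as the blog entry shows.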
blog.linux-azur.org compta.linux-azur.org git.linux-azur.org jm2l.linux-azur.org linux-azur.org lists.linux-azur.org secure.linux-azur.org stats.linux-azur.org webmail.linux-azur.org wiki.linux-azur.org www.linux-azur.org
blank to select all options shown (Enter 'c' to cancel): 4,5,6,7,8,13,14,15,16,17
If we forget, an email from Let's Encrypt reminds us:
Hello,

Your certificate (or certificates) for the names listed below will expire in 20 days (on 10 Jul 19 10:36 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let's Encrypt's current 90-day certificates, that means renewing 30 days before expiration. See https://letsencrypt.org/docs/integration-guide/ for details.

blog.linux-azur.org
compta.linux-azur.org
git.linux-azur.org
jm2l.linux-azur.org
linux-azur.org
lists.linux-azur.org
secure.linux-azur.org
stats.linux-azur.org
webmail.linux-azur.org
wiki.linux-azur.org
www.linux-azur.org

For any questions or support, please visit https://community.letsencrypt.org/. Unfortunately, we can't provide support by email.

For details about when we send these emails, please visit https://letsencrypt.org/docs/expiration-emails/. In particular, note that this reminder email is still sent if you've obtained a slightly different certificate by adding or removing names. If you've replaced this certificate with a newer one that covers more or fewer names than the list above, you may be able to ignore this message.

If you are receiving this email in error, unsubscribe at http://mandrillapp.com/track/unsub.php?u=30850198&id=f117ae2d86b6498dae984035e1518f02.xv1f%2FR%2FvJfm%2FQBJppCrM7eUOmY8%3D&r=https%3A%2F%2Fmandrillapp.com%2Funsub%3Fmd_email%3Dadmin%2540linux-azur.org

You may need to update your client to the latest version in case it is still using the deprecated TLS-SNI-01 validation method. https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209

Step-by-step instructions for updating Certbot are here: https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbot/83210

Regards,
The Let's Encrypt Team