IMAPS certificate expired on lists.ovirt.org

Description

We've got reports about ticket creation issues from email. Looking at dovecot logs, the email handler tries to connect but disconnects immediately.

Connecting to port 993 shows an expired cert:
openssl s_client lists.ovirt.org:993
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = lists.ovirt.org
verify error:num=10:certificate has expired
notAfter=Jul 1 09:47:58 2020 GMT
verify return:1
depth=0 CN = lists.ovirt.org
notAfter=Jul 1 09:47:58 2020 GMT
verify return:1

Certificate chain
0 s:CN = lists.ovirt.org
i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
i:O = Digital Signature Trust Co., CN = DST Root CA X3

Looks like dovecot is not getting restarted after a new cert is issued. Leaving as-is for now for further review. A service restart should theoretically be enough to make use of the current cert.

Activity

Marc Dequènes (Duck)
September 10, 2020, 10:40 AM

Thanks for the report.

So the renewal was done properly and the hook script called, but there are two problems in the script:

  • it uses the Apache service name used on Debian (apache2) instead of the one used on RH systems (httpd), bad copy paste

  • since the certificate is shared between the web and mail, the logic would not restart all services

I restarted dovecot and also postfix and will fix the script.
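
A renewal hook that avoids both problems named in the comment above, as an added example (not the script from this ticket or from the Gerrit change). It assumes a systemd host and a hook run by certbot, which sets RENEWED_LINEAGE for deploy hooks; CERT_CONSUMERS, unit_exists, resolve_units, restart_all and DRY_RUN are hypothetical names.

```shell
#!/bin/sh
# Added example: restart every service that shares one renewed certificate.
# Assumed: systemd, certbot deploy hook, and the service list below.

# One entry per role; alternatives separated by "|" (RH name, then Debian name).
CERT_CONSUMERS="httpd|apache2 dovecot postfix"

# True if systemd knows the unit. Kept as a function so it can be overridden.
unit_exists() {
    systemctl cat "$1.service" >/dev/null 2>&1
}

# Print one installed unit per role, one per line.
# A role with no installed unit produces a warning on stderr instead.
resolve_units() {
    for role in $CERT_CONSUMERS; do
        found=""
        for name in $(printf '%s' "$role" | tr '|' ' '); do
            if unit_exists "$name"; then found=$name; break; fi
        done
        if [ -n "$found" ]; then
            printf '%s\n' "$found"
        else
            printf 'warning: no installed unit for %s\n' "$role" >&2
        fi
    done
}

# Restart all resolved units; keep going after a failure and report it at the end.
restart_all() {
    rc=0
    for unit in $(resolve_units); do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would restart $unit"
        elif ! systemctl restart "$unit"; then
            echo "error: restart of $unit failed" >&2
            rc=1
        fi
    done
    return $rc
}

# Act only when called as a deploy hook (certbot exports RENEWED_LINEAGE).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    restart_all
fi
```

Running it with DRY_RUN=1 and RENEWED_LINEAGE set lists the units that would be restarted without touching any service.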

Marc Dequènes (Duck)
September 11, 2020, 9:42 AM

I made a PR: https://gerrit.ovirt.org/111247

Assignee

Marc Dequènes (Duck)

Reporter

Evgheni Dereveanchin

Blocked By

None

Priority

Medium