I would not use a cron script. I use the --deploy-hook option on
certbot-auto to handle it.


On Mon, April 15, 2024 9:59 am, Gary Bowling wrote:
>
> Great. One question. Seems like everything on my server uses
> /var/qmail/control/servercert.pem for the cert. Dovecot and qmail
> all use that file. And I have a cron job that runs once a month to
> check for a new letsencrypt cert and if there is one it copies it
> over to servercert.pem to update my mail server.
>
> Is that the correct way to handle that? Or is that something that is
> left over from my old server that I moved over?
>
> Thanks, Gary
>
> On 4/15/2024 12:44 PM, Eric Broch wrote:
>
> Neither,
>
> /var/qmail/control/dh2048.pem
> /var/qmail/control/rsa2048.pem
>
> On 4/15/2024 10:33 AM, Gary Bowling wrote:
>
> Thanks, will still require rsa?
>
> On 4/15/2024 10:47 AM, Eric Broch wrote:
>
> My next iteration on EL9 will remove keysize it's deprecated,
> has been for a while. Should have the new code out within the
> week.
>
> SSL_CTX_set_tmp_rsa_callback · openssl/openssl ·
> Discussion #23769 (github.com)
>
> On 4/15/2024 6:25 AM, Gary Bowling wrote:
>
> Hey Jeff, glad you're making progress. Be aware that when
> you get a new cert from Letsencrypt that the default now
> retrieves an ECDSA cert. Which is fine for apache, but
> doesn't work on qmail, or at least it didn't for me. To fix
> that you'll need to configure letsencrypt to give you an RSA
> 2048 cert.
>
> There are two ways to do that. If you want all your certs to
> be RSA 2048, you can add this to the
> /etc/letsencrypt/cli.ini file.
>
> key-type = rsa
> rsa-key-size = 2048
>
> If you just want to do that for your keys you use in qmail,
> then you can put the above in the
> /etc/letsencrypt/renewal/domain.conf file. Where "domain" is
> the name of the cert you're renewing. Certbot creates the
> file so it should already be there.
>
> Gary
>
> On 4/14/2024 10:39 PM, Jeff Koch wrote:
>
> I may have resolved this. I did the Rocky9 distro install of
> apache and copied the mod_http2.so file over to our install of
> apache. Seems to work (no errors) but I won't know for sure until
> we setup Lets Encrypt SSL certbot tomorrow
>
> Jeff
>
> On 4/14/2024 3:11 PM, Jeff Koch wrote:
>
> Hi - we're setting up a new mailserver with Rocky 9 and
> the learning curve is slow as is usual with the first time
> with a new distro.
>
> Anyway because our various scripts look for apache at
> /usr/local/apache/ we've decided to compile our own binary
> with the latest apache and have run into trouble / errors
> related to 'nghttp2'.
>
> We did download, compile and install the latest
> nghttp2-1.61.0 from github. The configure and make went well
> and http1.1 works but apache generates the following error
> when we activate mod_http2
>
> (Cannot load modules/mod_http2.so into server:
> /usr/local/apache2/modules/mod_http2.so: undefined symbol:
> nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation)
>
> If anyone on the list has compiled their own httpd
> 2.4.59 with Rocky 9 would you mind sharing the details ?
>
> Thanks, Jeff Koch
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> qmailtoaster-list-unsubscr...@qmailtoaster.com
> For additional commands, e-mail:
> qmailtoaster-list-h...@qmailtoaster.com


-- 
William G. Silverstein, Esq.
Litigation Counsel
Licensed in California.



