Ah, right. Actually it looks like I can just place my script that
I currently run in my cron job in the
/etc/letsencrypt/renewal-hooks/post/ directory and it will run as
a "post renew" script.
Thanks for that.
Gary
On 4/15/2024 1:04 PM, William Silverstein wrote:

I would not use a cron script. I use the --deploy-hook option on certbot-auto to handle it.

On Mon, April 15, 2024 9:59 am, Gary Bowling wrote:

Great. One question. Seems like everything on my server uses /var/qmail/control/servercert.pem for the cert. Dovecot and qmail all use that file. And I have a cron job that runs once a month to check for a new letsencrypt cert and, if there is one, it copies it over to servercert.pem to update my mail server. Is that the correct way to handle that? Or is that something that is left over from my old server that I moved over?

Thanks, Gary

On 4/15/2024 12:44 PM, Eric Broch wrote:

Neither:
/var/qmail/control/dh2048.pem
/var/qmail/control/rsa2048.pem

On 4/15/2024 10:33 AM, Gary Bowling wrote:

Thanks, will still require rsa?

On 4/15/2024 10:47 AM, Eric Broch wrote:

My next iteration on EL9 will remove keysize; it's deprecated, has been for a while. Should have the new code out within the week.
SSL_CTX_set_tmp_rsa_callback · openssl/openssl · Discussion #23769 (github.com)

On 4/15/2024 6:25 AM, Gary Bowling wrote:

Hey Jeff, glad you're making progress. Be aware that when you get a new cert from Letsencrypt, the default now retrieves an ECDSA cert. Which is fine for apache, but doesn't work on qmail, or at least it didn't for me. To fix that you'll need to configure letsencrypt to give you an RSA 2048 cert. There are two ways to do that.

If you want all your certs to be RSA 2048, you can add this to the /etc/letsencrypt/cli.ini file:

    key-type = rsa
    rsa-key-size = 2048

If you just want to do that for the keys you use in qmail, then you can put the above in the /etc/letsencrypt/renewal/domain.conf file, where "domain" is the name of the cert you're renewing. Certbot creates the file so it should already be there.

Gary

On 4/14/2024 10:39 PM, Jeff Koch wrote:

I may have resolved this. I did the Rocky9 distro install of apache and copied the mod_http2.so file over to our install of apache. Seems to work (no errors) but I won't know for sure until we set up the Let's Encrypt SSL certbot tomorrow.

Jeff

On 4/14/2024 3:11 PM, Jeff Koch wrote:

Hi - we're setting up a new mailserver with Rocky 9 and the learning curve is slow, as is usual the first time with a new distro. Anyway, because our various scripts look for apache at /usr/local/apache/ we've decided to compile our own binary with the latest apache and have run into trouble / errors related to 'nghttp2'. We did download, compile and install the latest nghttp2-1.61.0 from github. The configure and make went well and http1.1 works, but apache generates the following error when we activate mod_http2:

    Cannot load modules/mod_http2.so into server: /usr/local/apache2/modules/mod_http2.so: undefined symbol: nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation

If anyone on the list has compiled their own httpd 2.4.59 with Rocky 9, would you mind sharing the details?

Thanks, Jeff Koch

---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
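The thread above settles on two points: the key Let's Encrypt issues must be RSA for qmail, and the copy into /var/qmail/control/servercert.pem should be done by a certbot hook rather than a monthly cron job. The script below is an added example, not code from any of the posters, that does both: it refuses to deploy a key that is not RSA (so a renewal that silently produced an ECDSA key cannot break the mail server's TLS), and it writes the combined key-plus-chain file atomically with owner-only permissions while the private key is being written. It assumes it is installed as a deploy hook (a script in /etc/letsencrypt/renewal-hooks/deploy/ or given via --deploy-hook), because only deploy hooks receive RENEWED_LINEAGE from certbot and run solely after a successful renewal; a script in renewal-hooks/post/ runs after every renewal attempt and gets no such variable. The destination path comes from the thread; the service restart commands (qmailctl, systemctl restart dovecot) and the file mode are assumptions to adjust for the local setup, and ownership of the file is left to the site.

```shell
#!/bin/sh
# Added example (not from the qmailtoaster thread): certbot deploy hook that
# builds /var/qmail/control/servercert.pem from the renewed RSA key + chain.
# Paths, file mode and restart commands are assumptions for illustration.
set -eu

# Classify a PEM private key as "rsa", "ec" or "unknown" from its header.
# Certbot writes PKCS#8 ("BEGIN PRIVATE KEY"), whose header does not name the
# algorithm, so that case is resolved with openssl when it is available.
key_type() {
    if grep -q -- '-----BEGIN RSA PRIVATE KEY-----' "$1"; then
        echo rsa
    elif grep -q -- '-----BEGIN EC PRIVATE KEY-----' "$1"; then
        echo ec
    elif grep -q -- '-----BEGIN PRIVATE KEY-----' "$1" \
         && command -v openssl >/dev/null 2>&1; then
        # openssl's text dump prints "modulus:" for RSA and "ASN1 OID:" for EC
        dump=$(openssl pkey -in "$1" -noout -text 2>/dev/null || true)
        case $dump in
            *modulus:*)    echo rsa ;;
            *"ASN1 OID:"*) echo ec ;;
            *)             echo unknown ;;
        esac
    else
        echo unknown
    fi
}

# deploy_servercert LINEAGE_DIR DEST
# Concatenate privkey.pem and fullchain.pem from a certbot live directory into
# DEST. Returns 1 without touching DEST when the key is not RSA.
deploy_servercert() {
    lineage=$1
    dest=$2
    ktype=$(key_type "$lineage/privkey.pem")
    if [ "$ktype" != rsa ]; then
        echo "refusing to deploy: key in $lineage is '$ktype', not rsa" >&2
        return 1
    fi
    tmp="$dest.tmp.$$"
    # The file carries the private key: create it owner-only in a subshell so
    # the umask change does not leak, then widen to group read and rename
    # atomically so readers never see a half-written file.
    ( umask 077; cat "$lineage/privkey.pem" "$lineage/fullchain.pem" > "$tmp" )
    chmod 0640 "$tmp"
    mv -f "$tmp" "$dest"
}

# When certbot runs this as a deploy hook it sets RENEWED_LINEAGE to the live
# directory (e.g. /etc/letsencrypt/live/mail.example.com, a constructed name).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_servercert "$RENEWED_LINEAGE" /var/qmail/control/servercert.pem
    # Services that read servercert.pem must be restarted to pick it up;
    # these commands are assumptions, adjust to the local service manager.
    command -v qmailctl >/dev/null 2>&1 && qmailctl restart
    command -v systemctl >/dev/null 2>&1 && systemctl restart dovecot
fi
```

Run it once by hand with RENEWED_LINEAGE pointed at the live directory to confirm the key check passes before relying on the hook; if it reports "ec", the key-type and rsa-key-size settings from the thread have not taken effect for that lineage and the old file stays in place untouched.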