Monday, June 15, 2020

If I remember well, we got the mail on SR to work last Friday. Test:

$ echo "body text" | mail -s "some test" luc.saffre@gmx.net luc@lino-framework.org luc.saffre@gmail.com

The /var/log/mail.log looks good:

Jun 15 04:41:55 localhost postfix/pickup[29082]: 6290E4058C: uid=1002 from=<luc>
Jun 15 04:41:55 localhost postfix/cleanup[29175]: 6290E4058C: message-id=<20200615044155.6290E4058C@mail.saffre-rumma.net>
Jun 15 04:41:55 localhost postfix/qmgr[18118]: 6290E4058C: from=<luc@saffre-rumma.net>, size=500, nrcpt=3 (queue active)
Jun 15 04:41:56 localhost postfix/smtp[29179]: 6290E4058C: to=<luc@lino-framework.org>, relay=mail.lino-framework.org[167.114.229.225]:25, delay=0.68, delays=0.08/0.11/0.34/0.16, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0F50812D0)
Jun 15 04:41:56 localhost postfix/smtp[29178]: 6290E4058C: to=<luc.saffre@gmx.net>, relay=mx00.emig.gmx.net[212.227.15.9]:25, delay=0.97, delays=0.08/0.09/0.28/0.52, dsn=2.0.0, status=sent (250 Requested mail action okay, completed: id=1Mf1FQ-1jHNnd3vJq-00gVUT)
Jun 15 04:41:56 localhost postfix/smtp[29177]: 6290E4058C: to=<luc.saffre@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.76.26]:25, delay=1.3, delays=0.08/0.06/0.61/0.53, dsn=2.0.0, status=sent (250 2.0.0 OK  1592196116 h10si13922398wrs.275 - gsmtp)
Jun 15 04:41:56 localhost postfix/qmgr[18118]: 6290E4058C: removed

Why does the mail certificate for LF not renew?

I decided to take back #3687 because I cannot expect the mail server at LF to work when the certificate is outdated. (I had assigned this ticket to Hamza in the hope that he would do it, but obviously he had not more time than I).

The /usr/bin/certbot is some very old certbot version 0.31.0, we want to run the newer certbot-auto command:

$ certbot-auto
Requesting to rerun /usr/local/bin/certbot-auto with root privileges...
[sudo] password for luc:
Upgrading certbot-auto 1.3.0 to 1.5.0...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
DEPRECATION: Python 2.7 will reach the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 won't be maintained after that date. A future version of pip will drop support for Python 2.7. More details about Python 2 support in pip, can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support

But oops: at this point the process hangs. And an ssh in another terminal fails to connect. After a timeout it says Connection closed by 167.114.229.225 port 22. And Apache doesn’t answer (e.g. https://www.lino-framework.org/). What’s going on there? Maybe the server ran out of disk space? Nope. Later it turned out that this was obviously an issue at the data center.

Continued next day:

$ certbot-auto
Requesting to rerun /usr/local/bin/certbot-auto with root privileges...
[sudo] password for luc:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: lino-framework.org
...
27: mail.lino-framework.org
...
52: www.lino-framework.org
53: xl.lino-framework.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

I answer 27:

Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/mail.lino-framework.org.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

I interrupt the script at this point and have a look at that “certificate”:

$ cat /etc/letsencrypt/renewal/mail.lino-framework.org.conf
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/mail.lino-framework.org
cert = /etc/letsencrypt/live/mail.lino-framework.org/cert.pem
privkey = /etc/letsencrypt/live/mail.lino-framework.org/privkey.pem
chain = /etc/letsencrypt/live/mail.lino-framework.org/chain.pem
fullchain = /etc/letsencrypt/live/mail.lino-framework.org/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = c8f78de26a6889d32df8d35cf6b9dbcb
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory

I restart the script and continue where I interrupted:

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/mail-lino-framework-org.conf
nginx: [warn] conflicting server name "timtools.lino-framework.org" on 0.0.0.0:80, ignored
Traffic on port 80 already redirecting to ssl in /etc/nginx/sites-enabled/mail-lino-framework-org.conf
nginx: [warn] conflicting server name "timtools.lino-framework.org" on 0.0.0.0:80, ignored

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://mail.lino-framework.org

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=mail.lino-framework.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The only thing changed is that /etc/letsencrypt/renewal/mail.lino-framework.org.conf now contains:

version = 1.5.0

But TB continues to complain that the information is outdated.