iOS and letsencrypt, always troubles at renewal

info

My domain is: mail.lorenzotamai.com mail.tecnodritte.it

I ran this command:
/opt/letsencrypt-sh/letsencrypt.sh --cron


It produced this output:
    # INFO: Using main config file /opt/letsencrypt-sh/config.sh
    Processing mail.tecnodritte.it with alternative names: mail.lorenzotamai.com mail.ramett.com mail.mishasrl.it
     + Checking domain name(s) of existing cert... unchanged.
     + Checking expire date of existing cert...
     + Valid till Apr 29 15:05:57 2019 GMT (Longer than 30 days). Skipping renew!

My web server is (include version):

nginx version: nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version):

uname -a
Linux mail 4.14.13-mainline-rev1 #1 SMP Wed Jan 10 10:31:23 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 16.04.5 LTS
Release:	16.04
Codename:	xenial

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
linux terminal

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): just letsencrypt.sh that reads from a txt the domains to be renewed


my issue:

Hello, I’m using letsencrypt for years in my mailservers and I’ve always had this problem with iOS whenever the cert is renewed:

This happens just with iOS (it doesn’t happen with other clients! such as Outlook 2013, Outlook 2016, Thunderbird or android mail app).

It seems that iOS doesn’t understand that the certificate has been renewed (it is renewed as you can see: https://www.ssllabs.com/ssltest/analyze.html?d=mail.lorenzotamai.com )

I found this topic about (I think) the same issue, but it doesn’t seem the author has found a solution (or @steffan did you?)

I just --forced a renew to be sure that it would work, and it does.

Just to point out, if you delete the account on the iphone and then add it again, the problem is gone. This problem comes out every time the cert is renewed.

Can somebody please help me find a solution?

Which iOS version is that?

For me (today):
“Your iPhone has been updated to iOS 12.1.3”

Happened on two iphones with 12.1.3, but I remember this happens every time a cert expires even if it’s renewed.

Does the problem go away after a few hours or a few days or doesn’t go away?

Think I found the problem: dovecot and postfix needed a reload after the renewal. But I don’t get why this problem was not shown in other mail clients…


If you can script those reloads, you can add it to the renewal process by adding:
--deploy-hook /path/to/your-reload-script


Do you mean adding that to the cronjob?

my cronjob is like this:

/opt/letsencrypt-sh/letsencrypt.sh --cron


Should it become like this?

/opt/letsencrypt-sh/letsencrypt.sh --cron --deploy-hook /path/to/your-reload-script

Because it doesn’t work :confused:

Did you make a script file?

Did you test the script file from the prompt?

Did you test the new full command from the prompt?

[please show the new full command line that passes such tests]

yep

cat /script/reload_postfix-dovecot.sh
#!/bin/bash
#postfix+dovecot daemons reload
sleep 1
/etc/init.d/postfix force-reload
sleep 1
/etc/init.d/dovecot force-reload

yep, the script alone works:

/script/reload_postfix-dovecot.sh 
[ ok ] Reloading postfix configuration (via systemctl): postfix.service.
[ ok ] Reloading dovecot configuration (via systemctl): dovecot.service.

yep it doesn't work, it says:

/opt/letsencrypt-sh/letsencrypt.sh --cron --deploy-hook /script/reload_postfix-dovecot.sh

Unknown parameter detected: --deploy-hook

Maybe there is another option to add a script, but I can't find it

Try again after removing this line:

--deploy-hook is the right one.

I don’t know why, but in my help there is no --deploy-hook :thinking:

/opt/letsencrypt-sh/letsencrypt.sh --help
Usage: /opt/letsencrypt-sh/letsencrypt.sh [-h] [command [argument]] [parameter [argument]] [parameter [argument]] ...

Default command: help

Commands:
 --cron (-c)                      Sign/renew non-existant/changed/expiring certificates.
 --signcsr (-s) path/to/csr.pem   Sign a given CSR, output CRT on stdout (advanced usage)
 --revoke (-r) path/to/cert.pem   Revoke specified certificate
 --cleanup (-gc)                  Move unused certificate files to archive directory
 --help (-h)                      Show help text
 --env (-e)                       Output configuration variables for use in other scripts

Parameters:
 --domain (-d) domain.tld         Use specified domain name(s) instead of domains.txt entry (one certificate!)
 --force (-x)                     Force renew of certificate even if it is longer valid than value in RENEW_DAYS
 --privkey (-p) path/to/key.pem   Use specified private key instead of account key (useful for revocation)
 --config (-f) path/to/config.sh  Use specified config file
 --hook (-k) path/to/hook.sh      Use specified script for hooks
 --challenge (-t) http-01|dns-01  Which challenge should be used? Currently http-01 and dns-01 are supported
 --algo (-a) rsa|prime256v1|secp384r1 Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1

Anyway I found that using --hook option will run the script just fine.

Thank you for your help

--hook will always run.
--deploy-hook will only run when the cert is renewed.

So you may be right

OR
Your client is outdated…
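The thread's client only has --hook (see the help output above), and that hook is invoked at every stage of a run, which is why reloading unconditionally from it is wasteful. letsencrypt.sh, the client later renamed dehydrated, passes the stage name as the hook's first argument, so the script itself decides when to act. The following is an added example, not code posted in the thread or shipped by the letsencrypt.sh project: a hook script that reloads postfix and dovecot only in the deploy_cert stage and does nothing in unchanged_cert. The handler names are the ones dehydrated documents (older letsencrypt.sh releases know a subset of them); the reload commands and the install path /script/le-hook.sh are assumptions matching the Ubuntu 16.04 setup in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): a --hook script for letsencrypt.sh / dehydrated.
# letsencrypt.sh calls the hook as:   hook.sh <handler> [handler arguments...]
# for every stage of a run, so the script has to dispatch on $1 itself; only the
# deploy_cert handler means a new certificate was written to disk.
# Assumed install path: /script/le-hook.sh. Assumed reload commands below
# (override via environment, which the self-test also uses).

POSTFIX_RELOAD="${POSTFIX_RELOAD:-/etc/init.d/postfix force-reload}"
DOVECOT_RELOAD="${DOVECOT_RELOAD:-/etc/init.d/dovecot force-reload}"

# reload_mail_daemons: reload both daemons so they pick up the new key/cert.
# Returns 1 as soon as one reload fails, so the failure is visible in cron mail
# instead of leaving one daemon on the old certificate.
reload_mail_daemons() {
    sh -c "$POSTFIX_RELOAD" || return 1
    sh -c "$DOVECOT_RELOAD" || return 1
    return 0
}

# handle_hook HANDLER [ARGS...]: dispatch on the handler name letsencrypt.sh passes.
# Returns 0 when the stage was handled, 1 on an unknown handler or a failed reload.
handle_hook() {
    [ "$#" -ge 1 ] || { echo "usage: $0 <handler> [args...]" >&2; return 1; }
    handler="$1"; shift
    case "$handler" in
        deploy_cert)
            # arguments: domain keyfile certfile fullchainfile chainfile timestamp
            domain="$1"
            echo "deploy_cert for ${domain}: reloading postfix and dovecot"
            reload_mail_daemons
            ;;
        unchanged_cert)
            # certificate still valid for longer than RENEW_DAYS: nothing to reload
            echo "unchanged_cert for ${1}: nothing to do"
            ;;
        deploy_challenge|clean_challenge|invalid_challenge|request_failure|exit_hook)
            # http-01 served from the nginx webroot needs no action in these stages
            ;;
        *)
            echo "unknown hook handler: ${handler}" >&2
            return 1
            ;;
    esac
}

# Dispatch only when run as a script with arguments (letsencrypt.sh always passes some).
if [ "$#" -ge 1 ]; then
    handle_hook "$@"
fi
```

Make the file executable and pass it with `--hook /script/le-hook.sh` (the parameter listed in the help output above), after which the cron run reloads the daemons exactly once per renewal and skips the reload on the "Skipping renew!" runs. After a renewal it is worth confirming that the mail ports present the new certificate, not only port 443 as the SSL Labs check does, e.g. with `openssl s_client -connect mail.example.com:993` piped into `openssl x509 -noout -dates`; a stale "notAfter" there means a daemon is still serving the old certificate from memory, which is the state the iOS client was reacting to.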

hmm…
