About half an hour ago, I successfully made a new LE cert for my domain, with a command like `certbot certonly --reuse-key --webroot --webroot-path /var/www/lego -d 3001.dk -d teresa.3001.dk -d lego.3001.dk --webroot-path /var/www/docs -d docs.3001.dk`
(I’ve removed a couple of paths and names; they only make the command longer, and don’t really matter for this).
Afterwards I ran a script to restart nginx+postfix+dovecot and import the new cert in prosody. (I plan to use that as a deploy-hook, when I run `certbot renew`). I’ve verified that nginx, postfix and prosody picked up the new cert, but how do I verify that dovecot has?
I use Thunderbird as my MUA, and it hasn’t complained, but I can’t find a function to make it show me what certificate it was presented with.
I found out that `openssl s_client -showcerts -starttls imap -connect teresa.3001.dk:143` shows a certificate (that looks similar to the one shown by `openssl s_client -showcerts -connect teresa.3001.dk:443` - “similar” because I’ve only compared small substrings), but not the validity period or fingerprint.
(I’ve chosen to delete all the standard questions, as I believe they don’t make much sense here, as my problem isn’t with Let’s Encrypt - but I suspect there might be people here with relevant knowledge, so I posted here even if it’s on the border of off-topic)
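
One way to make the check asked about above from a deploy-hook, as an added example that is not part of the original post: it fetches the certificate presented after STARTTLS on the IMAP port and compares its SHA-256 fingerprint with the leaf certificate in a PEM file on disk. The function names and the two command-line arguments (host name and path to the certificate file certbot wrote) are assumptions.

```python
import hashlib
import imaplib
import re
import ssl
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def leaf_der(pem_text):
    """DER bytes of the first certificate in PEM text (the leaf comes first
    in `s_client -showcerts` output and in a full-chain PEM file)."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate found")
    return ssl.PEM_cert_to_DER_cert(match.group(0))


def fingerprint(der):
    """SHA-256 fingerprint, colon-separated like `openssl x509 -fingerprint`."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def served_cert(host, port=143):
    """Connect like `s_client -starttls imap`; return (DER, validity dict)."""
    conn = imaplib.IMAP4(host, port)
    try:
        conn.starttls(ssl.create_default_context())  # verifies chain and name
        der = conn.sock.getpeercert(binary_form=True)
        info = conn.sock.getpeercert()
    finally:
        conn.shutdown()
    return der, {k: info.get(k) for k in ("notBefore", "notAfter")}


def matches_disk(served_der, pem_path):
    """True if the served leaf is byte-identical to the leaf in pem_path."""
    with open(pem_path) as fh:
        return fingerprint(served_der) == fingerprint(leaf_der(fh.read()))


if __name__ == "__main__":
    host, pem_path = sys.argv[1], sys.argv[2]  # assumed: host, cert file path
    der, validity = served_cert(host)
    print(fingerprint(der), validity)
    print("served cert matches file on disk:", matches_disk(der, pem_path))
```

A mismatch after a renewal means the service is still presenting the certificate it loaded before the files changed.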