Verify that dovecot picked up the new cert?

About half an hour ago, I successfully made a new LE cert for my domain, with a command like certbot certonly --reuse-key --webroot --webroot-path /var/www/lego -d -d -d --webroot-path /var/www/docs -d (I’ve removed a couple of paths and names, they only make the command longer, and don’t really matter for this).

Afterwards I ran a script to restart nginx+postfix+dovecot and import the new cert in prosody. (I plan to use that as a deploy-hook, when I run certbot renew). I’ve verified that nginx, postfix and prosody picked up the new cert, but how do I verify that dovecot has?

I use Thunderbird as my MUA, and it hasn’t complained, but I can’t find a function to make it show me what certificate it was presented with.

I found out that openssl s_client -showcerts -starttls imap -connect shows a certificate (that looks similar to the one shown by openssl s_client -showcerts -connect - “similar” because I’ve only compared small substrings), but not the validity period, or fingerprint.

(I’ve chosen to delete all the standard questions, as I believe they don’t make much sense here, as my problem isn’t with let’s encrypt - but I suspect there might be people here with relevant knowledge, so I posted here even if it’s on the border of off-topic)

Hi @grove

perhaps may have the right tool to check that.

I can’t see that any of their many tests considers IMAP.

openssl s_client -connect -starttls smtp
openssl s_client -connect -starttls imap

Both of which return the same cert:

You can pipe the output of s_client to the x509 module of OpenSSL:

openssl s_client -connect -starttls imap | openssl x509 -noout -text

That way, you can easily see the validity dates et cetera, perhaps use grep for the relevant info.


Piping the output of s_client to openssl x509 was just what I needed.
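
A scripted form of the check discussed in this thread, added here as an example and not posted by any participant: it connects to the IMAP service with STARTTLS, fingerprints the certificate actually served, and compares it with the leaf certificate on disk, exiting non-zero on a mismatch so it can run at the end of a deploy hook. The function names, the default port 143 and the command-line arguments (host name, path to the PEM chain file) are assumptions of this example.

```python
import hashlib
import imaplib
import ssl
import sys

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def pem_fingerprint(pem_text):
    """SHA-256 hex digest of the first (leaf) certificate in a PEM chain file."""
    start = pem_text.index(BEGIN)
    stop = pem_text.index(END, start) + len(END)
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_text[start:stop])).hexdigest()


def same_fingerprint(a, b):
    """Compare fingerprints, accepting openssl's colon-separated upper-case form."""
    def norm(fp):
        return fp.replace(":", "").strip().lower()
    return norm(a) == norm(b)


def served_cert(host, port=143):
    """STARTTLS to the IMAP service; return (sha256 hex, notAfter) of its leaf cert."""
    ctx = ssl.create_default_context()  # verifies chain and host name
    with imaplib.IMAP4(host, port) as conn:
        conn.starttls(ssl_context=ctx)
        der = conn.sock.getpeercert(binary_form=True)
        not_after = conn.sock.getpeercert()["notAfter"]
    return hashlib.sha256(der).hexdigest(), not_after


def main(argv):
    host, pem_path = argv[1], argv[2]  # both supplied by the caller (assumed CLI)
    with open(pem_path) as fh:
        on_disk = pem_fingerprint(fh.read())
    served, not_after = served_cert(host)
    print(f"on disk: {on_disk}\nserved:  {served} (notAfter {not_after})")
    return 0 if same_fingerprint(on_disk, served) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A mismatch right after a renewal means the service is still holding the old certificate in memory and needs a restart or reload.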

