Verify that dovecot picked up the new cert?

About half an hour ago, I successfully made a new LE cert for my domain, with a command like certbot certonly --reuse-key --webroot --webroot-path /var/www/lego -d 3001.dk -d teresa.3001.dk -d lego.3001.dk --webroot-path /var/www/docs -d docs.3001.dk (I’ve removed a couple of paths and names; they only make the command longer, and don’t really matter for this).

Afterwards I ran a script to restart nginx+postfix+dovecot and import the new cert in prosody. (I plan to use that as a deploy-hook, when I run certbot renew). I’ve verified that nginx, postfix and prosody picked up the new cert, but how do I verify that dovecot has?

I use Thunderbird as my MUA, and it hasn’t complained, but I can’t find a function to make it show me what certificate it was presented with.

I found out that openssl s_client -showcerts -starttls imap -connect teresa.3001.dk:143 shows a certificate (that looks similar to the one shown by openssl s_client -showcerts -connect teresa.3001.dk:443 - “similar” because I’ve only compared small substrings), but not the validity period or fingerprint.

(I’ve chosen to delete all the standard questions, as I believe they don’t make much sense here, as my problem isn’t with Let’s Encrypt - but I suspect there might be people here with relevant knowledge, so I posted here even if it’s on the border of off-topic)

Hi @grove

perhaps https://mxtoolbox.com/ may have the right tool to check that.

I can’t see that any of their many tests considers IMAP.

try:
openssl s_client -connect 3001.dk:25 -starttls smtp
openssl s_client -connect 3001.dk:143 -starttls imap

Both of which return the same cert:

You can pipe the output of s_client to the x509 module of OpenSSL:

openssl s_client -connect example.com:143 -starttls imap | openssl x509 -noout -text

That way, you can easily see the validity dates et cetera, perhaps use grep for the relevant info.

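As an added example (not part of any post in this thread), the piping approach above can be turned into a check for a certbot deploy hook: it compares the SHA-256 fingerprint of the certificate a STARTTLS service presents with the one on disk. Because the certificate was requested with --reuse-key, the public key is identical across renewals, so the whole-certificate fingerprint is what tells old from new. The function names are hypothetical; RENEWED_LINEAGE is the variable certbot sets for deploy hooks.

```shell
# Added example, not from the thread. Function names are assumptions.

# SHA-256 fingerprint of the first PEM certificate on stdin (empty if none).
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Leaf certificate (PEM) presented by HOST:PORT after STARTTLS (imap, smtp, ...).
# Reading stdin from /dev/null makes s_client exit once the handshake is done.
served_cert() {
    openssl s_client -connect "$1" -starttls "$2" </dev/null 2>/dev/null |
        openssl x509 2>/dev/null
}

# compare_cert LABEL SERVED_PEM_FILE DISK_PEM_FILE
# Returns 0 if both files hold the same certificate, 1 if they differ,
# 2 if nothing usable was received from the service.
compare_cert() {
    served=$(cert_fingerprint <"$2")
    disk=$(cert_fingerprint <"$3")
    if [ -z "$served" ]; then
        echo "$1: no certificate received"
        return 2
    fi
    if [ "$served" != "$disk" ]; then
        echo "$1: STALE, serving $served, disk has $disk"
        return 1
    fi
    echo "$1: ok, $(openssl x509 -noout -enddate <"$2")"
}

# check_service HOST:PORT PROTO DISK_PEM_FILE
check_service() {
    tmp=$(mktemp) || return 2
    served_cert "$1" "$2" >"$tmp"
    compare_cert "$1 ($2)" "$tmp" "$3"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage in a deploy hook, after the services have been restarted:
#   check_service teresa.3001.dk:143 imap "$RENEWED_LINEAGE/cert.pem"
#   check_service 3001.dk:25 smtp "$RENEWED_LINEAGE/cert.pem"
```

A non-zero return from check_service means the service is still presenting the previous certificate or did not answer, so the hook can report it instead of failing silently.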

Piping the output of s_client to openssl x509 was just what I needed.
