Now check every file and find out which is expired:
openssl x509 -enddate -noout -in /etc/letsencrypt/live/'domain'/fullchain.pem
June 20, 2025 7:32 AM, "Cinghiuz" <[email protected]
(mailto:[email protected]?to=%22Cinghiuz%22%20<[email protected]>)> wrote:
Hi Carl,
thank you for your reply!
I confirm that I mean that EMAIL clients are getting the warning.
I checked /etc/dovecot/dovecot.conf and I read this:
ssl_cert = </var/qmail/control/servercert.pem
ssl_key = </var/qmail/control/servercert.pem
moreover at the bottom of this file I have these lines:
local_name maindomain.it {
ssl_cert = </etc/letsencrypt/live/maindomain.it-0001/fullchain.pem
ssl_key = </etc/letsencrypt/live/maindomain.it-0001/privkey.pem
}
local_name mail.maindomain.it {
ssl_cert = </etc/letsencrypt/live/maindomain.it-0001/fullchain.pem
ssl_key = </etc/letsencrypt/live/maindomain.it-0001/privkey.pem
}
local_name otherdomain.it {
ssl_cert = </etc/letsencrypt/live/otherdomain.it/fullchain.pem
ssl_key = </etc/letsencrypt/live/otherdomain.it/privkey.pem
}
local_name mail.otherdomain.it {
ssl_cert = </etc/letsencrypt/live/otherdomain.it/fullchain.pem
ssl_key = </etc/letsencrypt/live/otherdomain.it/privkey.pem
}
all lines in /etc/dovecot/conf.d/10-ssl.conf are commented out except these 2
lines:
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
but these 2 files are dated Jan 15 2022 so I think they aren't used...
Cesare
Il 20/06/2025 14:26, CarlC Internet Services Service Desk ha scritto:
Cesare,
Do you mean EMAIL clients are getting the warnings?
If so, it could be dovecot which supplies the setups for POP3/IMAP…
What certs are you using for those? Look in /etc/dovecot/conf.d/10-ssl.conf or
/etc/dovecot/dovecot.conf to see if your using the correct certs…
Also, you could look at IMAP directly via:
openssl s_client -crlf -connect imap.example.com:993
Just replace imap.example.com with your domain or 127.0.0.1
Carl
From: Cinghiuz [mailto:[email protected] (mailto:[email protected])]
Sent: Friday, June 20, 2025 03:25 AM
To: [email protected]
(mailto:[email protected])
Subject: [qmailtoaster] Certificate expired
Hi there,
I've got a strange issue with my production Qmail server: email clients say
that the certificate is expired, but if I check on Qmail server I get this
result:
[root@mail ~]# certbot certificates|grep days
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Expiry Date: 2025-07-14 19:07:08+00:00 (VALID: 24 days)
Expiry Date: 2025-09-12 21:57:08+00:00 (VALID: 84 days)
Expiry Date: 2025-07-14 18:56:29+00:00 (VALID: 24 days)
Expiry Date: 2025-07-14 18:57:18+00:00 (VALID: 24 days)
Expiry Date: 2025-07-14 18:57:28+00:00 (VALID: 24 days)
Expiry Date: 2025-07-14 18:57:36+00:00 (VALID: 24 days)
Expiry Date: 2025-09-12 21:57:56+00:00 (VALID: 84 days)
Expiry Date: 2025-08-16 14:45:25+00:00 (VALID: 57 days)
Expiry Date: 2025-07-14 18:58:55+00:00 (VALID: 24 days)
Expiry Date: 2025-07-11 16:57:23+00:00 (VALID: 21 days)
Expiry Date: 2025-07-14 18:59:10+00:00 (VALID: 24 days)
Expiry Date: 2025-08-16 14:45:40+00:00 (VALID: 57 days)
Expiry Date: 2025-08-16 14:45:58+00:00 (VALID: 57 days)
Expiry Date: 2025-07-14 18:59:29+00:00 (VALID: 24 days)
Expiry Date: 2025-08-16 14:46:11+00:00 (VALID: 57 days)
Expiry Date: 2025-08-16 14:46:23+00:00 (VALID: 57 days)
If I check the validity of /var/qmail/control/servercert.pem I got this result:
Common Name : maindomain.it
Alternative Names : maindomain.it, otherdomain.com, alternativedomain.it,
xyz.com, [...], mail.maindomain.it, mail.otherdomain.com,
mail.alternativedomain.it, mail.xyz.com, [...]
Valid From : Apr 15,2025
Valid To : Jul 14,2025
Issuer : Let's Encrypt
Serial Number : 0x06[...]253
Also if I go to https://mail.maindomain.it (https://mail.maindomain.it) I see
that the certificate is valid:
But email clients (Outlook, Thunderbird, etc.) say that there is something
wrong with the certificate:
What can I check to fix this issue?
Thanks a lot!
Cesare
