Re: [qmailtoaster] Certificate expired

Cinghiuz Fri, 20 Jun 2025 06:57:12 -0700

Every certificate is valid:

notAfter=Aug 16 14:45:40 2025 GMT
notAfter=Aug 16 14:45:58 2025 GMT
notAfter=Aug 16 14:46:11 2025 GMT
notAfter=Aug 16 14:45:25 2025 GMT
notAfter=Jul 14 19:07:08 2025 GMT
notAfter=Jul 14 18:57:36 2025 GMT
notAfter=Jul 14 18:57:28 2025 GMT
notAfter=Jul 14 18:57:18 2025 GMT
notAfter=Jul 11 16:57:23 2025 GMT
notAfter=Jul 14 18:59:29 2025 GMT
notAfter=Sep 12 21:57:56 2025 GMT
notAfter=Jul 14 18:56:29 2025 GMT
notAfter=Aug 16 14:46:23 2025 GMT
notAfter=Jul 14 18:58:55 2025 GMT
notAfter=Jul 14 18:59:10 2025 GMT
notAfter=Sep 12 21:57:08 2025 GMT

the only expired certificate is /etc/pki/dovecot/certs/dovecot.pem butit expired 2 years ago.


Cesare

Il 20/06/2025 15:45, [email protected] ha scritto:

Now check every file and find out which is expired:

openssl x509 -enddate -noout -in/etc/letsencrypt/live/'domain'/fullchain.pem

June 20, 2025 7:32 AM, "Cinghiuz" <[email protected]<mailto:[email protected]?to=%22Cinghiuz%22%20<[email protected]>>>wrote:


    Hi Carl,

    thank you for your reply!

    I confirm that I mean that EMAIL clients are getting the warning.

    I checked /etc/dovecot/dovecot.conf and I read this:

    ssl_cert = </var/qmail/control/servercert.pem
    ssl_key = </var/qmail/control/servercert.pem

    moreover at the bottom of this file I have these lines:

    local_name maindomain.it {
    ssl_cert = </etc/letsencrypt/live/maindomain.it-0001/fullchain.pem
    ssl_key = </etc/letsencrypt/live/maindomain.it-0001/privkey.pem
    }
    local_name mail.maindomain.it {
    ssl_cert = </etc/letsencrypt/live/maindomain.it-0001/fullchain.pem
    ssl_key = </etc/letsencrypt/live/maindomain.it-0001/privkey.pem
    }
    local_name otherdomain.it {
    ssl_cert = </etc/letsencrypt/live/otherdomain.it/fullchain.pem
    ssl_key = </etc/letsencrypt/live/otherdomain.it/privkey.pem
    }
    local_name mail.otherdomain.it {
    ssl_cert = </etc/letsencrypt/live/otherdomain.it/fullchain.pem
    ssl_key = </etc/letsencrypt/live/otherdomain.it/privkey.pem
    }

    all lines in /etc/dovecot/conf.d/10-ssl.conf are commented out
    except these 2 lines:
    ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
    ssl_key = </etc/pki/dovecot/private/dovecot.pem

    but these 2 files are dated Jan 15 2022 so I think they aren't used...

    Cesare
    Il 20/06/2025 14:26, CarlC Internet Services Service Desk ha scritto:


    Cesare,

    Do you mean EMAIL clients are getting the warnings?

    If so, it could be dovecot which supplies the setups for
    POP3/IMAP… What certs are you using for those? Look in
    /etc/dovecot/conf.d/10-ssl.conf or /etc/dovecot/dovecot.conf to
    see if your using the correct certs…

    Also, you could look at IMAP directly via:

    openssl s_client -crlf -connect imap.example.com:993

    Just replace imap.example.com with your domain or 127.0.0.1

    Carl

    *From:*Cinghiuz [mailto:[email protected]
    <mailto:[email protected]>]
    *Sent:* Friday, June 20, 2025 03:25 AM
    *To:* [email protected]
    *Subject:* [qmailtoaster] Certificate expired

    Hi there,

    I've got a strange issue with my production Qmail server: email
    clients say that the certificate is expired, but if I check on
    Qmail server I get this result:

    [root@mail ~]# certbot certificates|grep days
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Expiry Date: 2025-07-14 19:07:08+00:00 (VALID: 24 days)
    Expiry Date: 2025-09-12 21:57:08+00:00 (VALID: 84 days)
    Expiry Date: 2025-07-14 18:56:29+00:00 (VALID: 24 days)
    Expiry Date: 2025-07-14 18:57:18+00:00 (VALID: 24 days)
    Expiry Date: 2025-07-14 18:57:28+00:00 (VALID: 24 days)
    Expiry Date: 2025-07-14 18:57:36+00:00 (VALID: 24 days)
    Expiry Date: 2025-09-12 21:57:56+00:00 (VALID: 84 days)
    Expiry Date: 2025-08-16 14:45:25+00:00 (VALID: 57 days)
    Expiry Date: 2025-07-14 18:58:55+00:00 (VALID: 24 days)
    Expiry Date: 2025-07-11 16:57:23+00:00 (VALID: 21 days)
    Expiry Date: 2025-07-14 18:59:10+00:00 (VALID: 24 days)
    Expiry Date: 2025-08-16 14:45:40+00:00 (VALID: 57 days)
    Expiry Date: 2025-08-16 14:45:58+00:00 (VALID: 57 days)
    Expiry Date: 2025-07-14 18:59:29+00:00 (VALID: 24 days)
    Expiry Date: 2025-08-16 14:46:11+00:00 (VALID: 57 days)
    Expiry Date: 2025-08-16 14:46:23+00:00 (VALID: 57 days)


    If I check the validity of /var/qmail/control/servercert.pem I
    got this result:
    Common Name : maindomain.it
    Alternative Names : maindomain.it, otherdomain.com,
    alternativedomain.it, xyz.com, [...], mail.maindomain.it,
    mail.otherdomain.com, mail.alternativedomain.it, mail.xyz.com, [...]
    Valid From : Apr 15,2025
    Valid To : Jul 14,2025
    Issuer : Let's Encrypt
    Serial Number : 0x06[...]253

    Also if I go to https://mail.maindomain.it I see that the
    certificate is valid:


    But email clients (Outlook, Thunderbird, etc.) say that there is
    something wrong with the certificate:




    What can I check to fix this issue?

    Thanks a lot!

    Cesare

Re: [qmailtoaster] Certificate expired

Reply via email to