I found the expired certificate; it is in the archive folder /etc/letsencrypt/archive/mydomain.it/

[root@mail mydomain.it]# ls
cert10.pem  cert6.pem    chain2.pem       fullchain20.pem privkey17.pem
cert11.pem  cert7.pem    chain3.pem       fullchain21.pem privkey18.pem
cert12.pem  cert8.pem    chain4.pem       fullchain22.pem privkey19.pem
cert13.pem  cert9.pem    chain5.pem       fullchain23.pem privkey1.pem
cert14.pem  chain10.pem  chain6.pem       fullchain2.pem privkey20.pem
cert15.pem  chain11.pem  chain7.pem       fullchain3.pem privkey21.pem
cert16.pem  chain12.pem  chain8.pem       fullchain4.pem privkey22.pem
cert17.pem  chain13.pem  chain9.pem       fullchain5.pem privkey23.pem
cert18.pem  chain14.pem  fullchain10.pem  fullchain6.pem privkey2.pem
cert19.pem  chain15.pem  fullchain11.pem  fullchain7.pem privkey3.pem
cert1.pem   chain16.pem  fullchain12.pem  fullchain8.pem privkey4.pem
cert20.pem  chain17.pem  fullchain13.pem  fullchain9.pem privkey5.pem
cert21.pem  chain18.pem  fullchain14.pem  privkey10.pem privkey6.pem
cert22.pem  chain19.pem  fullchain15.pem  privkey11.pem privkey7.pem
cert23.pem  chain1.pem   fullchain16.pem  privkey12.pem privkey8.pem
cert2.pem   chain20.pem  fullchain17.pem  privkey13.pem privkey9.pem
cert3.pem   chain21.pem  fullchain18.pem  privkey14.pem
cert4.pem   chain22.pem  fullchain19.pem  privkey15.pem
cert5.pem   chain23.pem  fullchain1.pem   privkey16.pem

The expired certificate is cert22.pem, but in the /etc/letsencrypt/live/mydomain.it folder I see this:

lrwxrwxrwx  1 root root   32 May 18 17:44 cert.pem -> ../../archive/mydomain.it/cert23.pem
lrwxrwxrwx  1 root root   33 May 18 17:44 chain.pem -> ../../archive/mydomain.it/chain23.pem
lrwxrwxrwx  1 root root   37 May 18 17:44 fullchain.pem -> ../../archive/mydomain.it/fullchain23.pem
lrwxrwxrwx  1 root root   35 May 18 17:44 privkey.pem -> ../../archive/mydomain.it/privkey23.pem
-rw-r--r--  1 root root  692 Jan 17  2022 README

So cert.pem is linked to the valid certificate cert23.pem:

[root@mail mydomain.it]#  openssl x509 -enddate -noout -in /etc/letsencrypt/live/mydomain.it/cert.pem
notAfter=Aug 16 14:45:40 2025 GMT

[root@mail mydomain.it]#  openssl x509 -enddate -noout -in /etc/letsencrypt/archive/mydomain.it/cert22.pem
notAfter=Jun 17 12:27:45 2025 GMT

I really don't understand why EMAIL clients receive the expired certificate...

If I use webmail, I get the valid certificate...

Cesare

On 20/06/2025 15:45, [email protected] wrote:
Now check every file and find out which is expired:

openssl x509 -enddate -noout -in /etc/letsencrypt/live/'domain'/fullchain.pem



June 20, 2025 7:32 AM, "Cinghiuz" <[email protected]> wrote:

    Hi Carl,

    thank you for your reply!

    I confirm that I mean that EMAIL clients are getting the warning.

    I checked /etc/dovecot/dovecot.conf and I read this:

    ssl_cert = </var/qmail/control/servercert.pem
    ssl_key = </var/qmail/control/servercert.pem

    moreover at the bottom of this file I have these lines:

    local_name maindomain.it {
    ssl_cert = </etc/letsencrypt/live/maindomain.it-0001/fullchain.pem
    ssl_key = </etc/letsencrypt/live/maindomain.it-0001/privkey.pem
    }
    local_name mail.maindomain.it {
    ssl_cert = </etc/letsencrypt/live/maindomain.it-0001/fullchain.pem
    ssl_key = </etc/letsencrypt/live/maindomain.it-0001/privkey.pem
    }
    local_name otherdomain.it {
    ssl_cert = </etc/letsencrypt/live/otherdomain.it/fullchain.pem
    ssl_key = </etc/letsencrypt/live/otherdomain.it/privkey.pem
    }
    local_name mail.otherdomain.it {
    ssl_cert = </etc/letsencrypt/live/otherdomain.it/fullchain.pem
    ssl_key = </etc/letsencrypt/live/otherdomain.it/privkey.pem
    }

    all lines in /etc/dovecot/conf.d/10-ssl.conf are commented out
    except these 2 lines:
    ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
    ssl_key = </etc/pki/dovecot/private/dovecot.pem

    but these 2 files are dated Jan 15 2022 so I think they aren't used...

    Cesare
    On 20/06/2025 14:26, CarlC Internet Services Service Desk wrote:

    Cesare,

    Do you mean EMAIL clients are getting the warnings?

    If so, it could be dovecot which supplies the setups for
    POP3/IMAP… What certs are you using for those? Look in
    /etc/dovecot/conf.d/10-ssl.conf or /etc/dovecot/dovecot.conf to
    see if you're using the correct certs…

    Also, you could look at IMAP directly via:

    openssl s_client -crlf -connect imap.example.com:993

    Just replace imap.example.com with your domain or 127.0.0.1

    Carl

    *From:* Cinghiuz [mailto:[email protected]]
    *Sent:* Friday, June 20, 2025 03:25 AM
    *To:* [email protected]
    *Subject:* [qmailtoaster] Certificate expired

    Hi there,

    I've got a strange issue with my production Qmail server: email
    clients say that the certificate is expired, but if I check on
    Qmail server I get this result:

    [root@mail ~]# certbot certificates|grep days
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Expiry Date: 2025-07-14 19:07:08+00:00 (VALID: 24 days)
    Expiry Date: 2025-09-12 21:57:08+00:00 (VALID: 84 days)
    Expiry Date: 2025-07-14 18:56:29+00:00 (VALID: 24 days)
    Expiry Date: 2025-07-14 18:57:18+00:00 (VALID: 24 days)
    Expiry Date: 2025-07-14 18:57:28+00:00 (VALID: 24 days)
    Expiry Date: 2025-07-14 18:57:36+00:00 (VALID: 24 days)
    Expiry Date: 2025-09-12 21:57:56+00:00 (VALID: 84 days)
    Expiry Date: 2025-08-16 14:45:25+00:00 (VALID: 57 days)
    Expiry Date: 2025-07-14 18:58:55+00:00 (VALID: 24 days)
    Expiry Date: 2025-07-11 16:57:23+00:00 (VALID: 21 days)
    Expiry Date: 2025-07-14 18:59:10+00:00 (VALID: 24 days)
    Expiry Date: 2025-08-16 14:45:40+00:00 (VALID: 57 days)
    Expiry Date: 2025-08-16 14:45:58+00:00 (VALID: 57 days)
    Expiry Date: 2025-07-14 18:59:29+00:00 (VALID: 24 days)
    Expiry Date: 2025-08-16 14:46:11+00:00 (VALID: 57 days)
    Expiry Date: 2025-08-16 14:46:23+00:00 (VALID: 57 days)


    If I check the validity of /var/qmail/control/servercert.pem I
    got this result:
    Common Name : maindomain.it
    Alternative Names : maindomain.it, otherdomain.com,
    alternativedomain.it, xyz.com, [...], mail.maindomain.it,
    mail.otherdomain.com, mail.alternativedomain.it, mail.xyz.com, [...]
    Valid From : Apr 15,2025
    Valid To : Jul 14,2025
    Issuer : Let's Encrypt
    Serial Number : 0x06[...]253

    Also if I go to https://mail.maindomain.it I see that the
    certificate is valid:


    But email clients (Outlook, Thunderbird, etc.) say that there is
    something wrong with the certificate:




    What can I check to fix this issue?

    Thanks a lot!

    Cesare
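
An added example, not part of the original thread: a small Python helper that reads Dovecot configuration text like the dovecot.conf quoted above, reports which certificate file is selected for a given SNI name (falling back to the global `ssl_cert` when no `local_name` block matches), and tests an `openssl x509 -enddate -noout` line against a given time. The function names and the sample text are constructed for illustration; the parser assumes only the flat `local_name NAME { ... }` form shown in the thread and that the last global `ssl_cert` assignment wins.

```python
import re
import ssl

# Constructed sample: the global lines and two of the local_name blocks quoted in the thread.
SAMPLE_CONF = """\
ssl_cert = </var/qmail/control/servercert.pem
ssl_key = </var/qmail/control/servercert.pem
local_name maindomain.it {
ssl_cert = </etc/letsencrypt/live/maindomain.it-0001/fullchain.pem
ssl_key = </etc/letsencrypt/live/maindomain.it-0001/privkey.pem
}
local_name mail.maindomain.it {
ssl_cert = </etc/letsencrypt/live/maindomain.it-0001/fullchain.pem
ssl_key = </etc/letsencrypt/live/maindomain.it-0001/privkey.pem
}
"""

def parse_ssl_certs(conf_text):
    """Return (default_cert_path, {sni_name: cert_path}) from Dovecot config text."""
    default, per_name, current = None, {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"local_name\s+(\S+)\s*\{$", line)
        if m:
            current = m.group(1)                     # entering a per-name block
        elif line == "}":
            current = None                           # assumption: no nested blocks
        elif (m := re.match(r"ssl_cert\s*=\s*<\s*(\S+)$", line)):
            if current is None:
                default = m.group(1)                 # assumption: last global value wins
            else:
                per_name[current] = m.group(1)
    return default, per_name

def cert_for_sni(conf_text, sni_name):
    """Certificate file selected for a client that sends sni_name (None = no SNI)."""
    default, per_name = parse_ssl_certs(conf_text)
    return per_name.get(sni_name, default)

def is_expired(enddate_line, now):
    """enddate_line: output of `openssl x509 -enddate -noout`; now: timezone-aware datetime."""
    not_after = ssl.cert_time_to_seconds(enddate_line.split("=", 1)[1].strip())
    return not_after < now.timestamp()
```

Run `cert_for_sni` with the exact host name configured in the mail client, then check that file's `-enddate` output with `is_expired`; a name that matches no `local_name` block gets the global certificate, not a Let's Encrypt one.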


