Did you restart dovecot? A restart of dovecot and email is not done automatically out of the box.
Cinghiuz <[email protected]> wrote on 20 June 2025 16:30:16 CEST:
>I found the expired certificate; it is in the archive folder
>/etc/letsencrypt/archive/mydomain.it/
>
>[root@mail mydomain.it]# ls
>cert10.pem cert6.pem chain2.pem fullchain20.pem privkey17.pem
>cert11.pem cert7.pem chain3.pem fullchain21.pem privkey18.pem
>cert12.pem cert8.pem chain4.pem fullchain22.pem privkey19.pem
>cert13.pem cert9.pem chain5.pem fullchain23.pem privkey1.pem
>cert14.pem chain10.pem chain6.pem fullchain2.pem privkey20.pem
>cert15.pem chain11.pem chain7.pem fullchain3.pem privkey21.pem
>cert16.pem chain12.pem chain8.pem fullchain4.pem privkey22.pem
>cert17.pem chain13.pem chain9.pem fullchain5.pem privkey23.pem
>cert18.pem chain14.pem fullchain10.pem fullchain6.pem privkey2.pem
>cert19.pem chain15.pem fullchain11.pem fullchain7.pem privkey3.pem
>cert1.pem chain16.pem fullchain12.pem fullchain8.pem privkey4.pem
>cert20.pem chain17.pem fullchain13.pem fullchain9.pem privkey5.pem
>cert21.pem chain18.pem fullchain14.pem privkey10.pem privkey6.pem
>cert22.pem chain19.pem fullchain15.pem privkey11.pem privkey7.pem
>cert23.pem chain1.pem fullchain16.pem privkey12.pem privkey8.pem
>cert2.pem chain20.pem fullchain17.pem privkey13.pem privkey9.pem
>cert3.pem chain21.pem fullchain18.pem privkey14.pem
>cert4.pem chain22.pem fullchain19.pem privkey15.pem
>cert5.pem chain23.pem fullchain1.pem privkey16.pem
>
>the expired certificate is cert22.pem but in /etc/letsencrypt/live/mydomain.it folder I see this:
>
>lrwxrwxrwx 1 root root 32 May 18 17:44 cert.pem -> ../../archive/mydomain.it/cert23.pem
>lrwxrwxrwx 1 root root 33 May 18 17:44 chain.pem -> ../../archive/mydomain.it/chain23.pem
>lrwxrwxrwx 1 root root 37 May 18 17:44 fullchain.pem -> ../../archive/mydomain.it/fullchain23.pem
>lrwxrwxrwx 1 root root 35 May 18 17:44 privkey.pem -> ../../archive/mydomain.it/privkey23.pem
>-rw-r--r-- 1 root root 692 Jan 17 2022 README
>
>So cert.pem is linked to the valid certificate cert23.pem:
>
>[root@mail mydomain.it]# openssl x509 -enddate -noout -in /etc/letsencrypt/live/mydomain.it/cert.pem
>notAfter=Aug 16 14:45:40 2025 GMT
>
>[root@mail mydomain.it]# openssl x509 -enddate -noout -in /etc/letsencrypt/archive/mydomain.it/cert22.pem
>notAfter=Jun 17 12:27:45 2025 GMT
>
>I really don't understand why EMAIL clients receive the expired certificate...
>
>If I use webmail, I get the valid certificate...
>
>Cesare
>
>On 20/06/2025 15:45, [email protected] wrote:
>> Now check every file and find out which is expired:
>>
>> openssl x509 -enddate -noout -in /etc/letsencrypt/live/'domain'/fullchain.pem
>>
>> June 20, 2025 7:32 AM, "Cinghiuz" <[email protected]> wrote:
>>
>> Hi Carl,
>>
>> thank you for your reply!
>>
>> I confirm that I mean that EMAIL clients are getting the warning.
>>
>> I checked /etc/dovecot/dovecot.conf and I read this:
>>
>> ssl_cert = </var/qmail/control/servercert.pem
>> ssl_key = </var/qmail/control/servercert.pem
>>
>> moreover at the bottom of this file I have these lines:
>>
>> local_name maindomain.it {
>>   ssl_cert = </etc/letsencrypt/live/maindomain.it-0001/fullchain.pem
>>   ssl_key = </etc/letsencrypt/live/maindomain.it-0001/privkey.pem
>> }
>> local_name mail.maindomain.it {
>>   ssl_cert = </etc/letsencrypt/live/maindomain.it-0001/fullchain.pem
>>   ssl_key = </etc/letsencrypt/live/maindomain.it-0001/privkey.pem
>> }
>> local_name otherdomain.it {
>>   ssl_cert = </etc/letsencrypt/live/otherdomain.it/fullchain.pem
>>   ssl_key = </etc/letsencrypt/live/otherdomain.it/privkey.pem
>> }
>> local_name mail.otherdomain.it {
>>   ssl_cert = </etc/letsencrypt/live/otherdomain.it/fullchain.pem
>>   ssl_key = </etc/letsencrypt/live/otherdomain.it/privkey.pem
>> }
>>
>> all lines in /etc/dovecot/conf.d/10-ssl.conf are commented out except these 2 lines:
>> ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
>> ssl_key = </etc/pki/dovecot/private/dovecot.pem
>>
>> but these 2 files are dated Jan 15 2022 so I think they aren't used...
>>
>> Cesare
>>
>> On 20/06/2025 14:26, CarlC Internet Services Service Desk wrote:
>>>
>>> Cesare,
>>>
>>> Do you mean EMAIL clients are getting the warnings?
>>>
>>> If so, it could be dovecot which supplies the setups for POP3/IMAP… What certs are you using for those? Look in /etc/dovecot/conf.d/10-ssl.conf or /etc/dovecot/dovecot.conf to see if you're using the correct certs…
>>>
>>> Also, you could look at IMAP directly via:
>>>
>>> openssl s_client -crlf -connect imap.example.com:993
>>>
>>> Just replace imap.example.com with your domain or 127.0.0.1
>>>
>>> Carl
>>>
>>> *From:* Cinghiuz [mailto:[email protected]]
>>> *Sent:* Friday, June 20, 2025 03:25 AM
>>> *To:* [email protected]
>>> *Subject:* [qmailtoaster] Certificate expired
>>>
>>> Hi there,
>>>
>>> I've got a strange issue with my production Qmail server: email clients say that the certificate is expired, but if I check on Qmail server I get this result:
>>>
>>> [root@mail ~]# certbot certificates|grep days
>>> Saving debug log to /var/log/letsencrypt/letsencrypt.log
>>> Expiry Date: 2025-07-14 19:07:08+00:00 (VALID: 24 days)
>>> Expiry Date: 2025-09-12 21:57:08+00:00 (VALID: 84 days)
>>> Expiry Date: 2025-07-14 18:56:29+00:00 (VALID: 24 days)
>>> Expiry Date: 2025-07-14 18:57:18+00:00 (VALID: 24 days)
>>> Expiry Date: 2025-07-14 18:57:28+00:00 (VALID: 24 days)
>>> Expiry Date: 2025-07-14 18:57:36+00:00 (VALID: 24 days)
>>> Expiry Date: 2025-09-12 21:57:56+00:00 (VALID: 84 days)
>>> Expiry Date: 2025-08-16 14:45:25+00:00 (VALID: 57 days)
>>> Expiry Date: 2025-07-14 18:58:55+00:00 (VALID: 24 days)
>>> Expiry Date: 2025-07-11 16:57:23+00:00 (VALID: 21 days)
>>> Expiry Date: 2025-07-14 18:59:10+00:00 (VALID: 24 days)
>>> Expiry Date: 2025-08-16 14:45:40+00:00 (VALID: 57 days)
>>> Expiry Date: 2025-08-16 14:45:58+00:00 (VALID: 57 days)
>>> Expiry Date: 2025-07-14 18:59:29+00:00 (VALID: 24 days)
>>> Expiry Date: 2025-08-16 14:46:11+00:00 (VALID: 57 days)
>>> Expiry Date: 2025-08-16 14:46:23+00:00 (VALID: 57 days)
>>>
>>> If I check the validity of /var/qmail/control/servercert.pem I got this result:
>>> Common Name : maindomain.it
>>> Alternative Names : maindomain.it, otherdomain.com, alternativedomain.it, xyz.com, [...], mail.maindomain.it, mail.otherdomain.com, mail.alternativedomain.it, mail.xyz.com, [...]
>>> Valid From : Apr 15,2025
>>> Valid To : Jul 14,2025
>>> Issuer : Let's Encrypt
>>> Serial Number : 0x06[...]253
>>>
>>> Also if I go to https://mail.maindomain.it I see that the certificate is valid:
>>>
>>> But email clients (Outlook, Thunderbird, etc.) say that there is something wrong with the certificate:
>>>
>>> What can I check to fix this issue?
>>>
>>> Thanks a lot!
>>>
>>> Cesare
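
The check this thread converges on, as an added example that is not part of the original messages: compare the certificate dovecot actually serves for each SNI name with the file its configuration points to; a mismatch after a renewal means the daemon is still holding the old certificate in memory. The function names and `SAMPLE_CONF` (constructed from the settings quoted above) are assumptions of this example.

```sh
#!/bin/sh
# Added example. SAMPLE_CONF is constructed from the settings quoted in the thread.
SAMPLE_CONF='ssl_cert = </var/qmail/control/servercert.pem
local_name mail.maindomain.it {
  ssl_cert = </etc/letsencrypt/live/maindomain.it-0001/fullchain.pem
}
local_name otherdomain.it {
  ssl_cert = </etc/letsencrypt/live/otherdomain.it/fullchain.pem
}'

# Read dovecot settings on stdin; print "name<TAB>cert-path" per ssl_cert.
# Settings outside a local_name block are listed as "default". Simplified:
# one name per local_name block, no nested blocks inside it.
dovecot_cert_map() {
  awk '$1 ~ /^#/ { next }
       $1 == "local_name" { name = $2; next }
       $1 == "}" { name = ""; next }
       $1 == "ssl_cert" { p = $NF; sub(/^</, "", p)
                          printf "%s\t%s\n", (name == "" ? "default" : name), p }'
}

# SHA-256 fingerprint of the first (leaf) certificate in a PEM file.
file_fp() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# SHA-256 fingerprint of the certificate the listener presents for an SNI name.
served_fp() {  # served_fp HOST PORT SNI
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# check_stale HOST PORT < config: flag names whose served certificate is not
# the one currently on disk, i.e. the daemon has not reloaded since renewal.
check_stale() {
  tab=$(printf '\t')
  dovecot_cert_map | while IFS="$tab" read -r name path; do
    if [ "$name" = default ]; then sni=$1; else sni=$name; fi
    s=$(served_fp "$1" "$2" "$sni"); f=$(file_fp "$path")
    if [ -z "$s" ] || [ -z "$f" ]; then
      echo "ERROR $name: could not read a certificate"
    elif [ "$s" = "$f" ]; then
      echo "OK    $name"
    else
      echo "STALE $name: served certificate differs from $path"
    fi
  done
}
```

On the server, `doveconf -n | check_stale 127.0.0.1 993` runs the comparison against the effective configuration rather than a single file.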
