OMG it was the simplest thing to do, but I didn't and now it works.

What a disgrace!

Thank you Peter!

Cesare

On 21/06/2025 06:09, Peter Peterse wrote:
Did you restart dovecot? A restart of dovecot and email is not done automatically out of the box.


Cinghiuz <[email protected]> wrote on 20 June 2025 16:30:16 CEST:

    I found the expired certificate; it is in the archive folder
    /etc/letsencrypt/archive/mydomain.it/

    [root@mail mydomain.it]# ls
    cert10.pem  cert6.pem    chain2.pem       fullchain20.pem privkey17.pem
    cert11.pem  cert7.pem    chain3.pem       fullchain21.pem privkey18.pem
    cert12.pem  cert8.pem    chain4.pem       fullchain22.pem privkey19.pem
    cert13.pem  cert9.pem    chain5.pem       fullchain23.pem privkey1.pem
    cert14.pem  chain10.pem  chain6.pem       fullchain2.pem privkey20.pem
    cert15.pem  chain11.pem  chain7.pem       fullchain3.pem privkey21.pem
    cert16.pem  chain12.pem  chain8.pem       fullchain4.pem privkey22.pem
    cert17.pem  chain13.pem  chain9.pem       fullchain5.pem privkey23.pem
    cert18.pem  chain14.pem  fullchain10.pem  fullchain6.pem privkey2.pem
    cert19.pem  chain15.pem  fullchain11.pem  fullchain7.pem privkey3.pem
    cert1.pem   chain16.pem  fullchain12.pem  fullchain8.pem privkey4.pem
    cert20.pem  chain17.pem  fullchain13.pem  fullchain9.pem privkey5.pem
    cert21.pem  chain18.pem  fullchain14.pem  privkey10.pem privkey6.pem
    cert22.pem  chain19.pem  fullchain15.pem  privkey11.pem privkey7.pem
    cert23.pem  chain1.pem   fullchain16.pem  privkey12.pem privkey8.pem
    cert2.pem   chain20.pem  fullchain17.pem  privkey13.pem privkey9.pem
    cert3.pem   chain21.pem  fullchain18.pem  privkey14.pem
    cert4.pem   chain22.pem  fullchain19.pem  privkey15.pem
    cert5.pem   chain23.pem  fullchain1.pem   privkey16.pem

    the expired certificate is cert22.pem but in
    /etc/letsencrypt/live/mydomain.it folder I see this:

    lrwxrwxrwx  1 root root   32 May 18 17:44 cert.pem -> ../../archive/mydomain.it/cert23.pem
    lrwxrwxrwx  1 root root   33 May 18 17:44 chain.pem -> ../../archive/mydomain.it/chain23.pem
    lrwxrwxrwx  1 root root   37 May 18 17:44 fullchain.pem -> ../../archive/mydomain.it/fullchain23.pem
    lrwxrwxrwx  1 root root   35 May 18 17:44 privkey.pem -> ../../archive/mydomain.it/privkey23.pem
    -rw-r--r--  1 root root  692 Jan 17  2022 README

    So cert.pem is linked to the valid certificate cert23.pem:

    [root@mail mydomain.it]# openssl x509 -enddate -noout -in /etc/letsencrypt/live/mydomain.it/cert.pem
    notAfter=Aug 16 14:45:40 2025 GMT

    [root@mail mydomain.it]# openssl x509 -enddate -noout -in /etc/letsencrypt/archive/mydomain.it/cert22.pem
    notAfter=Jun 17 12:27:45 2025 GMT

    I really don't understand why EMAIL clients receive the expired
    certificate...

    If I use webmail, I get the valid certificate...

    Cesare

    On 20/06/2025 15:45, [email protected] wrote:
    Now check every file and find out which is expired:

    openssl x509 -enddate -noout -in /etc/letsencrypt/live/'domain'/fullchain.pem



    June 20, 2025 7:32 AM, "Cinghiuz" <[email protected]> wrote:

        Hi Carl,

        thank you for your reply!

        I confirm that I mean that EMAIL clients are getting the warning.

        I checked /etc/dovecot/dovecot.conf and I read this:

        ssl_cert = </var/qmail/control/servercert.pem
        ssl_key = </var/qmail/control/servercert.pem

        moreover at the bottom of this file I have these lines:

        local_name maindomain.it {
        ssl_cert = </etc/letsencrypt/live/maindomain.it-0001/fullchain.pem
        ssl_key = </etc/letsencrypt/live/maindomain.it-0001/privkey.pem
        }
        local_name mail.maindomain.it {
        ssl_cert = </etc/letsencrypt/live/maindomain.it-0001/fullchain.pem
        ssl_key = </etc/letsencrypt/live/maindomain.it-0001/privkey.pem
        }
        local_name otherdomain.it {
        ssl_cert = </etc/letsencrypt/live/otherdomain.it/fullchain.pem
        ssl_key = </etc/letsencrypt/live/otherdomain.it/privkey.pem
        }
        local_name mail.otherdomain.it {
        ssl_cert = </etc/letsencrypt/live/otherdomain.it/fullchain.pem
        ssl_key = </etc/letsencrypt/live/otherdomain.it/privkey.pem
        }

        all lines in /etc/dovecot/conf.d/10-ssl.conf are commented
        out except these 2 lines:
        ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
        ssl_key = </etc/pki/dovecot/private/dovecot.pem

        but these 2 files are dated Jan 15 2022 so I think they
        aren't used...

        Cesare
        On 20/06/2025 14:26, CarlC Internet Services Service Desk
        wrote:

        Cesare,

        Do you mean EMAIL clients are getting the warnings?

        If so, it could be dovecot which supplies the setups for
        POP3/IMAP… What certs are you using for those? Look in
        /etc/dovecot/conf.d/10-ssl.conf or /etc/dovecot/dovecot.conf
        to see if you're using the correct certs…

        Also, you could look at IMAP directly via:

        openssl s_client -crlf -connect imap.example.com:993

        Just replace imap.example.com with your domain or 127.0.0.1

        Carl

        *From:* Cinghiuz [mailto:[email protected]]
        *Sent:* Friday, June 20, 2025 03:25 AM
        *To:* [email protected]
        *Subject:* [qmailtoaster] Certificate expired

        Hi there,

        I've got a strange issue with my production Qmail server:
        email clients say that the certificate is expired, but if I
        check on Qmail server I get this result:

        [root@mail ~]# certbot certificates|grep days
        Saving debug log to /var/log/letsencrypt/letsencrypt.log
        Expiry Date: 2025-07-14 19:07:08+00:00 (VALID: 24 days)
        Expiry Date: 2025-09-12 21:57:08+00:00 (VALID: 84 days)
        Expiry Date: 2025-07-14 18:56:29+00:00 (VALID: 24 days)
        Expiry Date: 2025-07-14 18:57:18+00:00 (VALID: 24 days)
        Expiry Date: 2025-07-14 18:57:28+00:00 (VALID: 24 days)
        Expiry Date: 2025-07-14 18:57:36+00:00 (VALID: 24 days)
        Expiry Date: 2025-09-12 21:57:56+00:00 (VALID: 84 days)
        Expiry Date: 2025-08-16 14:45:25+00:00 (VALID: 57 days)
        Expiry Date: 2025-07-14 18:58:55+00:00 (VALID: 24 days)
        Expiry Date: 2025-07-11 16:57:23+00:00 (VALID: 21 days)
        Expiry Date: 2025-07-14 18:59:10+00:00 (VALID: 24 days)
        Expiry Date: 2025-08-16 14:45:40+00:00 (VALID: 57 days)
        Expiry Date: 2025-08-16 14:45:58+00:00 (VALID: 57 days)
        Expiry Date: 2025-07-14 18:59:29+00:00 (VALID: 24 days)
        Expiry Date: 2025-08-16 14:46:11+00:00 (VALID: 57 days)
        Expiry Date: 2025-08-16 14:46:23+00:00 (VALID: 57 days)


        If I check the validity of /var/qmail/control/servercert.pem
        I got this result:
        Common Name : maindomain.it
        Alternative Names : maindomain.it, otherdomain.com,
        alternativedomain.it, xyz.com, [...], mail.maindomain.it,
        mail.otherdomain.com, mail.alternativedomain.it,
        mail.xyz.com, [...]
        Valid From : Apr 15,2025
        Valid To : Jul 14,2025
        Issuer : Let's Encrypt
        Serial Number : 0x06[...]253

        Also if I go to https://mail.maindomain.it I see that the
        certificate is valid:


        But email clients (Outlook, Thunderbird, etc.) say that
        there is something wrong with the certificate:




        What can I check to fix this issue?

        Thanks a lot!

        Cesare
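
The diagnosis reached in this thread (renewed files on disk, old certificate still presented until dovecot was restarted) can be checked directly. The following is an added example, not part of the original messages: it compares the leaf certificate a daemon presents for a given SNI name with the leaf in the on-disk fullchain.pem. The function names are hypothetical, and the byte strings standing in for cert22/cert23 are constructed, not real certificates.

```python
import hashlib
import socket
import ssl
import tempfile

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def leaf_fingerprint(pem_bundle):
    """SHA-256 of the first certificate in a PEM bundle (the leaf in fullchain.pem)."""
    start = pem_bundle.index(BEGIN)
    end = pem_bundle.index(END, start) + len(END)
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_bundle[start:end])).hexdigest()

def served_der(host, port, sni, timeout=10.0):
    """Leaf certificate (DER) presented on an implicit-TLS port for this SNI name.
    Validation is off on purpose: an expired certificate must still be retrievable."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)

def stale_names(checks, fetch=served_der, host="127.0.0.1"):
    """checks: (sni_name, port, fullchain_path) tuples. Returns the entries where the
    daemon presents a different leaf than the file on disk, i.e. it needs a restart."""
    stale = []
    for sni, port, path in checks:
        with open(path) as fh:
            on_disk = leaf_fingerprint(fh.read())
        in_memory = hashlib.sha256(fetch(host, port, sni)).hexdigest()
        if in_memory != on_disk:
            stale.append((sni, port))
    return stale

if __name__ == "__main__":
    # Constructed stand-ins for cert22 (still in memory) and cert23 (on disk).
    old, new = b"constructed-cert22", b"constructed-cert23"
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as fh:
        fh.write(ssl.DER_cert_to_PEM_cert(new) + ssl.DER_cert_to_PEM_cert(b"constructed-chain"))
    checks = [("mail.maindomain.it", 993, fh.name)]
    # Simulated daemon before and after the restart (no network needed).
    print("before restart:", stale_names(checks, fetch=lambda h, p, s: old))
    print("after restart: ", stale_names(checks, fetch=lambda h, p, s: new))
```

For a live check, call `stale_names` with the default `fetch` and one entry per `local_name` block, pairing each name with the `ssl_cert` path configured for it. The SNI name matters because dovecot selects the `local_name` block from it and falls back to the global `ssl_cert` otherwise.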



