Cannot identify server after renewal

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mail.carpenter-farms.us
I ran this command: Apple Mail

It produced this output: Cannot identify server

My web server is (include version):

The operating system my web server runs on is (include version): Gentoo Linux

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 1.5.0

Every time my certificate renews, all my iOS devices start popping up “Cannot identify server” messages every 30 seconds or so. Only solution to date is to delete and re-add the e-mail account on each device. When re-added, a similar message occurs except I’m given the option to “continue”, after which all is fine until the next renewal.

1 Like

Hi @kevinc

maybe your incomplete chain is the problem - see https://check-your-website.server-daten.de/?q=mail.carpenter-farms.us#connections

Your IMAP-port 993 has the correct certificate, see the portcheck part:

mail.carpenter-farms.us
	993
	IMAP (encrypted)
	open
	* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] Dovecot ready.
	Mail certificate is valid

But your chain is incomplete, the intermediate certificate is missing.

Your port 443 has the complete chain, maybe you have used fullchain.pem (not cert.pem). So use the same fullchain.pem with your Dovecot.

2 Likes
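Added example, not part of the thread and not code from Dovecot or Certbot: a small audit that reads a Dovecot configuration, follows each `ssl_cert = <file` setting, and counts the PEM certificate blocks in that file, so a leaf-only cert.pem is flagged before clients see an incomplete chain. It assumes the Dovecot 2.3-style `ssl_cert` setting; the demo files are constructed placeholders, and the check only counts blocks without validating issuer relationships.

```python
import re
import tempfile
from pathlib import Path

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s.+?\s-----END CERTIFICATE-----", re.S)
# Assumed Dovecot 2.3-style setting, e.g.  ssl_cert = </path/to/file.pem
# Commented-out lines ("#ssl_cert = ...") do not match.
SSL_CERT = re.compile(r"^\s*ssl_cert\s*=\s*<\s*(\S+)", re.M)


def count_certs(pem_text):
    """Number of PEM certificate blocks in a file's text."""
    return len(PEM_CERT.findall(pem_text))


def audit_dovecot_conf(conf_text):
    """Return (path, cert_count, verdict) for each ssl_cert setting."""
    results = []
    for path in SSL_CERT.findall(conf_text):
        try:
            n = count_certs(Path(path).read_text())
        except OSError:
            results.append((path, 0, "unreadable"))
            continue
        # One block = leaf only: a client that does not already hold the
        # intermediate cannot build a path to a trusted root.
        verdict = "leaf only, chain incomplete" if n == 1 else (
            "leaf + intermediate(s)" if n > 1 else "no certificate found")
        results.append((path, n, verdict))
    return results


def make_demo():
    """Constructed files: placeholder PEM bodies, not real certificates."""
    d = Path(tempfile.mkdtemp())
    block = ("-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n"
             "-----END CERTIFICATE-----\n")
    (d / "cert.pem").write_text(block)           # leaf only
    (d / "fullchain.pem").write_text(block * 2)  # leaf + intermediate
    before = f"ssl = required\nssl_cert = <{d}/cert.pem\n"
    after = f"ssl = required\nssl_cert = <{d}/fullchain.pem\n"
    return before, after


if __name__ == "__main__":
    for label, conf in zip(("before", "after"), make_demo()):
        for path, n, verdict in audit_dovecot_conf(conf):
            print(f"{label}: {Path(path).name}: {n} cert(s): {verdict}")
```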

Thank you for the very rapid response.

Indeed Dovecot was using cert.pem. I’ve changed that to fullchain.pem and restarted everything, but still showing an incomplete chain.

Unlikely related, but I noticed kevinsthoughts.com is being reported. That is a website that has been moved to another server. Not sure why that is associated with mail.carpenter-farms.us anymore.

1 Like

You have to recheck your domain. There is no newer check.

2 Likes

Ah, sorry. Was unfamiliar with the site and just doing refreshes (and being amazed at how fast they came back with all the information). It's looking better now - let's hope things go smoother in 90 days after the next refresh.

1 Like

Yep, now your port 993 chain

Chain (complete)	
	1	CN=mail.carpenter-farms.us
	2	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US

is correct.

2 Likes

Still concerned about CN=www.kevinsthoughts.com being associated with mail.carpenter-farms.us, since that domain is now being handled by a different server. This causes grief when doing a renewal as well, since it tries to use that domain instead of mail.carpenter-farms.us.

Is there any way to purge it from the certificate?

1 Like
