Certificate expired although valid cert is in archive

My domain is: mail.kukulies.org

I can login to a root shell on my machine: yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

Yesterday during the day my mailserver suddenly lost its certificate validity.

I'm running postfix/dovecot and the certificates used are the links in
/etc/letsencrypt/live/<domain/hostname>/cert.pem etc.

Although the valid certificate (expiring Apr 29, 2023) was already behind the link
the mailserver still hung on the old certificate, expiring Feb 28.

BTW, the expire date Feb 28, 2023 means from 0 a.m. of this day the cert has expired, right?

So, my question is, why did the mail server still use the old certificate?
Could it be that the file is opened or locked and thus the new file isn't used?

After rebooting the server all was fine. Would that mean that, whenever certbot is updating, I should run a script that restarts the mail server?

I just noticed that I already had this case opened in:
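The failure described above (a valid certificate in /etc/letsencrypt/live, but the running service still presenting the old one) is easy to miss until clients start complaining. Here is an added check script, not from this thread or from Certbot, that compares the SHA-256 fingerprint of the certificate on disk with the one the mail service actually presents on its TLS ports. It assumes openssl is installed and uses the hostname, lineage path and ports (993 for IMAPS, 587 with STARTTLS for submission) from this thread as placeholders; override LINEAGE and HOST for another setup.

```shell
#!/bin/sh
# Added example (not from the thread): detect a mail service that has not
# picked up a renewed certificate by comparing fingerprints. Assumes openssl
# is installed; HOST and LINEAGE are placeholders taken from the thread.
set -eu

LINEAGE="${LINEAGE:-/etc/letsencrypt/live/mail.kukulies.org}"
HOST="${HOST:-mail.kukulies.org}"

# Normalise openssl's "SHA256 Fingerprint=AB:CD:..." (older releases) or
# "sha256 Fingerprint=..." (openssl 3) to bare lowercase hex.
fingerprint_value() {
    sed -n 's/^[Ss][Hh][Aa]256 Fingerprint=//p' | tr -d ':' | tr 'A-F' 'a-f'
}

# Fingerprint of the certificate certbot deployed on disk.
disk_fingerprint() {
    openssl x509 -in "$LINEAGE/cert.pem" -noout -fingerprint -sha256 \
        | fingerprint_value
}

# Fingerprint of the certificate the running service presents.
# $1 = port, $2 = STARTTLS protocol name for openssl, or "" for implicit TLS.
served_fingerprint() {
    port="$1"; starttls="${2:-}"
    opts=""
    [ -z "$starttls" ] || opts="-starttls $starttls"
    # shellcheck disable=SC2086
    openssl s_client -connect "$HOST:$port" -servername "$HOST" $opts \
        </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 \
        | fingerprint_value
}

# Compare two fingerprints ($1 = disk, $2 = served); returns 0 when they match.
compare_fingerprints() {
    if [ "$1" = "$2" ]; then
        echo "OK: served certificate matches $LINEAGE/cert.pem"
        return 0
    fi
    echo "STALE: service presents $2 but disk has $1 (reload needed)"
    return 1
}

# $1 = label, $2 = port, $3 = STARTTLS protocol or "".
check_port() {
    compare_fingerprints "$(disk_fingerprint)" "$(served_fingerprint "$2" "${3:-}")" \
        || { echo "  -> $1 on port $2 needs a reload"; return 1; }
}

# Only touch the network when explicitly asked (CHECK=1 ./check-mail-cert.sh),
# so the functions above can be sourced without side effects.
if [ "${CHECK:-0}" = 1 ]; then
    status=0
    check_port dovecot-imaps 993 "" || status=1
    check_port postfix-submission 587 smtp || status=1
    exit "$status"
fi
```

Run it from cron or as a monitoring probe after each renewal window; a STALE line is the exact symptom from this thread, caught before the old certificate's notAfter passes. A non-zero exit is the signal to reload the service (or to fix the missing renewal hook).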

You should've added a renewal hook (--renewal-hook) to reload/restart your mailserver when you renew that. But I'm not sure how one adds a hook to an already running lineage. Edit /etc/letsencrypt/renewal/${certname}.conf?


Aah. That's interesting. In /etc/letsencrypt/renewal/mail.kukulies.org.conf I see:

# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/mail.kukulies.org
cert = /etc/letsencrypt/live/mail.kukulies.org/cert.pem
privkey = /etc/letsencrypt/live/mail.kukulies.org/privkey.pem
chain = /etc/letsencrypt/live/mail.kukulies.org/chain.pem
fullchain = /etc/letsencrypt/live/mail.kukulies.org/fullchain.pem

# Options used in the renewal process
account = dfecccbcxxxxxxxxxxxxx4xxx
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory

And what would I have to edit in that file? I don't run apache. It's dovecot and postfix I'm running.

I got a hint from elsewhere to use:

certbot renew --renew-hook "systemctl restart dovecot"

I think that will do, I hope


From version 2.3.0 and higher, Certbot supports the reconfigure subcommand which should allow you to add such parameters as the renewal hook without actually getting a new certificate (if there's no renewal pending).

Your version of 0.31.0 is ancient and I recommend upgrading to the newest version.


Expanding on @orangepizza's instructions:

Certbot just procures certificates for you and puts them on disk. You have to instruct Certbot to restart or alert services about the new certificates. (If you use a Certbot plugin like apache or nginx, it should restart those automatically).

You will need renewal hooks that cover all services that use your certificate:

  • dovecot
  • postfix
  • potentially apache/nginx/etc if you have a webmail system installed on that domain
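As an added example (not code from this thread or from the Certbot project), here is a deploy hook covering exactly that list of services. Certbot runs deploy hooks (--deploy-hook; --renew-hook is the older alias) only after a certificate was actually renewed, exports RENEWED_LINEAGE and RENEWED_DOMAINS to them, and saves a hook passed to certbot renew into the renewal config, so it applies to future automatic renewals. The script can also be dropped, executable, into /etc/letsencrypt/renewal-hooks/deploy/. The lineage path and the service names are placeholders from this thread; it uses systemctl reload rather than restart so existing IMAP/SMTP sessions survive the certificate swap.

```shell
#!/bin/sh
# Added example (not from the thread or Certbot): deploy hook that reloads
# every service sharing the mail certificate. Certbot sets RENEWED_LINEAGE
# for deploy hooks and runs them once per renewed certificate.
set -eu

# Lineage this hook is responsible for (placeholder from the thread).
MAIL_LINEAGE="${MAIL_LINEAGE:-/etc/letsencrypt/live/mail.kukulies.org}"
# Services that use that certificate; add nginx or apache2 here for webmail.
MAIL_SERVICES="${MAIL_SERVICES:-postfix dovecot}"
# Command used to reload a unit; overridable so the logic can be exercised
# on a machine without systemd.
RELOAD_CMD="${RELOAD_CMD:-systemctl reload}"

# Decide which services to reload for a renewed lineage and print them one
# per line. Prints nothing for lineages this hook does not own: a hook in
# renewal-hooks/deploy/ is invoked for every renewed certificate, not only
# the mail one, so it must not reload mail services for unrelated domains.
services_for_lineage() {
    lineage="$1"
    if [ "$lineage" = "$MAIL_LINEAGE" ]; then
        for svc in $MAIL_SERVICES; do echo "$svc"; done
    fi
}

# Reload each named service, continuing past failures so one broken unit
# does not leave the others on the stale certificate. Prints the names that
# failed and returns 1 if any did; returns 0 when every reload succeeded.
reload_all() {
    failed=""
    for svc in "$@"; do
        if $RELOAD_CMD "$svc" >/dev/null 2>&1; then
            logger -t certbot-deploy "reloaded $svc for $MAIL_LINEAGE" 2>/dev/null || true
        else
            failed="$failed $svc"
        fi
    done
    failed="${failed# }"
    [ -z "$failed" ] || { echo "$failed"; return 1; }
}

# Act only when Certbot has set RENEWED_LINEAGE; otherwise the file can be
# sourced to test the functions above.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    # shellcheck disable=SC2046
    set -- $(services_for_lineage "$RENEWED_LINEAGE")
    [ $# -eq 0 ] && exit 0
    if ! reload_all "$@"; then
        echo "certbot-deploy: reload failed; certificate on disk is newer than the running service" >&2
        exit 1
    fi
fi
```

A non-zero exit from the hook shows up in Certbot's output and log (/var/log/letsencrypt/letsencrypt.log), which is the place to look when the fingerprint check from earlier in the thread still reports a stale certificate after a renewal.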