I ran certbot -d "mail.lindows.org" to see what would happen. I guess I should delete that.
The actual output of renew on my second attempt was:
/etc/letsencrypt/live/mail.lindows.org-0001/fullchain.pem expires on 2020-11-10 (skipped)
/etc/letsencrypt/live/mail.lindows.org/fullchain.pem expires on 2020-10-11 (skipped)
This is what is in /etc/letsencrypt/live/mail.lindows.org/fullchain.pem
What are the contents of /etc/letsencrypt/renewal/mail.lindows.org.conf, then?
Generally, one of two things needs to happen:
The installer needs to be set to nginx so it automatically installs the certificate to the nginx configuration and reloads the server every renewal. That is typical if you used certbot --nginx. Or
The configuration contains a deploy hook, something along the lines of systemctl reload nginx, in the case that you originally used certbot certonly.
If neither is the case, that would explain why your certificate isn’t being reloaded upon renewal.
I was able to resolve the issue. It seems I needed to do a server reboot.
I have symbolic links pointing to the Let’s Encrypt certificates which nginx is using, and which the mail server wants to use. I guess the email server was still using old certificates. I guess they are held in memory?
Thanks for helping me understand this, and the quick, and helpful responses.
To save you from future issues (this will happen every time your certificate renews), please do what @_az suggested so you won't need to reload nginx every 2 months.
I am using iRedMail for setup. The developer says not to use --nginx.
I missed his caveat of
Let's Encrypt cert will expire in 90 days, you must renew it before it expires. After renewal, don't forget to restart Postfix/Dovecot/Nginx/Apache to load the new cert files.
I guess I will just have to do daily reloads of those from cron
That will work. You can alternatively put an executable shell script to reload everything inside the /etc/letsencrypt/renewal-hooks/deploy/ directory, which will be executed at every renewal.
Curse Americans and their backwards mm/dd/yyyy dates.
The most likely problem is that your webserver and certbot are talking about two different certificates. Best case solution: reload the mailserver so it can realise the certificate has been renewed (and tell certbot to do it in the future by adding a --deploy-hook)
This means your command is:
certbot renew {whatever plugin, or none to read from old runs} \
--deploy-hook "systemctl reload postfix dovecot nginx apache"
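As an added example (not code from any poster in this thread), here is a deploy-hook script of the kind @_az describes, dropped into /etc/letsencrypt/renewal-hooks/deploy/. It reloads the services and then checks that what Postfix and Dovecot actually serve matches the renewed file on disk, which is exactly the "two different certificates" situation above. It assumes an iRedMail-style host running Postfix, Dovecot and nginx under systemd, with submission on 587 and IMAPS on 993; the lineage-to-service mapping is an assumption.

```shell
#!/bin/sh
# Deploy hook for certbot, e.g. saved as
# /etc/letsencrypt/renewal-hooks/deploy/reload-mail-stack.sh (chmod +x).
# certbot runs every executable in that directory after a successful renewal
# and exports RENEWED_LINEAGE, the live directory of the renewed certificate
# (e.g. /etc/letsencrypt/live/mail.lindows.org).

# Map a lineage directory to the services that load its certificate.
# Assumed mapping for an iRedMail-style host; adjust to your own setup.
services_for_lineage() {
    case "$(basename "$1")" in
        mail.lindows.org) echo "postfix dovecot nginx" ;;
        *)                echo "nginx" ;;
    esac
}

# SHA-256 fingerprint of the leaf certificate in a PEM file (first cert only).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fingerprint of the certificate a running TLS service actually presents.
# $1 = host:port, $2 = STARTTLS protocol name, or empty for implicit TLS.
served_fingerprint() {
    starttls=""
    if [ -n "$2" ]; then starttls="-starttls $2"; fi
    openssl s_client -connect "$1" $starttls </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Reload the services, then confirm each endpoint serves the on-disk cert;
# a MISMATCH line means a daemon is still holding the old cert in memory.
reload_and_verify() {
    lineage=$1
    for svc in $(services_for_lineage "$lineage"); do
        systemctl reload "$svc" || systemctl restart "$svc"
    done
    disk=$(cert_fingerprint "$lineage/fullchain.pem")
    # Postfix submission with STARTTLS, Dovecot IMAPS with implicit TLS.
    for ep in "localhost:587 smtp" "localhost:993"; do
        set -- $ep
        live=$(served_fingerprint "$1" "$2")
        if [ "$live" = "$disk" ]; then
            echo "OK       $1 serves $disk"
        else
            echo "MISMATCH $1 serves $live, disk has $disk"
        fi
    done
}
if [ -n "$RENEWED_LINEAGE" ]; then reload_and_verify "$RENEWED_LINEAGE"; fi
```

Run `certbot renew --dry-run` afterwards only to check the renewal itself; deploy hooks are skipped on dry runs, so test the script by setting RENEWED_LINEAGE by hand once.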