Certificate problem

jdpedersen1 · August 8, 2021, 4:16am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:jpedmedia.com

I ran this command:certbot --nginx, then certbot certificates

It produced this output:Found the following certs:
Certificate Name: jpedmedia.com
Domains: jpedmedia.com mail.jpedmedia.com notmyown.xyz www.jpedmedia.com www.mail.jpedmedia.com www.notmyown.xyz
Expiry Date: 2021-11-06 02:38:38+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/jpedmedia.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/jpedmedia.com/privkey.pem
Certificate Name: mail.jpedmedia.com
Domains: mail.jpedmedia.com www.mail.jpedmedia.com
Expiry Date: 2021-11-06 02:47:44+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/mail.jpedmedia.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mail.jpedmedia.com/privkey.pem
Certificate Name: notmyown.xyz
Domains: notmyown.xyz www.notmyown.xyz
Expiry Date: 2021-11-06 02:58:57+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/notmyown.xyz/fullchain.pem
Private Key Path: /etc/letsencrypt/live/notmyown.xyz/privkey.pem

My web server is (include version):nginx

The operating system my web server runs on is (include version):debian 10

My hosting provider, if applicable, is:vultr

I can login to a root shell on my machine (yes or no, or I don't know):yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):0.31.0

I got a renewal email that stated my certs were expiring, so i logged into my server and ran certbot --nginx and updated my certs, then ran certbot certificates and verifed they are all renewed, my websites, jpedmedia.com and notmyown.xyz work fine but i cannot sync my mail server, mail.jpedmedia.com, to my email client, it tells me my cert is expired everytime. how do i fix this issue?

rg305 · August 8, 2021, 4:29am

Hi @jdpedersen1, and welcome to the LE community forum

It sounds like maybe you have two issues:

The certificates aren't automatically renewing.
[you should ensure to follow the best practice of running a job for that (twice a day)]
The mail program doesn't update itself when a cert is renewed.
[you should ensure to restart the mail program each time the mail cert is renewed]

jdpedersen1 · August 8, 2021, 4:53am

Thank you for the quick response! So if I get what you are saying, I should update my certs twice a day? Also, I got frustrated with the mail client and uninstalled and reinstalled it and when i try to add my mail server it wont sync, it just fails and says my certs are expired.

rg305 · August 8, 2021, 5:27am

You should run:
certbot renew
twice a day.
[it won't actually renew your certs twice a day - only when they are nearing expiry]

Do you recall how you configured the mail server to use a cert?

Osiris · August 8, 2021, 7:33am

I'm wondering, is there any reason why some hostnames are in multiple certificates?
I.e., the following certificate contains all hostnames:

And the following cert contains two hostnames which are also included in the cert above:

The same goes for:

Seems to me one or two (depending on which certificate(s) is/are in use) are redundant?

Is your mailserver being reloaded after the renewal? Because it will only pick up and use the renewed certificate after a reload or restart.

jdpedersen1 · August 8, 2021, 11:50am

Basically when i set up nginx, I created a sites-enabled dir with 3 files, one for each of my 2 websites and one for my mail server, what's strange is that my certs expired once before and I did not have an issue when I renewed, nothing has changed in my nginx conf and this time things are screwy. I have tried a couple clients thinking the client was the problem but they all say my certs are expired. I also tried removing all certs and uninstalling certbot completely including dependencies and any created files and directories, then reinstalling and running again, still have same issue.

jdpedersen1 · August 8, 2021, 11:52am

It should be, I run systemctl restart nginx, and I also ran systemctl disable nginx && systemctl enable --now nginx, output shows stopping and starting.

Osiris · August 8, 2021, 12:07pm

Are your mail clients connecting to nginx? I thought nginx was just a webserver, I didn't know it was also a mail server.

jdpedersen1 · August 8, 2021, 12:15pm

They were connecting with no issue until now,

Osiris · August 8, 2021, 12:18pm

Could you perhaps explain to me how a mail client can connect to a webserver? Are you absolutely sure the mail clients aren't connecting to Postfix and Dovecot?

jdpedersen1 · August 8, 2021, 12:31pm

Excuse me, yes, I run dovecot and postfix on the server. Everything has been running with ease until now so I completely forgot about those.

Osiris · August 8, 2021, 12:33pm

Please reload your Dovecot so it makes use of the most recently issued/renewed certificate, assuming you've configured Dovecot to read the certificate from the appropriate location in /etc/letsencrypt/.

jdpedersen1 · August 8, 2021, 1:28pm

reloaded dovecot, verified etc/dovecot/dovecot.conf shows ssl cert and ssl key at /etc/letsencrypt/live/mail.jpedmedia.com/fullchain.pem and privkey.pem.

Osiris · August 8, 2021, 1:33pm

Well, the reloading did something at least:

< * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS LOGINDISABLED] Dovecot (Debian) ready.
> . CAPABILITY
< * CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS LOGINDISABLED
< . OK Pre-login capabilities listed, post-login capabilities have more.
> . STARTTLS
< . OK Begin TLS negotiation now.
... binary TLS stuff ...
< * BYE [UNAVAILABLE] TLS initialization failed.

For some reason your TLS (through STARTTLS) is failing now. Please check the Dovecot error log to see why.

Edit:
Seems to be working now With the correct certificate too.

jdpedersen1 · August 8, 2021, 1:56pm

well not getting the cert expired error so that is good, but cant login because says authentication fail, check username and password,neither of those have changed. this is ridiculous, I think I will just destroy my server and start over.

Osiris · August 8, 2021, 1:57pm

Please backup and restore your perfectly fine certificates in /etc/letsencrypt/. Or even better: as root (or sudo), tar the entire directory and back that up so you can restore it again (as root or using sudo).

That said: my experience with Linux is that it's almost NEVER EVER necessary to start over from scratch. It's probably better in the long run to learn good debugging skills and fix the issue at hand. 99,99 % of time you can learn almost everything you need to know from the error logs in combination with Google.

jdpedersen1 · August 8, 2021, 1:59pm

will do, thank you for all your input and info is is greatly appreciated

rg305 · August 8, 2021, 8:11pm

The problem now seems to be within the Dovecot config.
Which may easier to fix than redoing the entire server.
But whatever makes it work... wins!

system · September 7, 2021, 8:11pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.