Certificate valid until september - but error message

Hello,

I have created a certificate for 4 domains - including a mail.domain.com.

certbot certificates | grep -i domain

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate Name: mail.domain.com**-0001**
Domains: mail.domain.com imap.domain.com mail.domain2.com
Certificate Path: /usr/local/etc/letsencrypt/live/mail.domain.com-0001/fullchain.pem
Private Key Path: /usr/local/etc/letsencrypt/live/mail.domain.com-0001/privkey.pem

I use the mail.domain.com in my email client.

In sendmail the following paths are set (.mc4):

define(`CERT_DIR', `/usr/local/etc/letsencrypt/live/mail.domain.com-0001')
define(`confCACERT_PATH', `CERT_DIR')
define(`confCACERT', `CERT_DIR/fullchain.pem')
define(`confSERVER_CERT', `CERT_DIR/cert.pem')
define(`confSERVER_KEY', `CERT_DIR/privkey.pem')
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')
define(`confCLIENT_KEY', `CERT_DIR/privkey.pem')

Since that afternoon today, I get an error message in Outlook/Thunderbird that the certificate for mail.domain.com expired on 7/16/2022.

But
"show certificates" displays:

Certificate Name: mail.domain.com-0001
Serial Number: ...
Key Type: RSA
Domains: mail.domain.com imap.domain.com mail.domain2.com
Expiry Date: 2022-09-20 19:23:01+00:00 (VALID: 66 days)
Certificate Path: /usr/local/etc/letsencrypt/live/mail.domain.com-0001/fullchain.pem
Private Key Path: /usr/local/etc/letsencrypt/live/mail.domain.com-0001/privkey.pem

So my email client throws an error message about a certificate called "mail.domain.com" which expired today, although sendmail is working with a certificate named mail.domain.com**-0001**.

Apparently something got mixed up with the certificates on the server.

What can I do to clean it up?

Thanks and kind regards
letsencrypttestit

Is sendmail being reloaded after renewal to actually load the new cert in memory and use it?

5 Likes

Hi,

yes - I restarted sendmail!

Since my certificate, which is valid until September 2022, is called mail.domain.com**-0001**, but since noon today my e-mail client shows that the certificate for mail.domain.com has expired, I wonder why Thunderbird/Outlook always uses mail.domain.com instead of mail.domain.com-0001?

By the way:

root@mail:~ # certbot delete --cert-name mail.domain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log


The following certificate(s) are selected for deletion:

WARNING: Before continuing, ensure that the listed certificates are not being
used by any installed server software (e.g. Apache, nginx, mail servers).
Deleting a certificate that is still being used will cause the server software
to stop working. See User Guide — Certbot 1.29.0 documentation for information on
deleting certificates safely.

Are you sure you want to delete the above certificate(s)?


(Y)es/(N)o: Y
No certificate found with name mail.domain.com (expected /usr/local/etc/letsencrypt/renewal/mail.domain.com.conf).

I think it will be best to manually delete/reset everything related to mail.domain.com and mail.domain.com-0001. Can anyone tell me the best way to proceed here?

Kind regards
letsencrypttestit

P. S.:

Obviously I have two Accounts, but why?

/usr/local/etc/letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org/directory
and
/usr/local/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory

One is for the staging environment (note the term "staging" in the URI) and the other one (without "staging" in the URI) is for the production environment.

Please show the entire output without redacting anything of certbot certificates.

5 Likes

Hi,

how do you mean that:

Please show the entire output without redacting anything of certbot certificates.

Do you mean the serial number?

Kind regards
letsencrypttestit

Everything. If you deleted the previously expired certificate and reloaded/restarted sendmail, it shouldn't be able to use that cert any longer. So either you didn't reload/restart sendmail successfully, or there are multiple certificates present.

Also, your actual hostname(s) are required, so we can test it ourselves.

5 Likes

The hostname concerned is
mail.sitepromo.de

root@mail:~ # certbot certificates | grep -i sitep
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate Name: mail.sitepromo.de-0001
Domains: mail.sitepromo.de imap.sitepromo.de mail.XY.de www.XY.de
Certificate Path: /usr/local/etc/letsencrypt/live/mail.sitepromo.de-0001/fullchain.pem
Private Key Path: /usr/local/etc/letsencrypt/live/mail.sitepromo.de-0001/privkey.pem

Due to GDPR two other domains have to be "XY".

Since in sendmail.cf the paths lead to mail.sitepromo.de-0001 and NOT to mail.sitepromo.de, and at the same time "show certificates" shows a valid certificate for certificate name "mail.sitepromo.de-0001", I wonder why my email client always complains about an expired certificate for certificate name "mail.sitepromo.de"?

Thanks and kind regards
letsencrypttestit

The certbot certificates should have shown a line with Expiry Date. What did that say?

Because I can see the cert being sent by that domain just expired (via port 995).

5 Likes

Hi,

I already posted it above:

Certificate Name: mail.sitepromo.de-0001
Serial Number: 4efa444257050da340660a704290af99be0
Key Type: RSA
Domains: mail.sitepromo.de imap.sitepromo.de mail.XY.de www.sitepromo.de
Expiry Date: 2022-09-20 19:23:01+00:00 (VALID: 65 days)
Certificate Path: /usr/local/etc/letsencrypt/live/mail.sitepromo.de-0001/fullchain.pem
Private Key Path: /usr/local/etc/letsencrypt/live/mail.sitepromo.de-0001/privkey.pem

Kind regards
letsencrypttestit

My mistake, I was just looking at your most recent display that filtered the lines through grep and lost some lines.

What port are you using for your mail domain server?

If I look at that domain with https (port 443), I see the cert you show with 65 days left. But, if I use port 995 the cert you send has expired.

See what I am describing using an SSL Decoder site like this. Try the proper ports for your config.

Does your mail server use a copy of an older cert maybe?

4 Likes
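The check described in this reply (same host, different answer on 443 versus 995) and the eventual explanation later in the thread (a daemon such as stunnel still holding an old file in memory) can both be done from the command line. The script below is an added illustration for this thread, not code from the original posts or from certbot, sendmail or stunnel. It does a verifying handshake first, so it surfaces the same verification error a mail client would (for example "certificate has expired"), then fetches the served certificate unverified to fingerprint it and, optionally, compares that fingerprint with the first certificate in the fullchain.pem the daemon is configured to load. It assumes implicit-TLS ports (443, 465, 993, 995); STARTTLS ports such as 25, 110 and 143 need the application-level handshake first and are not handled. The host name and path in the `__main__` block are placeholders.

```python
"""Probe which certificate a TLS service really serves on a given port.

Added illustration for this thread, not code from the original posts or from
certbot/sendmail/stunnel. Assumes implicit-TLS ports; host names and file
paths in __main__ are placeholders.
"""
import hashlib
import socket
import ssl
import time

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def days_until_expiry(cert, now=None):
    """Days left on a cert dict from SSLSocket.getpeercert(); negative if expired.
    `now` may be epoch seconds, a string in the same format as notAfter
    (useful for reproducible checks), or None for the current time."""
    if now is None:
        now = time.time()
    elif isinstance(now, str):
        now = ssl.cert_time_to_seconds(now)
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400.0


def san_dns_names(cert):
    """DNS names from the subjectAltName extension of a getpeercert() dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(cert, hostname):
    """Minimal SAN check: exact match or a single-label wildcard (*.example.com)."""
    host = hostname.lower().rstrip(".")
    for name in san_dns_names(cert):
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count(".") and host.endswith(name[1:]):
            return True
    return False


def first_pem_cert(text):
    """Return the first certificate block of a PEM file.
    In a certbot fullchain.pem the first block is the leaf certificate."""
    start = text.find(PEM_BEGIN)
    stop = text.find(PEM_END, start)
    if start < 0 or stop < 0:
        raise ValueError("no PEM certificate found")
    return text[start:stop + len(PEM_END)]


def pem_sha256(pem_text):
    """SHA-256 fingerprint (hex) of the first certificate in a PEM string."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(first_pem_cert(pem_text))).hexdigest()


def probe(host, port, local_pem_path=None, timeout=10):
    """Connect twice: once verifying like a mail client (to see the same error
    Thunderbird/Outlook reports), once unverified only to fetch the DER and
    fingerprint it. With local_pem_path, compare the served fingerprint to the
    file the daemon is configured to use; a mismatch means it was not reloaded."""
    report = {"host": host, "port": port, "verify_error": None}

    ctx = ssl.create_default_context()  # system CA store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                report["days_left"] = days_until_expiry(cert)
                report["sans"] = san_dns_names(cert)
                report["hostname_ok"] = hostname_matches(cert, host)
    except ssl.SSLCertVerificationError as exc:
        report["verify_error"] = exc.verify_message  # e.g. "certificate has expired"

    unverified = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    unverified.check_hostname = False
    unverified.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with unverified.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)  # DER is returned even unverified
    report["served_sha256"] = hashlib.sha256(der).hexdigest()

    if local_pem_path:
        with open(local_pem_path) as fh:
            report["local_sha256"] = pem_sha256(fh.read())
        report["matches_local"] = report["local_sha256"] == report["served_sha256"]
    return report


if __name__ == "__main__":
    # Placeholder host; for this thread the path would be
    # /usr/local/etc/letsencrypt/live/<cert name>/fullchain.pem on the mail host.
    for port in (443, 995):
        print(probe("mail.example.test", port, local_pem_path=None))
```

Run it against each port the mail clients use; a `verify_error` on 995 but not on 443, or `matches_local` being false for one port only, points at the daemon behind that port (stunnel in this thread) rather than at certbot or the files on disk.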

SMTP is fine, valid certificate from today.
IMAP is not accessible, so cannot test.
POP3 is running Qpopper and indeed is serving an expired certificate.

Please check Qpoppers configuration for any POP3 issue. SMTP works fine.

5 Likes

Hello,

Your tests and my changes overlapped in time. In the meantime I had generated a new certificate for mail.sitepromo.de, entered the path in sendmail and then restarted sendmail. Since I work with qpopper, which does not support SSL, I had to solve this with stunnel 995 -> 110. But you had done your tests when I had not yet inserted the path to the new certificate in stunnel.conf.

Thanks again for your (Osiris and Mike) timely support!

Greetings
testit

3 Likes

But you already had a valid certificate, right? Why would you need to generate a new one?

What was wrong the first time? Seemed correct.

4 Likes

Hello,

I had opened the thread here and described the problem. Since yesterday, my email clients always complained about a certificate mail.sitepromo.de, which did not exist anymore at all.

At least with "show certificates" such a certificate was not output. What did exist and was still valid was the certificate mail.sitepromo.de**-0001**. Both in sendmail.cf and stunnel.conf the path to mail.sitepromo.de-0001 was entered, which worked fine for several weeks until yesterday.

Possibly "stunnel" had crashed, otherwise I can't explain the whole thing. But why my Thunderbird/Outlook then constantly reported problems with the certificate name "mail.sitepromo.de" (without the suffix -0001), I cannot explain.

Kind regards
testit

1 Like