Certs up to date but OpenSSL fails

How can I determine the path to the certificates being used by an IMAP server?

My Dovecot/IMAP configuration in **10-ssl.conf** correctly points to the certbot certificates, which returns success when I test them with openssl. 
    openssl x509 -noout -text -in fullchain.pem

But the imap server serves the wrong certificate, which is expired:
    openssl s_client -connect 70.186.159.22:143 -starttls imap

Thanks in advance, Andy

My certificates were updated 8/13/19 by certbot renew. The latest is
/etc/certbot/archive/privustech.com/fullchain12.pem.
The offending cert is
…/fullchain11.pem

All the certificates have the correct DNS names, including mail.privustech.com

My domain is: mail.privustech.com

My imap server is (include version): Dovecot 2.3-lp150.1.3

The operating system my web server runs on is (include version): Linux Mint 18.3

My hosting provider, if applicable, is: my own mail server 70.186.159.22

I can log in to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site: no

The version of my client is: certbot 0.24.0

1 Like

Hi @alavarre,

Did you restart Dovecot after getting the new certificate? Most server applications don’t reload new certificates from disk unless you actively tell them to (and Certbot currently only knows how to tell Apache and nginx to do this, not Dovecot).

1 Like

OMG… ! Thank you.

So Dovecot caches the content of the cert, not the path…

Another life lesson learned the hard way.

Thank you!! We can close this ticket!

Kind regards, Andy

1 Like

That's true for most servers—I think I've only seen two exceptions, which I don't even remember at the moment—but we may not notice it when the certificate management is better integrated with the server process (like with certbot --apache).

1 Like
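The mismatch diagnosed in this thread (a renewed file on disk, an older certificate still held by the running server) can be checked by comparing fingerprints. The script below is an added example, not something posted by the participants; the script name, host, port and file path in its usage line are placeholders.

```shell
#!/bin/sh
# Added example: is the running mail server still presenting an old certificate?
# Host, port and file path are supplied by the caller; the values in the
# usage line are placeholders, not taken from the thread.
# Usage: ./check-served-cert.sh /path/to/fullchain.pem mail.example.com 143 imap

# SHA-256 fingerprint of the first certificate found in the PEM text on stdin.
# For a certbot fullchain.pem the first certificate is the leaf.
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Fingerprint of the certificate the server presents after STARTTLS.
# $1 = host, $2 = port, $3 = STARTTLS protocol (imap, pop3, smtp)
served_fingerprint() {
    openssl s_client -connect "$1:$2" -starttls "$3" -servername "$1" \
        </dev/null 2>/dev/null | fingerprint
}

# Compare the file on disk with what the server holds in memory.
# Returns 0 = same certificate, 1 = server is stale, 2 = could not check.
# $1 = certificate file, $2 = host, $3 = port, $4 = STARTTLS protocol
check_served_cert() {
    disk=$(fingerprint < "$1")
    live=$(served_fingerprint "$2" "$3" "$4")
    if [ -z "$disk" ] || [ -z "$live" ]; then
        echo "UNKNOWN: could not read the certificate from disk or from $2:$3" >&2
        return 2
    fi
    if [ "$disk" = "$live" ]; then
        echo "OK: $2:$3 presents the certificate in $1"
        return 0
    fi
    echo "STALE: $2:$3 presents $live but $1 is $disk; reload the server"
    return 1
}

# Run the check only when called with all four arguments.
if [ "$#" -eq 4 ]; then
    check_served_cert "$@"
fi
```

A STALE result means the server needs a reload or restart, which certbot can trigger on each renewal through its `--deploy-hook` option (for example with `doveadm reload` as the hook command).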