My domain is:
box.hamletmail.com
I ran this command:
echo QUIT | openssl s_client -starttls smtp -crlf -connect box.hamletmail.com:587
It produced this output when run from one server (71.192.82.97) showing valid cert
CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = box.hamletmail.com
verify return:1
---
Certificate chain
0 s:CN = box.hamletmail.com
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFPTCCBCWgAwIBAgISBLbIK18aiY0qEWs5Wjo3TLVgMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
and this output from another server (34.196.217.183) showing expired cert
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
---
Certificate chain
0 s:/CN=box.hamletmail.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFPTCCBCWgAwIBAgISBLbIK18aiY0qEWs5Wjo3TLVgMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
My web server is (include version):
Ubuntu 18.04.1 LTS
The operating system my web server runs on is (include version):
GNU/Linux 5.4.0-1068-aws x86_64
My hosting provider, if applicable, is: AWS
I can login to a root shell on my machine (yes or no, or I don't know): YES
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO
The version of my client is (e.g. output of certbot --version
or certbot-auto --version
if you're using Certbot):
certbot 0.28.0
My SMTP server fails when I try to access it from another server due to an expired certificate. This is confirmed when I check the SSL certificate of hamletmail.com from the command line of that server. It is not only that server though, when I check it from other servers it shows as expired as well.
However, the certificate is valid. When I check it from sslabs, or from the command line of some other servers, it shows. as valid.
The same certificate appears in the response, regardless if the response shows valid or expired, as you can see from the output above - so I don't believe I have two certificates, it appears as though the exact same certificate is showing valid and expired at the same time.
Why is a valid cert showing as expired, but only from certain servers?
Thanks!