Cyrus-imapd name confusion (or maybe expired)

(New updates at end)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
openssl verify chain.pem / openssl verify cert.pem

It produced this output:
root@kirika:/etc/letsencrypt/live/ openssl verify chain.pem
chain.pem: OK
root@kirika:/etc/letsencrypt/live/ openssl verify cert.pem
CN =
error 20 at 0 depth lookup: unable to get local issuer certificate
error cert.pem: verification failed

My web server is (include version):
Apache 2.4.41

The operating system my web server runs on is (include version):
Ubuntu focal

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

So this is a very non-standard setting, and I'll include details at the end so they can be skipped. I'm attempting to use the certificante not on a webserver (where it works fine and identifies correctly in the browser) but in cyrus-imapd. The relevant part of imapd.conf is

tls_server_cert: /etc/letsencrypt/live/
tls_server_key: /etc/letsencrypt/live/

Thunderbird (Windows) started failing to connect recently, with timeout errors. I've had the damndest time finding any useful log messages from cyrus-imapd, but what I have found is that if I wipe out my Thunderbird config and create a new one it will connect to the server and download mail but it reports a certificate error - wrong site, not certificate doesn't exist. When I view the certificate in Thunderbird, the CN is, not Yet if I run openssl verify (and ignore the errors), the CN is I have absolutely no clue how is sneaking into the chain, or if this is some oddity in Thunderbird.

I do have certificates for, but they don't even exist on this machine (see TLDR notes below).

What the heck is going on? I don't want to spam with my first post but I'll be happy to attach any configuration files.

  • TLDR stuff:

The mail server is not the machine that I run certbot on. It's isolated behind a VPN, with ports 25, 143 etc. tunneled from the host that has the address of I update the certificates with rsync nightly. The webserver is on and Firefox correctly displays the name in the certificate. As I said, I also have certs for on that server, which also identify correctly, but the directories for those certificates aren't included in the rsync, so they don't exist at the mail server.

As you can see I get an error 20 in openssl verify. Running openssl verify on the certbot machine / web server / public IP gives me the same error. I've tried various forms (after googling) of specifying a CA to try to get an error-free result, but haven't succeeded. Since the certificates seem valid in Thunderbird and Firefox, I assume the error is a red herring. But on both machines, the CN is, which is what I was looking for. So how Thunderbird could be picking up is truly beyond me.

It's also worth mentioning that

  1. Thunderbird on Linux doesn't seem to find a problem. However,
  2. Rainloop (webmail) refuses to connect (for unknown reasons, but the failures started at the same time as the Thunderbird failures, so my guess is it's also picking up a bogus CN. This could be another red herring.)
  3. This setup has been working for a couple of years now with no problems until about two weeks ago, when I realized rsync had been failing for a while (I accidentally deleted the ssh key) and the LE certificate had expired.

Last edit, I hope:

  • Since I have had useful results with Sylpheed, I installed that on Windows. It reports that the certificate is expired, but it accurately lists the start and end time, and it hasn't. Which makes me think that something in the chain isn't right. On Linux (Debian 11) Sylpheed finds no error, just like Thunderbird on Linux. I'm thinking the "" in Thunderbird is a bogus error. Perhaps Thunderbird is checking common mismatched URLs or something. There's a certificate error in Thunderbird, but possibly not what it's reporting.
  • As an experiment, I tunnelled port 444 to the mail server, and set up an Apache configuration using a copy of the certbot-generated configuration. Connecting to gives no error and examining the certificate with Firefox gives exactly what I see on the public address So the certificates are correct on the mail server.
  • I'm wondering if I need explicitly to provide the root CA for cyrus-imapd. Not that I have any clue how to do that, or where to acquire it, but it seems to me that the certificate chain must broken in the server. Perhaps the CA doesn't exist in the collection in /etc/certs? Maybe if I can figure out how to make openssl verify work without error that will tell me what I'm missing.
1 Like

What date/time does your system think it is?


6/19/2022, 12:30:59. Sylpheed lists the certificate as Issued date: Jun 14 19:29:56 2022 GMT, Expire date: Sep 12 19:29:55 2022 GMT

However... removing the "DST Root CA X3" certificate from Windows has magically fixed Thunderbird. (Not Sylpheed.)

I'm so far out of my depth with certificate chains, but a different openssl error on a different server (and different certificate) led me down a path where removing DST Root CA X3 changed the error from expired to unable to find issuing authority. So I tried removing the CA from Windows and got a partial solution.

Might there be a way I can construct the certificate chain that Windows doesn't hunt for the expired CA?

1 Like

It appears that removing the last certificate from fullchain.pem (to a new file, of course...) fixes Thunderbird everywhere. Sylpheed no longer complains about an expired certificate, but does complain about a missing intermediate certificate
"The SSL certificate of cannot be verified by the following reason:
unable to get local issuer certificate"
which is not that significant of a problem at this point, since I'm only using Sylpheed to help figure out what is going on. I don't think I care about old Android devices. I'd like to know if there's a way to have Sylpheed connect without error, but it's a background problem now.

Also, for the first time yet on any of my domains,

root@kirika:~# openssl verify -CAfile /etc/letsencrypt/live/ /etc/letsencrypt/live/
/etc/letsencrypt/live/ OK

1 Like

Just fyi, using openssl to verify cert chains is confusing. The best advice I've seen is here:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.