(New updates at end)
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
openssl verify chain.pem / openssl verify cert.pem
It produced this output:
root@kirika:/etc/letsencrypt/live/mail.webl.com# openssl verify chain.pem
chain.pem: OK
root@kirika:/etc/letsencrypt/live/mail.webl.com# openssl verify cert.pem
CN = mail.webl.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error cert.pem: verification failed
My web server is (include version):
Apache 2.4.41
The operating system my web server runs on is (include version):
Ubuntu focal
My hosting provider, if applicable, is:
self
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
0.40.00
So this is a very non-standard setting, and I'll include details at the end so they can be skipped. I'm attempting to use the certificate not on a webserver (where it works fine and identifies correctly in the browser) but in cyrus-imapd. The relevant part of imapd.conf is
tls_server_cert: /etc/letsencrypt/live/mail.webl.com/fullchain.pem
tls_server_key: /etc/letsencrypt/live/mail.webl.com/privkey.pem
Thunderbird (Windows) started failing to connect recently, with timeout errors. I've had the damnedest time finding any useful log messages from cyrus-imapd, but what I have found is that if I wipe out my Thunderbird config and create a new one it will connect to the server and download mail but it reports a certificate error - wrong site, not certificate doesn't exist. When I view the certificate in Thunderbird, the CN is www.webl.com, not mail.webl.com. Yet if I run openssl verify (and ignore the errors), the CN is mail.webl.com. I have absolutely no clue how www.webl.com is sneaking into the chain, or if this is some oddity in Thunderbird.
I do have certificates for www.webl.com, but they don't even exist on this machine (see TLDR notes below).
What the heck is going on? I don't want to spam with my first post but I'll be happy to attach any configuration files.
- TLDR stuff:
The mail server is not the machine that I run certbot on. It's isolated behind a VPN, with ports 25, 143 etc. tunneled from the host that has the address of mail.webl.com. I update the certificates with rsync nightly. The webserver is on mail.webl.com and Firefox correctly displays the name mail.webl.com in the certificate. As I said, I also have certs for www.webl.com on that server, which also identify correctly, but the directories for those certificates aren't included in the rsync, so they don't exist at the mail server.
As you can see I get an error 20 in openssl verify. Running openssl verify on the certbot machine / web server / public IP gives me the same error. I've tried various forms (after googling) of specifying a CA to try to get an error-free result, but haven't succeeded. Since the certificates seem valid in Thunderbird and Firefox, I assume the error is a red herring. But on both machines, the CN is mail.webl.com, which is what I was looking for. So how Thunderbird could be picking up www.webl.com is truly beyond me.
It's also worth mentioning that
- Thunderbird on Linux doesn't seem to find a problem. However,
- Rainloop (webmail) refuses to connect (for unknown reasons, but the failures started at the same time as the Thunderbird failures, so my guess is it's also picking up a bogus CN. This could be another red herring.)
- This setup has been working for a couple of years now with no problems until about two weeks ago, when I realized rsync had been failing for a while (I accidentally deleted the ssh key) and the LE certificate had expired.
Last edit, I hope:
- Since I have had useful results with Sylpheed, I installed that on Windows. It reports that the certificate is expired, but it accurately lists the start and end time, and it hasn't. Which makes me think that something in the chain isn't right. On Linux (Debian 11) Sylpheed finds no error, just like Thunderbird on Linux. I'm thinking the "www.mail.com" in Thunderbird is a bogus error. Perhaps Thunderbird is checking common mismatched URLs or something. There's a certificate error in Thunderbird, but possibly not what it's reporting.
- As an experiment, I tunnelled port 444 to the mail server, and set up an Apache configuration using a copy of the certbot-generated configuration. Connecting to https://mail.webl.com:444/ gives no error and examining the certificate with Firefox gives exactly what I see on the public address https://mail.webl.com/. So the certificates are correct on the mail server.
- I'm wondering if I need explicitly to provide the root CA for cyrus-imapd. Not that I have any clue how to do that, or where to acquire it, but it seems to me that the certificate chain must be broken in the server. Perhaps the CA doesn't exist in the collection in /etc/certs? Maybe if I can figure out how to make openssl verify work without error that will tell me what I'm missing.
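The two openssl results in the post (chain.pem verifies, cert.pem alone gives "error 20 at 0 depth lookup: unable to get local issuer certificate") are reproduced below with a throwaway test CA, together with the invocation that does verify a leaf, a check of which names the certificate actually carries in its subjectAltName (which is what mail clients match against, not the CN), and the s_client command that shows what the IMAP server really hands out. This is an added example and not code from the original post; the root/intermediate/leaf hierarchy, the hostnames mail.example.test and www.example.test, and the temporary directory are all constructed here, and `openssl` (1.1.1 or later, for `x509 -ext`) is assumed to be installed.

```shell
#!/bin/sh
# Added example: reproduce "error 20" on a lone leaf cert, then verify it the
# way the chain is meant to be checked. Everything is built from a constructed
# test CA in a temp dir; hostnames are placeholders.

WORK=$(mktemp -d)

make_chain() {
    # Constructed root -> intermediate -> leaf hierarchy (EC keys for speed).
    cat >"$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.test,DNS:www.example.test
EOF
    KEYOPT="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
    # Self-signed root: the trust anchor (stands in for the root in the OS store).
    openssl req -x509 -config "$WORK/ca.cnf" $KEYOPT -keyout "$WORK/root.key" \
        -out "$WORK/root.pem" -subj "/CN=Example Test Root" -days 30 >/dev/null 2>&1
    # Intermediate signed by the root (stands in for certbot's chain.pem).
    openssl req -new -config "$WORK/ca.cnf" $KEYOPT -keyout "$WORK/int.key" \
        -out "$WORK/int.csr" -subj "/CN=Example Test Intermediate" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -out "$WORK/int.pem" -days 30 \
        -extfile "$WORK/ca.cnf" -extensions ca_ext >/dev/null 2>&1
    # Leaf signed by the intermediate (stands in for cert.pem).
    openssl req -new -config "$WORK/ca.cnf" $KEYOPT -keyout "$WORK/leaf.key" \
        -out "$WORK/leaf.csr" -subj "/CN=mail.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -out "$WORK/leaf.pem" -days 30 \
        -extfile "$WORK/ca.cnf" -extensions leaf_ext >/dev/null 2>&1
    # Same layout certbot writes: chain.pem = intermediate, fullchain.pem = leaf + intermediate.
    cp "$WORK/int.pem" "$WORK/chain.pem"
    cat "$WORK/leaf.pem" "$WORK/int.pem" >"$WORK/fullchain.pem"
}

leaf_alone_fails() {
    # Mirrors `openssl verify cert.pem`: the leaf's issuer (the intermediate) is
    # neither in the trust store nor given on the command line, hence error 20.
    out=$(openssl verify "$WORK/leaf.pem" 2>&1 || true)
    case "$out" in
        *"unable to get local issuer certificate"*) return 0 ;;
    esac
    return 1
}

leaf_with_chain_ok() {
    # The invocation that works: intermediate as -untrusted, anchor as -CAfile.
    # For a real Let's Encrypt cert with the OS trust store this is simply
    # `openssl verify -untrusted chain.pem cert.pem`.
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/chain.pem" \
        "$WORK/leaf.pem" >/dev/null 2>&1
}

cert_has_name() {
    # $1 = PEM file, $2 = hostname. Clients match the hostname against the
    # subjectAltName DNS entries, so that list, not the CN, is what to check.
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed 's/^ *//' | grep -qx "DNS:$2"
}

cert_summary() {
    # Subject, SANs and validity window of the first certificate in a PEM file.
    openssl x509 -in "$1" -noout -subject -ext subjectAltName -dates
}

served_cert() {
    # What an IMAP server actually presents on 143 via STARTTLS (for implicit
    # TLS on 993 drop -starttls and use port 993). Needs network, so the
    # offline checks below do not call it.
    openssl s_client -connect "$1:143" -starttls imap -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -ext subjectAltName -dates
}

make_chain
leaf_alone_fails && echo "leaf alone: error 20, as in the post"
leaf_with_chain_ok && echo "leaf + chain.pem + root: OK"
cert_has_name "$WORK/fullchain.pem" mail.example.test && echo "SAN covers mail.example.test"
cert_summary "$WORK/fullchain.pem"
```

Run `served_cert mail.webl.com` (or whichever host Thunderbird is connecting to) and compare its subject, SAN list and dates with `cert_summary /etc/letsencrypt/live/mail.webl.com/fullchain.pem`; if the two differ, the daemon is not serving the file you think it is, and if the dates differ the process is still holding a certificate loaded before the rsync caught up.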