Different outputs from an openssl request depending on the port

I have different outputs from an openssl request depending on the port, and this differs from the certificates stored locally.

My domain is: numedicus.com, with alias domains of mail.cambridgejazz.org, mail.drugrepurposing.info, mail.numedicus.co.uk, mail.numedicus.com, mail.sirgartan.com, www.numedicus.com

I ran this command: 'openssl s_client -connect numedicus.com:443 | openssl x509 -noout -text | grep DNS:'

It produced this output: 'DNS:mail.cambridgejazz.org, DNS:mail.drugrepurposing.info, DNS:mail.numedicus.co.uk, DNS:mail.numedicus.com, DNS:mail.sirgartan.com, DNS:numedicus.com, DNS:www.numedicus.com'

So far, so good.

...but when I asked for a different port: openssl s_client -connect numedicus.com:993 | openssl x509 -noout -text | grep DNS:

It replied: DNS:mail.cambridgejazz.org, DNS:mail.numedicus.com, DNS:mail.sirgartan.com, DNS:numedicus.com, DNS:www.numedicus.com

In other words, mail.numedicus.co.uk and mail.drugrepurposing.info are missing from this output.

I am getting errors installing a Mozilla Thunderbird mail client on a machine that wants to d/l mail from mail.numedicus.co.uk.

When I type 'certbot certificates' on the server I get this reply on the status of the local certificates:

Certificate Name: numedicus.com
Serial Number: 3ef757dfc9f47xxx53ba525015668cb5c
Key Type: RSA
Domains: numedicus.com mail.cambridgejazz.org mail.drugrepurposing.info mail.numedicus.co.uk mail.numedicus.com mail.sirgartan.com www.numedicus.com
Expiry Date: 2024-02-26 17:45:32+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/numedicus.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/numedicus.com/privkey.pem

In other words, the full list of alias domains, including mail.numedicus.co.uk and mail.drugrepurposing.info, is there.

Similarly, when I go to SSL Checker, it lists the inclusion of mail.numedicus.co.uk on the numedicus.com certificate.

Why the difference? Is this a TTL issue? Would it help if I forced the renewal of the chain of trust?

My web server is: Apache/2.4.52 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 22.04 LTS

My hosting provider, if applicable, is: ISPConfig, self-hosted

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): ISPConfig

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

Thanks, David

Port 993 is IMAP and is (usually) completely separated from the webserver. You should check the IMAP server's configuration: where does it get the cert from?


No

Also no.

What's happening is that your IMAP server is using a different certificate than your web server. This cert likely would have shown up in the output of certbot certificates, but you only showed what it had to say about one of them. You'll need to configure your IMAP server to use the correct cert.

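Added example (not from any post in this thread): a small POSIX shell script that does what the diagnosis above asks for in a repeatable way. It pulls the SAN list from whatever certificate a given port actually serves, reads the SAN list of the certbot-managed file on disk, and reports the names missing from the served copy; it also compares SHA-256 fingerprints, which is a quicker equality test than diffing SAN lists. The host name, port and file path are the ones from this thread; the offline demo at the bottom reuses the two SAN lists the original poster pasted as constructed input, so nothing below needs network access to run.

```shell
#!/bin/sh
# Compare the certificate a service serves on HOST:PORT with the one certbot
# keeps on disk. Added example, not code from the thread or from certbot.

# SAN names of the certificate served on HOST:PORT (needs network + openssl).
# Port 993 is implicit TLS; for 143 or 587 add "-starttls imap" / "-starttls smtp".
sans_of_port() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -text | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# SAN names of a local PEM, e.g. /etc/letsencrypt/live/numedicus.com/fullchain.pem
sans_of_file() {
  openssl x509 -in "$1" -noout -text | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# SHA-256 fingerprints: equal fingerprints mean the service serves this exact file.
fingerprint_of_port() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}
fingerprint_of_file() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# Pure-text helper: print the names in EXPECTED that are absent from SERVED.
# Both arguments may be newline-separated or the "DNS:a, DNS:b" form that
# "openssl x509 -text | grep DNS:" prints.
normalise() {
  printf '%s\n' "$1" | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/^DNS://; /^$/d' | sort -u
}
missing_sans() {
  expected=$(normalise "$1")
  served=$(normalise "$2")
  printf '%s\n' "$expected" | while read -r name; do
    [ -n "$name" ] || continue
    printf '%s\n' "$served" | grep -qxF "$name" || printf '%s\n' "$name"
  done
}

# Constructed sample input: the two outputs quoted in the original question.
EXPECTED_443='DNS:mail.cambridgejazz.org, DNS:mail.drugrepurposing.info, DNS:mail.numedicus.co.uk, DNS:mail.numedicus.com, DNS:mail.sirgartan.com, DNS:numedicus.com, DNS:www.numedicus.com'
SERVED_993='DNS:mail.cambridgejazz.org, DNS:mail.numedicus.com, DNS:mail.sirgartan.com, DNS:numedicus.com, DNS:www.numedicus.com'

# Offline demo: prints mail.drugrepurposing.info and mail.numedicus.co.uk.
missing_sans "$EXPECTED_443" "$SERVED_993"

# Live use on the server (not run here):
#   missing_sans "$(sans_of_file /etc/letsencrypt/live/numedicus.com/fullchain.pem)" \
#                "$(sans_of_port numedicus.com 993)"
#   fingerprint_of_file /etc/letsencrypt/live/numedicus.com/fullchain.pem
#   fingerprint_of_port numedicus.com 993
```

Running the live comparison for each port a service listens on (443, 993, 587, 465) shows at a glance which daemon is still serving a stale certificate, which is exactly the situation the two posts above describe.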

Thanks for your help.

In /etc/postfix there is a smtpd.cert file (and a corresponding .key) linked to the letsencrypt live folder:

smtpd.cert -> /etc/letsencrypt/live/numedicus.com/fullchain.pem

In dovecot, the configuration file also points to this cert file for its ssl function.

I would therefore have thought that the mail server would use the same certificate that is shown from 'certbot certificates' under 'numedicus.com'.


I've restarted postfix and dovecot and it seems to have resolved the matter.

A simple solution, but thanks to the forum for pointing me in the right direction!


You should schedule their reload/restart periodically OR use a "deploy-hook" to automatically reload/restart them after each renewal.

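Added example (not from the thread, and not a certbot-supplied file): one way to implement the deploy-hook suggestion above. Certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal and exports RENEWED_LINEAGE (the live directory of the renewed certificate) and RENEWED_DOMAINS to it. The lineage name numedicus.com and the postfix/dovecot service names are taken from this thread; that the mail services use only that lineage is an assumption.

```shell
#!/bin/sh
# Certbot deploy hook: reload postfix and dovecot when the lineage they use
# has just been renewed. Install as
#   /etc/letsencrypt/renewal-hooks/deploy/reload-mail.sh   (chmod 0755)
# Added example, not a certbot-supplied file.

MAIL_LINEAGE=numedicus.com   # assumed: the lineage smtpd.cert and dovecot point at

# Return 0 when the renewed lineage is the one the mail services use, so a
# renewal of some unrelated certificate does not touch them.
should_reload() {
  [ "$(basename "$1")" = "$MAIL_LINEAGE" ]
}

# reload rather than restart: both daemons re-read their certificate files on
# reload without dropping established sessions.
reload_mail_services() {
  systemctl reload postfix dovecot
}

# Only act when invoked by certbot; RENEWED_LINEAGE is unset otherwise, so
# running the script by hand (or under a test harness) is a no-op.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  if should_reload "$RENEWED_LINEAGE"; then
    reload_mail_services
  fi
fi
```

The hook can be tried without waiting for a real renewal with certbot renew --dry-run --run-deploy-hooks, and the same effect in one line, without the lineage check, is certbot renew --deploy-hook "systemctl reload postfix dovecot". After the next renewal, the port comparison from earlier in the thread (openssl s_client against 443 and 993) should report identical SAN lists.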
