EXPIRED: Certificate 1 of 3 in chain

many · August 3, 2019, 2:58pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mail.sibex.com

I ran this command: https://www.checktls.com/ then put in my email domain

It produced this output: https://www.checktls.com/

My web server is (include version):

The operating system my web server runs on is (include version): Windows 2008r2

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

many · August 3, 2019, 3:02pm

Sorry I am new here. I have used the ZeroSSL.com site to generate the needed SSL certs for our Kerio mail server for about 2 years. For some reason my first cert of my chain is showing expired on 7/24/19. I don’t understand as I have done the same steps that I normally performed for the last 2 years. The https://mail.sibex.com comes up normally. The SSL checks out find. But when I go to https://checktls.com I get an error about:
EXPIRED: Certificate 1 of 3 in chain: Cert VALIDATION ERROR(S): certificate has expired
So email is encrypted but the recipient domain is not verified
Cert Hostname VERIFIED (mail.sibex.com = mail.sibex.com | DNS:mail.sibex.com)
Not Valid Before: Apr 24 21:44:57 2019 GMT
Not Valid After: Jul 23 21:44:57 2019 GMT

JuergenAuer · August 3, 2019, 3:10pm

Hi @many

did you restart your mail server?

many · August 4, 2019, 12:27am

@JuergenAuer Thank you for the response.

Yes I restarted the service and that changed nothing so I restarted the whole server and that changed nothing. I then stopped the mail services and manually added the cert and then started the service. I then went through the steps and requested a new cert on the off chance I goofed or the cert file was damaged. Nothing has changed this issue.

JuergenAuer · August 4, 2019, 6:37am

I don’t know how to configure that Kerio Mail server.

Yep, you have created a new certificate

Issuer	not before	not after	Domain names	LE-Duplicate
Let’s Encrypt Authority X3	2019-08-03	2019-11-01	mail.sibex.com - 1 entries	duplicate nr. 1
Let’s Encrypt Authority X3	2019-07-22	2019-10-20	mail.sibex.com - 1 entries
Let’s Encrypt Authority X3	2019-06-17	2019-09-15	autodiscover.sibex.com, cpanel.sibex.com, mail.sibex.com, sibex.com, webdisk.sibex.com, webmail.sibex.com, www.sibex.com - 7 entries

Only idea: Is this

seconds		test stage and result
[000.041]		Connected to server
[000.189]	<–	220 Cuda.Sibex.com ESMTP (e401d4190370f5d86452996e1017f190)
[000.189]		We are allowed to connect
[000.190]	–>	EHLO www6.CheckTLS.com
[000.246]	<–	250-Cuda.Sibex.com Hello www6.checktls.com [159.89.187.50], pleased to meet you

250-SIZE 100000000
250-STARTTLS
250-PIPELINING
250-8BITMIME
250 HELP|

the answer of your kerio? (Cuda.sibex.com)? Or is this another mail server?

many · August 5, 2019, 2:38pm

yes that is the mail filtering box.

many · August 6, 2019, 1:22pm

You fixed it for me. Or atleast pointed me in the direction. When I checked our filter it was still using the old cert. I updated that and then we were working correctly again. Thank you!

system · September 5, 2019, 8:54pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.