Expired Let's Encrypt certs on Icewarp - AGAIN

Huh? Bare bones host. No management or anything. Host is a local VOIP provider renting us some backbone. They are completely hands off.

Hi @TopperTom

then install one, so we can check the answer / firewall / routing.

Then use webroot with that webserver to create a certificate.

1 Like

Previous post says certbot creates it's own.

So I turned off the FW and it worked..(damn you MS!)

So now I have "fullchain.pem" and "privkey.pem". For the overwhelmed - are these "Server Certs" or "CA Certs". Icewarp let me import the "fullchain.pem" into CA Certs. I know this is not your realm (Icewarp) but any advice would be appreciated.

Thanks, Tom

1 Like


Webmail connect sees new cert. Says my computer date is incorrect.

Time on:
server is 3/8/21 2:16pm
PC 3/8/21 2:20pm

How close do they have to be?

1 Like

Let's Encrypt certs are backdated one hour.

I thought you said you tried that already?

1 Like

No. I was assuming there was a rule that was blocking. Just quicker to turn it off. Could well have been blocked by an IP block rule. My Icewarp authentication logs used to be full attempted logins so I started blocking IPs. Sometimes I block /16 and /8 ranges and may have been blocking certbot IP. If I new certbot IP, I could check logs.

So do I have to set all my PC clocks back an hour to be able to use webmail?

So how do I deal with the cert clock being backdated?

No, the backdate just means the cert is technically valid starting before it was actually issued. If you're having date/time issues, something else is wrong. Usually Windows crypto stuff is ok with time differences up to 5 min.

Have you checked the timezone settings on both systems?

Both are Pacific Time

Could you share a more specific error message about that? As @Osiris and @rmbolger mentioned, the certificate from Let's Encrypt is supposed to be valid from one hour before its issuance, meaning that if your computer's clock is less than 1 hour slow, it should be willing to accept the certificate immediately.

When trying to connect go https://go2email.topperfloats.com:32001/webmail/ I get this:

Your clock is ahead

A private connection to go2email.topperfloats.com can't be established because your computer's date and time (Monday, March 8, 2021 at 3:55:23 PM) are incorrect.


Thanks. While I'm not sure why the web browser chose to phrase the error message that way, that server is not serving your Let's Encrypt certificate, but rather a self-signed certificate (issued by the web server itself, not issued by a publicly-trusted CA like Let's Encrypt). That self-signed certificate, in addition to not being issued by a publicly-trusted CA, is very recently expired, so it's doubly invalid.

I'm sorry but I don't know what to do. Icewarp support is non-existent and I followed what I though was the certbot certificate creation. IW wouldn't import a .pem file generated by certbot but I got it to take as a CA Certificate.

I can almost live without a certificate for webmail as it isn't used much. However, all this certificate stuff has stopped me from being able to install Thunderbird on a machine that crapped out today (yeah, I needed that, too).

Would this self-signed cert be the problem with Thunderbird? Is it the CA certificate in Icewarp?

I'm sorry to be so troublesome here but I'm not versed in all this cert stuff and am running out of brain matter.

Here are screenshots of the IW certs....

I know absolutely zero about Icewarp, but the CA Certificates section is undoubtedly the wrong place for your Let's Encrypt cert. It should likely go into Server Certificates.

This support doc I just looked up might help.


Thanks for the reply. Had to repair a computer for our sales guy so now I can revisit this.

So, amidst all the angst, I figured out that my firewall is too tight causing certbot to fail. So I temporarily turned it off and managed to get the certbot certs for "mail.topperfloats.com" -

Icewarp docf says to append two files (copy private.pem+signedkey.pem mycert.pem). Which of the four files should I combine?

1 Like

privkey.pem and fullchain.pem should be what you need.

1 Like

It worked! Web session to mail server is no longer complaining about my computer clock being wrong and Thunderbird talks nice to Icewarp.

Imported the combined file (toppercert.pem) made it the default in Icewarp.

So much easier when I don't have users breathing down my neck about their missing computer....:slight_smile:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.