Fail on renewal

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: webologix.com
The problem concerns mail addresses on webologix.com

I ran this command:
certbot renew

It produced this output:

The following certs are not due for renewal yet:
/etc/letsencrypt/live/joomla-development.eu/fullchain.pem expires on 2020-09-22 (skipped)
/etc/letsencrypt/live/ks307144.kimsufi.com/fullchain.pem expires on 2020-09-25 (skipped)
/etc/letsencrypt/live/mon-voyage-a-cuba.com/fullchain.pem expires on 2020-09-22 (skipped)
/etc/letsencrypt/live/webologix.com/fullchain.pem expires on 2020-09-22 (skipped)
No renewals were attempted.

My web server is (include version):
apache 2.4

The operating system my web server runs on is (include version):
Debian 9

My hosting provider, if applicable, is:
OVH

I can login to a root shell on my machine (yes or no, or I don’t know):
YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No more

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
0.31.0

Everything had been working for months, but today Thunderbird started to complain about my IMAP server: ks307144.kimsufi.com:143 is rejected by Thunderbird saying “Outdated Information” and it wouldn’t let me see the certificate.
How can I see the certificate presented by my server to Thunderbird?

Hi @kmc

There is an expired certificate, expired yesterday.

Update your Dovecot.

You could use openssl if you like:

$ openssl s_client -connect ks307144.kimsufi.com:143 -starttls imap -showcerts 2>/dev/null | openssl x509 -noout -subject -issuer -dates
subject=CN = ks307144.kimsufi.com
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
notBefore=May 20 13:19:52 2020 GMT
notAfter=Aug 18 13:19:52 2020 GMT

But yes, you will likely want to restart Dovecot, and probably add a --deploy-hook "service dovecot reload" or something to Certbot.

Thanks! Restarting server services did the trick.

Great! Thanks!

So I'd like to restart services after any renewal. How should I do that?

That's not the certificate your Dovecot sends. There is the old certificate.

Maybe you have to restart your Dovecot.

Use OpenSSL to check your Dovecot; there you see your old certificate.

Yes, restarting mail services did it. How can I do that automatically after each renewal with certbot?

You already have the answer.

Added --deploy-hook "service dovecot reload" to the certbot command I have in crontab:

  * 7,19 * * * certbot -q --deploy-hook "service dovecot reload" renew

Hope it will work next renewal
Thank you all
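
The failure in this thread is a mail service that keeps serving the old certificate from memory after Certbot has renewed the file on disk. The Python script below is an added example, not code from the thread or from Certbot: it compares the certificate presented after IMAP STARTTLS with the leaf certificate in the on-disk fullchain.pem. The function names are assumptions of this example.

```python
"""Added example: is the IMAP service still serving a certificate older than the one on disk?"""
import hashlib
import imaplib
import ssl
import sys

PEM_END = "-----END CERTIFICATE-----"


def leaf_fingerprint(fullchain_pem: str) -> str:
    """SHA-256 of the first (leaf) certificate in a fullchain.pem-style bundle."""
    leaf = fullchain_pem.strip().split(PEM_END, 1)[0] + PEM_END
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(leaf)).hexdigest()


def served_fingerprint(host: str, port: int = 143) -> str:
    """SHA-256 of the certificate the server presents after IMAP STARTTLS."""
    ctx = ssl.create_default_context()
    # Validation is disabled only so that an expired certificate can still be
    # fetched and inspected; no credentials are sent over this connection.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = imaplib.IMAP4(host, port)
    try:
        conn.starttls(ssl_context=ctx)
        der = conn.sock.getpeercert(binary_form=True)
    finally:
        conn.shutdown()
    return hashlib.sha256(der).hexdigest()


def needs_reload(served_fp: str, fullchain_pem: str) -> bool:
    """True when the running service has not picked up the on-disk certificate."""
    return served_fp != leaf_fingerprint(fullchain_pem)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} HOST /path/to/fullchain.pem")
    host, path = sys.argv[1], sys.argv[2]
    with open(path, encoding="ascii") as fh:
        stale = needs_reload(served_fingerprint(host), fh.read())
    print("STALE: reload the mail service" if stale else "OK: served cert matches disk")
    sys.exit(1 if stale else 0)
```

Run as root (the live directory is not world-readable) with the host and the lineage path from the renew output, for example ks307144.kimsufi.com and /etc/letsencrypt/live/ks307144.kimsufi.com/fullchain.pem; exit status 1 means the service needs a reload.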
