Gmail & Roundcube say "Leaf certificate is expired" but LE says it's fine

My domain is: pop3.hatters.org.uk

I ran this command:
sudo openssl x509 -in /etc/letsencrypt/live/pop3.hatters.org.uk/cert.pem -text -noout

It produced this output:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:0e:0c:9b:1b:8e:a3:d8:5b:65:5e:c2:cb:29:fb:7c:53:0a
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Dec 24 22:29:17 2019 GMT
            Not After : Mar 23 22:29:17 2020 GMT
        Subject: CN=pop3.hatters.org.uk
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

My web server is: none (this is a mail server)

The operating system Ubuntu 16.04.6 LTS

My hosting provider: Jump Networks Ltd

I can login to a root shell on my machine: yes

I’m using a control panel to manage my site: no

The version of my client is: 0.31.0

I am using Gmail as a POP3 client to pick up mail over port 995. This has been working fine until today, when it failed with "Server returned error 'SSL error: Leaf certificate is expired'". Similarly, when I tried logging in using the Roundcube webmail system, I see this in the log:

Could not connect to ssl://smtp.hatters.org.uk:993: Unknown reason

Certbot --renew (and the above command) confirm that the cert doesn’t need renewing.

Has anyone else experienced this happening?


Hi @gilgongo,

Certbot doesn’t have any built-in integrations related to installing certificates in Dovecot, which is the software that’s listening on port 993 here. That means that although the new certificate is present on your server’s hard drive, Certbot hasn’t done anything to tell Dovecot to notice and start using the new certificate.

You can probably make this work with a command like service dovecot reload. If that works, you can also specify it to Certbot with the --deploy-hook command so that Certbot will remember to run that command automatically after a certificate is successfully renewed, so that it will then know how to inform Dovecot about the new certificate.

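The reply above describes the fix in words: Certbot writes the renewed files to disk, but Dovecot keeps serving the certificate it loaded at startup until it is told to reload. The script below is an added example of a Certbot deploy hook that does exactly that; it is not code from the thread or from the Certbot or Dovecot projects. It relies on the RENEWED_LINEAGE and RENEWED_DOMAINS environment variables that Certbot exports to deploy hooks, reloads Dovecot only when the lineage containing the mail hostname was actually renewed, and refuses to reload if the renewed chain is already expired (which would replace a bad certificate with another bad one). The hostname and the `service dovecot reload` command are taken from the thread; the function names are my own.

```shell
#!/bin/sh
# Certbot deploy hook: make Dovecot pick up a freshly renewed certificate.
# Certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<name>) and
# RENEWED_DOMAINS (space-separated) before running deploy hooks.

# Hostname whose certificate Dovecot serves (taken from the thread).
MAIL_HOST="pop3.hatters.org.uk"

# domains_include LIST NAME: succeed (0) if the space-separated LIST has NAME.
domains_include() {
    for d in $1; do
        [ "$d" = "$2" ] && return 0
    done
    return 1
}

# decide_action RENEWED_DOMAINS MAIL_HOST: print "reload" when the renewed
# lineage covers the mail host, otherwise "skip". Kept free of side effects
# so it can be exercised without root and without a running Dovecot.
decide_action() {
    if domains_include "$1" "$2"; then
        echo reload
    else
        echo skip
    fi
}

# Only act when Certbot invoked us (RENEWED_DOMAINS is set by Certbot).
if [ -n "${RENEWED_DOMAINS:-}" ]; then
    if [ "$(decide_action "$RENEWED_DOMAINS" "$MAIL_HOST")" = reload ]; then
        # Sanity check before reloading: the new chain must not already be
        # expired (-checkend 0 fails if the notAfter date has passed).
        openssl x509 -in "$RENEWED_LINEAGE/fullchain.pem" -noout -checkend 0 \
            || { echo "renewed certificate is not valid, not reloading" >&2; exit 1; }
        # Tell Dovecot to re-read its configuration and the new certificate.
        service dovecot reload
    fi
fi
```

Install it with execute permission under /etc/letsencrypt/renewal-hooks/deploy/, where Certbot runs every script after a successful renewal, or pass it once as `--deploy-hook /path/to/script` so Certbot records it in the lineage's renewal configuration. To confirm that Dovecot is actually serving the new certificate (rather than the one on disk, which is what the `openssl x509 -in cert.pem` command in the question inspects), compare the notAfter date from `openssl s_client -connect pop3.hatters.org.uk:995 </dev/null 2>/dev/null | openssl x509 -noout -dates` with the one in the live directory; if they differ, the reload has not happened.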

Ah - thanks! That worked. I'll add that --deploy-hook

