I don't know how to renew a certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mail.mpec.mielec.pl

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Without any information about your system we (the community) don't know either. Your cert was last renewed in July: https://crt.sh/?q=mail.mpec.mielec.pl

4 Likes

Hi @mpec, and welcome to the LE community forum 🙂

How did you obtain the current cert?

4 Likes

Sorry, I'm the new IT person at the company, and the previous one didn't tell me how to do it; today the email stopped working because of this certificate.
The mail server is Ubuntu 18.04.6 LTS and the domain server is Windows Server 2012 R2.

Which system receives the incoming HTTP requests?
Is there a firewall/NAT device?

4 Likes

Windows Server 2012, and we have a Fortigate firewall.

Which is the mail server?
Is IIS installed on the Win2K12 server?

4 Likes

Ubuntu only has the mail server with Zentyal software; the rest of the stuff runs on Windows Server.

If the W2K12 isn't using port 80, you could have the FG firewall direct the incoming HTTP requests directly to the Ubuntu system.
There it could run an ACME client and obtain/manage the required mail cert.
Who is the firewall admin?

4 Likes

I'm the admin on the firewall.

Good.
Do you know how to accept and NAT the incoming HTTP requests to the Ubuntu system?

3 Likes

First: Is the Ubuntu system (already) running anything on TCP port 80?

Who is the Ubuntu admin?
Show:
sudo netstat -plnt | grep ':80'

3 Likes

I'm sorry for the trouble, but I found a solution. I just renewed the certificate in Fortigate and it works. Thanks for the help.

1 Like

Not so sure about that. If I connect to your SMTP server on mail.mpec.mielec.pl:25 with STARTTLS, I'm getting a verification problem, because your Fortigate seems to be sending an untrusted certificate, not the one from Let's Encrypt:

 0 s:C = US, ST = Undefined, L = Undefined, O = MPEC Sp. z o.o. w Mielcu, CN = mail.mpec.mielec.pl
   i:C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = Fortinet Untrusted CA, emailAddress = support@fortinet.com

Same goes for the "submission" port on port 587 and SMTPS on port 465, where the latter is by the way improperly configured. Port 465 is the SMTP port with implicit TLS (so NO STARTTLS, but TLS from the beginning), but your port 465 is responding just like port 25/587.

And your Fortigate on HTTPS port 443 is serving a self-signed cert:

 0 s:O = Fortinet Ltd., CN = FortiGate
   i:O = Fortinet Ltd., CN = FortiGate
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 30 05:12:26 2023 GMT; NotAfter: Sep  1 05:12:26 2025 GMT

Not sure if that's a problem or not for you.

2 Likes
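The two findings in the reply above can be checked programmatically. This is an added example, not code from the thread: the first helper parses `openssl s_client` chain lines and names who issued the leaf certificate, the second detects the port-465 problem from whether the server sends a plaintext banner before any TLS handshake. Function names are mine; the sample chain is the one quoted above.

```python
import re
import socket
# Constructed sample: the SMTP chain lines quoted above, as openssl s_client prints them.
SMTP_CHAIN = """\
 0 s:C = US, ST = Undefined, L = Undefined, O = MPEC Sp. z o.o. w Mielcu, CN = mail.mpec.mielec.pl
   i:C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = Fortinet Untrusted CA, emailAddress = support@fortinet.com
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] from the 's:'/'i:' lines, leaf certificate first."""
    chain, subject = [], None
    for line in text.splitlines():
        m = re.match(r"\s*(?:\d+\s+)?([si]):(.*)", line)
        if m and m.group(1) == "s":
            subject = m.group(2).strip()
        elif m and subject is not None:
            chain.append((subject, m.group(2).strip()))
            subject = None
    return chain

def rdn(dn, attr):
    """Pull one attribute (e.g. 'O' or 'CN') out of an openssl-style comma-separated DN."""
    m = re.search(r"(?:^|, )" + re.escape(attr) + r" = ([^,]*)", dn)
    return m.group(1) if m else None

def diagnose_leaf(chain):
    """Tell a Let's Encrypt leaf apart from a self-signed or firewall-issued one."""
    subject, issuer = chain[0]
    if subject == issuer:
        return "self-signed leaf"
    org, cn = rdn(issuer, "O"), rdn(issuer, "CN")
    if org == "Let's Encrypt":
        return "leaf issued by Let's Encrypt"
    if org and "fortinet" in org.lower():
        return f"leaf issued by firewall CA '{cn}': clients will not trust it"
    return f"leaf issued by '{issuer}'"

def classify_465_greeting(first_bytes):
    """Implicit-TLS servers stay silent until the client starts the handshake; a '220' banner means plain SMTP."""
    if first_bytes.startswith(b"220"):
        return "plaintext SMTP banner: port behaves like 25/587, not implicit TLS"
    return "silent: consistent with implicit TLS" if not first_bytes else "unexpected data"

def peek_465(host, port=465, timeout=3):
    """Live check (needs network): connect and see whether the server speaks first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return classify_465_greeting(s.recv(64))
        except socket.timeout:
            return classify_465_greeting(b"")
```

Run `peek_465("mail.example.com")` against your own host after fixing the configuration; a correctly configured port 465 reports "silent".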

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.