Internet Security Warning


#1

I just renewed my certificate for my private email server. The tiny icon next to the https shows the site is current and secure. However, my iPhone, iPad and Outlook all do not recognize the renewal. They are all throwing warnings. Outlook shows “Internet security warning” and shows the old expired cert. iPhone and iPad will not accept the cert, which led me to a draconian solution: delete and reinstall the email accounts.

I am stuck. There is no clear answer online. The certificate is valid and current. None of my endpoints recognize the change. I use Let's Encrypt with an AWS server using iRedMail. Also using Cloudflare CDN. And why is the cert period so short – 3 months?

How to solve.


#2

You sure? What’s the email server’s hostname?

Alternatively, check the dates with:

openssl s_client -connect MY-MAIL-SERVER.EXAMPLE:995 -servername MY-MAIL-SERVER.EXAMPLE -showcerts | openssl x509 -noout -dates

(replace MY-MAIL-SERVER.EXAMPLE in both instances with your mail server’s hostname).


#3

I guess you might need to reload / restart your mail server?? (Since the previous post suggested that the certificate is correct on https.)

Thank you


#4

OK, now even stranger. https://mail.philipleemillermd.com/ is secure and the certificate is not expired. But I use your command line and it says the cert has expired. I ran letsencrypt certonly twice now and the routine was successful. It says it updated the server cert. Restarted Apache and rebooted. Your command line still shows the expired cert.

So … somewhere there is a dupe or something. Closer to an answer but this makes no sense.


#5

The answer is probably “Dovecot is using a copy of the certificate that doesn’t get updated after renewal”.

grep -R ssl_cert /etc/dovecot

#6

Thank you! Closer. What is the default location for the updated letsencrypt cert? I can see more than one copy in several locations. So there were dupes. I need to change a few lines in the conf file:

/etc/letsencrypt/renewal/xxxxxx.conf


#7

The latest copy of the certificate is always stored at:

/etc/letsencrypt/live/example.org/fullchain.pem

and its private key:

/etc/letsencrypt/live/example.org/privkey.pem

So you should set your ssl_cert and ssl_key values to those paths, respectively.

Keep in mind that Dovecot has to be reloaded/restarted to pick up the new certificate/key, at every renewal.


#8

5 stars!!! I found it. It was a few lines in dovecot.conf. It was referencing the wrong directory for renewed certs. So the server was secure but dovecot email intercepted the wrong and outdated certs.

You were so targeted in your suggestions.

so many thanks


#9

Well, I am still seeing a “certificate expired” in Outlook although all command line routines show the cert is valid and not expired. There is a DST Root CA which may be a different cert authority than Letsencrypt.

Makes no sense.


#10

This is pretty hard for us to help diagnose unless you tell us the real hostname.

The DST root is one used by Let’s Encrypt.

If you were seeing a problem with the root, the error message that you would get would normally be something different, like “untrusted” or “unknown authority”, rather than “expired”.


#11

_az had the most answers. Very direct, targeted, and right on.

As I’ve mentioned previously, you can look at the server name and see that the certificate is totally valid. That is not the problem. That is how I started this thread.
Apparently, it is something about the way dovecot interprets and grabs some other certificate.

mail.philipleemillermd.com


#12

Oh, sorry, I didn’t see that you had posted it above!

Is it working properly in all of your clients except for Outlook now?


#13

Yes. You can see the dilemma. The server is fully certified with an up-to-date certificate. I am no longer having problems with iPhone or iPad. But Outlook 2007 still gives me “Internet security warning”. That is the title of this thread. It’s easy to simply click yes, allow this exception. But I can’t figure out why Outlook is not recognizing the updated certificate. Where is it finding an expired certificate?


#14

Often when we’ve heard reports of warnings from outlook, the problem is not the email server, but embedded images inside emails. That is, if someone sends you an email with an embedded image, and that image is on a site with an expired certificate, you might get a warning from Outlook. Next time you get one of these warnings, check out the email you’ve been viewing - does it have any obvious image embeds? If so, copy the image URL into a browser to see what message you get.

Note that if you don’t see an image, there might still be a transparent 1x1 pixel. You can also try viewing the email source and searching for <img tags.


#15

I wonder if I could enlist _az again. This is a guess and not the problem. It is obvious, as I have maintained from the beginning, that the server is fully authenticated with an up-to-date certificate. How is Outlook finding this expired certificate?

Outlook now gives me Internet security warning only at the time that I send an email.


#16

I also see that problem when testing that service, but that would be a matter for your Postfix configuration rather than Dovecot.


#17

Hi @lancelot,

As @schoen said, your dovecot server is using the right certificate (this certificate is valid till 6th Feb and covers mail.philipleemillermd.com and philipleemillermd.com). The problem is in your postfix conf: your mail server is using the expired cert that only covers mail.philipleemillermd.com, so review the postfix conf to check that you are using the right path to your latest certificate and private key and that you have reloaded/restarted it.

Cheers,
sahsanu
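The whole thread comes down to one diagnostic that was done by hand, port by port: the web server on 443 served the renewed certificate while Dovecot (993/995) and then Postfix (587) kept serving stale copies. The script below does that check for every TLS endpoint of a mail host at once, reports which ones fail verification (with OpenSSL's reason, e.g. "certificate has expired"), and compares each daemon's leaf certificate against the one certbot keeps in /etc/letsencrypt/live/<host>/fullchain.pem. It is an added example, not code from any of the posts above; the service list, the timeout and the default on-disk path are assumptions, and the "openssl" binary is only used to print notAfter for certificates that failed verification (the ssl module will not parse those).

```python
"""Probe every TLS port of a mail host and compare what each daemon serves
with the certificate certbot wrote at the last renewal.

Added example for this thread, not code from the posts. Assumptions: the
iRedMail-style port list below, a 10 s timeout, and that the leaf is the
first block of /etc/letsencrypt/live/<host>/fullchain.pem.
"""
import hashlib
import imaplib
import smtplib
import socket
import ssl
import subprocess
import sys
import time

# (port, STARTTLS protocol or None for implicit TLS); assumed typical iRedMail layout.
SERVICES = [(443, None), (993, None), (995, None), (465, None),
            (587, "smtp"), (143, "imap")]

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the layout openssl x509 prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def first_pem_block(text: str) -> str:
    """First CERTIFICATE block of a PEM bundle: the leaf in fullchain.pem."""
    start = text.index(BEGIN)
    end = text.index(END, start) + len(END)
    return text[start:end] + "\n"


def is_expired(not_after: str, now=None) -> bool:
    """not_after in OpenSSL notation, e.g. 'Feb  6 12:00:00 2021 GMT'."""
    return ssl.cert_time_to_seconds(not_after) < (time.time() if now is None else now)


def not_after_of(der: bytes) -> str:
    """Ask the openssl CLI for notAfter; needed when verification failed."""
    out = subprocess.run(["openssl", "x509", "-inform", "DER", "-noout", "-enddate"],
                         input=der, capture_output=True, check=True).stdout
    return out.decode().strip().split("=", 1)[1]


def _handshake(host, port, starttls, ctx, timeout=10) -> bytes:
    """Complete a handshake (STARTTLS where needed); return the leaf as DER."""
    if starttls == "smtp":
        s = smtplib.SMTP(host, port, timeout=timeout)
        try:
            s.starttls(context=ctx)                  # smtplib sends SNI = host
            return s.sock.getpeercert(binary_form=True)
        finally:
            s.close()
    if starttls == "imap":
        c = imaplib.IMAP4(host, port, timeout=timeout)  # timeout kwarg: Python 3.9+
        try:
            c.starttls(ssl_context=ctx)
            return c.sock.getpeercert(binary_form=True)
        finally:
            c.shutdown()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname is the SNI name, what -servername sets in s_client.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fetch_cert(host, port, starttls=None):
    """Return (der, verify_error). verify_error is None when a default,
    verifying context accepts the chain; otherwise it is OpenSSL's reason
    (e.g. 'certificate has expired') and the cert is re-fetched without
    verification so the stale copy can still be fingerprinted."""
    ctx = ssl.create_default_context()
    try:
        return _handshake(host, port, starttls, ctx), None
    except ssl.SSLCertVerificationError as exc:
        reason = exc.verify_message
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return _handshake(host, port, starttls, ctx), reason


def probe(host: str, disk_pem=None) -> dict:
    """Map port -> (fingerprint, notAfter, verify_error, matches_disk)."""
    disk_pem = disk_pem or f"/etc/letsencrypt/live/{host}/fullchain.pem"
    with open(disk_pem) as f:
        on_disk = sha256_fingerprint(ssl.PEM_cert_to_DER_cert(first_pem_block(f.read())))
    results = {}
    for port, starttls in SERVICES:
        try:
            der, err = fetch_cert(host, port, starttls)
        except (OSError, smtplib.SMTPException, imaplib.IMAP4.error) as exc:
            print(f"{port:>4}: unreachable ({exc})")
            continue
        fp = sha256_fingerprint(der)
        results[port] = (fp, not_after_of(der), err, fp == on_disk)
        flag = "OK" if fp == on_disk else "STALE COPY"
        print(f"{port:>4}: {flag:10} notAfter={results[port][1]} verify={err or 'ok'}")
    return results


if __name__ == "__main__":
    probe(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
```

Run it on the mail host as `python3 probe_mail_tls.py mail.example.org` (an assumed file name). Any port reported as STALE COPY belongs to a daemon whose configuration (Dovecot's `ssl_cert`/`ssl_key`, Postfix's `smtpd_tls_cert_file`/`smtpd_tls_key_file`) points at a copied certificate rather than the `/etc/letsencrypt/live/...` paths, or that has not been reloaded since the renewal; a port that matches on disk but still fails verification means the file on disk itself is wrong. Because the script does the first handshake with a verifying context, what it prints under `verify=` is the same judgement a mail client makes, which is why 443 can be "ok" while 995 or 587 says "certificate has expired". Certbot runs any executable placed in `/etc/letsencrypt/renewal-hooks/deploy/` after a successful renewal, which is the natural place for the Dovecot and Postfix reload that post #7 says must happen every time.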