Mail Server Certificate Expired and Is Not Utilizing Newest Generated Cert

Today - during the course of the day - I'm suddenly getting a note from my Apple Mail client that my server's identity cannot be verified.

My domain is: mail.kukulies.org

First I was thinking of some Let's Encrypt or certbot issue, but my actual Let's Encrypt certificate says it's valid from October 1 and expires Dec 30th, 2022. So it can't be a Let's Encrypt issue.

But I hope I'm getting help here nonetheless.

Neither Let's Encrypt's current intermediate nor root has expired today.

Let's Encrypt's current intermediate, R3, is valid until Sep 15 16:00:00 2025 GMT.

Let's Encrypt's current root certificate, ISRG Root X1, is valid until Jun 4 11:04:38 2035 GMT.

You have a certificate (this one) that is valid until Oct 30 16:13:25 2022 GMT - exactly the same time as your screenshot.

You do indeed have a newer certificate (this one), valid until Dec 30 06:16:01 2022 GMT. However, the screenshot suggests that your mail service is not using this new certificate. The error message indicates that some of your services are still using the older, expired certificate.

You may need to restart IMAP/POP/Exchange servers, depending on what you are using. With the limited amount of info you have given us it is hard to give more information.


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

6 Likes

What do you mean?

❯ openssl s_client -connect mail.kukulies.org:25 -starttls smtp
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.kukulies.org
verify return:1
---
Certificate chain
 0 s:CN = mail.kukulies.org
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct  1 06:16:02 2022 GMT; NotAfter: Dec 30 06:16:01 2022 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFYjCCBEqgAwIBAgISA/h+RhHJxwZNg/EG21ys9KNwMA0GCSqGSIb3DQEBCwUA
3 Likes

certbot --version
certbot 0.31.0

DISTRIB_DESCRIPTION="Ubuntu 18.04.6 LTS"

Do this. Your SMTP server is using the proper certificate, but your IMAP server is using an expired one. Tell your IMAP server to use the new certificate.

❯ openssl s_client -connect mail.kukulies.org:993
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.kukulies.org
verify error:num=10:certificate has expired
notAfter=Oct 30 16:13:25 2022 GMT
verify return:1
depth=0 CN = mail.kukulies.org
notAfter=Oct 30 16:13:25 2022 GMT
verify return:1
---
Certificate chain
 0 s:CN = mail.kukulies.org
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug  1 16:13:26 2022 GMT; NotAfter: Oct 30 16:13:25 2022 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgISAzYNq2x7SDKxOJZWgc8MNWHAMA0GCSqGSIb3DQEBCwUA
5 Likes

I rebooted the server. Did not change anything else. Issued

openssl s_client -connect mail.kukulies.org:993

from my Mac at home, and the command hangs, or rather bails out, after hitting return 3 times.

---
read R BLOCK
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

* BAD Error in IMAP command received by server.

* BAD Error in IMAP command received by server.

* BYE Too many invalid IMAP commands.
closed
1 Like

That's expected and it's not a TLS error. You are not typing IMAP commands.

Is it Dovecot? How did you install the TLS certificate?

1 Like

Dovecot is part of the game. I only have in /etc/postfix/main.cf:

#### TLS parameters ######
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.kukulies.org/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.kukulies.org/privkey.pem

Wonder where I have buried the IMAP certificate. Dovecot's /etc/dovecot/conf.d/10-ssl.conf contains

ssl_cert = </etc/letsencrypt/live/mail.kukulies.org/cert.pem
ssl_key = </etc/letsencrypt/live/mail.kukulies.org/privkey.pem

# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
#ssl_key_password =

# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
ssl_ca = </etc/letsencrypt/live/mail.kukulies.org/fullchain.pem

But this "fullchain.pem" gives:

Not Before: Oct  1 06:16:02 2022 GMT
Not After : Dec 30 06:16:01 2022 GMT

fullchain.pem doesn't contain this.

1 Like

And isn't relevant. That's for client authentication. ssl_ca shouldn't be set, usually, unless you require client authentication using certificates, which is uncommon.

3 Likes

I would try:

ssl_cert = /etc/letsencrypt/live/mail.kukulies.org/fullchain.pem
ssl_key  = /etc/letsencrypt/live/mail.kukulies.org/privkey.pem
ssl_ca   = 
2 Likes

I changed the configuration according to your suggestion. How can I test it?

The < in the directive is actually a Dovecot thing which should be required.

5 Likes

That's what I actually did:

ssl_cert = </etc/letsencrypt/live/mail.kukulies.org/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.kukulies.org/privkey.pem
ssl_ca =
1 Like

After restarting Dovecot [or the server], retry your:

3 Likes

...Apple Mail client. Yes, no more error messages when connecting and fetching IMAP email.

But I actually asked for a kind of openssl command to test the certificate.

That depends.

A mail server uses several ports:

PORT    STATE SERVICE
25/tcp  open  smtp
110/tcp open  pop3
143/tcp open  imap
465/tcp open  smtps
587/tcp open  submission
993/tcp open  imaps
995/tcp open  pop3s

If you're testing 465, 993 or 995 you can just use

openssl s_client -connect mail.example.com:port

Otherwise, you'll have to use starttls

openssl s_client -connect mail.example.com:port -starttls pop3|imap|smtp

It will then wait for commands. Press Ctrl-D to close.

4 Likes
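A way to run that check across every port in the table at once, so a Postfix/Dovecot mismatch like the one in this thread shows up in a single run. This is an added example, not something posted in the thread; it assumes openssl(1) is on the path and uses MAILHOST as a placeholder for the host to test.

```shell
#!/bin/sh
# Added example (not from the thread): report the certificate each mail service
# actually presents. Assumes openssl(1) is installed; MAILHOST is a placeholder.

# Map a mail port to the -starttls option openssl s_client needs. The
# implicit-TLS ports (465/993/995) negotiate TLS at once and need no option.
starttls_opt() {
    case "$1" in
        25|587)      printf '%s\n' "-starttls smtp" ;;
        110)         printf '%s\n' "-starttls pop3" ;;
        143)         printf '%s\n' "-starttls imap" ;;
        465|993|995) printf '\n' ;;
        *) printf 'unsupported port %s\n' "$1" >&2; return 1 ;;
    esac
}

# Read s_client's text output on stdin and print the leaf (depth 0)
# certificate's NotAfter. Handles both the OpenSSL 3 chain listing
# ("v:NotBefore ...; NotAfter: ...") and the "notAfter=" line that
# accompanies a verify error, as in the port 993 output earlier in the thread.
leaf_not_after() {
    awk '/^ 0 s:/ { leaf = 1 }
         /^ 1 s:/ { leaf = 0 }
         leaf && /NotAfter:/ { sub(/.*NotAfter: */, ""); print; exit }
         /^notAfter=/ { sub(/^notAfter=/, ""); print; exit }'
}

# Fetch the certificate one port presents and say whether it has expired;
# `openssl x509 -checkend 0` exits non-zero once NotAfter is in the past.
check_mail_port() {
    host=$1; port=$2
    opt=$(starttls_opt "$port") || return 1
    pem=$(openssl s_client -connect "$host:$port" -servername "$host" $opt \
            </dev/null 2>/dev/null | openssl x509 2>/dev/null) || {
        printf '%s:%s  no certificate received\n' "$host" "$port"; return 1; }
    end=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate | sed 's/^notAfter=//')
    if printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null; then
        printf '%s:%s  valid until %s\n' "$host" "$port" "$end"
    else
        printf '%s:%s  EXPIRED %s\n' "$host" "$port" "$end"
    fi
}

# Check every port from the table above when MAILHOST is set, e.g.
#   MAILHOST=mail.kukulies.org sh check_mail_certs.sh
if [ -n "${MAILHOST:-}" ]; then
    for p in 25 110 143 465 587 993 995; do check_mail_port "$MAILHOST" "$p"; done
fi
```

Ports that are closed or not running a mail service are reported as "no certificate received" rather than aborting the run.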

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.