I've had certificate issues on my mail subdomain, where I have my postfix and dovecot server set up.
I copied the certificates from my old server, and have been having issues since. I'm including my last command that's relevant to the current state of the certificate.
My domain is: bonsai.cool
I ran this command: certbot --nginx certonly -d mail.bonsai.cool
It produced this output: (no apparent error here)
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/mail.bonsai.cool.conf)
What would you like to do?
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for mail.bonsai.cool
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/mail.bonsai.cool/fullchain.pem
Key is saved at: /etc/letsencrypt/live/mail.bonsai.cool/privkey.pem
This certificate expires on 2025-06-01.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
If you like Certbot, please consider supporting our work by:
- Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
- Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation
After these, I've still had issues with mail clients connecting. Here I'm running openssl for diagnostic purposes from my own machine:
openssl s_client -connect bonsai.cool:smtp -starttls smtp
I get this output:
Connecting to 152.53.131.76
CONNECTED(00000003)
depth=0 CN=bonsai.local
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN=bonsai.local
verify return:1
Certificate chain
0 s:CN=bonsai.local
i:CN=bonsai.local
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Mar 2 19:32:19 2025 GMT; NotAfter: Feb 28 19:32:19 2035 GMT
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=CN=bonsai.local
issuer=CN=bonsai.local
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
SSL handshake has read 1583 bytes and written 442 bytes
Verification error: self-signed certificate
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
250 CHUNKING
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 599BCA7E10C803B48ADA37639D8AEB2D7B22F990D2E383814DDDCF5C170219EF
Session-ID-ctx:
Resumption PSK: C480D09515AC7E5DF669786D68507FD25AF2B44D88E649111A17CD4B5BAE51C893AA8DC02B8C22CDA3C76453CCD23EDB
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - fa 50 a9 f8 b5 1b dd f2-19 4c 8b f1 df c2 1a 75 .P.......L.....u
0010 - 02 62 eb 4b 7c 73 24 a7-cd 8f 0c 79 0c e2 d7 89 .b.K|s$....y....
0020 - 51 1f 0e 33 9f fb 0b 46-e7 98 c3 5c dd 00 aa 77 Q..3...F......w
0030 - 6e 86 d3 ca 96 4f af 2a-85 14 be 70 8a 11 55 96 n....O.*...p..U.
0040 - 8b 5b 83 b0 40 0f c4 3a-8b 2b 2e b8 55 59 a1 36 .[..@..:.+..UY.6
0050 - 5f 45 07 9f eb f1 9c e2-5d ed 19 d7 a6 99 0a fb _E......].......
0060 - 6b 4a 82 c2 c3 d1 2d 7e-39 5b b3 af f4 9e 13 f7 kJ....-~9[......
0070 - a2 52 60 e0 93 eb b7 77-78 f4 2b ea 8c f8 83 c5 .R`....wx.+.....
0080 - b5 15 c2 0d 9e 3e ea 58-c8 74 82 d0 09 93 eb e5 .....>.X.t......
0090 - e2 22 24 62 2b fd 43 62-e7 0a 46 be 22 a9 62 25 ."$b+.Cb..F.".b%
00a0 - 93 00 e5 c0 3e 7f d9 22-20 ee 4d 89 6b a7 d5 d7 ....>.." .M.k...
00b0 - d6 ae fb fd 4e c5 18 74-72 a8 db be 88 d2 8b fa ....N..tr.......
00c0 - 2f 46 bb b1 a4 bd cc 6b-b7 33 0d 44 61 72 76 d2 /F.....k.3.Darv.
Start Time: 1741014002
Timeout : 7200 (sec)
Verify return code: 18 (self-signed certificate)
Extended master secret: no
Max Early Data: 0
read R BLOCK
DONE
My web server is (include version): nginx, 1.24.0
The operating system my web server runs on is (include version): Ubuntu 24.04
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.9.0
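The s_client output quoted in the post shows the SMTP service presenting a self-signed leaf (subject and issuer both CN=bonsai.local, verify return code 18), which is not the certificate certbot wrote to /etc/letsencrypt/live/mail.bonsai.cool/. Postfix reads its certificate from smtpd_tls_cert_file / smtpd_tls_key_file in main.cf and Dovecot from ssl_cert / ssl_key, and both only pick up a renewed file after a reload, so the practical check is to compare what each mail port actually serves against the file certbot issued. The script below is an added example, not code from the original post: it parses an s_client transcript offline (the captured excerpt is from the post; the "OK" transcript and the issuer name in it are constructed) and, when invoked with the argument `live`, fetches the leaf certificate from each port and compares SHA-256 fingerprints. The hostname mail.bonsai.cool, the port list and the PEM path are assumptions taken from the post; adjust them to the name clients actually connect to, which is the name that must appear in the certificate (the post's test was run against bonsai.cool, not mail.bonsai.cool).

```shell
#!/bin/sh
# Added example, not from the original post. Checks whether a mail service
# presents the certificate certbot issued, by comparing the SHA-256 fingerprint
# of the leaf on the wire with the first certificate in the local fullchain.pem.
# Hostnames, ports and paths are assumptions taken from the post.

# Parse an `openssl s_client` transcript (passed as a string) and print the leaf
# subject, issuer, the final "Verify return code" and whether the leaf is
# self-signed (subject equals issuer). Pure text processing, so it runs offline.
parse_s_client() {
    printf '%s\n' "$1" | awk '
        /^subject=/ { subj = $0; sub(/^subject=/, "", subj) }
        /^issuer=/  { iss  = $0; sub(/^issuer=/,  "", iss) }
        /^Verify return code:/ {
            code = $4                      # numeric code, e.g. 18
            reason = $0
            sub(/^[^(]*\(/, "", reason)    # keep text inside the parentheses
            sub(/\)$/, "", reason)
        }
        END {
            self = (subj != "" && subj == iss) ? "yes" : "no"
            printf "subject=%s\nissuer=%s\nverify_code=%s\nreason=%s\nself_signed=%s\n",
                   subj, iss, code, reason, self
        }'
}

# Exit 0 when the transcript shows a self-signed leaf, 1 otherwise.
self_signed_from_transcript() {
    parse_s_client "$1" | grep -q '^self_signed=yes$'
}

# Live check (needs network and openssl): connect to host:port, using STARTTLS
# for the given protocol (smtp, imap, pop3) or none for implicit-TLS ports such
# as 465/993, and compare the presented leaf with the local PEM file.
check_port() {
    host=$1; port=$2; proto=$3; local_pem=$4
    starttls=""
    if [ -n "$proto" ]; then starttls="-starttls $proto"; fi
    remote_fp=$(openssl s_client -connect "$host:$port" -servername "$host" $starttls \
                    </dev/null 2>/dev/null \
                | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2)
    local_fp=$(openssl x509 -noout -fingerprint -sha256 -in "$local_pem" | cut -d= -f2)
    if [ -n "$remote_fp" ] && [ "$remote_fp" = "$local_fp" ]; then
        echo "OK   $host:$port presents $local_pem"
        return 0
    fi
    echo "FAIL $host:$port presents ${remote_fp:-no certificate}, expected $local_fp"
    return 1
}

# Excerpt of the s_client output quoted in the post above (self-signed leaf).
SELF_SIGNED_TRANSCRIPT='CONNECTED(00000003)
depth=0 CN=bonsai.local
verify error:num=18:self-signed certificate
subject=CN=bonsai.local
issuer=CN=bonsai.local
Verify return code: 18 (self-signed certificate)'

# Constructed transcript of a correctly served certificate (the issuer name is
# a placeholder, not a real CA).
OK_TRANSCRIPT='CONNECTED(00000003)
subject=CN=mail.bonsai.cool
issuer=O=Example CA, CN=Example Issuing CA
Verify return code: 0 (ok)'

# Offline demonstration on the captured excerpt.
parse_s_client "$SELF_SIGNED_TRANSCRIPT"

# Live use: ./check-mail-tls.sh live  (hostname, ports and path are assumptions)
if [ "$1" = "live" ]; then
    PEM=/etc/letsencrypt/live/mail.bonsai.cool/fullchain.pem
    check_port mail.bonsai.cool 25  smtp "$PEM"
    check_port mail.bonsai.cool 587 smtp "$PEM"
    check_port mail.bonsai.cool 465 ""   "$PEM"
    check_port mail.bonsai.cool 143 imap "$PEM"
    check_port mail.bonsai.cool 993 ""   "$PEM"
fi
```

A FAIL on a port means that service is loading a different file than certbot's fullchain.pem (or was not reloaded after renewal); fix the cert/key paths in Postfix main.cf and Dovecot's ssl settings and add a certbot `--deploy-hook` that reloads both daemons so the files stay in sync after the next renewal.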