My domain is: www.filipk.xyz mail.filipk.xyz
My web server is (include version): nginx 1.14.2
The operating system my web server runs on is (include version): uname -a gives: Linux server 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux
My hosting provider, if applicable, is: vultr
I can login to a root shell on my machine (yes or no, or I don't know): yes I have root access
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.31.0
I am hosting my website and an email server on a VPS.
Locally my client is neomutt and the mail is refreshed with isync, but recently I noticed my email is not updating (I have a cronjob do it every 20 mins), so I tried to do it manually.
After running mbsync -a I get:
SSL error connecting mail.filipk.xyz (95.179.255.203:993): certificate has expired.
The first thing I did was ssh into the server, renew the certificates and restart nginx.
Certbot shows that all the certificates are still valid.
Running certbot certificates gives:
Found the following certs:
  Certificate Name: filipk
    Domains: mail.filipk.xyz filipk.xyz
    Expiry Date: 2021-09-11 04:51:03+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/filipk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/filipk/privkey.pem
  Certificate Name: filipk.xyz
    Domains: filipk.xyz www.filipk.xyz
    Expiry Date: 2021-07-29 21:30:13+00:00 (VALID: 46 days)
    Certificate Path: /etc/letsencrypt/live/filipk.xyz/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/filipk.xyz/privkey.pem
  Certificate Name: mail.filipk.xyz
    Domains: mail.filipk.xyz
    Expiry Date: 2021-09-08 17:00:14+00:00 (VALID: 87 days)
    Certificate Path: /etc/letsencrypt/live/mail.filipk.xyz/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mail.filipk.xyz/privkey.pem
So it says the certificates are valid, but when I check with OpenSSL from my local machine by running:
openssl s_client -showcerts -servername filipk.xyz -connect mail.filipk.xyz:993
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = mail.filipk.xyz
   i:C = US, O = Let's Encrypt, CN = R3
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
---
Server certificate
subject=CN = mail.filipk.xyz
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3035 bytes and written 392 bytes
Verification error: certificate has expired
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 10 (certificate has expired)
---
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot (Debian) ready.
So here it says the certificate expired on the 30th of May...
I've been googling it for a couple of days but can't seem to find a permanent solution.
I figured out a hack where I can run mbsync-get-cert mail.filipk.xyz, which would give me a certificate. Don't freak out now, this might be a noob thing to do, but what I did is I put the certificate from that mbsync command at the end of /etc/ssl/certs/ca-certificates.crt.
With this I could refresh my email, but only for a very short time, after which I would again get the certificate expired message from mbsync.
cat /etc/nginx/sites-enabled/mail
gives:
server {
    root /var/www/mail;
    index index.html index.htm index.nginx-debian.html;
    server_name mail.filipk.xyz www.mail.filipk.xyz;

    location / {
        try_files $uri $uri/ =404;
    }

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/filipk/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/filipk/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = mail.filipk.xyz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name mail.filipk.xyz www.mail.filipk.xyz;
    return 404; # managed by Certbot
}
Also, the contents of mbsyncrc are:
IMAPStore filip@filipk.xyz-remote
Host mail.filipk.xyz
Port 993
User filip
PassCmd "pass mw-filip@filipk.xyz"
AuthMechs LOGIN
SSLType IMAPS
CertificateFile /etc/ssl/certs/ca-certificates.crt

MaildirStore filip@filipk.xyz-local
Subfolders Verbatim
Path /home/filip/.local/share/mail/filip@filipk.xyz/
Inbox /home/filip/.local/share/mail/filip@filipk.xyz/INBOX
Flatten .

Channel filip@filipk.xyz
Expunge Both
Master :filip@filipk.xyz-remote:
Slave :filip@filipk.xyz-local:
Patterns * !"[Gmail]/All Mail"
Create Both
SyncState *
MaxMessages 0
ExpireUnread no
# End profile

IMAPStore filipkomsic1@gmail.com-remote
Host imap.gmail.com
Port 993
User filipkomsic1@gmail.com
PassCmd "pass mw-filipkomsic1@gmail.com"
AuthMechs LOGIN
SSLType IMAPS
CertificateFile /etc/ssl/certs/ca-certificates.crt

MaildirStore filipkomsic1@gmail.com-local
Subfolders Verbatim
Path /home/filip/.local/share/mail/filipkomsic1@gmail.com/
Inbox /home/filip/.local/share/mail/filipkomsic1@gmail.com/INBOX
Flatten .

Channel filipkomsic1@gmail.com
Expunge Both
Master :filipkomsic1@gmail.com-remote:
Slave :filipkomsic1@gmail.com-local:
Patterns * !"[Gmail]/All Mail"
Create Both
SyncState *
MaxMessages 0
ExpireUnread no
# End profile
Any help would be wonderful! Thanks in advance!
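An added example, not part of the original post: a small POSIX shell script that fetches the certificate a TLS service actually presents and compares its SHA-256 fingerprint and expiry date with the fullchain.pem that certbot reports as valid. This is the check to run when certbot certificates says VALID but a client says "certificate has expired": nginx on 443 and Dovecot on 993 are separate daemons with separate certificate settings, so what is served on 993 comes from whatever file Dovecot's ssl_cert points at, and it only changes once Dovecot has been reloaded. Comparing fingerprints this way does not touch the system CA bundle. It assumes openssl is installed on the machine running it; the hostnames and live paths in the usage lines are taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): compare the certificate a TLS
# service presents with the certificate certbot has on disk.
# Assumes: openssl in PATH; live paths as printed by `certbot certificates`.
set -eu

# SHA-256 fingerprint of the first (leaf) certificate in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# notAfter of the leaf certificate in a PEM file.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# Exit 0 if the leaf certificate in the file stays valid for at least $2
# seconds (default 0, i.e. "not expired right now"), 1 otherwise.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# Fetch the leaf certificate presented by host:port and write it to $3.
# -servername sends SNI, which matters when one daemon serves several names.
served_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Compare what host:port serves with the PEM file at $3.
check_service() {
    host=$1; port=$2; disk=$3
    tmp=$(mktemp)
    served_cert "$host" "$port" "$tmp"
    served_fp=$(cert_fingerprint "$tmp")
    disk_fp=$(cert_fingerprint "$disk")
    printf '%s:%s\n' "$host" "$port"
    printf '  served  %s  expires %s\n' "$served_fp" "$(cert_not_after "$tmp")"
    if cert_valid_for "$tmp" 0; then
        echo '  served certificate is currently valid'
    else
        echo '  served certificate is EXPIRED'
    fi
    printf '  on disk %s  expires %s\n' "$disk_fp" "$(cert_not_after "$disk")"
    if [ "$served_fp" = "$disk_fp" ]; then
        echo "  MATCH: the service is serving $disk"
    else
        echo "  MISMATCH: the service loaded a different certificate;"
        echo "  check its certificate setting (Dovecot: ssl_cert) and reload it"
    fi
    rm -f "$tmp"
}

# Usage, with the names and paths from the post (run on the server so the
# on-disk path exists):
#   sh check-served-cert.sh mail.filipk.xyz 993 /etc/letsencrypt/live/mail.filipk.xyz/fullchain.pem
#   sh check-served-cert.sh mail.filipk.xyz 443 /etc/letsencrypt/live/filipk/fullchain.pem
if [ "$#" -ge 3 ]; then
    check_service "$1" "$2" "$3"
fi
```

A MISMATCH together with an expired served certificate means the daemon on that port is reading an old file (or was never reloaded after renewal) and has to be pointed at the renewed fullchain.pem and reloaded. To keep this from recurring, certbot runs any executable placed in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal, so a one-line script there that reloads dovecot (and nginx) is the usual way to make renewals reach the mail server automatically.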