Outlook stopped recognizing LetsEncrypt Cert after renew

I have been using this server and a LetsEncrypt certificate for almost a year without any issues. We added a second domain (AspenTree.com) in September 2022. I added a LetsEncrypt certificate for it around Sept 25. The certificate for RDKsCorner.EU was already active until mid-December. When both were within the 30 days period, we renewed both (sudo certbot renew) successfully, we thought??

Both are working but for the past week when I send emails using the RDKsCorner.EU account I'm getting "Internet Security Warnings" from Outlook. I have screen shots if they would be useful, but my reading of the message and expansion of the cert details is that it is still trying to use the previous certificate which expired on Dec 15 and not the new ones which are good into February.

Here is the output from certbot certificates:
sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: mail.aspentree.com
Domains: mail.aspentree.com
Expiry Date: 2023-02-27 16:54:36+00:00 (VALID: 66 days)
Certificate Path: /etc/letsencrypt/live/mail.aspentree.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mail.aspentree.com/privkey.pem
Certificate Name: mail.rdkscorner.eu
Domains: mail.rdkscorner.eu
Expiry Date: 2023-02-27 16:54:49+00:00 (VALID: 66 days)
Certificate Path: /etc/letsencrypt/live/mail.rdkscorner.eu/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mail.rdkscorner.eu/privkey.pem

Can someone help me fix this issue?....RDK

My domain is:
RDKsCorner.EU / second domain Aspentree.com

I ran this command:

It produced this output:

My web server is (include version):
nginx/1.14.2

The operating system my web server runs on is (include version):
Linux 10 (Buster) on Raspberry Pi 4 Model B Rev 1.4

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

Hi @rdk45, and welcome to the LE community forum :slight_smile:

It sounds like the email server doesn't know about the new certificate.

Who configured the email server to use a certificate? And how?

4 Likes

After you got the new certificates did the services reload certs or services get restarted?

This link will show you the certificate being served for https://decoder.link/sslchecker/mail.aspentree.com/465

This link will show you the certificate being served for https://decoder.link/sslchecker/mail.rdkscorner.eu/465

1 Like

To me that means they did it all.

Means it was issued 90 days prior to that.

Put two and two together and:
They have forgotten what they did ... months ago.
Have no notes on the matter.
And somehow think people outside of their system might know more/anything about what they did to it.

Without access [which we don't want] to that system, nor more information about the system and HOW it was put together...
We can only make slightly educated guesses.

If you want the problem fixed, you are going to have to roll-up your sleeves and get under that hood.

2 Likes

Supplemental information:
Both mail.rdkscorner.eu and mail.aspentree.com map to the same IPv4 Address, which is not a problem.
I assume your server has SNI.

$ nslookup mail.rdkscorner.eu
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   mail.rdkscorner.eu
Address: 66.62.161.25

$ nslookup mail.aspentree.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   mail.aspentree.com
Address: 66.62.161.25

1 Like

Or using openssl s_client -showcerts -servername mail.rdkscorner.eu -connect mail.rdkscorner.eu:465 < /dev/null

$ openssl s_client -showcerts -servername mail.rdkscorner.eu -connect mail.rdkscorner.eu:465 < /dev/null
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.rdkscorner.eu
verify error:num=10:certificate has expired
notAfter=Dec 15 14:11:43 2022 GMT
verify return:1
depth=0 CN = mail.rdkscorner.eu
notAfter=Dec 15 14:11:43 2022 GMT
verify return:1
---
Certificate chain
 0 s:CN = mail.rdkscorner.eu
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep 16 14:11:44 2022 GMT; NotAfter: Dec 15 14:11:43 2022 GMT
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
---
Server certificate
subject=CN = mail.rdkscorner.eu
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4583 bytes and written 400 bytes
Verification error: certificate has expired
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 10 (certificate has expired)
---
DONE

And using openssl s_client -showcerts -servername mail.aspentree.com -connect mail.aspentree.com:465 < /dev/null

$ openssl s_client -showcerts -servername mail.aspentree.com -connect mail.aspentree.com:465 < /dev/null
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.aspentree.com
verify return:1
---
Certificate chain
 0 s:CN = mail.aspentree.com
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep 26 17:03:08 2022 GMT; NotAfter: Dec 25 17:03:07 2022 GMT
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
---
Server certificate
subject=CN = mail.aspentree.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4582 bytes and written 400 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE
1 Like

Well that needs some attention real soon.

That one is expired :frowning:

2 Likes

Using this online tool https://crt.sh/ here are lists of issued certificates

After getting those certificates did they get installed?
Did the services or servers get restarted?

1 Like

The key thing to remember here is that the certificate you get is just a file (or set of files). Your service then needs to actually use that file, and sometimes that involves restarting each service that depends on the cert (or copying the cert to where it's required, etc.).

Which certs are used for what is not a machine-wide thing. Their mapping to a service is port specific (and can also be IP specific where the machine has multiple IPs).

You could theoretically have multiple different versions of certs called "mail.something.com" bound to all sorts of different things and all using different cert files, or even all using the same files, but if not restarted/reloaded then the services may still have the old version loaded in memory.

3 Likes

First off, thanks for your time, thoughts and replies. For some I will have to study and ponder before I reply. For a bit of background, this project was to set up a new email server to eventually replace the current, aging server with new software and hardware. This was my first foray into setting up an e-mail server, although I have set up several NginX web servers and a Reverse Proxy Server.

@rg305 After studying several web references or tutorials I ultimately followed this series of tutorials (Mail Server Archives - LinuxBabe) where parts 2 (Part 2: Install Dovecot IMAP server on Debian & Enable TLS Encryption - LinuxBabe) and 6? (How to Host Multiple Mail Domains in PostfixAdmin on Ubuntu) discuss the use of LetsEncrypt. According to my notes we followed his instruction for setting up the initial domain (RDKsCorner.EU) and then those for the second domain (Aspentree.com).

The computer is running Linux 10 (Buster) on Raspberry Pi 4 Model B Rev 1.4. The firewall is IPTABLES working in conjunction with FAIL2BAN. All web and e-mail ports are allowed by IPTABLES except those banned by FAIL2BAN for POSTFIX or DOVECOT failed intrusions. The web services for both domains are set to only respond to the ACME challenge.

I did not restart POSTFIX or DOVECOT after the renew on Nov 29; I did not recall needing to do that before. I did restart them on Dec 19. I have since then rebooted the server on Dec 19.

Also, please note, until this last renew, this server has functioned correctly for almost a year for the first domain and for almost 3 months for the second domain.

I will continue working through all of the replies and will formulate answers as best I can....RDK

Below are the results from "/etc/letsencrypt/archive/mail.rdkscorner.eu", "/etc/letsencrypt/live/mail.rdkscorner.eu", "sudo netstat -tulpn | grep LISTEN" and "sudo ss -tulpn | grep LISTEN".

$ sudo ls /etc/letsencrypt/live/mail.rdkscorner.eu -l
total 4
lrwxrwxrwx 1 root root 42 Nov 29 10:54 cert.pem -> ../../archive/mail.rdkscorner.eu/cert4.pem
lrwxrwxrwx 1 root root 43 Nov 29 10:54 chain.pem -> ../../archive/mail.rdkscorner.eu/chain4.pem
lrwxrwxrwx 1 root root 47 Nov 29 10:54 fullchain.pem -> ../../archive/mail.rdkscorner.eu/fullchain4.pem
lrwxrwxrwx 1 root root 45 Nov 29 10:54 privkey.pem -> ../../archive/mail.rdkscorner.eu/privkey4.pem
-rw-r-xr--+ 1 root root 692 May 1 2022 README

$ sudo ls /etc/letsencrypt/archive/mail.rdkscorner.eu -l
total 80
-rw-r-xr--+ 1 root root 1854 May 1 2022 cert1.pem
-rw-r-xr--+ 1 root root 1854 Jul 8 07:56 cert2.pem
-rw-r-xr--+ 1 root root 1854 Sep 16 09:11 cert3.pem
-rw-r-xr--+ 1 root root 1854 Nov 29 10:54 cert4.pem
-rw-r-xr--+ 1 root root 3750 May 1 2022 chain1.pem
-rw-r-xr--+ 1 root root 3750 Jul 8 07:56 chain2.pem
-rw-r-xr--+ 1 root root 3750 Sep 16 09:11 chain3.pem
-rw-r-xr--+ 1 root root 3750 Nov 29 10:54 chain4.pem
-rw-r-xr--+ 1 root root 5604 May 1 2022 fullchain1.pem
-rw-r-xr--+ 1 root root 5604 Jul 8 07:56 fullchain2.pem
-rw-r-xr--+ 1 root root 5604 Sep 16 09:11 fullchain3.pem
-rw-r-xr--+ 1 root root 5604 Nov 29 10:54 fullchain4.pem
-rw-r-x---+ 1 root root 1704 May 1 2022 privkey1.pem
-rw-r-x---+ 1 root root 1704 Jul 8 07:56 privkey2.pem
-rw-r-x---+ 1 root root 1708 Sep 16 09:11 privkey3.pem
-rw-r-x---+ 1 root root 1704 Nov 29 10:54 privkey4.pem

$ sudo netstat -tulpn | grep LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 806/nginx: master p
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 995/master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 775/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 28355/cupsd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 995/master
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 833/smbd
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 696/dovecot
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 696/dovecot
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 788/mysqld
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 995/master
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 833/smbd
tcp 0 0 0.0.0.0:5900 0.0.0.0:* LISTEN 710/vncserver-x11-c
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN 775/sshd
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 696/dovecot

$ sudo ss -tulpn | grep LISTEN
tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=28344,fd=10),("nginx",pid=28343,fd=10),("nginx",pid=28342,fd=10),("nginx",pid=28341,fd=10),("nginx",pid=806,fd=10))
tcp LISTEN 0 100 0.0.0.0:465 0.0.0.0:* users:(("master",pid=995,fd=20))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=775,fd=5))
tcp LISTEN 0 5 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=28355,fd=7))
tcp LISTEN 0 100 0.0.0.0:25 0.0.0.0:* users:(("master",pid=995,fd=13))
tcp LISTEN 0 50 0.0.0.0:445 0.0.0.0:* users:(("smbd",pid=833,fd=34))
tcp LISTEN 0 100 0.0.0.0:993 0.0.0.0:* users:(("dovecot",pid=696,fd=43))
tcp LISTEN 0 100 0.0.0.0:995 0.0.0.0:* users:(("dovecot",pid=696,fd=24))
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=788,fd=23))
tcp LISTEN 0 100 0.0.0.0:587 0.0.0.0:* users:(("master",pid=995,fd=17))
tcp LISTEN 0 50 0.0.0.0:139 0.0.0.0:* users:(("smbd",pid=833,fd=35))
tcp LISTEN 0 5 0.0.0.0:5900 0.0.0.0:* users:(("vncserver-x11-c",pid=710,fd=12))
tcp LISTEN 0 128 0.0.0.0:2222 0.0.0.0:* users:(("sshd",pid=775,fd=3))
tcp LISTEN 0 100 0.0.0.0:110 0.0.0.0:* users:(("dovecot",pid=696,fd=22))
tcp LISTEN 0 100 0.0.0.0:143 0.0.0.0:* users:(("dovecot",pid=696,fd=41))

2 Likes

@webprofusion OK, as one of the other members said, I should "roll-up your sleeves and get under that hood". Well, I'm willing to do that but first I have to have some idea of what I'm looking for. When I tackle a new project (plumbing, car/truck, yard, ...) I like to have some idea of what I'm doing and looking for. Unfortunately, in this case, except for going over the steps I did when creating the server or adding the second domain, I'm really not sure what to look at or look for.

As I said in my last post, I have restarted POSTFIX and DOVECOT and also restarted the server, which in principle should also have caused a restart of ALL services.

If I assume that something went wrong with my last renew (Nov 29), can I remove the files from that renew and start over?

Can someone give me some pointers?...RDK

1 Like

Make sure that the configuration you have set for each service is pointing to the /live/ version of the files (which are symbolic links) and not the archive files (which are the actual files but change with each renewal).

3 Likes

@webprofusion Thanks for the reply. I have checked the service config files for POSTFIX and DOVECOT. The results are below:

sudo nano /etc/dovecot/conf.d/10-ssl.conf

ssl_cert = </etc/letsencrypt/live/mail.rdkscorner.eu/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.rdkscorner.eu/privkey.pem

local_name mail.rdkscorner.eu {
  ssl_cert = </etc/letsencrypt/live/mail.rdkscorner.eu/fullchain.pem
  ssl_key = </etc/letsencrypt/live/mail.rdkscorner.eu/privkey.pem
}

local_name mail.aspentree.com {
  ssl_cert = </etc/letsencrypt/live/mail.aspentree.com/fullchain.pem
  ssl_key = </etc/letsencrypt/live/mail.aspentree.com/privkey.pem
}

sudo nano /etc/postfix/main.cf

# Enable TLS Encryption when Postfix receives incoming emails
# TLS parameters
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.rdkscorner.eu/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.rdkscorner.eu/privkey.pem
smtpd_tls_security_level=may
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
...
tls_server_sni_maps = hash:/etc/postfix/sni_maps

sudo nano /etc/postfix/sni_maps

mail.rdkscorner.eu /etc/letsencrypt/live/mail.rdkscorner.eu/privkey.pem /etc/letsencrypt/live/mail.rdkscorner.eu/fullchain.pem
mail.aspentree.com /etc/letsencrypt/live/mail.aspentree.com/privkey.pem /etc/letsencrypt/live/mail.aspentree.com/fullchain.pem

Also, here are the files in /live/:

$ sudo ls /etc/letsencrypt/live/mail.rdkscorner.eu -l
total 4
lrwxrwxrwx 1 root root 42 Nov 29 10:54 cert.pem -> ../../archive/mail.rdkscorner.eu/cert4.pem
lrwxrwxrwx 1 root root 43 Nov 29 10:54 chain.pem -> ../../archive/mail.rdkscorner.eu/chain4.pem
lrwxrwxrwx 1 root root 47 Nov 29 10:54 fullchain.pem -> ../../archive/mail.rdkscorner.eu/fullchain4.pem
lrwxrwxrwx 1 root root 45 Nov 29 10:54 privkey.pem -> ../../archive/mail.rdkscorner.eu/privkey4.pem
-rw-r-xr--+ 1 root root 692 May 1 2022 README

Do you see any issues?...RDK

1 Like

I am not an email expert, but based on these listen ports I see a good cert for mail.rdkscorner.eu issued on Nov 29, good thru Feb 27 2023. But, only on 3 of the above 4 ports:

openssl s_client -connect mail.rdkscorner.eu:110 -starttls pop3
openssl s_client -connect mail.rdkscorner.eu:143 -starttls imap
openssl s_client -connect mail.rdkscorner.eu:995

A test to port 993 fails:

openssl s_client -connect mail.rdkscorner.eu:993
40E72343327F0000:error:80000071:system library:BIO_connect:No route to host:../crypto/bio/bio_sock2.c:125:calling connect()
40E72343327F0000:error:10000067:BIO routines:BIO_connect:connect error:../crypto/bio/bio_sock2.c:127:
connect:errno=113

I see a process named "master" shown for some other common mail ports. I did not test these.

Can you describe the port and domain name that is causing trouble? I skimmed the thread but did not see a specific explanation.

3 Likes
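The per-port checks the replies above run by hand with openssl s_client, collected into one script. This is an added example, not code from the thread, from certbot or from the LinuxBabe tutorials: it fetches the leaf certificate from each mail port netstat showed (STARTTLS on 25/587/110/143, implicit TLS on 465/993/995), and compares its SHA-256 fingerprint with the leaf in fullchain.pem, so a daemon still serving the pre-renewal certificate shows up as STALE and an unreachable port (as 993 did here) as CONNECT FAILED. The host name and certificate path passed to check_host are hypothetical placeholders.

```python
"""Compare the leaf certificate each mail port actually serves with the leaf
certbot wrote to /etc/letsencrypt/live/<name>/fullchain.pem. A mismatch means the
daemon still holds the pre-renewal certificate in memory and needs a reload."""
import hashlib
import imaplib
import poplib
import smtplib
import socket
import ssl

# (port, STARTTLS protocol or None for implicit TLS): the mail ports netstat listed
MAIL_PORTS = [(25, "smtp"), (587, "smtp"), (465, None),
              (110, "pop3"), (143, "imap"), (993, None), (995, None)]

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated like openssl prints it."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def leaf_der_from_pem_text(pem_text: str) -> bytes:
    """DER of the first certificate in a PEM bundle, i.e. the leaf in fullchain.pem."""
    begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    start = pem_text.index(begin)
    stop = pem_text.index(end, start) + len(end)
    return ssl.PEM_cert_to_DER_cert(pem_text[start:stop])

def served_der(host: str, port: int, starttls, timeout: float = 10.0) -> bytes:
    """Leaf certificate presented on host:port, via STARTTLS where the port needs it.
    Verification is off on purpose: an expired certificate must be seen, not rejected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if starttls is None:  # implicit TLS; server_hostname sends SNI, which matters with sni_maps
        with ctx.wrap_socket(socket.create_connection((host, port), timeout=timeout),
                             server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)
    if starttls == "smtp":
        conn = smtplib.SMTP(host, port, timeout=timeout)
        conn.starttls(context=ctx)
    elif starttls == "imap":
        conn = imaplib.IMAP4(host, port, timeout=timeout)
        conn.starttls(ssl_context=ctx)
    elif starttls == "pop3":
        conn = poplib.POP3(host, port, timeout=timeout)
        conn.stls(context=ctx)
    else:
        raise ValueError(f"unknown STARTTLS protocol {starttls!r}")
    der = conn.sock.getpeercert(binary_form=True)  # conn.sock is the wrapped SSLSocket now
    conn.sock.close()
    return der

def compare(served_fp: str, disk_fp: str) -> str:
    return "OK" if served_fp == disk_fp else "STALE: still serving the old cert, reload the service"

def check_host(host: str, fullchain_path: str, ports=MAIL_PORTS) -> dict:
    """Map each port to OK / STALE / CONNECT FAILED for the given host and live fullchain.pem."""
    with open(fullchain_path) as f:
        want = fingerprint(leaf_der_from_pem_text(f.read()))
    results = {}
    for port, starttls in ports:
        try:
            results[port] = compare(fingerprint(served_der(host, port, starttls)), want)
        except (OSError, smtplib.SMTPException, imaplib.IMAP4.error, poplib.error_proto) as e:
            results[port] = f"CONNECT FAILED ({e})"
    return results
```

Run it as root on the mail host itself, e.g. check_host("mail.example.test", "/etc/letsencrypt/live/mail.example.test/fullchain.pem"), once per local_name; any STALE port is the one the reload in the @daily crontab line must cover.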

What cron type jobs do you have?
What hooks [if any] are included with the certbot renewal?

Something needs to instruct dovecot that there is a new cert and to use it.

2 Likes

Here are the entries in CRONTAB:
@daily certbot renew --quiet && systemctl reload postfix dovecot nginx
#@daily doveadm expunge -A mailbox Junk savedbefore 2w;doveadm expunge -A mailbox Trash savedbefore 2w
@daily setfacl -R -m u:www-data:rx /etc/letsencrypt/live/ /etc/letsencrypt/archive/

The conf file for DOVECOT seems to be pointing to the /LIVE/ folder as I reported above....RDK

I saw that too.
And you rebooted the system...
hmm...
Try this from cli and see if it fails or what:
systemctl reload postfix dovecot nginx

3 Likes

Dovecot is using the new cert at least on ports 110, 143, and 995 (993 is failing connect)

3 Likes

@MikeMsQ I'm not sure I completely understand. The command below would seem to say that 993 is open and the system is LISTEN-ing...RDK

$ sudo netstat -tulpn | egrep 'master|dovecot'
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 806/nginx: master p
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 995/master
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 995/master
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 696/dovecot
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 696/dovecot
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 995/master
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 696/dovecot
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 696/dovecot

Yes, I saw that which is why I tried connecting to port 993. Yet, it failed while connects to the other 3 ports worked fine and returned the latest cert.

Even this SSL Checker failed to reach that port (see link; enter the domain and port numbers 993 and 995).

Do connections to this port work for you?

2 Likes