I've seen this post [1,3,4] and tried postman [2] but I get the same error when I send an email with Thunderbird or Laravel: SSL certificate has expired.
I deleted and reinstalled the email, then added it to Thunderbird (no errors), but when I try to send an email I get the same error.
Do you know how to fix this issue? I've created a few other websites following the same procedure and everything works fine; I don't have a clue how to catch this bug.
Many thanks
SnappyEmail: OK send/receive (webmail)
CyPanel LE Certificates: Valid
Thunderbird, Laravel: no emails > certificate has expired (28-Apr)
Before 28-Apr: Emails OK
Why 4 certificates? No idea. When I installed CyPanel all emails SSL were fine.
SMTP servers use a different config from the web server: they may be out of sync (like config not updated and looking at an old certificate). Most ACME clients' default deploy hook only reloads web servers, not mail-related ones.
you didn't post any config about smtp server on port 587, so not much to talk about
If not: please contact the system administrator of the mailserver: it's their job to renew and update the mailservers certificate.
If you are:
When you opened this thread in the Help section, you should have been provided with a questionnaire. Maybe you didn't get it somehow (which is weird), or you've decided to delete it. In any case, all the answers to this questionnaire are required:
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
By the way, it seems the sysops from that domain (you forgot to redact it at a single point) are renewing their certificates for other hostnames just fine. They just forgot to renew their mail subdomain or they forgot to install their wildcard certificate in the mailserver..
Hi @Osiris @orangepizza, thanks for your feedback.
I'm the Linux admin and webmaster and I got the survey on my ticket, but I cannot share those client's details (NDA).
"They just forgot to renew their mail subdomain or they forgot to install their wildcard certificate in the mailserver.."
Do you know how to check and fix this manually?
Do you need more details? Please let me know where I can get them
Webserver: Open LiteSpeed 1.7.18
certbot --version
Command 'certbot' not found, but can be installed with:
snap install certbot # version 2.10.0, or
apt install certbot # version 1.21.0-1build1
LE generates the SSL certificates via CyPanel
Why do I have 4 certificates for example.com while my other domains (with working emails) have only 3?
Sorry, I cannot share sensitive domain details online. Thanks
I don't have any experience with CyPanel, sorry. Without a lot more details (logs etc.) I cannot help you.
Again, without way more details we're unable to say.
While the domain too is mandatory, without any substantial information it's impossible to help you. We are not gifted with prescience or other magical abilities. The only thing we can work with is information provided by the sysadmin/person administrating the server. Things like error messages, logs etc.
But none from the mailserver daemon itself. I see you mention Postfix somewhere. Well, the SMTP server (presumably Postfix) also uses the expired mail.example.com certificate.
Is Postfix also managed by CyPanel? Doesn't CyPanel have any way to renew the mail.example.com certificate? If so, what error message does it give when you try to do that? Or even better, a CyPanel log?
"Is Postfix also managed by CyPanel?" Yes.
"Doesn't CyPanel have any way to renew the mail.example.com certificate?" Yes. I've reissued the certificate, then recreated the account in Thunderbird (TBrd) (no errors), but when I send the email in TBrd or Laravel, I get the same error again. I've also deleted the email and recreated it (in CyPanel): same error.
Why //email/testTo: detects 4-certificates while my other (email-working) websites have only 3? Thanks
Please find the Postfix log attached below
May 5 19:51:09 server1 postfix/anvil[901637]: statistics: max connection rate 1/60s for (smtp:45.88.90.38) at May 5 19:47:48
May 5 19:51:09 server1 postfix/anvil[901637]: statistics: max connection count 1 for (smtp:45.88.90.38) at May 5 19:47:48
May 5 19:51:09 server1 postfix/anvil[901637]: statistics: max cache size 1 at May 5 19:47:48
May 5 19:52:53 server1 postfix/smtpd[901810]: connect from unknown[xxx.118.xxx.118]
May 5 19:52:54 server1 postfix/smtpd[901810]: warning: unknown[xxx.118.xxx.118]: SASL LOGIN authentication failed: Invalid authentication mechanism
May 5 19:52:54 server1 postfix/smtpd[901810]: lost connection after AUTH from unknown[xxx.118.39.xxx]
May 5 19:52:54 server1 postfix/smtpd[901810]: disconnect from unknown[xxx.118.39.xxx] ehlo=1 auth=0/1 commands=1/2
May 5 20:08:14 server1 postfix/anvil[902275]: statistics: max cache size 1 at May 5 20:04:54
May 5 20:11:02 server1 postfix/qmgr[807922]: 65404107D65: from=<>, size=3105, nrcpt=1 (queue active)
May 5 20:13:14 server1 postfix/smtp[902555]: 65404107D65: host natwest.co.uk[13.107.213.69] refused to talk to me: 421 Downstream server error
May 5 20:15:07 server1 dovecot: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol (no auth attempts in 1 secs): user=<>, rip=xxx.210.31.172, lip=xxx.254.xxx.239, TLS handshaking: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol, session=<7UTom7oXjMrN0h+s>
May 5 20:15:20 server1 postfix/smtpd[902677]: connect from unknown[xxx.32.xxx.80]
May 5 20:15:20 server1 postfix/smtpd[902677]: warning: unknown[xxx.32.xxx.80]: SASL LOGIN authentication failed: Invalid authentication mechanism
May 5 20:15:21 server1 postfix/smtpd[902677]: lost connection after AUTH from unknown[xxx.32.xxx.80]
Oh, mostly nevermind. I just studied the very dense image you posted earlier and see that the 4 certs relates to the longer chain. The shorter chain has been the default since Feb. So, all it means about 4 vs 3 is that the failing one hasn't renewed and is using the longer default chain in use prior to that change.
Prior info about short and long chains now blurred
Mail servers are not my specialty but can you explain what you mean by "4 certificates" versus 3?
I have a feeling you are talking about the leaf, the intermediate(s), and the private key which is (rarely) required by certain servers.
If that's the case you should know that Let's Encrypt currently offers two different intermediate chains. One has an extra cert and is being phased out (the intermediate for DST Root CA X3). Maybe all your working ones use the "short chain" and the failing uses this one?
Do not post the cert file if it includes the private key!
We can't help you without the details but there are tools to assess this.
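One way to check the two points raised in this thread, added here as an example and not posted by any participant: which certificate the SMTP daemon actually serves after STARTTLS on port 587 (and how many certificates are in that chain), and whether it matches the file Postfix is configured to load. It assumes `openssl` and Postfix's `postconf` are installed and that the certificate is set through `smtpd_tls_cert_file`; the function names and the script name are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Assumes openssl and Postfix's postconf are
# installed and that Postfix loads its certificate via smtpd_tls_cert_file.

# Fetch what the server presents after STARTTLS (PEM blocks plus s_client text).
fetch_served_chain() {  # args: host port
  openssl s_client -starttls smtp -connect "$1:$2" -servername "$1" \
    -showcerts </dev/null 2>/dev/null
}

# Count PEM certificates on stdin: leaf plus intermediates (the "3 vs 4").
# s_client repeats the leaf under "Server certificate", so stop counting there.
count_certs() {
  awk '/^Server certificate/{exit} /-----BEGIN CERTIFICATE-----/{n++} END{print n+0}'
}

# Print only the first certificate (the leaf) from stdin.
first_cert() {
  awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{exit}'
}

# Compare the served leaf with the certificate file on disk.
diagnose() {  # args: served_leaf.pem disk_cert.pem
  served_fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
  disk_fp=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
  if [ "$served_fp" != "$disk_fp" ]; then
    echo "served-differs-from-disk"  # daemon not reloaded, or it reads another file
  elif openssl x509 -in "$2" -noout -checkend 0 >/dev/null; then
    echo "in-sync-valid"
  else
    echo "in-sync-expired"           # renewal never wrote to the path Postfix reads
  fi
}

main() {  # args: host [port]
  host=$1; port=${2:-587}
  tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
  fetch_served_chain "$host" "$port" > "$tmp/chain.txt"
  first_cert < "$tmp/chain.txt" > "$tmp/leaf.pem"
  echo "certificates in served chain: $(count_certs < "$tmp/chain.txt")"
  openssl x509 -in "$tmp/leaf.pem" -noout -subject -enddate
  disk=$(postconf -h smtpd_tls_cert_file)
  echo "smtpd_tls_cert_file=$disk: $(diagnose "$tmp/leaf.pem" "$disk")"
}

# Run only when a host is given, e.g.: ./check_mail_cert.sh mail.example.com 587
if [ "$#" -ge 1 ]; then main "$@"; fi
```

If the submission service overrides the certificate with `-o` options in master.cf, `postconf -P` lists those overrides; compare against that path instead.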
Hi @Bruce5051 @Osiris, thanks for your feedback
CyPanel message said that the certificate was renewed successfully (see my scr-shot above) - 54d validity. I suppose they had a Bug for website SSL but it'd be resolved. [1]
I think the problem is with the SSL for mail.example.com, not for example.com (the website is secure, see sc-shot)
If that is wrong, how do I renew the certificate for mail.example.com manually?
Thanks