Port 993 not connecting to current certificate after restore from backup

My domain is: adonax.com

I ran this command: certbot certificates

It produced this output:

fgphil@ladonax:~$ sudo certbot certificates
[sudo] password for fgphil: 
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: adonax.com
    Serial Number: 62852ef394d5bffedd61b75a5aff937e2fb
    Key Type: RSA
    Identifiers: adonax.com hexara.com leviaphon.com www.adonax.com www.hexara.com www.leviaphon.com
    Expiry Date: 2026-03-20 05:24:51+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/adonax.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/adonax.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My web server is (include version): apache2

The operating system my web server runs on is (include version): Ubuntu 22.04.5 LTS (GNU/Linux 6.14.3-x86_64-linode168 x86_64)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 5.2.2

Yesterday I restored my Linode remote server from a backup dated in August, 2025. Today, Thunderbird is showing my Certificate to be an old one (expired in October, 2025). I was receiving emails up to yesterday. Now, Thunderbird is not connecting, citing an expired certificate.

Thunderbird is configured to use port 993. I tested access to port 993 with sslscan --show-certificate from my client computer and it displayed the same outdated certificate held by Thunderbird.

I also checked the certificate, using SSH, from the remote server with the command certbot certificates. This displayed the info above--showing a Certificate that has different dates, ones that have not expired.

I also tried sudo certbot renew but received the message that the current certificate is valid and it did not execute the renewal.

Is it okay in this case to "force" a renewal of the Certificate? sudo certbot --force-renewal Would this update whatever the communication chain is between the stored cert in my remote server and its access via port 993? Is there a particular form of the command I should use?

Am trying to be careful!

Welcome back @philfrei

When you restored from backup the cert on disk would have been expired. So, anything that started up right away would have loaded that.

Later, Certbot's automatic renewal would have seen the expired cert and renewed it. Depending on Certbot setup it may have reloaded some services.

Have you reloaded (restarted) Thunderbird since you got the fresh cert?

I only went so far as to close and reopen Thunderbird, but also to hit a "Get Certificate" button in their configuration screen that had no effect. One moment while I reboot the client machine.

Sorry, not a mail system expert. But, the thing that needs reloading / restarting is your mail server. Not your mail client. I believe Thunderbird is only the client - right?

After rebooting the client PC with Thunderbird on it, I get the same message. I've hit the "Get Certificate" button that shows on a form Thunderbird provides named "Add Security Exception". The form altered and displays the message "Checking Information: Attempting to identify this site..." and hangs. This message has been displayed for the last 5 minutes.
I will try using sslscan again.

We cross-posted. What is your mail server? That probably just needs reloading.

It is a combo of Postfix and Dovecot. I'll have to research how to restart it!

Ah, probably just a service, using systemctl restart.
Am going to try this.

If that doesn't work you might need this for Postfix. I don't recall the circumstances that require it but I am just leaving so thought I'd give you as much info as I had

Thank you so much for your help! Indeed, restarting the two services solved the problem. FWIW in case anyone follows with the same problem, instructions for restarting them are in this Linode article Troubleshooting Problems with Postfix, Dovecot and MySQL
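
The situation in this thread (a renewed certificate on disk while the mail daemon still presents the old one it loaded at startup) can be confirmed by comparing fingerprints. This script is an added example, not part of any post above; the script name and the use of adonax.com as the IMAPS hostname are assumptions, and the certificate path is the one shown in the `certbot certificates` output.

```shell
#!/usr/bin/env bash
# Added example: detect a mail daemon still serving an old certificate.

# Reduce "sha256 Fingerprint=AA:BB:.." (label case varies by OpenSSL version)
# to bare lowercase hex so two fingerprints compare reliably.
normalize_fp() {
    sed -n 's/^.*[Ff]ingerprint=//p' | tr -d ':\r' | tr 'A-F' 'a-f'
}

# SHA-256 fingerprint of the first certificate in the PEM text on stdin.
fp_of_pem() {
    openssl x509 -noout -fingerprint -sha256 2>/dev/null | normalize_fp
}

# Leaf certificate the daemon actually presents on host:port (implicit TLS).
served_fp() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null | fp_of_pem
}

# 0 = daemon serves the on-disk cert, 1 = stale cert in memory, 2 = lookup failed.
compare_fps() {
    [ -n "$1" ] && [ -n "$2" ] || return 2
    [ "$1" = "$2" ] && return 0
    return 1
}

check_mail_cert() {
    local host=$1 port=$2 pem=$3 served disk rc=0
    served=$(served_fp "$host" "$port") || served=""
    disk=$(fp_of_pem < "$pem") || disk=""
    compare_fps "$served" "$disk" || rc=$?
    case $rc in
        0) echo "OK: $host:$port serves the certificate in $pem" ;;
        1) echo "STALE: $host:$port serves $served, disk has $disk"
           echo "Restart the mail daemons: sudo systemctl restart dovecot postfix" ;;
        *) echo "ERROR: could not read a certificate (connection or file)" ;;
    esac
    return "$rc"
}

# Runs only when called with three arguments (hostname is an assumption), e.g.:
#   sudo ./check-mail-cert.sh adonax.com 993 /etc/letsencrypt/live/adonax.com/fullchain.pem
if [ $# -eq 3 ]; then
    check_mail_cert "$1" "$2" "$3"
fi
```

Certbot's `--deploy-hook` option can run the restart command after each successful renewal, so the daemons pick up the new certificate without a manual step.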
