Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: email.protect.kiwi
I have been using letsencrypt for a while for POP3, IMAP and SMTP (more correctly POP3s, IMAPs, SSMTP, SMTP/TLS) using dovecot and exim4. The certificate for email.protect.kiwi was due and was renewed today, and since then I get the error "R3 certificate is expired" while connecting.
See the Trust Information that is shown in my email client:
PDF with Trust Information
As you can see, the DST Root CA X3 is still valid (for another 18 hours), but the attached R3 certificate has already expired.
As a result, I cannot receive or send any email. I have already tried several steps, including issuing a completely new certificate, updating the root certificates on the Ubuntu 18.04 (even though I am sure that it is not related), rebooting, etc., and I am running out of ideas.
Your IMAP and POP3 services aren't sending any intermediate certificates. Please reconfigure your Dovecot so it sends the correct certificate chain.
As for your SMTP: for some reason I can't connect to port 25 or 587 with STARTTLS. But as for your port 465: it serves a self-signed certificate?
osiris@erazer ~ $ telnet email.protect.kiwi 25
Connected to email.protect.kiwi.
Escape character is '^]'.
220 email.protect.kiwi ESMTP Exim 4.90_1 Ubuntu Thu, 30 Sep 2021 09:51:41 +1300
250-email.protect.kiwi Hello 80-100-40-176.ip.xs4all.nl [188.8.131.52]
454 TLS currently unavailable
Ah, that's why STARTTLS didn't work...
Many thanks for looking into this:
Maybe you tested it at the time of reboot. Port 587 should be reachable based on Open Port Check Tool - Test Port Forwarding on Your Router
Port 25 is blocked; 465 please ignore, that is used only for very old clients.
I switched the cert from /etc/letsencrypt/live/email.protect.kiwi-0001/cert.pem to /etc/letsencrypt/live/email.protect.kiwi-0001/fullchain.pem, but it seems that makes no difference.
Config in dovecot.conf:
ssl_cert = </etc/letsencrypt/live/email.protect.kiwi-0001/fullchain.pem
ssl_key = </etc/letsencrypt/live/email.protect.kiwi-0001/privkey.pem
ssl_client_ca_dir = /etc/ssl/certs
IMAP now sends the correct chain, that should work now. However, STARTTLS on SMTP is still unavailable.
Many thanks. In exim, the problem seems to have been a permission problem, as well as replacing the reference to fullchain.pem.
Many thanks, it seems it's working now.
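An added example (not part of the thread, and not Dovecot's or Exim's own tooling): a static check that each certificate file named by `ssl_cert` or by Exim's `tls_certificate` option holds the leaf plus at least one intermediate, which is the difference between fullchain.pem and cert.pem discussed above. The temporary paths and the PEM body in the demo are constructed, and `tls_certificate` is assumed to be the Exim setting in use, since the thread does not show the Exim configuration.

```python
import base64
import os
import re
import tempfile

# Dovecot: "ssl_cert = </path"; Exim: "tls_certificate = /path". Commented lines are skipped.
CERT_SETTING = re.compile(r"^[ \t]*(ssl_cert|tls_certificate)[ \t]*=[ \t]*<?[ \t]*(\S+)", re.M)
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def count_certs(path):
    """Count the CERTIFICATE blocks in a PEM file, rejecting malformed ones."""
    with open(path, encoding="ascii", errors="replace") as fh:
        blocks = PEM_BLOCK.findall(fh.read())
    for body in blocks:
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der.startswith(b"\x30"):  # a certificate is a DER SEQUENCE
            raise ValueError("PEM block does not contain DER")
    return len(blocks)

def audit(conf_text):
    """Return (setting, path, verdict) for every certificate setting found."""
    results = []
    for setting, path in CERT_SETTING.findall(conf_text):
        try:
            n = count_certs(path)
        except OSError as exc:  # missing, or not readable by the current user
            verdict = "unreadable: %s" % exc.strerror
        except ValueError as exc:  # also catches binascii.Error from b64decode
            verdict = "malformed: %s" % exc
        else:
            if n == 0:
                verdict = "no certificate in file"
            elif n == 1:
                verdict = "leaf only: clients will not receive the intermediate"
            else:
                verdict = "chain of %d certificates" % n
        results.append((setting, path, verdict))
    return results

if __name__ == "__main__":
    # Constructed stand-in for a certificate: a tiny DER SEQUENCE, not a real cert.
    body = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
    pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body
    live = tempfile.mkdtemp()
    for name, copies in (("cert.pem", 1), ("fullchain.pem", 2)):
        with open(os.path.join(live, name), "w") as fh:
            fh.write(pem * copies)
    conf = "ssl_cert = <%s/cert.pem\ntls_certificate = %s/fullchain.pem\n" % (live, live)
    print("\n".join("  ".join(row) for row in audit(conf)))
```

The "unreadable" verdict reflects the account running the script, so running it as the account the SMTP daemon uses also surfaces a permission problem like the one reported for exim.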