Problems with R3 Certificate using exim/dovecot

terra3110 · September 29, 2021, 8:40pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: email.protect.kiwi

I use letsencrypt since a while fuer POP3, IMAP and SMTP (more correct POP3s, IMAPs, SSMTP, SMTP/TLS using dovecot and exim4. The Certificate for email.protect.kiwi was due and was renewed today and since then I get the Error while connecting "R3 certificate is expired".

See the Trust Information that is shown in my email client:

PDF with Trust Information

Like you see, the DST Root CA X3 is still valid (for another 18 hours), but the attached R3 Certificate already expired.

As result, I cannot receive or send any email. I tried already several steps including issue a complete new certificate, update on the Ubuntu 18.04 the root certificates (even when I am sure that it is not related), reboot, etc and running out of ideas.

Suggestions?

Frank

Osiris · September 29, 2021, 8:51pm

Your IMAP and POP3 services aren't sending any intermediate certificates. Please reconfigure your Dovecot so it sends the correct certificate chain.

As for your SMTP: for some reason I can't connect to port 25 or 587 with STARTTLS.. But as for your port 465: it serves a self signed certificate?

Edit:

osiris@erazer ~ $ telnet email.protect.kiwi 25
Trying 192.241.204.184...
Connected to email.protect.kiwi.
Escape character is '^]'.
220 email.protect.kiwi ESMTP Exim 4.90_1 Ubuntu Thu, 30 Sep 2021 09:51:41 +1300
EHLO blaat
250-email.protect.kiwi Hello 80-100-40-176.ip.xs4all.nl [80.100.40.176]
250-SIZE 25000000
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN
250-CHUNKING
250-STARTTLS
250 HELP
STARTTLS
454 TLS currently unavailable

Ah, that's why STARTTLS didn't work...

terra3110 · September 29, 2021, 9:07pm

Hi,

Many thanks to look into this:

Regarding Ports:

Maybe you tested it at the time of reboot. Port 587 should be reachable based on Open Port Check Tool - Test Port Forwarding on Your Router

Port 25 ist blocked, 465 pls ignore, that is used only for very old clients.

Regarding Dovecot:

i switched the Cert from /etc/letsencrypt/live/email.protect.kiwi-0001/cert.pem to /etc/letsencrypt/live/email.protect.kiwi-0001/fullchain.pem, but it seems that make not a difference.

Config in dovecot.conf:

ssl_cert = </etc/letsencrypt/live/email.protect.kiwi-0001/fullchain.pem
ssl_key = </etc/letsencrypt/live/email.protect.kiwi-0001/privkey.pem
ssl_client_ca_dir = /etc/ssl/certs

Frank

Osiris · September 29, 2021, 9:19pm

IMAP now sends the correct chain, that should work now. However, STARTTLS on SMTP is still unavailable.

terra3110 · September 29, 2021, 9:57pm

Many thanks. In exim the problem was, seems a permission problem and as well replace the reference to fullchain.pem.

Many thanks, it seems its working now.

system · October 29, 2021, 9:58pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Mail certificate expired? Help	5	1294	January 22, 2022
Thunderbird - exim - dovecot cert settings Help	22	1132	July 29, 2023
Dovecot error certificate unknown Help	9	2884	January 17, 2022
R3 expired iOS IMAPS using Dovecot Help	6	1349	November 23, 2021
Intermediate certificate for Let's Encrypt Help	12	6041	December 9, 2016

Problems with R3 Certificate using exim/dovecot

Related topics