R3 cert has expired

For some reason, I am getting errors from various clients that my R3 cert has expired...

This certificate belongs to:
joeman1.com

This certificate was issued by:
R3
Let's Encrypt
US

This certificate is valid
from Aug 2 20:19:41 2022 GMT
to Oct 31 20:19:40 2022 GMT

But when I go to renew, I get this:

The following certificates are not due for renewal yet:
/etc/letsencrypt/live/joeman1.com/fullchain.pem expires on 2022-12-30 (skipped)
No renewals were attempted.

My domain is: joeman1.com

I ran this command: certbot renew

It produced this output:

The following certificates are not due for renewal yet:
/etc/letsencrypt/live/joeman1.com/fullchain.pem expires on 2022-12-30 (skipped)
No renewals were attempted.

My web server is (include version): Apache, Postfix
Apache - 2.4.37-47
Postfix - 3.5.8-4

The operating system my web server runs on is (include version): Rocky 8.6

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.31.0

Thanks for any advice on how to fix.

Joe

Looks like I am firewalled off, but the ssllabs result says there would be no problem connecting to it?
https://www.ssllabs.com/ssltest/analyze.html?d=joeman1.com

And keep in mind your message said the expired cert is 'issued by' R3, not that R3 itself was expired.

Maybe you didn't update Postfix's cert? Try restarting Postfix (and killing old processes?)


Thanks for the reply!

Firewall is open for all ports (80,443,993,587,25,465).

I can get to web and mail from external, just get the cert error from iPhone, and Thunderbird.

Joe


Your Dovecot is sending the old certificate; the hook should include a command to update it.


My 10-ssl.conf is pointing to the same cert as my Postfix/Apache:

10-ssl.conf:ssl_cert = </etc/letsencrypt/live/joeman1.com/fullchain.pem
10-ssl.conf:ssl_key = </etc/letsencrypt/live/joeman1.com/privkey.pem

Which is a link to

[root@wolfserver conf.d]# ls -la /etc/letsencrypt/live/joeman1.com/fullchain.pem
lrwxrwxrwx 1 root root 41 Oct  1 18:18 /etc/letsencrypt/live/joeman1.com/fullchain.pem -> ../../archive/joeman1.com/fullchain13.pem
[root@wolfserver conf.d]# ls -la /etc/letsencrypt/live/joeman1.com/privkey.pem
lrwxrwxrwx 1 root root 39 Oct  1 18:18 /etc/letsencrypt/live/joeman1.com/privkey.pem -> ../../archive/joeman1.com/privkey13.pem

Nothing has changed in 4 years, except the expiry notice on the R3 cert.

Is there a ca-certificate that I need to update for R3?

Thanks!
Joe


OK, this is weird... I just rebooted the server and it's working... no error with the R3 cert now.

Is there some trigger that requires a reboot for the cert update that I need to be aware of? I admit I'm not 100% familiar with SSL certs :wink:.

Thanks!
Joe


Your rebooting restarted Dovecot; the file in the config is now the new certificate, and it loaded the new one.


Ahh OK, gotcha... So... do I have to remember to reboot when certs update? I never got a notification that this cert was expiring at the end of Oct 2022. I would have made provisions to reboot/restart services if this was an issue.

In the past, when I run the certbot update, I usually restart Apache/Postfix but have never bothered with Dovecot. I will remember this in the future, but again, I never got an e-mail about the R3 expiry.

Thanks!
Joe


Certbot renews a certificate a month before it actually expires, and it succeeded, so you don't get a reminder and only have a problem just today. It can't tell what other services are using it, other than the webserver it used to do the challenge. It doesn't know about Postfix or Dovecot or an rsync deploy to other things etc.


OK, understood... I'll keep a better eye on things then.

Thanks so much for your help!
Joe


For the Dovecot service it is enough to execute the systemctl reload dovecot command for the service to start using the new certificate. That must be done in the post-renewal hook of certbot. Rebooting the server is overkill. You may want to avoid the M$-style hammer approach to fixing your services.

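The reload-in-a-deploy-hook advice above, as an added example that is not from the thread or from certbot itself: a hypothetical deploy hook that reloads the services reading the renewed lineage and then checks that each TLS port actually presents the on-disk leaf, which is the symptom the thread hit. The unit names httpd/postfix/dovecot, the port list and the file name reload-and-verify.py are assumptions; RENEWED_LINEAGE is the variable certbot exports to deploy hooks.

```python
#!/usr/bin/env python3
"""Hypothetical certbot deploy hook: reload every service that consumes the
renewed lineage, then confirm each TLS port now presents the new leaf cert.
Install as /etc/letsencrypt/renewal-hooks/deploy/reload-and-verify.py."""
import hashlib, os, socket, ssl, subprocess, sys

PEM_END = "-----END CERTIFICATE-----"
# Assumed mapping (not from the thread): systemd units that read the lineage
# and the implicit-TLS ports to probe. STARTTLS ports (25, 587) are skipped.
CONSUMERS = {
    "joeman1.com": {"units": ["httpd", "postfix", "dovecot"],
                    "ports": [443, 465, 993]},
}

def pem_fingerprint(pem_text: str) -> str:
    """SHA-256 of the DER form of the first (leaf) certificate in a PEM bundle."""
    text = pem_text.lstrip()
    first = text[: text.index(PEM_END) + len(PEM_END)]
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(first)).hexdigest()

def served_fingerprint(host: str, port: int, timeout: float = 5.0) -> str:
    """Leaf fingerprint a live endpoint presents; chain checks are off, we compare identity only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()

def stale_endpoints(host: str, ports, expected: str) -> list:
    """Ports still serving a leaf other than the on-disk one (old cert in memory)."""
    return [p for p in ports if served_fingerprint(host, p) != expected]

def main() -> int:
    lineage = os.environ.get("RENEWED_LINEAGE", "")  # exported by certbot to deploy hooks
    name = os.path.basename(lineage.rstrip("/"))
    cfg = CONSUMERS.get(name)
    if cfg is None:
        return 0  # a lineage this hook does not manage
    with open(os.path.join(lineage, "fullchain.pem")) as f:
        expected = pem_fingerprint(f.read())
    for unit in cfg["units"]:
        subprocess.run(["systemctl", "reload-or-restart", unit], check=True)
    stale = stale_endpoints(name, cfg["ports"], expected)
    for port in stale:
        print(f"{name}:{port} still serves the old certificate", file=sys.stderr)
    return 1 if stale else 0

if __name__ == "__main__":
    sys.exit(main())
```

A non-zero exit makes certbot report the hook failure in its own output, so a daemon that silently kept the old certificate in memory shows up at renewal time instead of at expiry.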