Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
webmail.tdcreative.nz/
I ran this command:
sudo certbot certificate
It produced this output:
Certificate Name: webmail.tdcreative.nz
Serial Number: the number
Key Type: RSA
Domains: webmail.tdcreative.nz
Expiry Date: 2023-05-01 22:18:46+00:00 (VALID: 89 days)
Certificate Path: the path
Private Key Path: the path
My web server is (include version):
webmail.tdcreative.nz
The operating system my web server runs on is (include version):
MAC
My hosting provider, if applicable, is: dovecot/postfix
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): dashboard and console
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.32.2
I have force renewed it already and it shows it is valid. I did it from then route. However, some of our clients are getting certificate not valid or expired notices so I am very confused. Any help would be appreciated.
If there is any other information needed let me know.
If one changed the list of (sub)domains in the certificate, the LE notifier doesn't consider it a renewal and sends a renewal notice. You can safely ignore it if you saw the updated cert.
Certbot doesn't know how to tell Dovecot or Postfix about the existence of the newly-renewed certificate, so it might be necessary to reload or restart these services manually, or provide a --deploy-hook to Certbot with a script or command line that restarts the affected services after a renewal.
Well, that was unnecessary unfortunately. I see you've wasted two perfectly fine certificates indeed.
Forced renewal only makes sense if you want to change something to the contents of an already issued certificate, e.g. add or remove OCSP "must staple" or change the key length/type et cetera. If issuance was not an issue to begin with and you don't need to change the contents of the cert, there is absolutely no reason to force a renewal as it will not fix anything that went wrong in the first place.
I already did that before and when we first got that issue that resolved it. However this time it made no difference and only a selected group of people are having the issue.
My bad. Thank you for the explanation, that makes more sense. I was trying to look for explanations and all I found is some articles suggesting to force renew. I won't do that again.
FYI: Postfix @ port 25 with STARTTLS at webmail.tdcreative.nz is using an expired certificate. IMAP @ port 143 with STARTTLS at webmail.tdcreative.nz is using the cert issued yesterday.
Thank you so much!!! I didn't notice that earlier!!!
I will take a look into how to renew that port now! Is there a safe way to do it?
(I'm sorry if my questions are kind of shallow...I don't know a lot when it comes to this area. Just started learning a few days ago.)
It was an old employee who decided to set up an old mail server at some point...
I actually have no information of how it was exactly done.
I know someone who works remotely did renew them a few months ago. But they ran into the same problem again. Since now I know a port has expired I wonder if the SSL cert didn't actually renew for anyone and needs to be done by port?
I will look into that. I've done a reload and tested it again. Seems to still have a similar problem unless I need to wait?
I will look into that as well! Thank you so much you saved me!
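An added example, not part of the thread: a deploy hook of the kind suggested above (passed to Certbot with `--deploy-hook`) that reloads Postfix and Dovecot and then checks, per STARTTLS port, that the certificate actually served matches the renewed file, which is the port 25 versus port 143 mismatch reported above. `HOST` (`mail.example.org`) and the `PORTS` list are placeholders to adjust; `RENEWED_LINEAGE` is set by Certbot when it runs the hook.

```shell
#!/bin/sh
# Added example (not from the thread): Certbot deploy hook for a Postfix + Dovecot host.
# Assumptions: HOST and PORTS below are placeholders; adjust them to the server.

HOST="${HOST:-mail.example.org}"        # placeholder hostname
PORTS="${PORTS:-25:smtp 143:imap}"      # port:starttls-protocol pairs to verify

# SHA-256 fingerprint of the certificate file on disk.
disk_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the certificate a service presents after STARTTLS.
served_fp() {   # $1=host $2=port $3=protocol (smtp, imap, pop3)
    openssl s_client -connect "$1:$2" -starttls "$3" -servername "$1" \
        </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Reload both daemons so they re-read their certificate files.
reload_services() {
    postfix reload && doveadm reload
}

# Return 0 only if every listed port serves the certificate stored at $1.
verify_ports() {   # $1=certificate file
    want=$(disk_fp "$1"); rc=0
    for pair in $PORTS; do
        port=${pair%%:*}; proto=${pair##*:}
        got=$(served_fp "$HOST" "$port" "$proto")
        if [ -n "$got" ] && [ "$got" = "$want" ]; then
            echo "OK    $HOST:$port ($proto) serves the renewed certificate"
        else
            echo "STALE $HOST:$port ($proto) serves ${got:-no certificate}" >&2
            rc=1
        fi
    done
    return $rc
}

# Run only when Certbot invokes the hook (it sets RENEWED_LINEAGE).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    reload_services
    verify_ports "$RENEWED_LINEAGE/cert.pem"
fi
```

A port that still reports STALE after the reload is being served from a different certificate file than the one Certbot renewed, so the service's own TLS configuration is the next place to look.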