"SSL error: Leaf certificate is expired"

Client trying to get their email are getting this error- but the certificates are not expired - have no clue how to fix this.

certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/mail.tylite.com.conf

Cert not yet due for renewal

The following certs are not due for renewal yet:
/etc/letsencrypt/live/mail.tylite.com/fullchain.pem expires on 2019-10-11 (skipped)
No renewals were attempted.

lrwxrwxrwx 1 root root 44 Jul 13 10:22 fullchain.pem -> …/…/archive/mail.tylite.com/fullchain3.pem
lrwxrwxrwx 1 root root 42 Jul 13 10:22 privkey.pem -> …/…/archive/mail.tylite.com/privkey3.pem

certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: mail.tylite.com
Domains: mail.tylite.com
Expiry Date: 2019-10-11 09:22:24+00:00 (VALID: 55 days)
Certificate Path: /etc/letsencrypt/live/mail.tylite.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mail.tylite.com/privkey.pem

SSL settings

SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>

ssl = yes

PEM encoded X.509 SSL/TLS certificate and private key. They’re opened before

dropping root privileges, so keep the key file unreadable by anyone but

root. Included doc/mkcert.sh can be used to easily generate self-signed

certificate, just make sure to update the domains in dovecot-openssl.cnf

ssl_cert = </etc/letsencrypt/live/mail.tylite.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.tylite.com/privkey.pem

My domain is:
I ran this command:
openssl x509 -dates -noout < cert3.pem
It produced this output:
notBefore=Jul 13 09:22:24 2019 GMT notAfter=Oct 11 09:22:24 2019 GMT
My web server is (include version):
Dovecot IMAP/POP3 Server
The operating system my web server runs on is (include version):
Ubuntu Linux 18.04.1
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.23.0

Hi @ptera

checking your domain - what's exact the problem?

Your website doesn't work - https://check-your-website.server-daten.de/?q=mail.tylite.com

Domainname Http-Status redirect Sec. G
http://mail.tylite.com/ -2 1.473 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it
https://mail.tylite.com/ -14 10.106 T
Timeout - The operation has timed out
http://mail.tylite.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de -2 1.470 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it
Visible Content:

But your mail ports 993 / 995 use the new certificate

The certificate:

expires in 56 days	mail.tylite.com - 1 entry

So your Dovecot IMAP/POP3 Server should work.

And your main domain doesn't have an open port 993/995.

Perhaps some users use the wrong domain name (another, third domain name) or the raw ip address.

Or are these internal users, so they use https://mail.tylite.com/?

1 Like

My GMAIL account was set to retrieve emails and was working until the last reboot of the server but now it reports

SSL Security Error. [ Help ]
Server returned error “SSL error: Leaf certificate is expired”

It is the correct port for email server. 995 and 993 is open thru the firewall.

using mail.tylite.com as the server not using the raw ip address

There is no web interface at mail.tylite.com


I just installed Thunderbird to check that account and it worked just fine must be a problem with gmail.


Ah, thanks, good to know.

Curious - what's gmail doing?

1 Like

Sorry I have no idea.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.